Privacy Compliance Is No Longer ‘California or Not California’

Variations in how states approach issues like a private right of action or employee data protections could make compliance increasingly difficult.


New York Governor Andrew Cuomo’s executive budget proposal includes plans for a comprehensive data privacy law that echoes many of the provisions already put forth in the California Consumer Privacy Act (CCPA). But rather than bring more clarity to an increasingly fragmented U.S. privacy landscape, a New York regulation could place even more strain on companies attempting to get a handle on compliance.

Details of the proposed legislation were included in a New York State Department of Financial Services (DFS) document titled “Report on Investigation of Facebook Inc. Data Privacy Concerns” that was published last week. As proposed by Cuomo, the New York Data Accountability and Transparency Act (NYDATA) would establish a Consumer Data Privacy Bill of Rights giving New York residents the right to control, access, and delete any information an organization has collected from them. The act would also require companies to disclose the reasons why they collect data and limit their collections activity to that express purpose.

“Until a comprehensive federal law is passed—and a federal regulatory body created—this report is certainly one indication that the DFS will be taking a larger role in national data security and privacy matters moving forward,” said Myriah Jaworski, leader of the privacy litigation practice group at Beckage, via email.

It’s not just New York taking a closer look at data protection, either. States like Virginia are also exploring the possibility of enacting some form of data protection regulation, which may ultimately change the way that corporate compliance teams have to think about privacy.

Behnam Dayanim, a partner and chair of the privacy and cybersecurity practice at Paul Hastings, indicated that up until now, companies were able to approach privacy compliance in the United States as a “binary choice”—California or not California. “But now there will be multiple states, not just New York. Virginia, possibly Washington, and others that all have different standards. And what has been a binary choice will become a multifaceted one, and that will exponentially add to compliance complications,” he said.

Just how widely state privacy laws would vary from one another remains to be seen, but there are a few key sticking points that have the potential to create significant differences. For example, whereas the CCPA limits a consumer’s private right of action to data breaches, other state data protection laws may expand on those categories.

“There is probably furious lobbying right now in [New York] about the scope of the private right of action because that will obviously impact the compliance risk in a major way,” said Jarno Vanto, a partner at Crowell & Moring.

There’s also the question of whether each of the respective state privacy laws under consideration will apply to employee as well as consumer data. In California, for instance, employers are currently exempt from having to filter employee information through the requirements of the CCPA.

However, other state privacy laws that are enacted may not offer the same distinction, which could widen the corporate-leaning impact of a regulation. “That means that all companies that are typically not consumer-facing, interacting with consumers online, would also have to comply,” Vanto said.

Still, no matter what shape the regulation ends up taking, the impact of a New York privacy act would likely vary from industry to industry and company to company. Michael Morgan, a partner at McDermott Will & Emery, noted that organizations which were previously subject to the CCPA will likely have to build out or tweak their compliance programs.

Some companies may elect to roll out stringent and robust privacy standards across their national operations in order to make the process of complying with multiple state privacy laws less arduous. “If they made the decision, motivated by the CCPA and some other laws, to achieve a fairly high level of privacy with respect to the data that they process during the course of business, then it may not be a heavy lift to have a New York law that requires the ability to provide access,” Morgan said.

From: Corporate Counsel