The Business Council of New York State, the state’s leading statewide business and industry association, strongly opposes S.6701 (Thomas) / A.680-A (L. Rosenthal) in its current form. As is, the bill, which would enact the “New York Privacy Act” which would needlessly add considerable costs to businesses of all sizes in New York.
The intention of this legislation, which is to help consumers feel more secure when navigating the internet, is laudable. However, the bill is overly expansive and a major departure from existing privacy law both in this state and around the country, negatively impacting a wide range of businesses without commensurate protections for consumers.
This legislation imposes excessive and unworkable mandates on business and goes far beyond what is necessary to improve the management and protection of personal data. It goes far beyond the privacy laws adopted by other jurisdictions, including at the federal level, and by states such as California and Virginia.
Most troubling is the inclusion of a private right of action which would encourage ever more litigation in a state already suffering swelling court calendars and unnecessary lawsuits. Further, we are troubled by the preemptive prosecution within the legislation, empowering the Attorney General to bring suit if a business or person “has engaged or is about to engage in any acts or practices stated to be unlawful under this [law].” This would allow the Attorney General to bring suit against a business or person that has not actually done anything in violation of the Act, violating all legal norms.
Since this bill legislates far beyond any data privacy legislation in the country, it will subject New York businesses to far greater costs than their competitors. As a baseline, we should consider California’s Privacy Law. The California Attorney General’s office performed a regulatory assessment for the California Consumer Privacy Act (CCPA), on their far less onerous bill, finding that 75 percent of California’s businesses would have to comply, costing businesses $55 billion statewide. The initial cost to comply for companies was significant:
- $50,000 for companies with <20 employees
- $100,000 for companies with 20-100 employees
- $450,000 for companies with 100-500 employees
- $2 million for companies with over 500 employees 1
The proposed New York Privacy Act will not only cost businesses exponentially more to comply with, it will be particularly more challenging for smaller- and mid-sized businesses.
While some may focus on the bill’s impact on large technology companies, it will actually apply to and impact, broadly, any business conducting business online – being particularly challenging for smaller businesses, hotels, travel and tourism, grocery stores, and other retailers – many of which are just beginning to recover from the economic crisis brought about by the pandemic.
We appreciate the underlying concerns of the sponsor, as our members generally support privacy regulations that are meaningful to consumers and businesses, however, New York’s businesses need the opportunity to improve this legislation. There are many needed amendments, such as the inclusion of a “right to cure,” which would provide businesses the incentive to quickly resolve consumers’ concerns about their personal information. This would allow businesses the opportunity to come into compliance and correct mistakes while maintaining good faith amongst their customers.
Also, the opt-in consent is a departure from current norms, likely to cause consumer confusion around the ability to participate in customer reward programs. Opt-out consent is the standard nationwide and is broadly recognized as beneficial to consumers and businesses alike. We look forward to discussing these and other recommendations with the sponsor to ensure that this legislation becomes both protective and workable for consumers and businesses alike.
Businesses are the economic engine of the state and those who have endured through the pandemic have largely done so through a shift to a virtual marketplace. In order to continue to allow businesses to not only survive but thrive, we must work together to ensure that we do nothing to stymie the rebound of New York’s economy. For these reasons, The Business Council opposes S.6701 (Thomas) / A.680-A (L. Rosenthal) in its current form.
1. Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations (August 2019). Prepared by Berkeley Economic Advising and Research, LLC for the Attorney General's Office, California Department of Justice.