While Congress largely remains mired in hearings and pre-election posturing on the topic of consumer privacy protections, states are increasingly putting their own scrutiny on large tech companies.

New York, for example, is considering what some say could be the most stringent data privacy law in the nation.

State Sen. Kevin Thomas, a Democrat, has drafted Senate Bill S5642, the NY Privacy Act, that he is confident has majority support in the state senate and hopes will pass sometime this summer. 

It would: require companies to disclose their methods of de-identifying personal information; place special safeguards around data sharing and allow consumers to obtain the names of all entities with whom their information is shared; and create a special account to fund a new state office of privacy and data protection.

“The legislation will improve transparency and strengthen protections over consumers’ personal data,” Thomas said in a statement. “Social media companies routinely capture users’ personal information, which can be shared or sold to external parties without the user’s consent. The NY Privacy Act would require social media companies to disclose their methods for gathering personal information and allow consumers to find out what companies have access to their personal data.”

“In this technology-based world that we live in, consumers should have the right to know how their personal information is being used,” Thomas added. “These large social media platforms continue to compromise our personal data. The time has come for properly regulating Facebook and other social media sites.”

Mary Hildebrand of the law firm Lowenstein Sandler explained why New York’s efforts may prove to be so important. First and foremost, it puts “more companies at issue since it includes far more companies under its jurisdiction. State law also allows private causes of action for violating the NY Privacy Act, although New York might make the individual litigant prove damages.”

“Companies seeking to comply [with the NY Privacy Act] will be confronted by complexity and entirely new (and ill-defined) concepts such as ‘data fiduciary’ and ‘privacy risk,’ ” she added. “The law is unclear, so it is harder to follow.”

Also, in any merger or acquisition that involves the transfer of personal data associated with a NYS resident, an affirmative consent to the transfer must be obtained from each NY resident before the transfer is permitted to occur.

Thomas also sponsored the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which was passed by the New York State Senate last week in its first step toward becoming law. It seeks to “return control of personal data back to New Yorkers and require businesses to put customers’ privacy over profits.”

Specifically, the SHIELD Act will:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA.
  • Broaden the definition of a data breach to include unauthorized access to private information. It applies the notification requirement to any person or entity with the private information of a New York resident, not just to those that conduct business in New York State.
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information.
  • Create reasonable data security requirements tailored to the size of a business and provides protection from liability for certain entities that take steps to verify their safeguarding of private information.

“Technology is evolving at an ever-increasing pace, and government needs to step up to protect New Yorkers’ privacy and personal data,” Senate Majority Leader Andrea Stewart-Cousins stated. “Consumers deserve the peace of mind of knowing that their personal information isn’t being disseminated without their consent. The SHIELD Act will provide expanded protections for New Yorkers’ to safeguard private data as technology continues to progress.

Further north, in Maine, Governor Janet Mills last week signed “An Act to Protect the Privacy of Online Customer Information” into law. The legislation was sponsored by State Sen. Shenna Bellows.

The Internet privacy legislation, which garnered bipartisan support and unanimous approval in the Maine Senate, prevents the use, sale, or distribution of a customer’s personal information by Internet providers without the express consent of the customer.

“Maine people value their privacy, online and off,” Mills said in a statement. “The internet is a powerful tool and, as it becomes increasingly intertwined with our lives, it is appropriate to take steps to protect the personal information and privacy of Maine people. With this commonsense law, Maine people can access the internet with the knowledge and comfort that their personal information cannot be bought or sold by their ISPs without their express approval.”

“Internet privacy has become such a critical issue across our country and our state. Mainers need to be able to trust that the private data they send online won’t be sold or shared without their knowledge,” Bellows, a Democrat, added. “This law makes Maine first and best in the nation in protecting consumer privacy online.”

The legislation prohibits providers of broadband Internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access.

It also prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale, or access of their personal information.

To allow the ISPs to adjust their practices and accommodate the new law’s privacy provisions, the law takes effect July 1, 2020.

Nevada is also joining the fray with a new online privacy law that takes effect Oct. 1 and grants consumers the right to opt out of the selling of their collected data and personal information. Senate Bill 220, signed into law by Nevada’s governor on May 29, alters existing privacy law from 2017 by adding a requirement that businesses provide an online or telephonic means to permit consumers to opt out of the brokering of their personal information.

The law excludes financial institutions subject to Gramm-Leach-Bliley and entities covered by HIPAA.

Attorneys at the law firm Mintz Levin produced a client alert that details how the new law will work.