In the United States, California has long led the way in digital privacy. The California Online Privacy Protection Act (CalOPPA) was the country's first major privacy law, and the California Consumer Privacy Act (CCPA) placed some tough restrictions on the sale of personal data (or "personal information").
Even though the New York Privacy Act (NYPA) (NY State Senate Bill S5642) won't be taking effect, it shows how states and legislators are taking privacy and privacy laws more and more seriously. This means that, sooner rather than later, laws will likely be introduced in states that could make California's privacy laws look weak in comparison.
It's good to become familiar with the NYPA to get an understanding of what the future of privacy laws may look like for your business. The NYPA would have introduced strict new data protection requirements on businesses and would have forced businesses to act in their customers' best interests. And it would have empowered consumers with a new set of rights.
Let's see how New York's proposed law compares with California's major privacy laws, CalOPPA and the CCPA.
Objectives and Scope
The NYPA and California's existing privacy laws all serve similar purposes. But they apply very differently. Let's examine what the laws are trying to achieve.
What are the Main Aims of Each Law?
The NYPA would have brought a new standard of data protection to the State of New York.
Kevin Thomas, the New York Senator who sponsored the bill, stated that the NYPA was intended to "address how online platform/social media firms process personal data."
However, the NYPA wouldn't only have applied to social media companies. It would have required all types of businesses to handle personal data in a responsible and transparent way.
The CCPA also emerged as a response to the increasing power of online platforms and social media companies. Legislators expressed concern that many businesses now know:
"where consumer lives and how many children a consumer has, [their] personality, sleep habits, biometric and health information [...]"
The CCPA is all about regulating the sale of personal data. It also provides consumers with some control over how certain companies use their personal data. Its scope is, therefore, narrower than that of the NYPA.
CalOPPA was passed in 2003, when the internet was a very different place. Fundamentally, the same motivation underpinned the law: concern about the ways businesses treat personal data. CalOPPA's scope is also narrower than the NYPA's. It requires businesses to be transparent in their practices, but doesn't require much beyond this.
Who Does Each Law Apply to?
One thing that unites all three laws is that they apply to companies based outside of their respective states.
The NYPA, CCPA, and CalOPPA are designed to protect consumers located in New York and California (respectively). The location of the businesses that the laws regulate is, effectively, irrelevant.
The NYPA would have applied to companies of any size and any turnover, including multinational corporations and small nonprofits. It divided companies into two categories:
- Controllers, who "determine the purposes and means of the processing of personal data." A controller needs to fulfill a certain task by using a consumer's personal data, and it decides how to go about doing this. Almost every company "controls" some personal data.
- Processors, who "process personal data on behalf of a controller." A processor doesn't usually have a direct relationship with consumers. A common example is an email marketing company that emails a company's customers on its behalf.
However, the NYPA wouldn't have applied to state and local governments.
The CCPA applies much more narrowly. It applies only to "businesses," and it defines a business as a legal entity that:
- Is operated for a profit,
- Does business in California, and
- Determines why and how to process personal data (i.e. it is a "controller" in the terms of the NYPA),
- And either:
  - Has an annual revenue of more than $25 million, or
  - Annually buys, sells, receives or shares the personal data of at least 50,000 consumers, or
  - Makes at least 50 percent of its annual revenue through selling personal data
CalOPPA also applies broadly, covering "operators of commercial websites." This could include a nonprofit or publicly funded operation if its website is engaged in commercial activity, such as advertising.
What are the Penalties for Violating Each Law?
The NYPA would have been enforced under the New York General Business Law Article 22-A: Consumer Protection From Deceptive Acts And Practices (Section 350-D). Businesses could have received a $5,000 maximum fine per violation.
The CCPA is enforced by the California Attorney General:
- $2,500 maximum fine per unintentional violation
- $7,500 maximum fine per intentional violation
Both laws also contain a "private right of action." This means that under certain conditions, consumers can take a business to court and claim damages.
CalOPPA is enforced under the California Business and Professions Code (Section 17206), with a maximum fine of $2,500 per violation.
Definitions
The laws all define important concepts in different ways. This is important, as it affects how the laws apply.
Personal Data
The NYPA and the CCPA regulate how businesses "process" (store, collect, share and otherwise use) personal data. CalOPPA requires business owners to be transparent about how they process personal data. To comply with each law, you need to know what types of data they consider to be "personal."
The NYPA defined personal data as information relating to an "identifiable natural person" (a living individual). The NYPA provided many examples of personal data. These range from the obvious (name, address) to the obscure (browsing history, information about property rentals).
The CCPA uses the term "personal information," which it defines as:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The CCPA's definition of personal data is just as broad as the NYPA's definition. This makes sense. Both acts are inspired by EU law (most notably the GDPR), which takes a similarly bold approach to defining personal data.
CalOPPA uses the term "personally identifiable information," which it defines as:
"individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form."
CalOPPA's list of examples is much shorter than under the NYPA or CCPA.
CalOPPA's examples of personal data include "information concerning a user that the Web site or online service collects online from the user." This could include IP addresses or cookie data. However, such information is only considered personal data if it is kept alongside one of the direct identifiers that CalOPPA recognizes (e.g. name, email address).
Consent
Consent is an important concept in privacy law. Certain ways of using a consumer's personal data are only permitted with that person's consent.
However, some privacy laws recognize "implied" consent, also known as "opt-out" consent. Under the "implied consent" model, there are circumstances in which a company can assume a person would give their permission for something, even if the person has never confirmed this.
The NYPA didn't recognize implied consent. Businesses would have been required to demonstrate that they had earned clear and proactive agreement from consumers whenever required.
Here's how the NYPA defined consent:
"'Consent' means a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of a consumer's agreement to the processing of personal data relating to the consumer, such as by a written statement or other clear affirmative action."
The CCPA does recognize implied consent. By default, businesses are allowed to sell consumers' personal data. Consumers have "the right to opt out" of this practice. We'll discuss this in more detail below.
CalOPPA doesn't restrict the ways in which businesses process personal data. The law only requires businesses to be transparent. Therefore, consent isn't relevant to CalOPPA.
Consumers
One thing that unites the three laws is that they all protect the personal data of "consumers."
Under the NYPA, a consumer is a New York state resident. Under the CCPA and CalOPPA, a consumer is a California resident.
The definition of "consumer" under the NYPA excluded people acting in the capacity of an employee or contractor. So, for example, Facebook would've had to obey the NYPA in respect of Facebook users in New York, but not in respect of its employees in its New York office (except when they are using Facebook for personal reasons).
Obligations Under Each Law
We're now going to look at what each law requires. First, it's worth noting that there's a difference in the general approach of the NYPA and the two Californian privacy laws.
Every business covered by the NYPA would be deemed to be a "data fiduciary." A data fiduciary is legally obliged not to process consumers' personal data in a way that benefits them but harms the consumer. This includes selling the personal data without consent.
Neither of California's privacy laws contains any general principles governing the processing of personal data. They focus on providing clear, specific instructions to businesses.
Consumer Rights
The NYPA and the CCPA both include a set of rights that consumers have over their personal data. If a consumer wants to exercise these rights, they can simply make a request to the controller/business.
Here is a list of the consumer rights provided under each law. Both laws also contain a "right to be informed/to disclosure." This amounts to a requirement to maintain a Privacy Policy. We'll look at this in the next section.
Right | NYPA | CCPA |
--- | --- | --- |
Right of access | Controllers must provide the following to consumers on request: | In addition to the NYPA's requirements, the CCPA also requires businesses to provide: The business must provide a copy of any personal data they hold on a consumer, in an accessible, machine-readable format. |
Right to rectification | A controller must correct any inaccurate personal data on request. Where appropriate, they must complete incomplete personal data by adding a supplementary statement. | N/A |
Right to erasure/deletion | A controller must erase a consumer's personal data on request, unless the personal data is needed for: | Consumers also have a right to erasure under the CCPA. In addition to the NYPA's exceptions, businesses can refuse deletion under the CCPA if the personal data is needed for: |
Right to restrict processing | The right to restrict processing requires a controller not to process personal data in any way other than storing it. For example, the controller must remove personal data from a website but not delete it. | N/A |
Right to data portability | The controller must provide a copy of any personal data they hold on a consumer, in an accessible, machine-readable format. | The CCPA contains a similar provision under the "right of access." |
Right not to be subject to profiling | Controllers must not make decisions with "legal or similarly significant effects" (e.g. access to credit or housing) based solely on profiling. "Profiling" means building up a profile of a person based on their activities or personal data. | N/A |
Right to opt out | N/A | Businesses must allow consumers to object to the sale of their personal data. A business must: A business can invite a consumer to opt back in within 12 months of them opting out. Children (under 16) have "the right to opt in." This means that businesses cannot sell the personal data of children without their active consent (or, if they're under 13, the consent of their parents). |
Right to non-discrimination | N/A | Businesses can't withdraw or refuse services to consumers who have exercised their rights under the CCPA. |
Other information | Controllers must respond within 30 days. A further 60-day extension is available where required. Consumers can exercise their rights for free, twice per calendar year. Controllers must not refuse or charge a fee for the first two requests unless they are "unfounded or excessive." | The conditions are the same as under the NYPA, but businesses have 45 days to respond, and a further 45-day extension is available where required. Consumers can exercise their rights for free, twice per calendar year. Businesses must not refuse or charge a fee for the first two requests unless they are "unfounded or excessive." |
CalOPPA doesn't require commercial website operators to provide consumers with any access to or control over their personal data. However, if a website operator chooses to provide consumers with a way to access their personal data, they must disclose this in their Privacy Policy.
Privacy Policy Requirements
Each of the three laws requires businesses to maintain a Privacy Policy. If you don't have a Privacy Policy already, you need to create one. It's almost certainly a requirement under whatever privacy laws you're already subject to.
Here's a breakdown of what must be included in a Privacy Policy under each law.
Privacy Policy must include | NYPA | CCPA | CalOPPA |
--- | --- | --- | --- |
Types of personal data you collect | Y | Y | Y |
Purposes for using personal data | Y | Y | N |
Purposes for disclosing personal data to third parties | Y | Y | N |
Information about consumer rights | Y | Y | Y (if applicable) |
Types of personal data you share with third parties | Y | N | N |
Types of third parties with whom you share personal data | Y | Y | Y |
Names of third parties with whom you share personal data | Y | N | N |
Commercial reasons for selling personal data | N | Y | N |
Link to your "Do Not Sell My Personal Information" page | N | Y | N |
Confirmation of whether you sell personal data | N | Y | N |
Types of sources of personal data | Y | Y | N |
List of the types of consumers' personal data the business collected in the previous year | N | Y | N |
List of the types of consumers' personal data the business sold in the previous year | N | Y | N |
List of the types of consumers' personal data the business shared for commercial purposes in the previous year | N | Y | N |
Information about how you will disclose any changes to the Privacy Policy | N | N | Y |
The date from which the Privacy Policy takes effect | N | N | Y |
Information about whether your website respects "Do Not Track" (DNT) signals | N | N | Y |
Whether you will subject users to tracking on other websites | N | N | Y |
Under each law, your Privacy Policy must be clear and easily accessible.
California remains the US state with the strictest privacy laws. If the NYPA had passed, this might have changed. Even so, the bill shows how state privacy laws may be shifting in a much stricter direction.