Mayoral forum member invite (copy 01)
The NY Privacy Act, Ranked Choice Voting, & Supporting Voting Rights in New York

Hi all,
From time to time, Tech:NYC will send policy alerts to all members about tech legislation that may impact your company. Today, I am writing with an alert on the NY Privacy Act, which would impact companies of all sizes and create the most comprehensive consumer privacy protections in the world. In addition, below we've included a sign-on letter by Tech:NYC supporting voting rights in New York and information on programmatic resources tied to the upcoming Mayoral primary.
If you have any questions about any of this, please let me know. Also, please email me directly if you would like to be involved in our advocacy efforts on privacy.
Thank you!
Ryan
Tech:NYC Voting Rights Letter
It has been encouraging to see many tech leaders join the national movement to defend voting rights for all, but we cannot ignore the reality in our own backyard. For this reason, Tech:NYC is undertaking a campaign to push legislators in Albany to adopt common-sense voting reforms. The good news is that this effort is already underway, being championed by a handful of Senators and Assembly Members. An extra push by the tech community could be crucial in getting these reforms across the finish line.
To that end, we are asking you, as leaders of the tech community here in NYC, to signal your commitment to the right to vote by signing a letter linked
. Please fill out this
to sign on by COB tomorrow, Tuesday, May 19th. We are currently looking for signatures from CEOs or other NY-based senior executives.
Ranked Choice Voting Event
For the first time ever, NYC’s mayoral primaries will feature Ranked Choice Voting. To explain how this process will work, please join us for an info session with Rank the Vote NYC. During the session we will talk through the mechanics of ranked choice voting, how it is tabulated, and what to expect. We will also be joined by Ben Max from the Gotham Gazette, who will provide insight into the race and how ranked choice voting may play out with regard to specific political outcomes.
Date: Wednesday, May 26th, 2021
Time: 3pm
Who: Ben Max, Gotham Gazette Executive Editor
Where: (link to come)
The NY Privacy Act
This morning, the NY Privacy Act was passed out of the Senate Consumer Protection Committee. The bill applies to any entities processing, sharing, or selling the data of New York residents. It would require affirmative “opt-in” consent for all data processes and establish a new set of consumer rights. It also mandates that every entity collecting, processing, or selling personal data maintain a “duty of loyalty” and “duty of care” to consumers — meaning that businesses must act in the best interests of the consumer. A more complete summary of the legislation is below.
As of now, this bill is only in the Senate and does not have an Assembly counterpart, which means it is unlikely that it becomes law this year. That said, we will work to stop or amend the Senate bill because it is bad public policy. The end of the state legislative session is June 10th.
Tech:NYC’s Position: We plan to oppose this bill. Not only does it create a third entirely new regulatory regime for privacy compliance after CA and VA, but it goes far further than both laws. Specifically, it requires opt-in consent for all data processing, creates a private right of action for privacy violations, and has no right to cure violations prior to enforcement. We have informed the Senate of these concerns.
In order to have the best chance of achieving these objectives, again, please let us know if you would like to be involved with our advocacy efforts.
If you have any questions or to get involved, please email me directly.
BILL SUMMARY:
The New York Privacy Act would apply to any entity processing the data of more than 100,000 New York residents, or 10,000 New York residents if it also processes data for 500,000 people outside of the state, or 25,000 New York residents if it generates over 50% of gross revenue from the sale of data.
The legislation establishes that personal data (defined extremely broadly and including IP addresses) shall not be collected, used, processed, or transferred to a processor or third party unless a consumer provides stand-alone consent for every category of processing.
Consent would be opt-in, but “excessive requests” for consent are not allowed. The option to deny consent would also need to be clearly provided.
Every entity that collects, sells, or licenses personal data has a “duty of loyalty” and “duty of care” to consumers.
Accordingly, covered entities must not engage in unfair, deceptive, or abusive acts or practices in processing data, obtaining consent, or when a consumer exercises consumer rights in this law.
Entities must also provide notice when it is reasonably foreseeable that a process will be against a consumer’s physical, financial, psychological, or reputational interests. This notice is required in advance of any interest being actually harmed and in advance of requesting consent.
Under the “duty of care,” covered entities must annually assess their processes for their operational utility, all existing safeguards, and whether they risk physical, financial, psychological, or reputational harm to consumers.
Continuous review of processes is also required under the “duty of care” to ensure controllers can always identify natural person consumers and properly update data classifications as either “identified” or “identifiable.”
The Act creates the following new class of consumer rights:
The right to notice of categories of personal data collected, the purposes for which data is used, where it was collected from, the rights of consumers, the categories of data shared with third parties, the names and categories of third parties, if data will be used for targeted advertising, and if so, the average expected revenue per user from the advertising.
The right to access data wherein a controller provides a copy of data that was processed, the identity of any processors or third parties receiving the data, the categories of data shared, and the purpose.
The right to portable data wherein a controller must provide a consumer’s data in a “structured, commonly used, and machine-readable format.”
The right to correct inaccurate data upon request of the consumer.
The right to delete data; controllers must work to prevent data reappearance and accidental resharing.
Right to appeal a denial by automated decision making and receive a human review on applications for financial or lending services, housing, public accommodation, insurance, healthcare services, or access to basic necessities such as food and water.
Additional Data Restrictions
Any data sold or transferred by a data processor cannot be combined with other data sold or transferred.
Data processors and controllers and any covered entity must not discriminate, deny, or provide different qualities of service based on a consumer’s decision to opt in.
Data Brokers:
Required to register with the Office of the Attorney General which must publish a registry online
$1,000 fine per day for failure to register or submitting false information
Controllers are required to report to the OAG the list of data brokers they share or sell data to; they can only be OAG-registered data brokers.
Compliance:
45 days to exercise a consumer right plus one additional 45 day extension.
No ability to cure exists.
Enforcement:
Private right of action and class action lawsuit is allowed to “enjoin an unlawful act or practice” and seek actual damages or $1,000, whichever is greater.
Each unlawful processing is a separate violation.
Attorney General enforcement exists to: enjoin any violation of the law, obtain restitution for money or property obtained directly or indirectly by a violation, obtain up to $15,000 in civil penalties per violation, and any further relief as the court may deem proper.
Penalty considerations are broad and include but are not limited to: the seriousness, number, and persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the violator's misconduct, and the violator's financial condition.
6 year statute of limitations
Exemptions exist for:
Processing data needed to provide services or goods requested by a consumer.
Any collection, processing, and transferring done to comply with local, state, or federal law and in other discrete cases.