Proposed NY Privacy Bill Would Increase Business Obligations and Litigation/Enforcement Exposure for Businesses, Including Financial Institutions

While California understandably has received most of the attention given its recent passage of the California Privacy Rights Act (CPRA), several other states continue to move forward with consideration of their own privacy legislation. Indeed, Washington, Minnesota, and New York have had privacy legislation introduced, and at least 13 other states have privacy bills in committee. These bills have the potential to drastically impact the privacy obligations of businesses, including financial institutions.

One of the bills to which financial institutions must pay attention is New York's Senate Bill 567 (SB 567). If passed SB 567 would require covered businesses to provide privacy notices and give consumers the right to know the personal information that is being collected about them. In this regard, SB 567 borrows many of its obligations from the California Consumer Privacy Act (CCPA), including:

• Giving consumers the right to know the personal information collected about them;
• Requiring businesses to disclose to consumers the categories of personal information collected about them and the categories of personal information sold or disclosed for a business purpose;
• Requiring businesses to respond to verified requests from a consumer to know the personal information about them sold or disclosed for a business purpose;
• Giving consumers the right to "opt-out" of the sale of their personal information;
• Prohibiting discrimination against a consumer for exercising their "opt-out" rights; and
• Requiring businesses to disclose in their privacy policies the New York-specific privacy rights.

Similar to the CCPA, SB 567 includes broad definitions of "Personal Information" and "Sale" which would bring a host of information and activities within the scope of the act.

"Personal Information" is defined as "information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device[.]" This would include, among other things: name, social security number, physical characteristic or description, address, email address, IP address, account name, telephone number, passport number, driver's license or state identification card number, insurance policy number, education or, employment history, bank account number, credit card number, debit card number, any other financial information, medical information, or health insurance information, commercial information, biometric data, and geolocation data.

"Sale" is defined by SB 567 as "(A) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for valuable consideration; or (B) sharing orally, in writing, or by electronic or other means, a consumer's personal information with a third party, whether for valuable consideration or for no consideration, for the third party's commercial purposes."

Not only would SB 567 require covered businesses to review and revise their privacy policies to comply with these provisions − a substantial undertaking itself for many businesses − it presents a substantial potential for increasing exposure to litigation. Specifically, SB 567 includes a very broad private right of action that would allow consumers to sue for alleged violations, including technical non-compliance. This would be the first U.S. privacy law to extend private rights of action beyond data breaches. SB 567 provides for statutory and actual damages, class action awards, and civil penalties.

SB 567 could also serve to increase regulatory enforcement actions. New York's privacy enforcement is already robust, and SB 567 would give the attorney general additional authority to bring actions against businesses for failing to comply with its regulations. In fact, SB 567 contains incentives that would give whistleblowers a portion of the civil penalties if the attorney general brings an action. This could also serve to drive up enforcement actions.

SB 567 has the potential to substantially impact businesses' privacy obligations given New York's large population and could especially impact financial institutions given the number of these institutions doing business in New York. Whether it be SB 567, or another law, New York is likely to pass comprehensive privacy legislation in the future. Numerous other states are also likely to follow suit. Reviewing, auditing, and updating your privacy compliance program is more important than ever. Businesses should act now to understand the data they collect on their customers, and how that data is used, and should review and revise their privacy policies and procedures accordingly.

Matthew G. White, a shareholder in the Memphis office of Baker Donelson, advises clients on a wide variety of cybersecurity and data privacy issues. He is a Certified Information Privacy Professional (CIPP / US, CIPP / E) and a Certified Information Privacy Manager (CIPM). He can be reached at [email protected].

Alexander F. Koskey, an attorney in Baker Donelson’s Atlanta office, is a Certified Information Privacy Professional and represents financial institutions and organizations on a wide range of data privacy, regulatory and compliance, and litigation matters. He can be reached at [email protected]