Implications of the ‘Data Fiduciary’ Provision in the Proposed New York Privacy Act
MONDAY, MARCH 2, 2020
The proposed New York Privacy Act (NYPA), currently pending before the state legislature, could significantly contribute to the trend of stronger state data privacy laws appearing nationwide. While it has many core elements of other recent state data privacy legislation, such as California’s Consumer Privacy Act (CCPA), New York’s proposed law goes substantially further—and it does so in several novel respects. In particular, the NYPA has a provision creating the “data fiduciary,” by which entities collecting and controlling data would owe fiduciary duties to the individuals from whom the data was collected (commonly referred to as data subjects). Under §1102 of the NYPA, these obligations would include “the duty of care, loyalty and confidentiality,” as well as the requirement to “act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” These provisions would establish standards of care that would shift the burden of protecting consumer information to business entities and other data collectors.
The NYPA’s provisions relating to data fiduciaries provide that fiduciary duties should be exercised to secure consumers against “privacy risks.” This term is, however, defined quite broadly to include direct or indirect financial loss, physical harm, psychological harm, significant inconvenience or time expenditure, adverse employment outcomes, stigmatization or reputational harm, disruption and intrusion from unwanted commercial communication, price discrimination and others. This long list of privacy risks suggests that the proposed fiduciary duties would be meant to protect consumers in a wide variety of scenarios.