New York is Protecting Your Privacy

TAKING A STANCE ON DATA PRIVACY LAW

The digital age has brought with it unprecedented complexity surrounding personal data and the need for comprehensive data legislation. Recognizing this gap in legislative protection, New York has introduced the New York Privacy Act (NYPA), and the Stop Addictive Feeds Exploitation (SAFE) For Kids Act, two comprehensive initiatives designed to better document and safeguard personal data from the consumer side of data collection transactions. New York is taking a stand to protect consumers and children from the harms of data harvesting.

Currently under consideration in the Standing Committee on Consumer Affairs And Protection, chaired by Assemblywoman Nily Rozic, the New York Privacy Act was introduced as “An Act to amend the general business law, in relation to the management and oversight of personal data.” The NYPA was sponsored by State Senator Kevin Thomas and closely resembles the California Consumer Privacy Act (CCPA), which was finalized in 2019. In passing the NYPA, New York would become just the 12th state to adopt a comprehensive data privacy law protecting state residents.

DOING IT FOR THE DOLLAR

Companies buy and sell millions of users’ sensitive personal data in the pursuit of boosting profits. By purchasing personal user data from social media sites, web browsers, and other applications, advertisement companies can predict and drive trends that will increase product sales among different target groups.

Social media companies are notorious for selling user data to data collection companies, including your name, phone number, payment information, email address, stored videos and photos, photo and file metadata, IP address, networks and connections, messages, videos watched, advertisement interactions, and sensor data, as well as time, frequency, and duration of activity on the site. The NYPA targets businesses like these by regulating legal persons that conduct business in the state of New York, or who produce products and services aimed at residents of New York. The entity that stands to be regulated must:

  • (a) have annual gross revenue of twenty-five million dollars or more;
  • (b) control or process personal data of fifty thousand consumers or more; or
  • (c) derive over fifty percent of gross revenue from the sale of personal data.

The NYPA does more for residents of New York because it places the consumer first, as the Act is not restricted to regulating businesses operating within New York but encompasses every resident of New York State who may be subject to targeted data collection, an immense step forward in giving consumers control over their digital footprint.

MORE RIGHTS, LESS FRIGHT

The NYPA works by granting all New Yorkers additional rights regarding how their data is maintained by controllers to which the Act applies. The comprehensive rights granted to New York consumers include the right to notice, opt out, consent, portability, correct, and delete personal information. The right to notice requires each controller to provide a conspicuous and readily available notice statement describing the consumer’s rights, indicating the categories of personal data the controller will be collecting, where it’s collected from, and what it may be used for. The right to opt out allows consumers to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, and profiling. This gives the consumer an advantage when browsing sites and using apps, as they will be duly informed of exactly what information they are giving up when online.

While all the rights included in the NYPA are groundbreaking for the New York consumer, the right to consent to sensitive data collection and the right to delete data cannot be overstated. The right to consent requires controllers to conspicuously ask for express consent to collect sensitive personal data. It also contains a zero-discrimination clause to protect consumers who do not give controllers express consent to use their personal data. The right to delete requires controllers to delete any or all of a consumer’s personal data upon request, demanding controllers delete said data within 45 days of receiving the request. These two clauses alone can do more for New Yorkers’ digital privacy rights than ever before, allowing for complete control over who may access and keep sensitive personal data.

BUILDING A SAFER FUTURE

Following the early success of the NYPA, New York announced their comprehensive plan to better protect children from the harms of social media algorithms, which are some of the main drivers of personal data collection. Governor Kathy Hochul, State Senator Andrew Gounardes, and Assemblywoman Nily Rozic recently proposed the Stop Addictive Feeds Exploitation (SAFE) For Kids Act, directly targeting social media sites and their algorithms. It has long been suspected that social media usage contributes to worsening mental health conditions in the United States, especially among youths. The SAFE For Kids Act seeks to require parental consent for children to have access to social media feeds that use algorithms to boost usage.

On top of selling user data, social media sites like Facebook, YouTube, and X/Twitter also use carefully constructed algorithms to push content that the user has expressed interest in, usually based on the profiles they click on or the posts they ‘like’. Social media sites feed user data to algorithms they’ve designed to promote content that will keep the user engaged for longer, which exposes the user to more advertisements and produces more revenue.

Children, however, are particularly susceptible to these algorithms, and depending on the posts they view, can be exposed to harmful images or content that can have serious consequences for their mental health. Social media algorithms can show children things they are not meant to see, regardless of their naiveté and blind trust, traits that are not exactly compatible with internet use. Distressing posts or controversial images could be plastered across children’s feeds if the algorithm determines it would drive better engagement by putting them there. Under the SAFE For Kids Act, without parental consent, children on social media sites would see their feed in chronological order, and only see posts from users they ‘follow’ on the platform. This change would completely alter the way platforms treat accounts associated with children, ensuring they are not exposed to content they don’t seek out themselves. This legislation would build upon the foundations established by the NYPA, opening the door to even further regulations that could increase protections for the average consumer and, more importantly, for the average child online.

New Yorkers: If you have ever spent time on the internet, your personal data is out there, but now you have the power to protect it.

Is your data protected? By who? What rights do you have over your personal information once it has entered the world wide web?

  • Who doesn’t protect your data?
  • History of the “data” or personal information legislation
  • A July 2021 update on the start of legislation regarding data protection on the internet
  • What you can do to protect your data for now.

Ever since the 2018 publicized Facebook data breach, I have been curious about what data exactly can be stored, used and “understood” by computer algorithms and what the legal implications may be. At first, I was excited about this as a new tool. I tend to shop and look for things that are, at least, branded as sustainably sourced and environmentally friendly. For me, the idea that I would only be advertised these types of items, no plastics that may off-gas, sounded great to me. It wasn’t until I heard some of my peers’ concerns that I seriously questioned the dangers of data collection and how this information could be used to harm.

Social media websites, commerce websites and mobile apps have become integral parts of many of our everyday lives. We use them to connect with friends online and find like-minded people through virtual groups from across the world. These sites are used to share private, work, and “public” information. The data collected from social media can be looked at as a tool or an invasion of privacy. User data collection could give us access to knowledge which allows us to learn more about our human nature. For example, this data can tell us about different demographics and how users use each platform. However, it also raises new issues on what should be private, and who owns the data created by user usage (the platform/company or the individual using it).

What are our governments doing to protect our data (personal information) rights? Do individuals even have data rights over their personal information on the internet? If so, how will these rights be protected or regulated? And how will legislation attempt to regulate businesses? These are all questions that I have wondered about and hope to start to answer here. After watching Mark Zuckerberg explain to congressmen how companies make money on the internet while remaining free, I had little faith that our legal system would catch up to how companies and computer programmers are using these new technologies. Many large social media companies remain free, making money selling the data and virtual advertising space, which has its own legal issues. Would you rather pay for Facebook, Instagram, Twitter, Snapchat, etc., or allow them to sell your data? If we demand regulation and privacy for our data we may need to make this choice.

 Privacy on the Internet 

Federally in the United States, this area of law is unregulated territory, leaving it up to the tech and social media companies for now. However, some states are starting to create their own laws. See the pictures below.

US State Privacy Legislation Tracker

How has the government regulated these areas thus far? 

There are no general consumer privacy and security laws in federal legislation. However, as you may remember, the US government imposed a whopping $5 billion penalty for Facebook’s data breach. The order also required “Facebook to restructure its approach to privacy… and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight” (FTC). This was under the Federal Trade Commission Act (FTC).

This act, passed in 1914, created a government agency and prohibited companies from engaging in “unfair or deceptive acts or practices” (section 5 FTC). It protected consumers from misleading or boldly false advertising by some of America’s largest leading consumer brands (Federal Trade Commission Overview).

Interesting here is why Facebook had to pay a settlement under the Federal Trade Commission Act. Under the Act, only companies which “boldly false advertise,” “mislead,” or “misrepresent” can be held liable. Facebook told consumers that the site did not sell their data and that users could restrict the access Facebook had to data if they set it up by clicking certain boxes. The opposite was true. Facebook did not violate any internet privacy laws (there weren’t any). In this case, the law applied was 20th-century legislation created, in large part, to protect consumers from companies selling fake merchandise. If Facebook had said nothing about data privacy on their website they wouldn’t have been liable for anything. Since this case, more legal regulations have been introduced.


US Privacy Act of 1974 

 

In order to understand where the legal field will go, it is important to understand the history of US privacy rights. This act restricted what personal information US government agencies could store on their (first) computer databases. This act also gave individuals certain rights, such as the right to access any of the data that is held by government agencies, and the right to correct any errors. It also restricted what information was shared between federal and non-federal agencies and how, allowing it only under specific circumstances.

HIPAA, GLBA, COPPA

These three acts further protect individuals’ personal information.

HIPAA, the Health Insurance Portability and Accountability Act, was put in place to regulate health insurance and protect people’s personal health information. This act laid down certain ground rules for confidentiality requirements (HIPAA for Professionals).

The Gramm-Leach-Bliley Act (GLBA), passed in 1999, protects nonpublic personal information, defined as “any information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.”

The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, regulates the personal information that is collected from minors. The law “imposes certain requirements on operators of websites or online services directed to (or have actual knowledge of) children under 13 years of age.”

 

Worldwide Internet Data Privacy 

Currently, the US does not have any federal level consumer data privacy or security law. According to the “United Nations Conference on Trade and Development, 107 countries have data privacy rules in place including 66 developing nations.”


The European Union passed the General Data Protection Regulation in 2018. This law went through a long legislative process: the data privacy and security rights law was officially approved in 2016 and went into effect in May 2018. It put specific obligations on data processors and the cloud. The regulation also hopes to give individuals the ability to sue processors of data directly for damages, limit and minimize the retention of data that is kept by default, and give consumers the right to correct incorrect information. The GDPR also requires explicit consent when consumers give their data. “Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.”

THE U.S.’s strictest state so far:

So far only three states, California, Colorado and Virginia, have actually enacted comprehensive consumer data privacy laws, according to the National Conference of State Legislatures as of July 22, 2021. The closest US law to the EU’s GDPR is California’s Consumer Privacy Act (currently the U.S.’s strictest regulation on internet data privacy). In California this act requires businesses to clearly state what types of personal data will be collected from consumers and how this information will be used, managed, shared, and sold by companies or entities doing business with and compiling information about California residents (CCPA and GDPR Comparison Chart). This “landmark law” secures new privacy rights for California consumers, including:

 

 

New York State Privacy Law Update June 2021 

 In the New York legislature there were a number of privacy bills that were pending, including the “It’s Your Data Act,” the “New York Privacy Act,” the “Digital Fairness Act,” and the “New York Data Accountability and Transparency Act.” Most of the bills never made it out of committee. 

US LEGISLATION TRACKER

The “It’s Your Data Act” proposed to provide protections and transparency in the collection, use, retention, and sharing of personal information. 

 

From the New York State Senate Summary:

 “The ‘NY Privacy Act’ proposed to enact would require companies to disclose their methods of identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared”, creating a special account to fund a new Office of Privacy and Data Protection. It is currently on the floor calendar, and no action has yet been taken on it. 

 

 The definition of personal information here is – “any information related to an identified or identifiable person” – includes a very extensive list of identifiers: biometric, email addresses, network information and more. 


What are Data Privacy Rights which have been identified thus far? 

Provisions in Chart

CONSUMER RIGHTS

  • The right of access to personal information collected or shared – The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or, some combination of similar information.
  • The right to rectification — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
  • The right to deletion — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
  • The right to restriction of processing — The right for a consumer to restrict a business’s ability to process personal information about the consumer.
  • The right to data portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
  • The right to opt out of the sale of personal information — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
  • The right against automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
  • A consumer private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.


BUSINESS OBLIGATIONS

While many rights and obligations are starting to be recognized, again, there is not yet legislation to protect them. 

 


So, what can you do to protect yourself?

  1. Update and Optimize Your Privacy Settings.
      • Review what apps have access to Facebook data and what they can do with the access
      • Delete access for all apps you no longer use or need
  2. Share with Care. Be aware that when you post a picture or message, you may be inadvertently sharing personal details and sensitive data with strangers.
  3. Block “supercookies” trails – Supercookies are bits of data that can be stored on your computer like advertising networks. They are “a much more invasive type of behavior-tracking program than traditional cookies that is also harder to circumvent.” Supercookies are harder to detect and get rid of because they hide in various places and can’t be automatically deleted. A supercookie owner can capture a ton of your unique personal data like your identity, behavior, preferences, how long you’re online, when you’re most active and more. Supercookies can communicate across different websites, stitching together your personal data into a highly detailed profile.
  4. Set up Private email Identity
  5. Update your software – many software companies release updates which patch bugs and vulnerabilities in the app when they are discovered
  6. Use App lockers – App lockers provide an extra level of security for apps and work
  7. Encrypt your data – There are free apps available to encrypt or scramble data so that it cannot be read without a key.
  8. Create long and unique passwords for all accounts and use multi-factor authentication whenever possible. This additional layer of security makes it harder for hackers to get into your accounts. (Data Privacy Senate).
