The Evolving New York State of Privacy
In our recent episode of BigIDeas on the Go, New York State Senator Kevin Thomas sits down (virtually) with BigID CEO Dimitri Sirota to talk about privacy rights in the state of New York, from the NY SHIELD Act to the proposed New York Privacy Act—a groundbreaking initiative that would give residents unprecedented control over their data.
In addition to representing New York’s Sixth Senate District, Senator Thomas serves as the Chair of the Committee on Consumer Protection and is one of the creators behind the New York Stop Hacks and Improve Electronic Data Security Act—commonly known as the NY SHIELD Act.
NY SHIELD: Modernizing “Lagging” Data Breach Laws
NY SHIELD went into effect on March 21, 2020, to help mitigate data breaches and threats by imposing greater restrictions and obligations on companies handling private and personal information.
“I’ve seen industry basically run things in the shadows, and it was time to hold them accountable,” says Thomas. “In this ever-evolving world of technology, our data breach law was lagging behind.”
So NY SHIELD was introduced to “modernize” data breach law. The bill includes:
- A broadened definition of private information that includes both biometric data and the combination of different types of personal data, like a username or email with a security question or passcode
- An expanded definition of data breach to incorporate “unauthorized access”
- Extraterritoriality that, as under GDPR and CCPA, extends to companies that use data from New York residents, not just New York-based companies
Expanding the Meaning of Privacy: You Can’t Change Your Fingerprints
Working with the New York State Attorney General’s office, Thomas redefined what should be considered personally identifiable information (PII), proposing the inclusion of biometric data.
“This is the most important and sensitive personal information of ours,” says Thomas. “If you think of it, if there’s a breach and your social security number gets stolen or a password is stolen, you can change that. But you cannot change the color of your eyes—or your fingerprints. So expanding that definition was really crucial for this.”
We Share Too Much “Without Thinking Twice”
Thomas has his eye on what he calls the tendency to “[trade] our privacy for convenience.”
It doesn’t take much to give up data freely in order to navigate, communicate, or access information. We assume that our personal information will be safe, but “the truth is, our data is being exploited by tech companies for profit,” says Thomas. “They know so much about our lives, like our likes and routines, and can predict with pretty good algorithms what we can pretty much do next.”
In a world where personal data is often the currency for access—and many individuals don’t consider its value—Thomas aims to introduce legislation that holds tech companies accountable.
How the New York Privacy Act Compares to CCPA
Enter the New York Privacy Act, which provides transparency, control, and a code of ethics that companies would be expected to follow going forward.
The proposed New York Privacy Act and the existing California Consumer Protection Act (CCPA) are “much more similar than different,” according to Thomas. Like the CCPA, the new NY measures would give consumers the right to know (the ability to find out what information companies collect on them and who those companies share it with) and the ability to request that it be corrected, deleted, or not shared with third parties.
The bill would also include the private right of action—the right for New York residents to sue companies directly for privacy violations. And a new code of ethics would legislate how the actual data is used by companies; for example, restricting the use of location data beyond the purpose for which it was collected (which is also a key element of the proposed CPRA).
For Thomas, as for many privacy advocates, the eventual solution lies in a universal bill passed by the federal government. Until then, and “even after this bill is passed, technology is constantly improving and changing. So the issue of privacy will continue to evolve, and I want to make sure that my bill can capture the evolution of this going forward.”