The Fate of the New York Privacy Act

When the General Data Protection Regulation (“GDPR”) came into force last year, all eyes were on Europe as the world was eager to see how the latest and strictest set of data protection regulations would hold up.

Over a year later, it is safe to say that the GDPR has not only been a success here at home, but it has also served as a benchmark for all future data protection laws around the globe. Of course, the GDPR is not only a piece of European legislation but also applies to companies handling personal data outside of the EU when they are processing personal data of EU residents or are simply offering goods and services to the EU.

Across the pond, the GDPR clearly had an influence on the California Consumer Privacy Act, California’s new data protection law (“CCPA”). Although it isn’t as strict as the GDPR, the CCPA faced its fair share of criticism for being too strict by American standards. Following California’s efforts to strengthen their data protection laws, New York State tried their hand as well with the bill for the New York Privacy Act (“NYPA”), although efforts failed (as we explain below).

Although it seems that the NYPA will not become binding law anytime soon, the USA is such a key player in the global arena of data processing that it is nonetheless important for companies to have an overview of the NYPA’s provisions. We also share our insights as to why the NYPA did not progress – at least this time around!

Overview of the NYPA and its similarities with the GDPR

New York is the third largest state in the USA, housing over 19.5 million people, and 8.2 million of those people call NYC home, making it the country’s most populated city. NYC has been a commercial hub for decades, and given its dense population, New York Senator Kevin Thomas attempted to empower the residents of the iconic state by introducing the NYPA.

Under the NYPA, individuals in the state of New York could:

  • See the data that a company has on them

  • See who their data is being shared with

  • Correct and erase personal data in the hands of companies

  • Forbid companies from transferring data to third parties

  • Personally sue companies for mistreating their data

Much like the GDPR, the NYPA’s intention was to impose greater accountability on companies and to empower consumers by giving them back control over their data. Under the NYPA, consumers would be able to see what personal data has been collected by companies and who they are sharing it with. The NYPA would also allow consumers to correct or erase personal data in the hands of these companies – a staple of the GDPR known as the right to be forgotten.

Furthermore, the NYPA would allow data subjects in the state of New York to personally sue companies who violate their privacy rights. Although to a European this sounds like an obvious course of action, by American standards, it is rather extreme. The CCPA, California’s equivalent to the NYPA, widely regarded as the strictest of American data protection laws, does not allow Californians to personally sue companies who mistreat their data. Rather, under the CCPA, the state’s attorney general is the only one to have this power and to ensure that the provisions of the CCPA are respected.

The rights given to consumers under the NYPA may seem familiar to a European audience, and that is because they are extremely similar to the ones accorded to data subjects by the GDPR. 

Unfortunately, for the reasons brought up in this article, the proposed NYPA faced strong opposition and recently failed at the last legislative session, presumably putting an end to the future of the NYPA.


  • Why were companies unhappy?

The NYPA was without a doubt the toughest take on American data protection regulations. And it was this very intensity that led to it being abandoned – it was simply too big a jump from the status quo. Companies and lobbyists feared that the NYPA, whilst offering protection to individual rights, would nonetheless have a negative impact on business and innovation within the state, which is simply a compromise that they weren’t willing to make. 

  • Fiduciary obligation

Another big component of the backlash to the NYPA is the clause on fiduciary duty. This clause states that companies are obliged to act in the best interests of consumers, above anything else.

The clause would therefore force companies in New York to shift from their current profit-based practices to one that focuses more on the rights and interests of their consumers.

Hence, the NYPA’s fiduciary obligation would require companies to put consumer data above their profits – a very controversial point.

  • The problem with state level data protection regulations

The NYPA would have been a state law, meaning that it would only apply to those in the state of New York. If every other state in the country were to follow suit and adopt their own data protection legislation, businesses would potentially have to comply with up to 50 different data protection laws in the USA alone, depending on where they conduct their operations.

Rightfully so, this point has been raised and many believe that a single law at the federal level could more appropriately govern data protection practices.

Only time will tell if this argument comes from a place of true concern or was merely a way to bring an end to the NYPA for now.

NYPA shall go no further

For the reasons mentioned above, the NYPA failed to pass during the latest legislative session due to lack of support in the Senate. The recent Washington State Privacy Act also faced a similar fate earlier this year. In the USA, companies and lobbyists have a huge influence over new legislation and their involvement in the passing of future data protection legislation should not be underestimated.

Although the NYPA could potentially be brought up again next session, there is very little hope that the bill will ever become law.

It may be easier for the US market to swallow several bills that tend to specific privacy matters rather than an all-encompassing one.

All this being said, however, it seems likely that real change to US data protection laws will only occur when a data protection regulation is passed on a federal level. This would not only facilitate company compliance but would also offer greater protection to US citizens across all states, as well as potentially in the US’ dealings with personal data on an international level.

For more information, don’t hesitate to contact us.

Article by Justin Boileau, Legal Consultant & Charlotte Gerrish, Founder @ Gerrish Legal.