Kathryn Wylde, president of the Partnership for New York City. Photo: Wes Bruer/Bloomberg Kathryn Wylde, president of the Partnership for New York City. Photo: Wes Bruer/Bloomberg

New data privacy legislation in New York that would allow consumers to sue businesses when their data is put at risk or sold without their consent was not well-received at a public hearing on the measure Friday by the state's business and technology leaders.

Two business leaders told panel members that the bill, as written, has the potential to flood the state's courts with litigation.

That's because the legislation, called the NY Privacy Act, would allow a so-called private right of action, meaning that individual consumers could bring litigation over violations of the proposed law. The New York Attorney General's Office could also bring litigation under the law.

Kathryn Wylde, president of the Partnership for New York City, an organization representing businesses in the five boroughs, said that part of the law would be unworkable.

"The private right of action could inundate companies and the courts with individual claims, even for minor technical errors that are likely to be common as new systems for data management are developed," Wylde said.

She, and others who testified, said enforcement of the law should rest solely with the Attorney General's Office, rather than with individual litigants. The Attorney General's Office could bring class action litigation when necessary, or file individual claims, she said.

"The Attorney General's Office has, and can develop the expertise required to deal with the complexities associated with this emerging area of case law, and bring class actions where necessary and appropriate," Wylde said.

The Business Council of New York State, the leading representative group for businesses in the state, testified with the same view, but also said lawmakers should consider what's happening at the federal level before they move on the legislation.

John Evers, director of government affairs for The Business Council, said the New York Legislature shouldn't enact any laws around data privacy that can't be replicated at the federal level. The federal government has yet to approve a comprehensive data protection law.

"The best way to regulate data privacy is universal federal rules and guidelines. This would be best," Evers said. "Such an avenue would ensure a consistent set of standards for consumers … and an end to conflicting state rules that foster confusion."

Evers, and other business representatives, also testified that enacting different laws in several other states would drive up costs for companies, which would then have to comply with a patchwork of different regulations across the country.

If approved next year, New York would become the second state in the country to enact a comprehensive law geared toward empowering consumers to retain ownership over their personal data, and decide how companies can use it, and when.

Under the bill, consumers in New York would have to affirmatively opt in to having their data used for commercial purposes, rather than opt out. Consumers would also be able to find out what data companies have on them, and see who they're sharing it with.

The measure would also allow consumers to request that companies either correct the data they have on them, or delete it altogether. Companies could also be barred from sharing, or selling, their data to third parties.

The legislation, unlike another bill recently approved in California, would apply to all companies operating in New York. California's law, which hasn't been enacted yet, will only apply to businesses that have gross annual revenues of at least $25 million, or handle the personal information of 50,000 or more consumers.

The measure would build on a law approved earlier this year in New York, called the SHIELD Act, which will broaden the definition of what's considered a data breach and set new requirements for when consumers should be notified.

That law did not include a private right of action, much to the favor of individuals who've advocated for changes in statute to streamline litigation and reduce strain on the state's courts.

Tom Stebbins, one of those individuals, said Friday that allowing a private right of action in the NY Privacy Act would create a new business incentive for attorneys to bring frivolous lawsuits in New York in search of an easy payout.

Stebbins is the executive director of the Lawsuit Reform Alliance of New York, an advocacy and educational group that seeks to encourage changes in state law that would curb the amount of litigation in New York.

"This for-profit model of law enforcement is not ideal," Stebbins said. "Private rights of action create a perverse incentive for private lawyers, who have no accountability to the public, to file cases with little or no merit."

Others who testified at the hearing Friday argued that, without a private right of action, it would be more difficult for consumers to seek recourse under the law when their data is allegedly misused by a company.

Allie Bohm, policy counsel at the New York Civil Liberties Union, testified that lawmakers would remove much of the legislation's power if they nixed that component.

"To be effective, comprehensive privacy legislation must include a private right of action," Bohm said.

Any new data privacy legislation that includes a private right of action would have to clearly define when a consumer has been harmed under the law, she said. That way, consumers can avoid obstacles in court.

"A necessary requisite to ensuring individuals have that private right of action is ensuring individuals have standing to bring suit," Bohm said.

Sen. Diane Savino, a Democrat from Staten Island who chairs the Senate Committee on Internet and Technology, said later in the hearing that she saw the value in including both a private right of action and the power of the Attorney General's Office to enforce the law.

"You need both," Savino said. "You need the private right of action and you need the regulatory structure to enforce it."

Lawmakers are expected to consider the bill when they reconvene in Albany for next year's legislative session. They'll return to the state Capitol in January.

READ MORE:

New York Enacts New Data Security Requirements to Protect Consumer Information

Equifax to Pay New York $19.1 Million as Part of Settlement Over Data Breach

Equifax Reaches $1.4 Billion Data Breach Settlement in Consumer Class Action