In late May, the proposed New York Privacy Act made it out of committee and went up for approval by the state Senate. The bill is replete with notable features, from a consumer opt-in requirement to an all-inclusive jurisdictional reach to the expansive rights granted to individual consumers. Possibly most significant is its so-called "information fiduciary standard," an idea promoted by Yale Law professor Jack Balkin as a way to equalize the power imbalance between data-collecting platforms (like social media sites) and their users. 

A fiduciary standard is something you probably already benefit from. It’s the reason we feel comfortable giving lawyers compromising information. It’s the reason we can hand over money to be professionally managed; in both instances the recipient has a duty of care, loyalty and confidentiality in handling our personal information. This means that they are held to the high standard of safeguarding our privacy, and acting in our best interest — to the exclusion of their own. 

On its face, this might seem like the ideal; the monetization of our data necessitates care on the part of its collectors. But care is required on our part as well, to ensure that any fix isn’t in name only.    

First, tech policy in general doesn’t translate well to an inconsistent patchwork of state laws. For platforms with customers dispersed across state lines, and with pre-existing obligations to shareholders, the burden of complying with individual state requirements might be enough for them to falter completely — or to lobby the SEC into agreeing that compliance is impossible. 

Another issue is that in fields where fiduciary standards are already used, beneficiaries’ interests are clear and generally align. A patient wants maximum achievable privacy and adequate medical care; financial customers want money handled with discretion and acumen. In the case of internet platforms, the waters become muddied. To implement a fiduciary standard based on genuine user consent might gut platforms’ business models completely, as most consumers are uninformed or unwilling to relinquish data in return for personalized ads. 

To mandate a fiduciary standard and then leave it as that is to risk normalizing the power and pervasiveness of a handful of tech companies, and to potentially cripple any further attempts at regulation. Ironically, holding platforms to the high standard of fiduciaries might ultimately empower them more, by tweaking the qualities of their data collecting rather than disputing or limiting that power to begin with. 

Most online platforms don’t abide by geographical borders; laws about them shouldn’t either. We need a comprehensive federal data privacy law. In its absence, and if the information fiduciary standard continues to gain traction, the way in which it’s looked at is crucial to the long-term integrity of our privacy: as a step towards a workable interplay between data collectors and ourselves, not as a solution in and of itself. 

Privacy in the digital age is an ever-evolving question. Solutions to the problem should be too.