Amd §§50 & 51, Civ Rts L; add Art 32-A §§676 - 676-q, Gen Bus L
 
Establishes the "It's Your Data Act" for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.
STATE OF NEW YORK
________________________________________________________________________
3586
2021-2022 Regular Sessions
IN ASSEMBLY
January 28, 2021
___________
Introduced by M. of A. KIM, DICKENS, COOK, HYNDMAN, COLTON, SAYEGH,
GUNTHER, MONTESANO, ENGLEBRIGHT, NIOU, J. RIVERA -- Multi-Sponsored by
-- M. of A. DE LA ROSA -- read once and referred to the Committee on
Consumer Affairs and Protection
AN ACT to amend the civil rights law and the general business law, in
relation to establishing the "It's Your Data Act"
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "It's Your
2 Data Act".
3 § 2. Section 50 of the civil rights law is amended to read as follows:
4 § 50. Right of privacy. A person, firm or corporation that collects,
5 stores, and/or uses for the purpose of advertising [purposes, or for the
6 purposes of], trade, data-mining, or generating commercial or economic
7 value, the name, portrait [or], picture, video, voice, likeness, and all
8 other personal data, biometric data, and location data of any living
9 person without having first obtained the written consent of such person,
10 or if a minor of his or her parent or guardian, or, if such consent is
11 obtained, subsequently fails to exercise reasonable care consistent with
12 its obligations as bailee of that individual's name, portrait, picture,
13 video, voice, likeness, and all other personal data, biometric data, and
14 location data, is guilty of a misdemeanor.
15 § 3. Section 51 of the civil rights law, as amended by chapter 674 of
16 the laws of 1995, is amended to read as follows:
17 § 51. Action for injunction and for damages. Any person [whose name,
18 portrait, picture or voice is used within this state for advertising
19 purposes or for the purposes of trade without the written consent], firm
20 or corporation that collects, stores, and/or uses for the purpose of
21 advertising, trade, data-mining, or generating commercial or economic
22 value, name, portrait, picture, video, voice, likeness, and all other
23 personal data, biometric data, and location data of any living person
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD06064-01-1
A. 3586 2
1 without having first obtained the written consent of such person, or if
2 a minor of his or her parent or guardian, or, when such consent is
3 obtained, subsequently fails to exercise reasonable care consistent with
4 its obligations as bailee of that individual's name, portrait, picture,
5 video, voice, likeness, and all other personal data, biometric data, and
6 location data first obtained as above provided may maintain an equitable
7 action in the supreme court of this state against the person, firm or
8 corporation so using his or her name, portrait, picture [or], video,
9 voice, likeness, and all other personal data, biometric data, and
10 location data to prevent and restrain the use thereof; and may also sue
11 and recover damages for any injuries sustained by reason of such use and
12 if the defendant shall have knowingly used such person's name, portrait,
13 picture [or], video, voice, likeness, and all other personal data, biom-
14 etric data, and location data in such manner as is forbidden or declared
15 to be unlawful by section fifty of this article, the jury, in its
16 discretion, may award exemplary damages. But nothing contained in this
17 article shall be so construed as to prevent any person, firm or corpo-
18 ration from selling or otherwise transferring any material containing
19 such name, portrait, picture [or], video, voice, likeness, and all other
20 personal data, biometric data, and location data in whatever medium to
21 any user of such name, portrait, picture [or], video, voice, likeness,
22 and all other personal data, biometric data, and location data or to any
23 third party [for sale] or transfer directly or indirectly to such a
24 user, for use, provided that the transferring party undertakes reason-
25 able steps to ensure that any such use is consistent with the selling or
26 transferring party's obligations as bailee of that individual's name,
27 portrait, picture, video, voice, likeness, and all other personal data,
28 biometric data, and location data and use in a manner lawful under this
29 article; nothing contained in this article shall be so construed as to
30 prevent any person, firm or corporation, practicing the profession of
31 photography, from exhibiting in or about his or its establishment speci-
32 mens of the work of such establishment, unless the same is continued by
33 such person, firm or corporation after written notice objecting thereto
34 has been given by the person portrayed; and nothing contained in this
35 article shall be so construed as to prevent any person, firm or corpo-
36 ration from using the name, portrait, picture [or], video, voice, like-
37 ness, and all other personal data, biometric data, and location data of
38 any manufacturer or dealer in connection with the goods, wares and
39 merchandise manufactured, produced or dealt in by him or her which he or
40 she has sold or disposed of with such name, portrait, picture [or],
41 video, voice, likeness, and all other personal data, biometric data, and
42 location data used in connection therewith; or from using the name,
43 portrait, picture [or], video, voice, likeness, and all other personal
44 data, biometric data, and location data of any author, composer or
45 artist in connection with his or her literary, musical or artistic
46 productions which he or she has sold or disposed of with such name,
47 portrait, picture [or], video, voice, likeness, and all other personal
48 data, biometric data, and location data used in connection therewith.
49 Nothing contained in this section shall be construed to prohibit the
50 copyright owner of a sound recording from disposing of, dealing in,
51 licensing or selling that sound recording to any party, if the right to
52 dispose of, deal in, license or sell such sound recording has been
53 conferred by contract or other written document by such living person or
54 the holder of such right. Nothing contained in the foregoing sentence
55 shall be deemed to abrogate or otherwise limit any rights or remedies
56 otherwise conferred by federal law or state law.
A. 3586 3
1 § 4. The general business law is amended by adding a new article 32-A
2 to read as follows:
3 ARTICLE 32-A
4 IT'S YOUR DATA ACT
5 Section 676. Definitions.
6 676-a. Transparency of the collection, use, retention, and shar-
7 ing of personal information.
8 676-b. Fair collection and use of personal information.
9 676-c. Deletion of personal information.
10 676-d. Access to retained personal information.
11 676-e. Access to disclosure of personal information.
12 676-f. Consent to additional collection or sharing of personal
13 information.
14 676-g. No discrimination by a business against a consumer for
15 exercise of rights.
16 676-h. Reasonable security.
17 676-i. Business implementation of duties.
18 676-j. Exceptions.
19 676-k. Consumer's private right of action.
20 676-l. Agency enforcement action.
21 676-m. Construction.
22 676-n. Attorney general regulations.
23 676-o. Intermediate transactions.
24 676-p. Non-waiver.
25 676-q. Severability.
26 § 676. Definitions. 1. For the purposes of this article:
27 (a) "Aggregate consumer information" means information that relates to
28 a group of consumers, from which individual consumer identities have
29 been removed, that is not linked or reasonably linkable to any consumer
30 or household, including via a device. Aggregate consumer information
31 does not mean one or more individual consumer records that have been
32 de-identified.
33 (b) "Biometric information" means an individual's physiological,
34 biological or behavioral characteristics or an electronic representation
35 of such, including an individual's deoxyribonucleic acid (DNA), that can
36 be used, singly or in combination with each other or with other identi-
37 fying data, to establish individual identity. Biometric information
38 includes, but is not limited to, imagery of the iris, retina, finger-
39 print, face, hand, palm, vein patterns, and voice recordings, from which
40 an identifier template, such as a faceprint, a minutiae template, or a
41 voiceprint, can be extracted, and keystroke patterns or rhythms, gait
42 patterns or rhythms, and sleep, health, or exercise data that contain
43 identifying information.
44 (c) "Business" means:
45 (i) A sole proprietorship, partnership, limited liability company,
46 corporation, association, or other legal entity that is organized or
47 operated for the profit or financial benefit of its shareholders or
48 other owners, that collects consumers' personal information, or on the
49 behalf of which such information is collected and that alone, or jointly
50 with others, determines the purposes and means of the processing of
51 consumers' personal information, that does business in the state of New
52 York, and that satisfies one or more of the following thresholds:
53 (1) has annual gross revenues in excess of fifty million dollars, as
54 adjusted pursuant to paragraph (f) of subdivision one of section six
55 hundred seventy-six-n of this article;
A. 3586 4
1 (2) alone or in combination, annually buys, receives for the business'
2 commercial purposes, sells, or discloses for commercial purposes, alone
3 or in combination, the personal information of fifty thousand or more
4 consumers, households, or devices; or
5 (3) derives fifty percent or more of its annual revenues from selling
6 consumers' personal information; and
7 (ii) Any entity that controls or is controlled by a business, as
8 defined in subparagraph (i) of this paragraph, and that shares common
9 branding with such business.
10 (d) "Control" or "controlled" means ownership of, or the power to
11 vote, more than fifty percent of the outstanding shares of any class of
12 voting security of a business; control in any manner over the election
13 of a majority of the directors, or of individuals exercising similar
14 functions; or the power to exercise a controlling influence over the
15 management of a business.
16 (e) "Common branding" means a shared name, servicemark, or trademark.
17 (f) "Operational purpose" means the use of personal information when
18 reasonably necessary and proportionate to achieve one of the following
19 operational purposes:
20 (i) auditing related to a current interaction with the consumer and
21 concurrent transactions, including, but not limited to, counting ad
22 impressions to unique visitors, verifying positioning and quality of ad
23 impressions, and auditing compliance with this paragraph and other stan-
24 dards;
25 (ii) detecting and responding to security incidents, protecting
26 against malicious, deceptive, fraudulent, or illegal activity, and pros-
27 ecuting those responsible for that activity;
28 (iii) debugging to identify and repair errors that impair existing
29 intended functionality;
30 (iv) short-term, transient use, provided the personal information is
31 not disclosed to another third party and is not used to build a profile
32 about a consumer or otherwise alter an individual consumer's experience
33 outside the current interaction, including, but not limited to, the
34 contextual customization of ads shown as part of the same interaction;
35 (v) performing or providing services on behalf of the business or
36 service provider, including maintaining or servicing accounts, billing
37 or collecting for requested products or services, providing customer
38 service, processing or fulfilling orders and transactions, verifying
39 customer information, processing payments, providing financing, provid-
40 ing advertising or marketing services, providing analytic services, or
41 providing similar services on behalf of the business or service provid-
42 er;
43 (vi) undertaking internal research for technological development and
44 demonstration;
45 (vii) undertaking activities to verify or maintain the quality or
46 safety of a service or device that is owned, manufactured, manufactured
47 for, or controlled by the business, or to improve, upgrade, or enhance
48 the service or device that is owned, manufactured, manufactured for, or
49 controlled by the business;
50 (viii) customization of content; or
51 (ix) customization of advertising or marketing.
52 (g) "Collects," "collected," or "collection" means buying, renting,
53 gathering, obtaining, receiving, or accessing any personal information
54 pertaining to a consumer by any means. This shall include, but shall not
55 be limited to, receiving information from the consumer, either actively
56 or passively, or by observing the consumer's behavior.
A. 3586 5
1 (h) "Commercial purposes" means to advance a person's commercial or
2 economic interests, such as by inducing another person to buy, rent,
3 lease, join, subscribe to, provide, or exchange products, goods, proper-
4 ty, information, or services, or enabling or effecting, directly or
5 indirectly, a commercial transaction. Commercial purposes shall not
6 include engaging in speech that state or federal courts have recognized
7 as noncommercial speech, including, but not limited to, political speech
8 and journalism.
9 (i) "Consumer" means a natural person who is a resident of the state
10 of New York.
11 (j) "De-identified" means information that cannot reasonably identify,
12 relate to, describe, be capable of being associated with, or be linked,
13 directly or indirectly, to a particular consumer, provided that a busi-
14 ness that uses de-identified information:
15 (i) takes reasonable measures to ensure that the data is de-identi-
16 fied;
17 (ii) publicly commits to maintain and use the data in a de-identified
18 fashion and not to attempt to re-identify the data; and
19 (iii) contractually prohibits downstream recipients from attempting to
20 re-identify the data.
21 (k) "Designated methods for submitting requests" means a mailing
22 address, email address, internet web page, internet web portal, toll-
23 free telephone number, or other applicable contact information, whereby
24 consumers may submit a request under this article, and any new, consum-
25 er-friendly means of contacting a business, as approved by the attorney
26 general pursuant to section six hundred seventy-six-n of this article.
27 (l) "Device" means any physical object that is capable of connecting
28 to the internet, directly or indirectly, or to another device.
29 (m) "Health insurance information" means a consumer's insurance policy
30 number or subscriber identification number, any unique identifier used
31 by a health insurer to identify the consumer, or any information in the
32 consumer's application and claims history, including any appeals
33 records, if the information is linked or reasonably linkable to a
34 consumer or household, including via a device, by a business or service
35 provider.
36 (n) "Infer" or "inference" means the derivation of information, data,
37 assumptions, or conclusions from facts, evidence, or another source of
38 information or data.
39 (o) "Person" means an individual, proprietorship, firm, partnership,
40 joint venture, syndicate, business trust, company, corporation, limited
41 liability company, association, committee, and any other organization or
42 group of persons acting in concert.
43 (p) "Personal information" means information that identifies or could
44 reasonably be linked, directly or indirectly, with a particular consum-
45 er, household, or consumer device. Personal information shall not
46 include publicly available information, information that is de-identi-
47 fied, or aggregate consumer information.
48 (q) "Publicly available" means information that is lawfully made
49 available from federal, state, or local government records. Publicly
50 available does not mean information collected by a business about a
51 consumer without the consumer's knowledge.
52 (r) "Service" or "services" means work, labor, and services, including
53 services furnished in connection with the production, sale or repair of
54 goods.
55 (s) "Service provider" means an individual sole proprietorship, part-
56 nership, limited liability company, corporation, association, or other
A. 3586 6
1 legal entity that is organized or operated for the profit or financial
2 benefit of its shareholders or other owners, that processes information
3 on behalf of a business and to which such business discloses a consum-
4 er's personal information for an operational purpose pursuant to a writ-
5 ten or electronic contract, provided that the contract prohibits the
6 entity receiving the information from retaining, using, or disclosing
7 the personal information for any purpose other than for the specific
8 purpose of performing the services specified in the contract for such
9 business, or as otherwise permitted by this article, including a prohi-
10 bition on retaining, using, or disclosing the personal information for a
11 commercial purpose other than providing the services specified in the
12 contract with such business.
13 (t) "Verifiable consumer request" means a request that is made by a
14 consumer, by a consumer on behalf of the consumer's minor child, or by a
15 natural person or a person registered with the secretary of state,
16 authorized by the consumer to act on the consumer's behalf, and that the
17 business can reasonably verify. A business shall not be obligated to
18 provide any personal information to a consumer if such business cannot
19 verify that the consumer making the request is the consumer about whom
20 such business has collected personal information or is a person author-
21 ized by the consumer to act on such consumer's behalf.
22 (u) "Third party" means a person or business that is not any of the
23 following:
24 (i) the business that collects personal information from consumers
25 under this article; or
26 (ii) a person to whom the business discloses a consumer's personal
27 information for an operational purpose pursuant to a written contract,
28 provided that the contract:
29 (1) prohibits the person receiving the personal information from:
30 (A) selling the personal information;
31 (B) retaining, using, or disclosing the personal information for any
32 purpose other than for the specific purpose of performing the services
33 specified in the contract, including retaining, using, or disclosing the
34 personal information for a commercial purpose other than providing the
35 services specified in the contract; and
36 (C) retaining, using, or disclosing the information outside of the
37 direct business relationship between the person and the business; and
38 (2) includes a certification made by the person receiving the personal
39 information that the person understands the restrictions in clause one
40 of this paragraph and will comply with such restrictions.
41 2. For references to a category or categories of personal information
42 required to be disclosed pursuant to this article:
43 (a) "Processing" means any operation or set of operations that are
44 performed on personal data or on sets of personal data, whether or not
45 by automated means.
46 (b) "Research" means scientific and systematic study and observation,
47 including basic research or applied research that is in the public
48 interest and that adheres to all other applicable ethics and privacy
49 laws or studies conducted in the public interest in the area of public
50 health. Research with personal information that may have been collected
51 from a consumer in the course of the consumer's interactions with a
52 business' service or device for other purposes shall be:
53 (i) compatible with an operational purpose for which the personal
54 information was collected;
55 (ii) subsequently de-identified, or in the aggregate, such that the
56 information cannot reasonably identify, relate to, describe, be capable
A. 3586 7
1 of being associated with, or be linked, directly or indirectly, to a
2 particular consumer;
3 (iii) made subject to technical safeguards to prevent re-identifica-
4 tion of the consumer to whom the information may pertain;
5 (iv) subject to business processes that specifically prohibit re-iden-
6 tification of the information;
7 (v) made subject to business processes to prevent inadvertent release
8 of de-identified information;
9 (vi) protected from any re-identification attempts;
10 (vii) used solely for research purposes that are compatible with the
11 context in which the personal information was collected;
12 (viii) not be used for any commercial purpose; and
13 (ix) subjected by the business conducting the research to additional
14 security controls that limit access to the research data to only those
15 individuals in a business as are necessary to carry out the research
16 purpose.
17 (c) (i) "Sell," "selling," "sale," or "sold," means selling, renting,
18 releasing, disclosing, disseminating, making available, transferring, or
19 otherwise communicating orally, in writing, or by electronic or other
20 means, a consumer's personal information by the business to another
21 business or a third party for monetary or other valuable consideration.
22 (ii) For purposes of this article, a business does not sell personal
23 information when:
24 (1) a consumer uses or directs the business to intentionally disclose
25 personal information or uses the business to intentionally interact with
26 a third party, provided such third party does not also sell the personal
27 information, unless such disclosure would be consistent with the
28 provisions of this article. An intentional interaction occurs when the
29 consumer intends to interact with the third party, via one or more
30 deliberate interactions. Hovering over, muting, pausing, or closing a
31 given piece of content shall not constitute a consumer's intent to
32 interact with a third party;
33 (2) the business uses or discloses an identifier for a consumer who
34 has opted out of the sale of the consumer's personal information for the
35 purposes of alerting third parties that the consumer has opted out of
36 the sale of the consumer's personal information;
37 (3) the business uses or discloses personal information of a consumer
38 with a service provider that is necessary to perform an operational
39 purpose and the business has provided notice that information being used
40 or disclosed in its terms and conditions consistent with section six
41 hundred seventy-six-i of this article; or
42 (4) the business transfers to a third party the personal information
43 of a consumer as an asset that is part of a merger, acquisition, bank-
44 ruptcy, or other transaction in which the third party assumes control of
45 all or part of the business, provided that information is used or
46 disclosed consistently with this article. A third party may not mate-
47 rially alter how it uses or discloses the personal information of a
48 consumer in a manner that is materially inconsistent with the promises
49 made at the time of collection, unless it first obtains opt-in consent,
50 as set forth in this article.
51 § 676-a. Transparency of the collection, use, retention, and sharing
52 of personal information. Any business that collects a consumer's
53 personal information shall disclose the following information in its
54 online privacy policy or policies, if the business has an online privacy
55 policy, and update such information at least once every twelve months:
A. 3586 8
1 1. a description of a consumer's rights pursuant to sections six
2 hundred seventy-six-b, six hundred seventy-six-d, six hundred seventy-
3 six-e, six hundred seventy-six-f and six hundred seventy-six-g of this
4 article and one or more designated methods for submitting requests
5 pursuant to sections six hundred seventy-six-c, six hundred
6 seventy-six-d, and six hundred seventy-six-e of this article;
7 2. a description of the personal information such business collects
8 about consumers;
9 3. the categories of sources from which the personal information is
10 collected;
11 4. a description of the methods such business uses to collect personal
12 information;
13 5. the specific purposes for collecting, disclosing, or retaining
14 personal information;
15 6. a description of the personal information it discloses about
16 consumers, or if the business does not disclose consumers' personal
17 information, the business shall disclose such fact;
18 7. the categories of third parties with whom such business shares
19 personal information with, or if the business does not disclose consum-
20 ers' personal information to third parties, the business shall disclose
21 such fact;
22 8. the categories of service providers with whom such business shares
23 personal information with, or if the business does not disclose consum-
24 ers' personal information to service providers, the business shall
25 disclose such fact;
26 9. a description of the length of time for which personal information
27 is retained; and
28 10. if personal data is de-identified such that it is no longer
29 considered personal information but subsequently retained, used, or
30 shared by the business, a description of the method or methods of de-i-
31 dentification.
32 § 676-b. Fair collection and use of personal information. 1. Subject
33 to section six hundred seventy-six-f of this article a business that
34 collects a consumer's personal information shall limit its collection
35 and sharing of personal information with third parties to what is
36 reasonably necessary to provide a service or conduct an activity that a
37 consumer has requested or is reasonably necessary for security or fraud
38 prevention, and shall require any such third party to exercise care over
39 the consumer's personal information consistent with the original busi-
40 ness's obligations as bailee of such information.
41 2. Subject to section six hundred seventy-six-f of this article, a
42 business that collects a consumer's personal information shall be obli-
43 gated to exercise reasonable care with respect to the collection, stor-
44 age, and use of that information, consistent with its obligations as a
45 bailee, and shall limit its use and retention of personal information to
46 what is reasonably necessary to provide a service or conduct an activity
47 that a consumer has requested or a related operational purpose, provided
48 however that data collected or retained solely for security or fraud
49 prevention may not be used for related operational purposes.
50 § 676-c. Deletion of personal information. 1. A consumer shall have
51 the right to request that a business delete any personal information
52 about such consumer which the business has collected from the consumer.
53 2. A business that collects personal information about consumers shall
54 disclose, pursuant to the notice requirements of section six hundred
55 seventy-six-i of this article, the consumer's rights to request the
56 deletion of the consumer's personal information.
A. 3586 9
1 3. A business that receives a verifiable consumer request from a
2 consumer to delete the consumer's personal information pursuant to
3 subdivision one of this section shall delete the consumer's personal
4 information from its records and direct any service providers to delete
5 the consumer's personal information from their records.
6 4. A business or a service provider shall not be required to comply
7 with a consumer's request to delete the consumer's personal information
8 if:
9 (a) such retention of personal information is reasonably anticipated
10 within the context of a business's ongoing business relationship with
11 the consumer; or
12 (b) it is necessary for the business or service provider to maintain
13 the consumer's personal information in order to:
14 (i) complete the transaction for which the personal information was
15 collected, provide a good or service requested by the consumer, or
16 otherwise perform a contract between the business and the consumer;
17 (ii) detect or respond to security incidents, protect against mali-
18 cious, deceptive, fraudulent, or illegal activity, or prosecute those
19 responsible for that activity;
20 (iii) debug to identify and repair errors that impair existing
21 intended functionality;
22 (iv) exercise free speech, ensure the right of another consumer to
23 exercise his or her right of free speech;
24 (v) engage in public or peer-reviewed scientific, historical, or
25 statistical research in the public interest that adheres to all other
26 applicable ethics and privacy laws, when the businesses' deletion of the
27 information is likely to render impossible or seriously impair the
28 achievement of such research, if the consumer has provided informed
29 consent; or
30 (vi) comply with a legal obligation.
31 § 676-d. Access to retained personal information. 1. If a business
32 collects personal information about a consumer, the consumer shall have
33 the right to ask the business for the following information, and the
34 business shall have the duty to provide it, promptly and free of charge,
35 upon receipt of a verifiable request:
36 (a) the specific pieces of personal information that the business
37 retains about that consumer;
38 (b) the specific sources from which the business collected the
39 personal information; and
40 (c) its purpose for collecting the personal information.
41 2. When a business receives a verifiable consumer request from a
42 consumer for the specific pieces of their personal information, such
43 business shall disclose such information in an electronic, portable,
44 machine-readable, and readily-useable format or formats that allow the
45 consumer to understand such information and to transmit such information
46 to another entity without hindrance.
47 § 676-e. Access to disclosure of personal information. If a business
48 discloses personal information about a consumer to a third party, the
49 consumer shall have the right to request the following information from
50 the business, and such business shall have the duty to provide it,
51 promptly and free of charge, upon receipt of a verifiable request:
52 1. the categories of personal information that the business disclosed
53 about the consumer, and the categories of third parties to whom the
54 personal information was disclosed, by category of personal information
55 for each category of third party; and
A. 3586 10
1 2. the specific third parties to whom the personal information was
2 disclosed.
3 § 676-f. Consent to additional collection or sharing of personal
4 information. 1. Other than as described in section six hundred seventy-
5 six-b of this article, a business shall not collect or share a consum-
6 er's personal information unless the consumer has affirmatively author-
7 ized the collection or disclosure. This right to collect or share a
8 consumer's personal information may be referred to as the right to
9 "opt-in consent".
10 2. Any personal information of a consumer collected or shared by a
11 business upon the affirmative authorization of the consumer shall remain
12 the property of such consumer, and the business shall be required to
13 exercise reasonable care in the collection and sharing of such data,
14 consistent with its obligations towards the consumer as bailee of his or
15 her personal information.
16 3. A business shall request a user's opt-in consent separately from
17 any other permission or consent, with the option to decline consent at
18 least as prominent as the option to provide consent.
19 4. If a consumer declines to provide their opt-in consent to the
20 disclosure of their personal information, a business shall refrain for
21 at least twelve months before again requesting that the consumer provide
22 their opt-in consent to the disclosure of their personal information.
23 5. A business may make available a setting or other user control that
24 the consumer may affirmatively access in order to consent to additional
25 data collection or sharing.
26 6. A business that obtains a consumer's opt-in consent to collect or
27 disclose their personal information pursuant to this section shall
28 provide consumers the ability to withdraw such consent through a readily
29 usable and automated means at any time.
30 § 676-g. No discrimination by a business against a consumer for exer-
31 cise of rights. A business shall not discriminate against a consumer
32 because the consumer exercised any of the consumer's rights under this
33 article or does not provide consent to additional data collection or
34 sharing under section six hundred seventy-six-f of this article includ-
35 ing, but not limited to, by:
36 1. denying goods or services to the consumer;
37 2. charging different prices or rates for goods or services, including
38 through the use of discounts or other benefits or imposing penalties;
39 3. providing a different level or quality of goods or services to the
40 consumer; or
41 4. suggesting that the consumer will receive a different price or rate
42 for goods or services or a different level or quality of goods or
43 services.
44 § 676-h. Reasonable security. 1. A business or service provider shall
45 implement and maintain reasonable security procedures and practices,
46 including administrative, physical, and technical safeguards, appropri-
47 ate to the nature of the information and the purposes for which the
48 personal information will be used, to protect consumers' personal infor-
49 mation from unauthorized use, disclosure, access, destruction, or
50 modification.
51 2. A business or service provider may employ any lawful security meas-
52 ures that allow it to comply with the requirements set forth in this
53 section.
54 § 676-i. Business implementation of duties. 1. A business shall:
55 (a) make available to consumers two or more designated methods for
56 submitting requests pursuant to sections six hundred seventy-six-c, six
A. 3586 11
1 hundred seventy-six-d, and six hundred seventy-six-e of this article,
2 including, at a minimum, a telephone number, and, if the business main-
3 tains an internet web site, a web site address;
4 (b) disclose and deliver the required information to a consumer free
5 of charge within forty-five days of receiving a verifiable consumer
6 request. A business shall take steps to determine whether the request is
7 a verifiable consumer request from the identified consumer. The time
8 period may be extended once by forty-five days when reasonably neces-
9 sary, provided the consumer is provided notice of the extension within
10 the first forty-five day period. The disclosure shall cover the twelve
11 month period preceding the request. It shall be delivered through the
12 consumer's account with the business, if the consumer maintains an
13 account with the business, or by mail or electronically at the consum-
14 er's option, if the consumer does not maintain an account with the busi-
15 ness. The business shall not require the consumer to create an account
16 with the business in order to make a verifiable request;
17 (c) ensure that all individuals responsible for handling consumer
18 inquiries about the business's privacy practices or the business's
19 compliance with this article are informed of all requirements in this
20 article, and how to direct consumers to exercise their rights in this
21 article; and
22 (d) limit the use of any personal information collected from the
23 consumer in connection with a business's verification of the consumer's
24 request solely for the purposes of verification.
25 2. A business shall not be obligated to provide the information
26 required by sections six hundred seventy-six-d and six hundred seventy-
27 six-e of this article to the same consumer more than twice in a twelve
28 month period.
29 § 676-j. Exceptions. 1. The obligations imposed on businesses by this
30 article shall not restrict a business's or service provider's ability
31 to:
32 (a) comply with federal, state, or local laws;
33 (b) comply with a civil, criminal, or regulatory inquiry, investi-
34 gation, subpoena, or summons by federal, state, or local authorities;
35 (c) cooperate with law enforcement agencies concerning conduct or
36 activity that the business, service provider, or third party reasonably
37 and in good faith believes may violate federal, state, or local law;
38 (d) exercise or defend legal claims;
39 (e) collect, use, retain, sell, or disclose consumer information that
40 is de-identified or in the aggregate; or
41 (f) collect or sell a consumer's personal information if every aspect
42 of that commercial conduct takes place wholly outside of the state. For
43 purposes of this section, commercial conduct takes place wholly outside
44 of the state if the business collected information while the consumer
45 was outside of the state, no part of the sale of the consumer's personal
46 information occurred in the state, and no personal information collected
47 while the consumer was in the state is sold. This paragraph shall not
48 permit a business from storing, including on a device, personal informa-
49 tion about a consumer when such consumer is in the state and then
50 collecting such personal information when such consumer and stored
51 personal information is outside of the state.
52 2. Nothing in this article shall require a business to violate an
53 evidentiary privilege under state or federal law or prevent a business
54 from providing the personal information of a consumer who is covered by
55 an evidentiary privilege under state or federal law as part of a privi-
56 leged communication.
A. 3586 12
1 3. This article shall not apply to any of the following:
2 (a) medical information governed by part 2.6 of the Confidentiality of
3 Medical Information Act or protected health information that is
4 collected by a covered entity or business associate governed by the
5 privacy, security, and breach notification rules issued or established
6 by the United States department of health and human services, 45 C.F.R.
7 parts 160 and 164, the Health Insurance Portability and Accountability
8 Act of 1996, or the Health Information Technology for Economic and Clin-
9 ical Health Act;
10 (b) a provider of health care governed by part 2.6 of the Confiden-
11 tiality of Medical Information Act or a covered entity governed by the
12 privacy, security, and breach notification rules issued or established
13 by the United States department of health and human services, 45 C.F.R.
14 parts 160 and 164, or the Health Insurance Portability and Accountabil-
15 ity Act of 1996, to the extent the provider or covered entity maintains
16 patient information in the same manner as medical information or
17 protected health information as described in paragraph (a) of this
18 subdivision;
19 (c) information collected as part of a clinical trial subject to the
20 Federal Policy for the Protection of Human Subjects, also known as the
21 "Common Rule", pursuant to good clinical practice guidelines issued by
22 the International Council for Harmonization or pursuant to human subject
23 protection requirements of the United States Food and Drug Adminis-
24 tration;
25 (d) the sale of personal information to or from a consumer reporting
26 agency if such information is to be reported in, or used to generate, a
27 consumer report as defined in section three hundred eighty-a of this
28 chapter and use of that information is limited by the federal Fair Cred-
29 it Reporting Act, 15 USC 1681;
30 (e) personal information collected, processed, sold, or disclosed
31 pursuant to the federal Gramm-Leach-Bliley Act or any financial privacy
32 laws or regulations of the state of New York, and implementing regu-
33 lations, if it is in conflict with such law; or
34 (f) personal information collected, processed, sold, or disclosed
35 pursuant to the Driver's Privacy Protection Act of 1994, if it is in
36 conflict with such act.
37 4. Notwithstanding a business' obligations to respond to and honor
38 consumer rights requests pursuant to sections six hundred seventy-six-c,
39 six hundred seventy-six-d, and six hundred seventy-six-e of this arti-
40 cle:
41 (a) the time period for a business to respond to any verified consumer
42 request may be extended by up to ninety additional days where necessary,
43 taking into account the complexity and number of the requests. A busi-
44 ness shall inform the consumer of any such extension within forty-five
45 days of receipt of the request, together with the reasons for the delay;
46 (b) if a business does not take action on the request of the consumer,
47 such business shall inform the consumer, without delay and at the latest
48 within the time period permitted of response by this section, of the
49 reasons for not taking action and any rights the consumer may have to
50 appeal the decision to the business; and
51 (c) if requests from a consumer are manifestly unfounded or excessive,
52 in particular because of their repetitive character, a business may
53 either charge a reasonable fee, taking into account the administrative
54 costs of providing the information or communication or taking the action
55 requested, or refuse to act on the request and notify the consumer of
56 the reason for refusing the request. Such business shall bear the burden
A. 3586 13
1 of demonstrating that any verified consumer request is manifestly
2 unfounded or excessive.
3 5. A business that discloses personal information to a service provid-
4 er shall not be liable under this article if the service provider
5 receiving the personal information uses it in violation of the
6 restrictions set forth in this article, provided that, at the time of
7 disclosing the personal information, such business does not have actual
8 knowledge, or reason to believe, that the service provider intends to
9 commit such a violation. A service provider shall not be liable under
10 this article for the obligations of a business for which it provides
11 services as set forth in this article.
12 6. This article shall not be construed to: (a) require a business to
13 collect or retain personal information about a consumer longer than it
14 would be retained such information in the ordinary course of business;
15 or
16 (b) require a business to re-identify or otherwise link information
17 that is not maintained in a manner that would be considered personal
18 information.
19 7. The rights afforded to consumers and the obligations imposed on a
20 business pursuant to this article shall not adversely affect the rights
21 and freedoms of other consumers.
22 8. The rights afforded to consumers and the obligations imposed on any
23 business pursuant to this article shall not apply to the extent that
24 they infringe on the noncommercial activities of a publisher, editor,
25 reporter, or other person connected with or employed upon a newspaper,
26 magazine, or other periodical publication, or by a press association or
27 wire service.
28 § 676-k. Consumer's private right of action. 1. A consumer who has
29 suffered a violation of this article may bring a lawsuit against the
30 business that committed such violation. A violation of this article
31 shall be deemed to constitute an injury in fact to the consumer who has
32 suffered such violation, and the consumer need not suffer monetary or
33 property loss as a result of such violation in order to bring an action
34 for a violation of this article.
35 2. A consumer who prevails in such an action shall obtain the follow-
36 ing remedies:
37 (a) damages in an amount not to exceed seven hundred fifty dollars per
38 consumer per violation or actual damages, whichever is greater;
39 (b) injunctive or declaratory relief, as the court deems proper;
40 (c) reasonable attorney fees and costs; and
41 (d) any other relief the court deems proper.
42 3. In assessing the amount of statutory damages, the court shall
43 consider any one or more of the relevant circumstances presented by any
44 of the parties to the case, including, but not limited to, the nature
45 and seriousness of the misconduct, the number of violations, the
46 persistence of the misconduct, the length of time over which the miscon-
47 duct occurred, the willfulness of the defendant's misconduct, and the
48 defendant's assets, liabilities, and net worth.
49 4. A consumer bringing an action pursuant to this section shall notify
50 the attorney general within thirty days of the filing of such action.
51 § 676-l. Agency enforcement action. 1. The attorney general, county
52 district attorney, or city corporation counsel having proper jurisdic-
53 tion may bring a civil action in the name of the people of the state of
54 New York against any person, business, or service provider who violates
55 any provision of this article.
A. 3586 14
1 2. Any person, business, or service provider who violates the
2 provisions of this article may be liable for a civil penalty of up to
3 seven thousand five hundred dollars for each intentional violation and
4 of up to two thousand five hundred dollars for each unintentional
5 violation.
6 § 676-m. Construction. This article is intended to further the consti-
7 tutional right of privacy and to supplement existing laws relating to
8 consumers' personal information. The provisions of this article are not
9 limited to information collected electronically or over the internet,
10 but shall apply to the collection and sale of all personal information
11 collected by a business from consumers. Wherever possible, law relating
12 to consumers' personal information should be construed to harmonize with
13 the provisions of this article, but in the event of a conflict between
14 other laws and the provisions of this article, the provisions of the law
15 that afford the greatest protection for the right of privacy for consum-
16 ers shall control.
17 § 676-n. Attorney general regulations. 1. Within one year of the
18 effective date of this article, the attorney general shall adopt regu-
19 lations to further the purposes of this article, including, but not
20 limited to:
21 (a) detailing as needed the types of information that are personal
22 information in technology, data collection practices, obstacles to
23 implementation, and privacy concerns;
24 (b) establishing any exceptions necessary to comply with state or
25 federal law, including, but not limited to, those relating to trade
26 secrets and intellectual property rights;
27 (c) facilitating and governing the submission of a request by a
28 consumer to opt out of the sale of personal information pursuant to
29 section six hundred seventy-six-f of this article;
30 (d) governing business compliance with a consumer's opt-out request;
31 (e) developing a recognizable and uniform opt-out logo or button by
32 all businesses to promote consumer awareness of the opportunity to opt-
33 out of the sale of personal information;
34 (f) adjusting the monetary threshold in clause one of subparagraph (i)
35 of paragraph (c) of subdivision one of section six hundred seventy-six
36 of this article in January of every odd-numbered year to reflect any
37 increase in the consumer price index;
38 (g) establishing rules, procedures, and any exceptions necessary to
39 ensure that the notices and information that businesses are required to
40 provide pursuant to this article are provided in a manner that may be
41 easily understood by the average consumer, are accessible to consumers
42 with disabilities, and are available in the language primarily used to
43 interact with the consumer, including establishing rules and guidelines
44 regarding financial incentive offerings; and
45 (h) establishing rules and procedures to further the purposes of
46 sections six hundred seventy-six-d and six hundred seventy-six-e of this
47 article and to facilitate a consumer's or the consumer's authorized
48 agent's ability to obtain information pursuant to section six hundred
49 seventy-six-i of this article, with the goal of minimizing the adminis-
50 trative burden on consumers, taking into account available technology,
51 security concerns, and the burden on the business, to govern a business'
52 determination that a request for information received by a consumer is a
53 verifiable consumer request, including treating a request submitted
54 through a password-protected account maintained by the consumer with the
55 business while the consumer is logged into the account as a verifiable
56 consumer request and providing a mechanism for a consumer who does not
A. 3586 15
1 maintain an account with the business to request information through the
2 business' authentication of the consumer's identity.
3 2. The attorney general may update the foregoing regulations, and
4 adopt additional regulations, as necessary to further the purposes of
5 this article.
6 3. Before adopting any regulations, the attorney general shall solicit
7 broad public participation concerning those regulations.
8 § 676-o. Intermediate transactions. If a series of steps or trans-
9 actions were component parts of a single transaction intended from the
10 beginning to be taken with the intention of avoiding the reach of this
11 article, a court shall disregard the intermediate steps or transactions
12 for purposes of effectuating the purposes of this article.
13 § 676-p. Non-waiver. Any provision of a contract or agreement of any
14 kind that purports to waive or limit in any way a consumer's rights
15 under this article, including, but not limited to, any right to a remedy
16 or means of enforcement, shall be deemed contrary to public policy and
17 shall be void and unenforceable. This section shall not prevent a
18 consumer from declining to request information from a business, declin-
19 ing to opt out of a business' sale of the consumer's personal informa-
20 tion, or authorizing a business to sell the consumer's personal informa-
21 tion after previously opting out.
22 § 676-q. Severability. If any provision of this article or the appli-
23 cation thereof to any person, business, service provider, or circum-
24 stances is held invalid, such invalidity shall not affect other
25 provisions or applications of this article which can be given effect
26 without the invalid provision or application, and to this end the
27 provisions of this article are declared to be severable.
28 § 5. This act shall take effect one year after it shall have become a
29 law.