A03586 Summary:

BILL NO: A03586

SAME AS: S04021

SPONSOR: Kim (MS)

COSPNSR: Dickens, Cook, Hyndman, Colton, Sayegh, Gunther, Montesano, Englebright, Niou, Rivera J

MLTSPNSR: De La Rosa

Amd §§50 & 51, Civ Rts L; add Art 32-A §§676 - 676-q, Gen Bus L
 
Establishes the "It's Your Data Act" for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.

A03586 Actions:

BILL NO: A03586

01/28/2021  referred to consumer affairs and protection
01/05/2022  referred to consumer affairs and protection

A03586 Text:

                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          3586
 
                               2021-2022 Regular Sessions
 
                   IN ASSEMBLY
 
                                    January 28, 2021
                                       ___________
 
        Introduced  by  M.  of  A.  KIM, DICKENS, COOK, HYNDMAN, COLTON, SAYEGH,
          GUNTHER, MONTESANO, ENGLEBRIGHT, NIOU, J. RIVERA -- Multi-Sponsored by
          -- M. of A. DE LA ROSA -- read once and referred to the  Committee  on
          Consumer Affairs and Protection
 
        AN  ACT  to  amend the civil rights law and the general business law, in
          relation to establishing the "It's Your Data Act"
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section  1. This act shall be known and may be cited as the "It's Your
     2  Data Act".
     3    § 2. Section 50 of the civil rights law is amended to read as follows:
     4    § 50. Right of privacy. A person, firm or corporation  that  collects,
     5  stores, and/or uses for the purpose of advertising [purposes, or for the
     6  purposes  of],  trade, data-mining, or generating commercial or economic
     7  value, the name, portrait [or], picture, video, voice, likeness, and all
     8  other personal data, biometric data, and location  data  of  any  living
     9  person without having first obtained the written consent of such person,
    10  or  if  a minor of his or her parent or guardian, or, if such consent is
    11  obtained, subsequently fails to exercise reasonable care consistent with
    12  its obligations as bailee of that individual's name, portrait,  picture,
    13  video, voice, likeness, and all other personal data, biometric data, and
    14  location data, is guilty of a misdemeanor.
    15    §  3. Section 51 of the civil rights law, as amended by chapter 674 of
    16  the laws of 1995, is amended to read as follows:
    17    § 51. Action for injunction and for damages. Any person  [whose  name,
    18  portrait,  picture  or  voice  is used within this state for advertising
    19  purposes or for the purposes of trade without the written consent], firm
    20  or corporation that collects, stores, and/or uses  for  the  purpose  of
    21  advertising,  trade,  data-mining,  or generating commercial or economic
    22  value, name, portrait, picture, video, voice, likeness,  and  all  other
    23  personal  data,  biometric  data, and location data of any living person
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD06064-01-1

        A. 3586                             2
 
     1  without having first obtained the written consent of such person, or  if
     2  a  minor  of  his  or  her  parent or guardian, or, when such consent is
     3  obtained, subsequently fails to exercise reasonable care consistent with
     4  its  obligations as bailee of that individual's name, portrait, picture,
     5  video, voice, likeness, and all other personal data, biometric data, and
     6  location data first obtained as above provided may maintain an equitable
     7  action in the supreme court of this state against the  person,  firm  or
     8  corporation  so  using  his  or her name, portrait, picture [or], video,
     9  voice, likeness, and  all  other  personal  data,  biometric  data,  and
    10  location  data to prevent and restrain the use thereof; and may also sue
    11  and recover damages for any injuries sustained by reason of such use and
    12  if the defendant shall have knowingly used such person's name, portrait,
    13  picture [or], video, voice, likeness, and all other personal data, biom-
    14  etric data, and location data in such manner as is forbidden or declared
    15  to be unlawful by section fifty  of  this  article,  the  jury,  in  its
    16  discretion,  may  award exemplary damages. But nothing contained in this
    17  article shall be so construed as to prevent any person, firm  or  corpo-
    18  ration  from  selling  or otherwise transferring any material containing
    19  such name, portrait, picture [or], video, voice, likeness, and all other
    20  personal data, biometric data, and location data in whatever  medium  to
    21  any  user  of such name, portrait, picture [or], video, voice, likeness,
    22  and all other personal data, biometric data, and location data or to any
    23  third party [for sale] or transfer directly  or  indirectly  to  such  a
    24  user,  for  use, provided that the transferring party undertakes reason-
    25  able steps to ensure that any such use is consistent with the selling or
    26  transferring party's obligations as bailee of  that  individual's  name,
    27  portrait,  picture, video, voice, likeness, and all other personal data,
    28  biometric data, and location data and use in a manner lawful under  this
    29  article;  nothing  contained in this article shall be so construed as to
    30  prevent any person, firm or corporation, practicing  the  profession  of
    31  photography, from exhibiting in or about his or its establishment speci-
    32  mens  of the work of such establishment, unless the same is continued by
    33  such person, firm or corporation after written notice objecting  thereto
    34  has  been  given  by the person portrayed; and nothing contained in this
    35  article shall be so construed as to prevent any person, firm  or  corpo-
    36  ration  from using the name, portrait, picture [or], video, voice, like-
    37  ness, and all other personal data, biometric data, and location data  of
    38  any  manufacturer  or  dealer  in  connection  with the goods, wares and
    39  merchandise manufactured, produced or dealt in by him or her which he or
    40  she has sold or disposed of with  such  name,  portrait,  picture  [or],
    41  video, voice, likeness, and all other personal data, biometric data, and
    42  location  data  used  in  connection  therewith; or from using the name,
    43  portrait, picture [or], video, voice, likeness, and all  other  personal
    44  data,  biometric  data,  and  location  data  of any author, composer or
    45  artist in connection with his  or  her  literary,  musical  or  artistic
    46  productions  which  he  or  she  has sold or disposed of with such name,
    47  portrait, picture [or], video, voice, likeness, and all  other  personal
    48  data,  biometric  data,  and location data used in connection therewith.
    49  Nothing contained in this section shall be  construed  to  prohibit  the
    50  copyright  owner  of  a  sound  recording from disposing of, dealing in,
    51  licensing or selling that sound recording to any party, if the right  to
    52  dispose  of,  deal  in,  license  or  sell such sound recording has been
    53  conferred by contract or other written document by such living person or
    54  the holder of such right. Nothing contained in  the  foregoing  sentence
    55  shall  be  deemed  to abrogate or otherwise limit any rights or remedies
    56  otherwise conferred by federal law or state law.

        A. 3586                             3
 
     1    § 4. The general business law is amended by adding a new article  32-A
     2  to read as follows:
     3                                ARTICLE 32-A
     4                             IT'S YOUR DATA ACT
     5  Section 676.   Definitions.
     6          676-a. Transparency of the collection, use, retention, and shar-
     7                   ing of personal information.
     8          676-b. Fair collection and use of personal information.
     9          676-c. Deletion of personal information.
    10          676-d. Access to retained personal information.
    11          676-e. Access to disclosure of personal information.
    12          676-f. Consent  to  additional collection or sharing of personal
    13                   information.
    14          676-g. No discrimination by a business against  a  consumer  for
    15                   exercise of rights.
    16          676-h. Reasonable security.
    17          676-i. Business implementation of duties.
    18          676-j. Exceptions.
    19          676-k. Consumer's private right of action.
    20          676-l. Agency enforcement action.
    21          676-m. Construction.
    22          676-n. Attorney general regulations.
    23          676-o. Intermediate transactions.
    24          676-p. Non-waiver.
    25          676-q. Severability.
    26    § 676. Definitions. 1. For the purposes of this article:
    27    (a) "Aggregate consumer information" means information that relates to
    28  a  group  of  consumers,  from which individual consumer identities have
    29  been removed, that is not linked or reasonably linkable to any  consumer
    30  or  household,  including  via a device.  Aggregate consumer information
    31  does not mean one or more individual consumer  records  that  have  been
    32  de-identified.
    33    (b)  "Biometric  information"  means  an  individual's  physiological,
    34  biological or behavioral characteristics or an electronic representation
    35  of such, including an individual's deoxyribonucleic acid (DNA), that can
    36  be used, singly or in combination with each other or with other  identi-
    37  fying  data,  to  establish individual identity.   Biometric information
    38  includes, but is not limited to, imagery of the  iris,  retina,  finger-
    39  print, face, hand, palm, vein patterns, and voice recordings, from which
    40  an  identifier  template, such as a faceprint, a minutiae template, or a
    41  voiceprint, can be extracted, and keystroke patterns  or  rhythms,  gait
    42  patterns  or  rhythms,  and sleep, health, or exercise data that contain
    43  identifying information.
    44    (c) "Business" means:
    45    (i) A sole proprietorship,  partnership,  limited  liability  company,
    46  corporation,  association,  or  other  legal entity that is organized or
    47  operated for the profit or financial  benefit  of  its  shareholders  or
    48  other  owners,  that collects consumers' personal information, or on the
    49  behalf of which such information is collected and that alone, or jointly
    50  with others, determines the purposes and  means  of  the  processing  of
    51  consumers'  personal information, that does business in the state of New
    52  York, and that satisfies one or more of the following thresholds:
    53    (1) has annual gross revenues in excess of fifty million  dollars,  as
    54  adjusted  pursuant  to  paragraph  (f) of subdivision one of section six
    55  hundred seventy-six-n of this article;

        A. 3586                             4

     1    (2) alone or in combination, annually buys, receives for the business'
     2  commercial purposes, sells, or discloses for commercial purposes,  alone
     3  or  in  combination,  the personal information of fifty thousand or more
     4  consumers, households, or devices; or
     5    (3)  derives fifty percent or more of its annual revenues from selling
     6  consumers' personal information; and
     7    (ii) Any entity that controls or  is  controlled  by  a  business,  as
     8  defined  in  subparagraph  (i) of this paragraph, and that shares common
     9  branding with such business.
    10    (d) "Control" or "controlled" means ownership  of,  or  the  power  to
    11  vote,  more than fifty percent of the outstanding shares of any class of
    12  voting security of a business; control in any manner over  the  election
    13  of  a  majority  of  the directors, or of individuals exercising similar
    14  functions; or the power to exercise a  controlling  influence  over  the
    15  management of a business.
    16    (e) "Common branding" means a shared name, servicemark, or trademark.
    17    (f)  "Operational  purpose" means the use of personal information when
    18  reasonably necessary and proportionate to achieve one of  the  following
    19  operational purposes:
    20    (i)  auditing  related  to a current interaction with the consumer and
    21  concurrent transactions, including, but  not  limited  to,  counting  ad
    22  impressions  to unique visitors, verifying positioning and quality of ad
    23  impressions, and auditing compliance with this paragraph and other stan-
    24  dards;
    25    (ii)  detecting  and  responding  to  security  incidents,  protecting
    26  against malicious, deceptive, fraudulent, or illegal activity, and pros-
    27  ecuting those responsible for that activity;
    28    (iii)  debugging  to  identify  and repair errors that impair existing
    29  intended functionality;
    30    (iv) short-term, transient use, provided the personal  information  is
    31  not  disclosed to another third party and is not used to build a profile
    32  about a consumer or otherwise alter an individual consumer's  experience
    33  outside  the  current  interaction,  including,  but not limited to, the
    34  contextual customization of ads shown as part of the same interaction;
    35    (v) performing or providing services on  behalf  of  the  business  or
    36  service  provider,  including maintaining or servicing accounts, billing
    37  or collecting for requested products  or  services,  providing  customer
    38  service,  processing  or  fulfilling  orders and transactions, verifying
    39  customer information, processing payments, providing financing,  provid-
    40  ing  advertising  or marketing services, providing analytic services, or
    41  providing similar services on behalf of the business or service  provid-
    42  er;
    43    (vi)  undertaking  internal research for technological development and
    44  demonstration;
    45    (vii) undertaking activities to verify  or  maintain  the  quality  or
    46  safety  of a service or device that is owned, manufactured, manufactured
    47  for, or controlled by the business, or to improve, upgrade,  or  enhance
    48  the  service or device that is owned, manufactured, manufactured for, or
    49  controlled by the business;
    50    (viii) customization of content; or
    51    (ix) customization of advertising or marketing.
    52    (g) "Collects," "collected," or "collection"  means  buying,  renting,
    53  gathering,  obtaining,  receiving, or accessing any personal information
    54  pertaining to a consumer by any means. This shall include, but shall not
    55  be limited to, receiving information from the consumer, either  actively
    56  or passively, or by observing the consumer's behavior.

        A. 3586                             5
 
     1    (h)  "Commercial  purposes"  means to advance a person's commercial or
     2  economic interests, such as by inducing another  person  to  buy,  rent,
     3  lease, join, subscribe to, provide, or exchange products, goods, proper-
     4  ty,  information,  or  services,  or  enabling or effecting, directly or
     5  indirectly,  a  commercial  transaction.  Commercial  purposes shall not
     6  include engaging in speech that state or federal courts have  recognized
     7  as noncommercial speech, including, but not limited to, political speech
     8  and journalism.
     9    (i)  "Consumer"  means a natural person who is a resident of the state
    10  of New York.
    11    (j) "De-identified" means information that cannot reasonably identify,
    12  relate to, describe, be capable of being associated with, or be  linked,
    13  directly  or indirectly, to a particular consumer, provided that a busi-
    14  ness that uses de-identified information:
    15    (i) takes reasonable measures to ensure that the  data  is  de-identi-
    16  fied;
    17    (ii)  publicly commits to maintain and use the data in a de-identified
    18  fashion and not to attempt to re-identify the data; and
    19    (iii) contractually prohibits downstream recipients from attempting to
    20  re-identify the data.
    21    (k) "Designated methods  for  submitting  requests"  means  a  mailing
    22  address,  email  address,  internet web page, internet web portal, toll-
    23  free telephone number, or other applicable contact information,  whereby
    24  consumers  may submit a request under this article, and any new, consum-
    25  er-friendly means of contacting a business, as approved by the  attorney
    26  general pursuant to section six hundred seventy-six-n of this article.
    27    (l)  "Device"  means any physical object that is capable of connecting
    28  to the internet, directly or indirectly, or to another device.
    29    (m) "Health insurance information" means a consumer's insurance policy
    30  number or subscriber identification number, any unique  identifier  used
    31  by  a health insurer to identify the consumer, or any information in the
    32  consumer's  application  and  claims  history,  including  any   appeals
    33  records,  if  the  information  is  linked  or  reasonably linkable to a
    34  consumer or household, including via a device, by a business or  service
    35  provider.
    36    (n)  "Infer" or "inference" means the derivation of information, data,
    37  assumptions, or conclusions from facts, evidence, or another  source  of
    38  information or data.
    39    (o)  "Person"  means an individual, proprietorship, firm, partnership,
    40  joint venture, syndicate, business trust, company, corporation,  limited
    41  liability company, association, committee, and any other organization or
    42  group of persons acting in concert.
    43    (p)  "Personal information" means information that identifies or could
    44  reasonably be linked, directly or indirectly, with a particular  consum-
    45  er,  household,  or  consumer  device.    Personal information shall not
    46  include publicly available information, information that  is  de-identi-
    47  fied, or aggregate consumer information.
    48    (q)  "Publicly  available"  means  information  that  is lawfully made
    49  available from federal, state, or  local  government  records.  Publicly
    50  available  does  not  mean  information  collected by a business about a
    51  consumer without the consumer's knowledge.
    52    (r) "Service" or "services" means work, labor, and services, including
    53  services furnished in connection with the production, sale or repair  of
    54  goods.
    55    (s)  "Service provider" means an individual sole proprietorship, part-
    56  nership, limited liability company, corporation, association,  or  other

        A. 3586                             6
 
     1  legal  entity  that is organized or operated for the profit or financial
     2  benefit of its shareholders or other owners, that processes  information
     3  on  behalf  of a business and to which such business discloses a consum-
     4  er's personal information for an operational purpose pursuant to a writ-
     5  ten  or  electronic  contract,  provided that the contract prohibits the
     6  entity receiving the information from retaining,  using,  or  disclosing
     7  the  personal  information  for  any purpose other than for the specific
     8  purpose of performing the services specified in the  contract  for  such
     9  business,  or as otherwise permitted by this article, including a prohi-
    10  bition on retaining, using, or disclosing the personal information for a
    11  commercial purpose other than providing the services  specified  in  the
    12  contract with such business.
    13    (t)  "Verifiable  consumer  request" means a request that is made by a
    14  consumer, by a consumer on behalf of the consumer's minor child, or by a
    15  natural person or a person  registered  with  the  secretary  of  state,
    16  authorized by the consumer to act on the consumer's behalf, and that the
    17  business  can  reasonably  verify.  A business shall not be obligated to
    18  provide any personal information to a consumer if such  business  cannot
    19  verify  that  the consumer making the request is the consumer about whom
    20  such business has collected personal information or is a person  author-
    21  ized by the consumer to act on such consumer's behalf.
    22    (u)  "Third  party"  means a person or business that is not any of the
    23  following:
    24    (i) the business that collects  personal  information  from  consumers
    25  under this article; or
    26    (ii)  a  person  to  whom the business discloses a consumer's personal
    27  information for an operational purpose pursuant to a  written  contract,
    28  provided that the contract:
    29    (1) prohibits the person receiving the personal information from:
    30    (A) selling the personal information;
    31    (B)  retaining,  using, or disclosing the personal information for any
    32  purpose other than for the specific purpose of performing  the  services
    33  specified in the contract, including retaining, using, or disclosing the
    34  personal  information  for a commercial purpose other than providing the
    35  services specified in the contract; and
    36    (C) retaining, using, or disclosing the  information  outside  of  the
    37  direct business relationship between the person and the business; and
    38    (2) includes a certification made by the person receiving the personal
    39  information  that  the person understands the restrictions in clause one
    40  of this paragraph and will comply with such restrictions.
    41    2. For references to a category or categories of personal  information
    42  required to be disclosed pursuant to this article:
    43    (a)  "Processing"  means  any  operation or set of operations that are
    44  performed on personal data or on sets of personal data, whether  or  not
    45  by automated means.
    46    (b)  "Research" means scientific and systematic study and observation,
    47  including basic research or applied  research  that  is  in  the  public
    48  interest  and  that  adheres  to all other applicable ethics and privacy
    49  laws or studies conducted in the public interest in the area  of  public
    50  health.  Research with personal information that may have been collected
    51  from a consumer in the course of  the  consumer's  interactions  with  a
    52  business' service or device for other purposes shall be:
    53    (i)  compatible  with  an  operational  purpose for which the personal
    54  information was collected;
    55    (ii) subsequently de-identified, or in the aggregate,  such  that  the
    56  information  cannot reasonably identify, relate to, describe, be capable

        A. 3586                             7
 
     1  of being associated with, or be linked, directly  or  indirectly,  to  a
     2  particular consumer;
     3    (iii)  made  subject to technical safeguards to prevent re-identifica-
     4  tion of the consumer to whom the information may pertain;
     5    (iv) subject to business processes that specifically prohibit re-iden-
     6  tification of the information;
     7    (v) made subject to business processes to prevent inadvertent  release
     8  of de-identified information;
     9    (vi) protected from any re-identification attempts;
    10    (vii)  used  solely for research purposes that are compatible with the
    11  context in which the personal information was collected;
    12    (viii) not be used for any commercial purpose; and
    13    (ix) subjected by the business conducting the research  to  additional
    14  security  controls  that limit access to the research data to only those
    15  individuals in a business as are necessary to  carry  out  the  research
    16  purpose.
    17    (c)  (i) "Sell," "selling," "sale," or "sold," means selling, renting,
    18  releasing, disclosing, disseminating, making available, transferring, or
    19  otherwise communicating orally, in writing, or by  electronic  or  other
    20  means,  a  consumer's  personal  information  by the business to another
    21  business or a third party for monetary or other valuable consideration.
    22    (ii) For purposes of this article, a business does not  sell  personal
    23  information when:
    24    (1)  a consumer uses or directs the business to intentionally disclose
    25  personal information or uses the business to intentionally interact with
    26  a third party, provided such third party does not also sell the personal
    27  information,  unless  such  disclosure  would  be  consistent  with  the
    28  provisions  of  this article. An intentional interaction occurs when the
    29  consumer intends to interact with the  third  party,  via  one  or  more
    30  deliberate  interactions.   Hovering over, muting, pausing, or closing a
    31  given piece of content shall  not  constitute  a  consumer's  intent  to
    32  interact with a third party;
    33    (2)  the  business  uses or discloses an identifier for a consumer who
    34  has opted out of the sale of the consumer's personal information for the
    35  purposes of alerting third parties that the consumer has  opted  out  of
    36  the sale of the consumer's personal information;
    37    (3)  the business uses or discloses personal information of a consumer
    38  with a service provider that is  necessary  to  perform  an  operational
    39  purpose and the business has provided notice that information being used
    40  or  disclosed  in  its  terms and conditions consistent with section six
    41  hundred seventy-six-i of this article; or
    42    (4) the business transfers to a third party the  personal  information
    43  of  a  consumer as an asset that is part of a merger, acquisition, bank-
    44  ruptcy, or other transaction in which the third party assumes control of
    45  all or part of the  business,  provided  that  information  is  used  or
    46  disclosed  consistently  with  this article. A third party may not mate-
    47  rially alter how it uses or discloses  the  personal  information  of  a
    48  consumer  in  a manner that is materially inconsistent with the promises
    49  made at the time of collection, unless it first obtains opt-in  consent,
    50  as set forth in this article.
    51    §  676-a.  Transparency of the collection, use, retention, and sharing
    52  of  personal  information.  Any  business  that  collects  a  consumer's
    53  personal  information  shall  disclose  the following information in its
    54  online privacy policy or policies, if the business has an online privacy
    55  policy, and update such information at least once every twelve months:

        A. 3586                             8
 
     1    1. a description of a  consumer's  rights  pursuant  to  sections  six
     2  hundred  seventy-six-b,  six hundred seventy-six-d, six hundred seventy-
     3  six-e, six hundred seventy-six-f and six hundred seventy-six-g  of  this
     4  article  and  one  or  more  designated  methods for submitting requests
     5  pursuant   to   sections   six   hundred   seventy-six-c,   six  hundred
     6  seventy-six-d, and six hundred seventy-six-e of this article;
     7    2. a description of the personal information  such  business  collects
     8  about consumers;
     9    3.  the  categories  of sources from which the personal information is
    10  collected;
    11    4. a description of the methods such business uses to collect personal
    12  information;
    13    5. the specific purposes  for  collecting,  disclosing,  or  retaining
    14  personal information;
    15    6.  a  description  of  the  personal  information  it discloses about
    16  consumers, or if the business  does  not  disclose  consumers'  personal
    17  information, the business shall disclose such fact;
    18    7.  the  categories  of  third  parties with whom such business shares
    19  personal information with, or if the business does not disclose  consum-
    20  ers'  personal information to third parties, the business shall disclose
    21  such fact;
    22    8. the categories of service providers with whom such business  shares
    23  personal  information with, or if the business does not disclose consum-
    24  ers' personal information  to  service  providers,  the  business  shall
    25  disclose such fact;
    26    9.  a description of the length of time for which personal information
    27  is retained; and
    28    10. if personal data is  de-identified  such  that  it  is  no  longer
    29  considered  personal  information  but  subsequently  retained, used, or
    30  shared by the business, a description of the method or methods of  de-i-
    31  dentification.
    32    §  676-b.  Fair collection and use of personal information. 1. Subject
    33  to section six hundred seventy-six-f of this  article  a  business  that
    34  collects  a  consumer's  personal information shall limit its collection
    35  and sharing of personal  information  with  third  parties  to  what  is
    36  reasonably  necessary to provide a service or conduct an activity that a
    37  consumer has requested or is reasonably necessary for security or  fraud
    38  prevention, and shall require any such third party to exercise care over
    39  the  consumer's  personal information consistent with the original busi-
    40  ness's obligations as bailee of such information.
    41    2. Subject to section six hundred seventy-six-f  of  this  article,  a
    42  business  that collects a consumer's personal information shall be obli-
    43  gated to exercise reasonable care with respect to the collection,  stor-
    44  age,  and  use of that information, consistent with its obligations as a
    45  bailee, and shall limit its use and retention of personal information to
    46  what is reasonably necessary to provide a service or conduct an activity
    47  that a consumer has requested or a related operational purpose, provided
    48  however that data collected or retained solely  for  security  or  fraud
    49  prevention may not be used for related operational purposes.
    50    §  676-c.  Deletion  of personal information. 1. A consumer shall have
    51  the right to request that a business  delete  any  personal  information
    52  about such consumer which the business has collected from the consumer.
    53    2. A business that collects personal information about consumers shall
    54  disclose,  pursuant  to  the  notice requirements of section six hundred
    55  seventy-six-i of this article, the  consumer's  rights  to  request  the
    56  deletion of the consumer's personal information.

        A. 3586                             9
 
     1    3.  A  business  that  receives  a  verifiable consumer request from a
     2  consumer to delete  the  consumer's  personal  information  pursuant  to
     3  subdivision  one  of  this  section shall delete the consumer's personal
     4  information from its records and direct any service providers to  delete
     5  the consumer's personal information from their records.
     6    4.  A  business  or a service provider shall not be required to comply
     7  with a consumer's request to delete the consumer's personal  information
     8  if:
     9    (a)  such  retention of personal information is reasonably anticipated
    10  within the context of a business's ongoing  business  relationship  with
    11  the consumer; or
    12    (b)  it  is necessary for the business or service provider to maintain
    13  the consumer's personal information in order to:
    14    (i) complete the transaction for which the  personal  information  was
    15  collected,  provide  a  good  or  service  requested by the consumer, or
    16  otherwise perform a contract between the business and the consumer;
    17    (ii) detect or respond to security incidents,  protect  against  mali-
    18  cious,  deceptive,  fraudulent,  or illegal activity, or prosecute those
    19  responsible for that activity;
    20    (iii) debug  to  identify  and  repair  errors  that  impair  existing
    21  intended functionality;
    22    (iv)  exercise  free  speech,  ensure the right of another consumer to
    23  exercise his or her right of free speech;
    24    (v) engage in  public  or  peer-reviewed  scientific,  historical,  or
    25  statistical  research  in  the public interest that adheres to all other
    26  applicable ethics and privacy laws, when the business's deletion of  the
    27  information is likely to  render  impossible  or  seriously  impair  the
    28  achievement  of  such  research,  if  the consumer has provided informed
    29  consent; or
    30    (vi) comply with a legal obligation.
    31    § 676-d. Access to retained personal information.  1.  If  a  business
    32  collects  personal information about a consumer, the consumer shall have
    33  the right to ask the business for the  following  information,  and  the
    34  business shall have the duty to provide it, promptly and free of charge,
    35  upon receipt of a verifiable request:
    36    (a)  the  specific  pieces  of  personal information that the business
    37  retains about that consumer;
    38    (b) the  specific  sources  from  which  the  business  collected  the
    39  personal information; and
    40    (c) its purpose for collecting the personal information.
    41    2.  When  a  business  receives  a  verifiable consumer request from a
    42  consumer for the specific pieces of  their  personal  information,  such
    43  business  shall  disclose  such  information in an electronic, portable,
    44  machine-readable, and readily-useable format or formats that  allow  the
    45  consumer to understand such information and to transmit such information
    46  to another entity without hindrance.
    47    §  676-e.  Access to disclosure of personal information. If a business
    48  discloses personal information about a consumer to a  third  party,  the
    49  consumer  shall have the right to request the following information from
    50  the business, and such business shall  have  the  duty  to  provide  it,
    51  promptly and free of charge, upon receipt of a verifiable request:
    52    1.  the categories of personal information that the business disclosed
    53  about the consumer, and the categories of  third  parties  to  whom  the
    54  personal  information was disclosed, by category of personal information
    55  for each category of third party; and

        A. 3586                            10
 
     1    2. the specific third parties to whom  the  personal  information  was
     2  disclosed.
     3    §  676-f.  Consent  to  additional  collection  or sharing of personal
     4  information. 1. Other than as described in section six hundred  seventy-
     5  six-b  of  this article, a business shall not collect or share a consum-
     6  er's personal information unless the consumer has affirmatively  author-
     7  ized  the  collection  or  disclosure.  This right to collect or share a
     8  consumer's personal information may be  referred  to  as  the  right  to
     9  "opt-in consent".
    10    2.  Any  personal  information  of a consumer collected or shared by a
    11  business upon the affirmative authorization of the consumer shall remain
    12  the property of such consumer, and the business  shall  be  required  to
    13  exercise  reasonable  care  in  the collection and sharing of such data,
    14  consistent with its obligations towards the consumer as bailee of his or
    15  her personal information.
    16    3. A business shall request a user's opt-in  consent  separately  from
    17  any  other  permission or consent, with the option to decline consent at
    18  least as prominent as the option to provide consent.
    19    4. If a consumer declines to  provide  their  opt-in  consent  to  the
    20  disclosure  of  their personal information, a business shall refrain for
    21  at least twelve months before again requesting that the consumer provide
    22  their opt-in consent to the disclosure of their personal information.
    23    5. A business may make available a setting or other user control  that
    24  the  consumer may affirmatively access in order to consent to additional
    25  data collection or sharing.
    26    6. A business that obtains a consumer's opt-in consent to  collect  or
    27  disclose  their  personal  information  pursuant  to  this section shall
    28  provide consumers the ability to withdraw such consent through a readily
    29  usable and automated means at any time.
    30    § 676-g. No discrimination by a business against a consumer for  exer-
    31  cise  of  rights.  A  business shall not discriminate against a consumer
    32  because the consumer exercised any of the consumer's rights  under  this
    33  article  or  does  not  provide consent to additional data collection or
    34  sharing under section six hundred seventy-six-f of this article  includ-
    35  ing, but not limited to, by:
    36    1. denying goods or services to the consumer;
    37    2. charging different prices or rates for goods or services, including
    38  through the use of discounts or other benefits or imposing penalties;
    39    3.  providing a different level or quality of goods or services to the
    40  consumer; or
    41    4. suggesting that the consumer will receive a different price or rate
    42  for goods or services or a  different  level  or  quality  of  goods  or
    43  services.
    44    §  676-h. Reasonable security. 1. A business or service provider shall
    45  implement and maintain reasonable  security  procedures  and  practices,
    46  including  administrative, physical, and technical safeguards, appropri-
    47  ate to the nature of the information and  the  purposes  for  which  the
    48  personal information will be used, to protect consumers' personal infor-
    49  mation  from  unauthorized  use,  disclosure,  access,  destruction,  or
    50  modification.
    51    2. A business or service provider may employ any lawful security meas-
    52  ures that allow it to comply with the requirements  set  forth  in  this
    53  section.
    54    § 676-i. Business implementation of duties. 1. A business shall:
    55    (a)  make  available  to  consumers two or more designated methods for
    56  submitting requests pursuant to sections six hundred seventy-six-c,  six

        A. 3586                            11
 
     1  hundred  seventy-six-d,  and  six hundred seventy-six-e of this article,
     2  including, at a minimum, a telephone number, and, if the business  main-
     3  tains an internet web site, a web site address;
     4    (b)  disclose  and deliver the required information to a consumer free
     5  of charge within forty-five days  of  receiving  a  verifiable  consumer
     6  request. A business shall take steps to determine whether the request is
     7  a  verifiable  consumer  request  from the identified consumer. The time
     8  period may be extended once by forty-five days  when  reasonably  neces-
     9  sary,  provided  the consumer is provided notice of the extension within
    10  the first forty-five day period. The disclosure shall cover  the  twelve
    11  month  period  preceding  the request. It shall be delivered through the
    12  consumer's account with the  business,  if  the  consumer  maintains  an
    13  account  with  the business, or by mail or electronically at the consum-
    14  er's option, if the consumer does not maintain an account with the busi-
    15  ness. The business shall not require the consumer to create  an  account
    16  with the business in order to make a verifiable request;
    17    (c)  ensure  that  all  individuals  responsible for handling consumer
    18  inquiries about the  business's  privacy  practices  or  the  business's
    19  compliance  with  this  article are informed of all requirements in this
    20  article, and how to direct consumers to exercise their  rights  in  this
    21  article; and
    22    (d)  limit  the  use  of  any  personal information collected from the
    23  consumer in connection with a business's verification of the  consumer's
    24  request solely for the purposes of verification.
    25    2.  A  business  shall  not  be  obligated  to provide the information
    26  required by sections six hundred seventy-six-d and six hundred  seventy-
    27  six-e  of  this article to the same consumer more than twice in a twelve
    28  month period.
    29    § 676-j. Exceptions. 1. The obligations imposed on businesses by  this
    30  article  shall  not  restrict a business's or service provider's ability
    31  to:
    32    (a) comply with federal, state, or local laws;
    33    (b) comply with a civil, criminal,  or  regulatory  inquiry,  investi-
    34  gation, subpoena, or summons by federal, state, or local authorities;
    35    (c)  cooperate  with  law  enforcement  agencies concerning conduct or
    36  activity that the business, service provider, or third party  reasonably
    37  and in good faith believes may violate federal, state, or local law;
    38    (d) exercise or defend legal claims;
    39    (e)  collect, use, retain, sell, or disclose consumer information that
    40  is de-identified or in the aggregate; or
    41    (f) collect or sell a consumer's personal information if every  aspect
    42  of  that commercial conduct takes place wholly outside of the state. For
    43  purposes of this section, commercial conduct takes place wholly  outside
    44  of  the  state  if the business collected information while the consumer
    45  was outside of the state, no part of the sale of the consumer's personal
    46  information occurred in the state, and no personal information collected
    47  while the consumer was in the state is sold. This  paragraph  shall  not
    48  permit a business to store, including on a device, personal  information
    49  about a consumer when such consumer is in the state and then collect such
    50  personal  information  when  such  consumer  and  stored
    51  personal information is outside of the state.
    52    2.  Nothing  in  this  article  shall require a business to violate an
    53  evidentiary privilege under state or federal law or prevent  a  business
    54  from  providing the personal information of a consumer who is covered by
    55  an evidentiary privilege under state or federal law as part of a  privi-
    56  leged communication.

        A. 3586                            12
 
     1    3. This article shall not apply to any of the following:
     2    (a) medical information governed by part 2.6 of the Confidentiality of
     3  Medical   Information  Act  or  protected  health  information  that  is
     4  collected by a covered entity or  business  associate  governed  by  the
     5  privacy,  security,  and breach notification rules issued or established
     6  by the United States department of health and human services, 45  C.F.R.
     7  parts  160  and 164, the Health Insurance Portability and Accountability
     8  Act of 1996, or the Health Information Technology for Economic and Clin-
     9  ical Health Act;
    10    (b) a provider of health care governed by part 2.6  of  the  Confiden-
    11  tiality  of  Medical Information Act or a covered entity governed by the
    12  privacy, security, and breach notification rules issued  or  established
    13  by  the United States department of health and human services, 45 C.F.R.
    14  parts 160 and 164, or the Health Insurance Portability and  Accountabil-
    15  ity  Act of 1996, to the extent the provider or covered entity maintains
    16  patient information  in  the  same  manner  as  medical  information  or
    17  protected  health  information  as  described  in  paragraph (a) of this
    18  subdivision;
    19    (c) information collected as part of a clinical trial subject  to  the
    20  Federal  Policy  for the Protection of Human Subjects, also known as the
    21  "Common Rule", pursuant to good clinical practice guidelines  issued  by
    22  the International Council for Harmonization or pursuant to human subject
    23  protection  requirements  of  the  United  States Food and Drug Adminis-
    24  tration;
    25    (d) the sale of personal information to or from a  consumer  reporting
    26  agency  if such information is to be reported in, or used to generate, a
    27  consumer report as defined in section three  hundred  eighty-a  of  this
    28  chapter and use of that information is limited by the federal Fair Cred-
    29  it Reporting Act, 15 USC 1681;
    30    (e)  personal  information  collected,  processed,  sold, or disclosed
    31  pursuant to the federal Gramm-Leach-Bliley Act or any financial  privacy
    32  laws  or  regulations  of  the state of New York, and implementing regu-
    33  lations, if it is in conflict with such law; or
    34    (f) personal information  collected,  processed,  sold,  or  disclosed
    35  pursuant  to  the  Driver's  Privacy Protection Act of 1994, if it is in
    36  conflict with such act.
    37    4. Notwithstanding a business' obligations to  respond  to  and  honor
    38  consumer rights requests pursuant to sections six hundred seventy-six-c,
    39  six  hundred  seventy-six-d, and six hundred seventy-six-e of this arti-
    40  cle:
    41    (a) the time period for a business to respond to any verified consumer
    42  request may be extended by up to ninety additional days where necessary,
    43  taking into account the complexity and number of the requests.  A  busi-
    44  ness  shall  inform the consumer of any such extension within forty-five
    45  days of receipt of the request, together with the reasons for the delay;
    46    (b) if a business does not take action on the request of the consumer,
    47  such business shall inform the consumer, without delay and at the latest
    48  within the time period permitted for response by this  section,  of  the
    49  reasons  for  not  taking action and any rights the consumer may have to
    50  appeal the decision to the business; and
    51    (c) if requests from a consumer are manifestly unfounded or excessive,
    52  in particular because of their  repetitive  character,  a  business  may
    53  either  charge  a reasonable fee, taking into account the administrative
    54  costs of providing the information or communication or taking the action
    55  requested, or refuse to act on the request and notify  the  consumer  of
    56  the reason for refusing the request. Such business shall bear the burden

        A. 3586                            13
 
     1  of  demonstrating  that  any  verified  consumer  request  is manifestly
     2  unfounded or excessive.
     3    5. A business that discloses personal information to a service provid-
     4  er  shall  not  be  liable  under  this  article if the service provider
     5  receiving  the  personal  information  uses  it  in  violation  of   the
     6  restrictions  set  forth  in this article, provided that, at the time of
     7  disclosing the personal information, such business does not have  actual
     8  knowledge,  or  reason  to believe, that the service provider intends to
     9  commit such a violation. A service provider shall not  be  liable  under
    10  this  article  for  the  obligations of a business for which it provides
    11  services as set forth in this article.
    12    6. This article shall not be construed to: (a) require a  business  to
    13  collect  or  retain personal information about a consumer longer than it
    14  would retain such information in the ordinary  course  of  business;
    15  or
    16    (b)  require  a  business to re-identify or otherwise link information
    17  that is not maintained in a manner that  would  be  considered  personal
    18  information.
    19    7.  The  rights afforded to consumers and the obligations imposed on a
    20  business pursuant to this article shall not adversely affect the  rights
    21  and freedoms of other consumers.
    22    8. The rights afforded to consumers and the obligations imposed on any
    23  business  pursuant  to  this  article shall not apply to the extent that
    24  they infringe on the noncommercial activities of  a  publisher,  editor,
    25  reporter,  or  other person connected with or employed upon a newspaper,
    26  magazine, or other periodical publication, or by a press association  or
    27  wire service.
    28    §  676-k.  Consumer's  private  right of action. 1. A consumer who has
    29  suffered a violation of this article may bring  a  lawsuit  against  the
    30  business  that  committed  such  violation.  A violation of this article
    31  shall be deemed to constitute an injury in fact to the consumer who  has
    32  suffered  such  violation,  and the consumer need not suffer monetary or
    33  property loss as a result of such violation in order to bring an  action
    34  for a violation of this article.
    35    2.  A consumer who prevails in such an action shall obtain the follow-
    36  ing remedies:
    37    (a) damages in an amount not to exceed seven hundred fifty dollars per
    38  consumer per violation or actual damages, whichever is greater;
    39    (b) injunctive or declaratory relief, as the court deems proper;
    40    (c) reasonable attorney fees and costs; and
    41    (d) any other relief the court deems proper.
    42    3. In assessing the amount  of  statutory  damages,  the  court  shall
    43  consider  any one or more of the relevant circumstances presented by any
    44  of the parties to the case, including, but not limited  to,  the  nature
    45  and  seriousness  of  the  misconduct,  the  number  of  violations, the
    46  persistence of the misconduct, the length of time over which the miscon-
    47  duct occurred, the willfulness of the defendant's  misconduct,  and  the
    48  defendant's assets, liabilities, and net worth.
    49    4. A consumer bringing an action pursuant to this section shall notify
    50  the attorney general within thirty days of the filing of such action.
    51    §  676-l.  Agency  enforcement action. 1. The attorney general, county
    52  district attorney, or city corporation counsel having  proper  jurisdic-
    53  tion  may bring a civil action in the name of the people of the state of
    54  New York against any person, business, or service provider who  violates
    55  any provision of this article.

        A. 3586                            14
 
     1    2.  Any  person,  business,  or  service  provider  who  violates  the
     2  provisions of this article may be liable for a civil penalty  of  up  to
     3  seven  thousand  five hundred dollars for each intentional violation and
     4  of up to two  thousand  five  hundred  dollars  for  each  unintentional
     5  violation.
     6    § 676-m. Construction. This article is intended to further the consti-
     7  tutional  right  of  privacy and to supplement existing laws relating to
     8  consumers' personal information. The provisions of this article are  not
     9  limited  to  information  collected electronically or over the internet,
    10  but shall apply to the collection and sale of all  personal  information
    11  collected  by a business from consumers. Wherever possible, law relating
    12  to consumers' personal information should be construed to harmonize with
    13  the provisions of this article, but in the event of a  conflict  between
    14  other laws and the provisions of this article, the provisions of the law
    15  that afford the greatest protection for the right of privacy for consum-
    16  ers shall control.
    17    §  676-n.  Attorney  general  regulations.  1.  Within one year of the
    18  effective date of this article, the attorney general shall  adopt  regu-
    19  lations  to  further  the  purposes  of this article, including, but not
    20  limited to:
    21    (a) detailing as needed the types of  information  that  are  personal
    22  information  in  technology,  data  collection  practices,  obstacles to
    23  implementation, and privacy concerns;
    24    (b) establishing any exceptions necessary  to  comply  with  state  or
    25  federal  law,  including,  but  not  limited to, those relating to trade
    26  secrets and intellectual property rights;
    27    (c) facilitating and governing  the  submission  of  a  request  by  a
    28  consumer  to  opt  out  of  the sale of personal information pursuant to
    29  section six hundred seventy-six-f of this article;
    30    (d) governing business compliance with a consumer's opt-out request;
    31    (e) developing a recognizable and uniform opt-out logo  or  button  by
    32  all  businesses to promote consumer awareness of the opportunity to opt-
    33  out of the sale of personal information;
    34    (f) adjusting the monetary threshold in clause one of subparagraph (i)
    35  of paragraph (c) of subdivision one of section six  hundred  seventy-six
    36  of  this  article  in  January of every odd-numbered year to reflect any
    37  increase in the consumer price index;
    38    (g) establishing rules, procedures, and any  exceptions  necessary  to
    39  ensure  that the notices and information that businesses are required to
    40  provide pursuant to this article are provided in a manner  that  may  be
    41  easily  understood  by the average consumer, are accessible to consumers
    42  with disabilities, and are available in the language primarily  used  to
    43  interact  with the consumer, including establishing rules and guidelines
    44  regarding financial incentive offerings; and
    45    (h) establishing rules and  procedures  to  further  the  purposes  of
    46  sections six hundred seventy-six-d and six hundred seventy-six-e of this
    47  article  and  to  facilitate  a  consumer's or the consumer's authorized
    48  agent's ability to obtain information pursuant to  section  six  hundred
    49  seventy-six-i  of this article, with the goal of minimizing the adminis-
    50  trative burden on consumers, taking into account  available  technology,
    51  security concerns, and the burden on the business, to govern a business'
    52  determination that a request for information received from a consumer is a
    53  verifiable  consumer  request,  including  treating  a request submitted
    54  through a password-protected account maintained by the consumer with the
    55  business while the consumer is logged into the account as  a  verifiable
    56  consumer  request  and providing a mechanism for a consumer who does not

        A. 3586                            15

     1  maintain an account with the business to request information through the
     2  business' authentication of the consumer's identity.
     3    2.  The  attorney  general  may  update the foregoing regulations, and
     4  adopt additional regulations, as necessary to further  the  purposes  of
     5  this article.
     6    3. Before adopting any regulations, the attorney general shall solicit
     7  broad public participation concerning those regulations.
     8    §  676-o.  Intermediate  transactions.  If a series of steps or trans-
     9  actions were component parts of a single transaction intended  from  the
    10  beginning  to  be taken with the intention of avoiding the reach of this
    11  article, a court shall disregard the intermediate steps or  transactions
    12  for purposes of effectuating the purposes of this article.
    13    §  676-p.  Non-waiver. Any provision of a contract or agreement of any
    14  kind that purports to waive or limit in  any  way  a  consumer's  rights
    15  under this article, including, but not limited to, any right to a remedy
    16  or  means  of enforcement, shall be deemed contrary to public policy and
    17  shall be void and  unenforceable.  This  section  shall  not  prevent  a
    18  consumer  from declining to request information from a business, declin-
    19  ing to opt out of a business' sale of the consumer's  personal  informa-
    20  tion, or authorizing a business to sell the consumer's personal informa-
    21  tion after previously opting out.
    22    §  676-q. Severability. If any provision of this article or the appli-
    23  cation thereof to any person, business,  service  provider,  or  circum-
    24  stances  is  held  invalid,  such  invalidity  shall  not  affect  other
    25  provisions or applications of this article which  can  be  given  effect
    26  without  the  invalid  provision  or  application,  and  to this end the
    27  provisions of this article are declared to be severable.
    28    § 5. This act shall take effect one year after it shall have become  a
    29  law.