•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 
  •  
  •  LFIN 
  •  
  •  Chamber Video/Transcript 

A01484 Summary:

BILL NOA01484
 
SAME ASSAME AS S04367
 
SPONSORWallace (MS)
 
COSPNSRSimon, Pheffer Amato, Fahy, Bronson, Zebrowski, Weprin, Lupardo, Colton, Jones, Steck, Hyndman, Rosenthal L, Stirpe, McDonough, Morinello, Rozic, Otis, Dickens
 
MLTSPNSRCook
 
Add §399-k, Gen Bus L
 
Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.
Go to top    

A01484 Actions:

BILL NOA01484
 
01/17/2023referred to consumer affairs and protection
01/03/2024referred to consumer affairs and protection
Go to top

A01484 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A1484
 
SPONSOR: Wallace (MS)
  TITLE OF BILL: An act to amend the general business law, in relation to prohibiting the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer   PURPOSE OR GENERAL IDEA OF BILL: The bill provides protections to New Yorkers by requiring that internet service providers ("ISPs") not sell consumer information, unless author- ization is conspicuously requested and expressly given; nor may an ISP refuse to provide service for failure to give consent.   SUMMARY OF PROVISIONS: Section 1. Amends the General Business Law as follows: Add 399-k (1): defines the terms consumer, internet service provider (ISP), and personally identifiable information. Add 399-k (2): prohibits ISPs from disclosing a consumer's personal information without express written consent. Add 399-k (3): provides exceptions to the requirements of subsection 2 for the purpose of cooperating with law enforcement. Add 399-k (4): requires ISPs to obtain consumer authorization for disclosure and requires the authorization request to be conspicuous. Add 399-k (5): requires the ISP to take reasonable steps to protect a consumer's personal information. Add 399-k (6): grants a right of action against an ISP where this section is violated and excluding the right of action from any mandatory arbitration clause that may exist in the contract between the ISP and the consumer. Add 399-k (7): to address other laws that may impact this section.   JUSTIFICATION: This legislation is introduced in response to Congress's decision to repeal internet privacy regulations set to take effect at the end of 2017. This legislation requires ISPs to obtain the consent of their customers before disclosing any personally identifiable information of the customer and prohibits an ISP from refusing service if a customer does not want to give consent to disclosure. This legislation gives customers control over whether their personal data may be disclosed and shared. ISP providers have access to "an unprecedented breath" of electronic personal information, including a customer's name, address, financial information, every website visited, the links clicked on in those websites, geo-location information, and the content of our electronic communications. ISPs should not be permit- ted to disclose such deeply personal information for commercial gain without customer consent. This legislation places control over disclo- sure in the hands of the customer, where it belongs, and prohibits an ISP from refusing to provide service unless consent is given.   PRIOR LEGISLATIVE HISTORY: 2021-2022: A.674 - Referred to Consumer Affairs and Protection 2019-2020: A.2420 - Ordered to third reading 2017-2018: A.7191B - Passed Assembly   FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: None.   EFFECTIVE DATE: This act shall take effect on the ninetieth day after it shall become a law.
Go to top

A01484 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          1484
 
                               2023-2024 Regular Sessions
 
                   IN ASSEMBLY
 
                                    January 17, 2023
                                       ___________
 
        Introduced  by  M.  of  A. WALLACE, SIMON, PHEFFER AMATO, FAHY, BRONSON,
          ZEBROWSKI, WEPRIN, LUPARDO, COLTON, JONES, STECK,  HYNDMAN,  L. ROSEN-
          THAL,  STIRPE,  McDONOUGH,  MORINELLO,  ROZIC, OTIS, DICKENS -- Multi-
          Sponsored by -- M.   of A. COOK --  read  once  and  referred  to  the
          Committee on Consumer Affairs and Protection

        AN ACT to amend the general business law, in relation to prohibiting the
          disclosure  of  personally  identifiable  information  by  an internet
          service provider without the express written approval of the consumer
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section 1. The general business law is amended by adding a new section
     2  399-k to read as follows:
     3    §  399-k.  Disclosure  of  personally  identifiable  information by an
     4  internet service provider; prohibited.  1.  For  the  purposes  of  this
     5  section the following terms shall have the following meanings:
     6    (a)  "Consumer"  means a person who agrees to pay a fee to an internet
     7  service provider for access to the internet  for  personal,  family,  or
     8  household purposes, and who does not resell access.
     9    (b) "Internet service provider" (ISP) means a business entity or indi-
    10  vidual  who  provides consumers authenticated access to, or presence on,
    11  the internet by means of  a  switched  or  dedicated  telecommunications
    12  channel  upon  which  the  provider provides transit routing of internet
    13  protocol packets for and on behalf of  the  consumer.  Internet  service
    14  provider  does  not  include the offering, on a common carrier basis, of
    15  telecommunications facilities or of telecommunications by means of these
    16  facilities.
    17    (c) "Personally identifiable information" means information that iden-
    18  tifies:
    19    (i) a consumer by physical or electronic address or telephone number;
    20    (ii) a consumer's internet search history or internet  usage  history;
    21  or
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD00871-01-3

        A. 1484                             2
 
     1    (iii) any of the contents of a consumer's data-storage devices.
     2    2.  Except as provided in subdivisions three and four of this section,
     3  an ISP shall not knowingly disclose personally identifiable  information
     4  resulting from the consumer's use of the telecommunications or ISP with-
     5  out express written approval from the consumer.
     6    (a)  A  telecommunications  or  ISP  that has entered into a franchise
     7  agreement, right-of-way agreement, or other contract with the  state  of
     8  New  York  or any political subdivision thereof, or that uses facilities
     9  that are subject to such agreements, even if it is not a  party  to  the
    10  agreement,  shall  not  collect nor disclose personal information from a
    11  consumer resulting from the consumer's use of the telecommunications  or
    12  ISP without express written approval from the consumer; and
    13    (b)  No  such  telecommunication  or  ISP  shall refuse to provide its
    14  services to a consumer on the grounds that the consumer has not approved
    15  the collection or disclosure of the consumer's personal information.
    16    3. An ISP may disclose personally identifiable information  concerning
    17  a consumer:
    18    (a)  pursuant to a grand jury subpoena, in accordance with subdivision
    19  eight of section 190.30 of the criminal procedure law;
    20    (b) pursuant to a  warrant  issued  in  accordance  with  article  six
    21  hundred ninety or article seven hundred of the criminal procedure law;
    22    (c)  pursuant to a court order in a pending criminal proceeding upon a
    23  showing that such personally identifiable information  is  relevant  and
    24  material to such criminal action or proceeding;
    25    (d)  pursuant  to  a  court order in a pending civil proceeding upon a
    26  showing of compelling need for such information that cannot be  accommo-
    27  dated by other means;
    28    (e)  to  a court in a civil action for conversion commenced by the ISP
    29  or in a civil action to enforce collection of unpaid  subscription  fees
    30  or  purchase amounts, and then only to the extent necessary to establish
    31  the fact of the subscription delinquency or purchase agreement, and with
    32  appropriate safeguards against unauthorized disclosure;
    33    (f) to the consumer who is the subject of the information, upon  writ-
    34  ten  or electronic request and upon payment of any fee not to exceed the
    35  actual cost of retrieving the information;
    36    (g) to another ISP for purposes of reporting or preventing  violations
    37  of  the published acceptable use policy or consumer service agreement of
    38  the ISP; except that the recipient may further disclose  the  personally
    39  identifiable information only as provided by this chapter; or
    40    (h) to any person with the authorization of the consumer.
    41    4.  (a)  The  ISP  shall  obtain  the consumer's authorization for the
    42  disclosure of personally identifiable information in writing or by elec-
    43  tronic means.
    44    (b) The request for authorization must reasonably describe  the  types
    45  of  persons to whom personally identifiable information may be disclosed
    46  and the anticipated uses of the information.
    47    (c) In order for an authorization to be effective, a contract  between
    48  an  ISP  and  the  consumer  must  state  that the authorization will be
    49  obtained by an affirmative act of the consumer.
    50    (d) The provision in the contract must be conspicuous.
    51    (e) Authorization shall be obtained in a manner consistent with guide-
    52  lines issued by representatives of the ISP or online industries,  or  in
    53  any other manner reasonably designed to comply with this section.
    54    5.  The  ISP shall take all reasonable and necessary steps to maintain
    55  the security and privacy of a consumer's personally identifiable  infor-
    56  mation.

        A. 1484                             3
 
     1    6.  A  consumer  who  prevails  or substantially prevails in an action
     2  brought under this section is entitled to the greater  of  five  hundred
     3  dollars or actual damages. Costs, disbursements, and reasonable attorney
     4  fees  may  be awarded to a party awarded damages for a violation of this
     5  section.  The  action  available under this section is exempted from any
     6  mandatory arbitration clauses that may exist in the contract between the
     7  ISP and the consumer. In a civil action under this  section,  it  is  an
     8  affirmative  defense  that  such  information  was released or otherwise
     9  available in violation of this section notwithstanding reasonable  prac-
    10  tices established and implemented by the defendant to prevent violations
    11  of this section.
    12    7.  This  section does not limit any greater protection of the privacy
    13  of information under other law, except that:
    14    (a) nothing in this section shall be deemed  to  limit  the  authority
    15  under  other  state or federal law of law enforcement to obtain informa-
    16  tion; and
    17    (b) if federal law is enacted that regulates the release of personally
    18  identifiable information by ISPs but does not preempt state law  on  the
    19  subject, state law prevails.
    20    §  2.  This  act shall take effect on the ninetieth day after it shall
    21  have become a law.
Go to top