Requires the registration of data brokers; imposes regulations upon data brokers; establishes a data deletion mechanism for consumers; imposes penalties upon data brokers for violations of the law.
STATE OF NEW YORK
9642
IN ASSEMBLY
January 21, 2026
Introduced by M. of A. TORRES -- read once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to requiring the registration of data brokers and establishing a data deletion mechanism for consumers
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The general business law is amended by adding a new article 42-A to read as follows:
ARTICLE 42-A
DATA BROKERS
Section 1150. Definitions.
1151. Registration of data brokers.
1152. Data deletion mechanism.
1153. Audit.
1154. Enforcement.
§ 1150. Definitions. The following definitions apply throughout this article unless the context clearly requires otherwise:
1. "artificial intelligence system or model" means an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system's training data.
2. "biometric data" means any personal data generated from the measurement or specific technological processing of a natural person's biological, physical, or physiological characteristics that allows or confirms the unique identification of a natural person, including fingerprints, voice prints, iris or retina scans, facial scans or templates, and gait. "Biometric data" does not include a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
3. "consumer" means a natural person who is a New York resident acting only in an individual or household context. It does not include a natural person known to be acting in a professional or employment context.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD14455-01-6
4. "dark patterns" means user interfaces that subvert or impair consumers' autonomy, decision making, or choice when asserting their privacy rights or consenting.
5. "data broker" means a person or business that knowingly collects and sells to third parties the personal information of a consumer with whom the person or business does not have a direct relationship.
6. "foreign actor" means either:
(a) the government of a foreign adversary country.
(b) a partnership, association, corporation, organization, or other combination of persons organized under the laws of or having its principal place of business in a foreign adversary country.
7. "foreign adversary country" has the same meaning as "covered nation" as defined in Section 4872 of Title 10 of the United States Code.
8. "minor" means a natural person under the age of eighteen.
9. "personal information" means any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person, or household. "Personal information" does not include deidentified data, information that is lawfully made publicly available from federal, state or local government records, or information that a controller has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.
10. "precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet, except as prescribed by regulations. Precise geolocation data does not include the content of communications or any data generated by or connected to advance utility metering infrastructure systems or equipment for use by a utility.
11. "protected health information" has the same meaning as in Title 45 C.F.R., established pursuant to the federal Health Insurance Portability and Accountability Act of 1996.
§ 1151. Registration of data brokers. 1. Each data broker shall:
(a) On or before January thirty-first following a year in which a person meets the definition of data broker in this article:
(i) Register with the attorney general;
(ii) Pay a registration fee of one hundred dollars or as otherwise determined by the attorney general pursuant to the regulatory authority granted to the attorney general under this article, not to exceed the reasonable cost of establishing and maintaining the database and informational website described in this section; and
(iii) Provide the following information to the attorney general:
(A) the name and primary physical, email, and internet website address of the data broker.
(B) the name and business address of an officer or registered agent of the data broker authorized to accept legal process on behalf of the data broker.
(C) the number of requests received and the number of such requests complied with, complied with in part, or denied under section eleven hundred fifty-two of this article.
(D) the median and the mean number of days within which the data broker responded to requests under section eleven hundred fifty-two of this article.
(E) whether the data broker collected personal information of minors.
(F) whether the data broker collects consumers' names, dates of birth, ZIP codes, email addresses, or phone numbers.
(G) whether the data broker collects consumers' account login or account number in combination with any required security code, access code, or password that would permit access to a consumer's account with a third party.
(H) whether the data broker collects consumers' drivers' license number, state identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(I) whether the data broker collects consumers' mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers (VIN).
(J) whether the data broker collects consumers' citizenship data, including immigration status.
(K) whether the data broker collects consumers' union membership status.
(L) whether the data broker collects consumers' sexual orientation status.
(M) whether the data broker collects consumers' gender identity and gender expression data.
(N) whether the data broker collects consumers' biometric data.
(O) whether the data broker collects consumers' precise geolocation.
(P) whether the data broker collects consumers' reproductive health care data.
(Q) whether the data broker collects consumers' protected health information.
(R) whether the data broker has shared or sold consumers' data to a foreign actor in the past year.
(S) whether the data broker has shared or sold consumers' data to the federal government in the past year.
(T) whether the data broker has shared or sold consumers' data to other state governments in the past year.
(U) whether the data broker has shared or sold consumers' data to law enforcement in the past year, unless that data was shared pursuant to a subpoena or court order.
(V) whether the data broker has shared or sold consumers' data to a developer of an artificial intelligence system or model in the past year.
(W) up to three, but no fewer than one, of the most common types of personal information that the data broker collects.
(X) beginning January first, two thousand thirty, whether the data broker has undergone an audit under this article, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the attorney general.
(Y) a link to a page on the data broker's internet website that:
(I) details how consumers may exercise their privacy rights by doing all of the following:
a. Deleting personal information.
b. Correcting inaccurate personal information.
c. Learning what personal information is being collected and how to access that personal information.
d. Learning what personal information is being sold or shared and to whom.
e. Learning how to opt out of the sale or sharing of personal information.
f. Learning how to limit the use and disclosure of sensitive personal information.
(II) does not make use of any dark patterns.
(Z) whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:
(I) the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(II) the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(III) any other law, rule, or regulation governing data brokers or any of its subsidiaries.
(AA) any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(b) be subject to any rules and regulations promulgated under this article.
2. The attorney general shall create a webpage on the state website which includes all information regarding all data brokers registered within the state and the deletion mechanism created under section eleven hundred fifty-two of this article.
§ 1152. Data deletion mechanism. 1. The attorney general shall develop a data deletion mechanism within one year of the effective date of this section. Such data deletion mechanism shall:
(a) implement and maintain reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification.
(b) allow a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider, contractor, or subsidiary.
(c) allow a consumer to selectively exclude specific data brokers from a request made under paragraph (b) of this subdivision.
(d) allow a consumer to make a request to alter a previous request made under this section after at least forty-five days have passed since the consumer last made a request under this section.
(e) allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
(f) permit a consumer to securely submit information in one or more privacy-protecting ways determined by the attorney general to aid in the deletion request.
(g) allow data brokers registered with the attorney general to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this article.
(h) allow a consumer to make a request under this section using an internet service operated by the attorney general.
(i) not charge a consumer to make a request under this section.
(j) allow a consumer to make a request under this section in any language spoken by any consumer for whom personal information has been collected by data brokers.
(k) be readily accessible and usable by consumers with disabilities.
(l) support the ability of a consumer's authorized agents to aid in the deletion request.
(m) allow the consumer, or their authorized agent, to verify the status of the consumer's deletion request.
(n) provide a description of:
(i) the deletion permitted by this section;
(ii) the process for submitting a deletion request pursuant to this section; and
(iii) examples of the types of information that may be deleted.
2. Six months after the creation of the data deletion mechanism, each data broker shall, at least once every forty-five days:
(a) process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section within forty-five days of receiving such requests and direct all service providers, contractors, and subsidiaries associated with the data broker to delete all personal information in their possession related to the consumers making such request.
(b) where a data broker denies a consumer request to delete under this section because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer's personal information within forty-five days of receiving such request and direct all service providers, contractors, and subsidiaries associated with the data broker to process the request as an opt-out of the sale or sharing of the consumer's personal information.
3. (a) Notwithstanding any other provision of this section, a data broker shall not be required to delete a consumer's personal information if such personal information is required to:
(i) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(ii) help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes.
(iii) debug to identify and repair errors that impair existing intended functionality.
(iv) exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law.
(v) engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business's deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent.
(vi) to enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information.
(vii) comply with a legal obligation.
(b) Personal information not required to be deleted under paragraph (a) of this subdivision shall only be used for purposes directly related to such exceptions and shall not be used or disclosed for any other purpose.
4. Where a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section, the data broker shall:
(a) delete all personal information of the consumer at least once every forty-five days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to subdivision three of this section; and
(b) not sell or share new personal information of the consumer unless the consumer requests otherwise unless such selling or sharing is permitted under another section of law.
5. The attorney general may charge an access fee to a data broker when the data broker accesses the data deletion mechanism that does not exceed the reasonable costs of providing that access.
§ 1153. Audit. Three years after the effective date of this section and every three years thereafter, each data broker shall undergo an audit by an independent third party to determine compliance with this article. Each data broker shall submit a report resulting from the audit written by such independent third party in a form determined by the attorney general and any other materials required by the attorney general to the attorney general within five business days of a written request by the attorney general. Data brokers shall maintain such reports and any required materials for six years.
§ 1154. Enforcement. 1. A data broker that fails to register under this article shall be subject to:
(a) a civil penalty of two hundred dollars for each day the data broker fails to register as required by this article;
(b) a civil penalty equal to the amount of registration fees which would have been paid if the data broker had registered; and
(c) a civil penalty equal to the costs incurred by the state to bring such civil action.
2. A data broker that violates any provision of this article or any rules and regulations promulgated thereunder, besides subparagraph (i) of paragraph (a) of subdivision one of section eleven hundred fifty-one of this article, shall be subject to:
(a) a civil penalty of two hundred dollars for each such violation; and
(b) a civil penalty equal to the costs incurred by the state to bring such civil action.
§ 2. This act shall take effect immediately.