Amd §§50 & 51, Civ Rts L; add Art 32-A §§676 - 676-q, Gen Bus L
Establishes the "It's Your Data Act" for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.
STATE OF NEW YORK
________________________________________________________________________
7736
2019-2020 Regular Sessions
IN ASSEMBLY
May 17, 2019
___________
Introduced by M. of A. KIM -- read once and referred to the Committee on
Consumer Affairs and Protection
AN ACT to amend the civil rights law and the general business law, in
relation to establishing the "It's Your Data Act"
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. This act shall be known and may be cited as the "It's Your
2 Data Act".
3 § 2. Section 50 of the civil rights law is amended to read as follows:
4 § 50. Right of privacy. A person, firm or corporation that collects,
5 stores, and/or uses for the purpose of advertising [purposes, or for the
6 purposes of], trade, data-mining, or generating commercial or economic
7 value, the name, portrait [or], picture, video, voice, likeness, and all
8 other personal data, biometric data, and location data of any living
9 person without having first obtained the written consent of such person,
10 or if a minor of his or her parent or guardian, or, if such consent is
11 obtained, subsequently fails to exercise reasonable care consistent with
12 its obligations as bailee of that individual's name, portrait, picture,
13 video, voice, likeness, and all other personal data, biometric data, and
14 location data, is guilty of a misdemeanor.
15 § 3. Section 51 of the civil rights law, as amended by chapter 674 of
16 the laws of 1995, is amended to read as follows:
17 § 51. Action for injunction and for damages. Any person [whose name,
18 portrait, picture or voice is used within this state for advertising
19 purposes or for the purposes of trade without the written consent], firm
20 or corporation that collects, stores, and/or uses for the purpose of
21 advertising, trade, data-mining, or generating commercial or economic
22 value, name, portrait, picture, video, voice, likeness, and all other
23 personal data, biometric data, and location data of any living person
24 without having first obtained the written consent of such person, or if
25 a minor of his or her parent or guardian, or, when such consent is
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD11575-01-9
A. 7736 2
1 obtained, subsequently fails to exercise reasonable care consistent with
2 its obligations as bailee of that individual's name, portrait, picture,
3 video, voice, likeness, and all other personal data, biometric data, and
4 location data first obtained as above provided may maintain an equitable
5 action in the supreme court of this state against the person, firm or
6 corporation so using his or her name, portrait, picture [or], video,
7 voice, likeness, and all other personal data, biometric data, and
8 location data to prevent and restrain the use thereof; and may also sue
9 and recover damages for any injuries sustained by reason of such use and
10 if the defendant shall have knowingly used such person's name, portrait,
11 picture [or], video, voice, likeness, and all other personal data, biom-
12 etric data, and location data in such manner as is forbidden or declared
13 to be unlawful by section fifty of this article, the jury, in its
14 discretion, may award exemplary damages. But nothing contained in this
15 article shall be so construed as to prevent any person, firm or corpo-
16 ration from selling or otherwise transferring any material containing
17 such name, portrait, picture [or], video, voice, likeness, and all other
18 personal data, biometric data, and location data in whatever medium to
19 any user of such name, portrait, picture [or], video, voice, likeness,
20 and all other personal data, biometric data, and location data or to any
21 third party [for sale] or transfer directly or indirectly to such a
22 user, for use, provided that the transferring party undertakes reason-
23 able steps to ensure that any such use is consistent with the selling or
24 transferring party's obligations as bailee of that individual's name,
25 portrait, picture, video, voice, likeness, and all other personal data,
26 biometric data, and location data and use in a manner lawful under this
27 article; nothing contained in this article shall be so construed as to
28 prevent any person, firm or corporation, practicing the profession of
29 photography, from exhibiting in or about his or its establishment speci-
30 mens of the work of such establishment, unless the same is continued by
31 such person, firm or corporation after written notice objecting thereto
32 has been given by the person portrayed; and nothing contained in this
33 article shall be so construed as to prevent any person, firm or corpo-
34 ration from using the name, portrait, picture [or], video, voice, like-
35 ness, and all other personal data, biometric data, and location data of
36 any manufacturer or dealer in connection with the goods, wares and
37 merchandise manufactured, produced or dealt in by him or her which he or
38 she has sold or disposed of with such name, portrait, picture [or],
39 video, voice, likeness, and all other personal data, biometric data, and
40 location data used in connection therewith; or from using the name,
41 portrait, picture [or], video, voice, likeness, and all other personal
42 data, biometric data, and location data of any author, composer or
43 artist in connection with his or her literary, musical or artistic
44 productions which he or she has sold or disposed of with such name,
45 portrait, picture [or], video, voice, likeness, and all other personal
46 data, biometric data, and location data used in connection therewith.
47 Nothing contained in this section shall be construed to prohibit the
48 copyright owner of a sound recording from disposing of, dealing in,
49 licensing or selling that sound recording to any party, if the right to
50 dispose of, deal in, license or sell such sound recording has been
51 conferred by contract or other written document by such living person or
52 the holder of such right. Nothing contained in the foregoing sentence
53 shall be deemed to abrogate or otherwise limit any rights or remedies
54 otherwise conferred by federal law or state law.
55 § 4. The general business law is amended by adding a new article 32-A
56 to read as follows:
A. 7736 3
1 ARTICLE 32-A
2 IT'S YOUR DATA ACT
3 Section 676. Definitions.
4 676-a. Transparency of the collection, use, retention, and shar-
5 ing of personal information.
6 676-b. Fair collection and use of personal information.
7 676-c. Deletion of personal information.
8 676-d. Access to retained personal information.
9 676-e. Access to disclosure of personal information.
10 676-f. Consent to additional collection or sharing of personal
11 information.
12 676-g. No discrimination by a business against a consumer for
13 exercise of rights.
14 676-h. Reasonable security.
15 676-i. Business implementation of duties.
16 676-j. Exceptions.
17 676-k. Consumer's private right of action.
18 676-l. Agency enforcement action.
19 676-m. Construction.
20 676-n. Attorney general regulations.
21 676-o. Intermediate transactions.
22 676-p. Non-waiver.
23 676-q. Severability.
24 § 676. Definitions. 1. For the purposes of this article:
25 (a) "Aggregate consumer information" means information that relates to
26 a group of consumers, from which individual consumer identities have
27 been removed, that is not linked or reasonably linkable to any consumer
28 or household, including via a device. Aggregate consumer information
29 does not mean one or more individual consumer records that have been
30 de-identified.
31 (b) "Biometric information" means an individual's physiological,
32 biological or behavioral characteristics or an electronic representation
33 of such, including an individual's deoxyribonucleic acid (DNA), that can
34 be used, singly or in combination with each other or with other identi-
35 fying data, to establish individual identity. Biometric information
36 includes, but is not limited to, imagery of the iris, retina, finger-
37 print, face, hand, palm, vein patterns, and voice recordings, from which
38 an identifier template, such as a faceprint, a minutiae template, or a
39 voiceprint, can be extracted, and keystroke patterns or rhythms, gait
40 patterns or rhythms, and sleep, health, or exercise data that contain
41 identifying information.
42 (c) "Business" means:
43 (i) A sole proprietorship, partnership, limited liability company,
44 corporation, association, or other legal entity that is organized or
45 operated for the profit or financial benefit of its shareholders or
46 other owners, that collects consumers' personal information, or on the
47 behalf of which such information is collected and that alone, or jointly
48 with others, determines the purposes and means of the processing of
49 consumers' personal information, that does business in the state of New
50 York, and that satisfies one or more of the following thresholds:
51 (1) has annual gross revenues in excess of fifty million dollars, as
52 adjusted pursuant to paragraph (f) of subdivision one of section six
53 hundred seventy-six-n of this article;
54 (2) alone or in combination, annually buys, receives for the business'
55 commercial purposes, sells, or discloses for commercial purposes, alone
A. 7736 4
1 or in combination, the personal information of fifty thousand or more
2 consumers, households, or devices; or
3 (3) derives fifty percent or more of its annual revenues from selling
4 consumers' personal information; and
5 (ii) Any entity that controls or is controlled by a business, as
6 defined in subparagraph (i) of this paragraph, and that shares common
7 branding with such business.
8 (d) "Control" or "controlled" means ownership of, or the power to
9 vote, more than fifty percent of the outstanding shares of any class of
10 voting security of a business; control in any manner over the election
11 of a majority of the directors, or of individuals exercising similar
12 functions; or the power to exercise a controlling influence over the
13 management of a business.
14 (e) "Common branding" means a shared name, servicemark, or trademark.
15 (f) "Operational purpose" means the use of personal information when
16 reasonably necessary and proportionate to achieve one of the following
17 operational purposes:
18 (i) auditing related to a current interaction with the consumer and
19 concurrent transactions, including, but not limited to, counting ad
20 impressions to unique visitors, verifying positioning and quality of ad
21 impressions, and auditing compliance with this paragraph and other stan-
22 dards;
23 (ii) detecting and responding to security incidents, protecting
24 against malicious, deceptive, fraudulent, or illegal activity, and pros-
25 ecuting those responsible for that activity;
26 (iii) debugging to identify and repair errors that impair existing
27 intended functionality;
28 (iv) short-term, transient use, provided the personal information is
29 not disclosed to another third party and is not used to build a profile
30 about a consumer or otherwise alter an individual consumer's experience
31 outside the current interaction, including, but not limited to, the
32 contextual customization of ads shown as part of the same interaction;
33 (v) performing or providing services on behalf of the business or
34 service provider, including maintaining or servicing accounts, billing
35 or collecting for requested products or services, providing customer
36 service, processing or fulfilling orders and transactions, verifying
37 customer information, processing payments, providing financing, provid-
38 ing advertising or marketing services, providing analytic services, or
39 providing similar services on behalf of the business or service provid-
40 er;
41 (vi) undertaking internal research for technological development and
42 demonstration;
43 (vii) undertaking activities to verify or maintain the quality or
44 safety of a service or device that is owned, manufactured, manufactured
45 for, or controlled by the business, or to improve, upgrade, or enhance
46 the service or device that is owned, manufactured, manufactured for, or
47 controlled by the business;
48 (viii) customization of content; or
49 (ix) customization of advertising or marketing.
50 (g) "Collects," "collected," or "collection" means buying, renting,
51 gathering, obtaining, receiving, or accessing any personal information
52 pertaining to a consumer by any means. This shall include, but shall not
53 be limited to, receiving information from the consumer, either actively
54 or passively, or by observing the consumer's behavior.
55 (h) "Commercial purposes" means to advance a person's commercial or
56 economic interests, such as by inducing another person to buy, rent,
A. 7736 5
1 lease, join, subscribe to, provide, or exchange products, goods, proper-
2 ty, information, or services, or enabling or effecting, directly or
3 indirectly, a commercial transaction. Commercial purposes shall not
4 include engaging in speech that state or federal courts have recognized
5 as noncommercial speech, including, but not limited to, political speech
6 and journalism.
7 (i) "Consumer" means a natural person who is a resident of the state
8 of New York.
9 (j) "De-identified" means information that cannot reasonably identify,
10 relate to, describe, be capable of being associated with, or be linked,
11 directly or indirectly, to a particular consumer, provided that a busi-
12 ness that uses de-identified information:
13 (i) takes reasonable measures to ensure that the data is de-identi-
14 fied;
15 (ii) publicly commits to maintain and use the data in a de-identified
16 fashion and not to attempt to re-identify the data; and
17 (iii) contractually prohibits downstream recipients from attempting to
18 re-identify the data.
19 (k) "Designated methods for submitting requests" means a mailing
20 address, email address, internet web page, internet web portal, toll-
21 free telephone number, or other applicable contact information, whereby
22 consumers may submit a request under this article, and any new, consum-
23 er-friendly means of contacting a business, as approved by the attorney
24 general pursuant to section six hundred seventy-six-n of this article.
25 (l) "Device" means any physical object that is capable of connecting
26 to the internet, directly or indirectly, or to another device.
27 (m) "Health insurance information" means a consumer's insurance policy
28 number or subscriber identification number, any unique identifier used
29 by a health insurer to identify the consumer, or any information in the
30 consumer's application and claims history, including any appeals
31 records, if the information is linked or reasonably linkable to a
32 consumer or household, including via a device, by a business or service
33 provider.
34 (n) "Infer" or "inference" means the derivation of information, data,
35 assumptions, or conclusions from facts, evidence, or another source of
36 information or data.
37 (o) "Person" means an individual, proprietorship, firm, partnership,
38 joint venture, syndicate, business trust, company, corporation, limited
39 liability company, association, committee, and any other organization or
40 group of persons acting in concert.
41 (p) "Personal information" means information that identifies or could
42 reasonably be linked, directly or indirectly, with a particular consum-
43 er, household, or consumer device. Personal information shall not
44 include publicly available information, information that is de-identi-
45 fied, or aggregate consumer information.
46 (q) "Publicly available" means information that is lawfully made
47 available from federal, state, or local government records. Publicly
48 available does not mean information collected by a business about a
49 consumer without the consumer's knowledge.
50 (r) "Service" or "services" means work, labor, and services, including
51 services furnished in connection with the production, sale or repair of
52 goods.
53 (s) "Service provider" means an individual sole proprietorship, part-
54 nership, limited liability company, corporation, association, or other
55 legal entity that is organized or operated for the profit or financial
56 benefit of its shareholders or other owners, that processes information
A. 7736 6
1 on behalf of a business and to which such business discloses a consum-
2 er's personal information for an operational purpose pursuant to a writ-
3 ten or electronic contract, provided that the contract prohibits the
4 entity receiving the information from retaining, using, or disclosing
5 the personal information for any purpose other than for the specific
6 purpose of performing the services specified in the contract for such
7 business, or as otherwise permitted by this article, including a prohi-
8 bition on retaining, using, or disclosing the personal information for a
9 commercial purpose other than providing the services specified in the
10 contract with such business.
11 (t) "Verifiable consumer request" means a request that is made by a
12 consumer, by a consumer on behalf of the consumer's minor child, or by a
13 natural person or a person registered with the secretary of state,
14 authorized by the consumer to act on the consumer's behalf, and that the
15 business can reasonably verify. A business shall not be obligated to
16 provide any personal information to a consumer if such business cannot
17 verify that the consumer making the request is the consumer about whom
18 such business has collected personal information or is a person author-
19 ized by the consumer to act on such consumer's behalf.
20 (u) "Third party" means a person or business that is not any of the
21 following:
22 (i) the business that collects personal information from consumers
23 under this article; or
24 (ii) a person to whom the business discloses a consumer's personal
25 information for an operational purpose pursuant to a written contract,
26 provided that the contract:
27 (1) prohibits the person receiving the personal information from:
28 (A) selling the personal information;
29 (B) retaining, using, or disclosing the personal information for any
30 purpose other than for the specific purpose of performing the services
31 specified in the contract, including retaining, using, or disclosing the
32 personal information for a commercial purpose other than providing the
33 services specified in the contract; and
34 (C) retaining, using, or disclosing the information outside of the
35 direct business relationship between the person and the business; and
36 (2) includes a certification made by the person receiving the personal
37 information that the person understands the restrictions in clause one
38 of this paragraph and will comply with such restrictions.
39 2. For references to a category or categories of personal information
40 required to be disclosed pursuant to this article:
41 (a) "Processing" means any operation or set of operations that are
42 performed on personal data or on sets of personal data, whether or not
43 by automated means.
44 (b) "Research" means scientific and systematic study and observation,
45 including basic research or applied research that is in the public
46 interest and that adheres to all other applicable ethics and privacy
47 laws or studies conducted in the public interest in the area of public
48 health. Research with personal information that may have been collected
49 from a consumer in the course of the consumer's interactions with a
50 business' service or device for other purposes shall be:
51 (i) compatible with an operational purpose for which the personal
52 information was collected;
53 (ii) subsequently de-identified, or in the aggregate, such that the
54 information cannot reasonably identify, relate to, describe, be capable
55 of being associated with, or be linked, directly or indirectly, to a
56 particular consumer;
A. 7736 7
1 (iii) made subject to technical safeguards to prevent re-identifica-
2 tion of the consumer to whom the information may pertain;
3 (iv) subject to business processes that specifically prohibit re-iden-
4 tification of the information;
5 (v) made subject to business processes to prevent inadvertent release
6 of de-identified information;
7 (vi) protected from any re-identification attempts;
8 (vii) used solely for research purposes that are compatible with the
9 context in which the personal information was collected;
10 (viii) not be used for any commercial purpose; and
11 (ix) subjected by the business conducting the research to additional
12 security controls that limit access to the research data to only those
13 individuals in a business as are necessary to carry out the research
14 purpose.
15 (c) (i) "Sell," "selling," "sale," or "sold," means selling, renting,
16 releasing, disclosing, disseminating, making available, transferring, or
17 otherwise communicating orally, in writing, or by electronic or other
18 means, a consumer's personal information by the business to another
19 business or a third party for monetary or other valuable consideration.
20 (ii) For purposes of this article, a business does not sell personal
21 information when:
22 (1) a consumer uses or directs the business to intentionally disclose
23 personal information or uses the business to intentionally interact with
24 a third party, provided such third party does not also sell the personal
25 information, unless such disclosure would be consistent with the
26 provisions of this article. An intentional interaction occurs when the
27 consumer intends to interact with the third party, via one or more
28 deliberate interactions. Hovering over, muting, pausing, or closing a
29 given piece of content shall not constitute a consumer's intent to
30 interact with a third party;
31 (2) the business uses or discloses an identifier for a consumer who
32 has opted out of the sale of the consumer's personal information for the
33 purposes of alerting third parties that the consumer has opted out of
34 the sale of the consumer's personal information;
35 (3) the business uses or discloses personal information of a consumer
36 with a service provider that is necessary to perform an operational
37 purpose and the business has provided notice that information being used
38 or disclosed in its terms and conditions consistent with section six
39 hundred seventy-six-i of this article; or
40 (4) the business transfers to a third party the personal information
41 of a consumer as an asset that is part of a merger, acquisition, bank-
42 ruptcy, or other transaction in which the third party assumes control of
43 all or part of the business, provided that information is used or
44 disclosed consistently with this article. A third party may not mate-
45 rially alter how it uses or discloses the personal information of a
46 consumer in a manner that is materially inconsistent with the promises
47 made at the time of collection, unless it first obtains opt-in consent,
48 as set forth in this article.
49 § 676-a. Transparency of the collection, use, retention, and sharing
50 of personal information. Any business that collects a consumer's
51 personal information shall disclose the following information in its
52 online privacy policy or policies, if the business has an online privacy
53 policy, and update such information at least once every twelve months:
54 1. a description of a consumer's rights pursuant to sections six
55 hundred seventy-six-b, six hundred seventy-six-d, six hundred seventy-
56 six-e, six hundred seventy-six-f and six hundred seventy-six-g of this
A. 7736 8
1 article and one or more designated methods for submitting requests
2 pursuant to sections six hundred seventy-six-c, six hundred
3 seventy-six-d, and six hundred seventy-six-e of this article;
4 2. a description of the personal information such business collects
5 about consumers;
6 3. the categories of sources from which the personal information is
7 collected;
8 4. a description of the methods such business uses to collect personal
9 information;
10 5. the specific purposes for collecting, disclosing, or retaining
11 personal information;
12 6. a description of the personal information it discloses about
13 consumers, or if the business does not disclose consumers' personal
14 information, the business shall disclose such fact;
15 7. the categories of third parties with whom such business shares
16 personal information with, or if the business does not disclose consum-
17 ers' personal information to third parties, the business shall disclose
18 such fact;
19 8. the categories of service providers with whom such business shares
20 personal information with, or if the business does not disclose consum-
21 ers' personal information to service providers, the business shall
22 disclose such fact;
23 9. a description of the length of time for which personal information
24 is retained; and
25 10. if personal data is de-identified such that it is no longer
26 considered personal information but subsequently retained, used, or
27 shared by the business, a description of the method or methods of de-i-
28 dentification.
29 § 676-b. Fair collection and use of personal information. 1. Subject
30 to section six hundred seventy-six-f of this article a business that
31 collects a consumer's personal information shall limit its collection
32 and sharing of personal information with third parties to what is
33 reasonably necessary to provide a service or conduct an activity that a
34 consumer has requested or is reasonably necessary for security or fraud
35 prevention, and shall require any such third party to exercise care over
36 the consumer's personal information consistent with the original busi-
37 ness's obligations as bailee of such information.
38 2. Subject to section six hundred seventy-six-f of this article, a
39 business that collects a consumer's personal information shall be obli-
40 gated to exercise reasonable care with respect to the collection, stor-
41 age, and use of that information, consistent with its obligations as a
42 bailee, and shall limit its use and retention of personal information to
43 what is reasonably necessary to provide a service or conduct an activity
44 that a consumer has requested or a related operational purpose, provided
45 however that data collected or retained solely for security or fraud
46 prevention may not be used for related operational purposes.
47 § 676-c. Deletion of personal information. 1. A consumer shall have
48 the right to request that a business delete any personal information
49 about such consumer which the business has collected from the consumer.
50 2. A business that collects personal information about consumers shall
51 disclose, pursuant to the notice requirements of section six hundred
52 seventy-six-i of this article, the consumer's rights to request the
53 deletion of the consumer's personal information.
54 3. A business that receives a verifiable consumer request from a
55 consumer to delete the consumer's personal information pursuant to
56 subdivision one of this section shall delete the consumer's personal
A. 7736 9
1 information from its records and direct any service providers to delete
2 the consumer's personal information from their records.
3 4. A business or a service provider shall not be required to comply
4 with a consumer's request to delete the consumer's personal information
5 if:
6 (a) such retention of personal information is reasonably anticipated
7 within the context of a business's ongoing business relationship with
8 the consumer; or
9 (b) it is necessary for the business or service provider to maintain
10 the consumer's personal information in order to:
11 (i) complete the transaction for which the personal information was
12 collected, provide a good or service requested by the consumer, or
13 otherwise perform a contract between the business and the consumer;
14 (ii) detect or respond to security incidents, protect against mali-
15 cious, deceptive, fraudulent, or illegal activity, or prosecute those
16 responsible for that activity;
17 (iii) debug to identify and repair errors that impair existing
18 intended functionality;
19 (iv) exercise free speech, ensure the right of another consumer to
20 exercise his or her right of free speech;
21 (v) engage in public or peer-reviewed scientific, historical, or
22 statistical research in the public interest that adheres to all other
23 applicable ethics and privacy laws, when the businesses' deletion of the
24 information is likely to render impossible or seriously impair the
25 achievement of such research, if the consumer has provided informed
26 consent; or
27 (vi) comply with a legal obligation.
28 § 676-d. Access to retained personal information. 1. If a business
29 collects personal information about a consumer, the consumer shall have
30 the right to ask the business for the following information, and the
31 business shall have the duty to provide it, promptly and free of charge,
32 upon receipt of a verifiable request:
33 (a) the specific pieces of personal information that the business
34 retains about that consumer;
35 (b) the specific sources from which the business collected the
36 personal information; and
37 (c) its purpose for collecting the personal information.
38 2. When a business receives a verifiable consumer request from a
39 consumer for the specific pieces of their personal information, such
40 business shall disclose such information in an electronic, portable,
41 machine-readable, and readily-useable format or formats that allow the
42 consumer to understand such information and to transmit such information
43 to another entity without hindrance.
44 § 676-e. Access to disclosure of personal information. If a business
45 discloses personal information about a consumer to a third party, the
46 consumer shall have the right to request the following information from
47 the business, and such business shall have the duty to provide it,
48 promptly and free of charge, upon receipt of a verifiable request:
49 1. the categories of personal information that the business disclosed
50 about the consumer, and the categories of third parties to whom the
51 personal information was disclosed, by category of personal information
52 for each category of third party; and
53 2. the specific third parties to whom the personal information was
54 disclosed.
55 § 676-f. Consent to additional collection or sharing of personal
56 information. 1. Other than as described in section six hundred seventy-
A. 7736 10
1 six-b of this article, a business shall not collect or share a consum-
2 er's personal information unless the consumer has affirmatively author-
3 ized the collection or disclosure. This right to collect or share a
4 consumer's personal information may be referred to as the right to
5 "opt-in consent".
6 2. Any personal information of a consumer collected or shared by a
7 business upon the affirmative authorization of the consumer shall remain
8 the property of such consumer, and the business shall be required to
9 exercise reasonable care in the collection and sharing of such data,
10 consistent with its obligations towards the consumer as bailee of his or
11 her personal information.
12 3. A business shall request a user's opt-in consent separately from
13 any other permission or consent, with the option to decline consent at
14 least as prominent as the option to provide consent.
15 4. If a consumer declines to provide their opt-in consent to the
16 disclosure of their personal information, a business shall refrain for
17 at least twelve months before again requesting that the consumer provide
18 their opt-in consent to the disclosure of their personal information.
19 5. A business may make available a setting or other user control that
20 the consumer may affirmatively access in order to consent to additional
21 data collection or sharing.
22 6. A business that obtains a consumer's opt-in consent to collect or
23 disclose their personal information pursuant to this section shall
24 provide consumers the ability to withdraw such consent through a readily
25 usable and automated means at any time.
26 § 676-g. No discrimination by a business against a consumer for exer-
27 cise of rights. A business shall not discriminate against a consumer
28 because the consumer exercised any of the consumer's rights under this
29 article or does not provide consent to additional data collection or
30 sharing under section six hundred seventy-six-f of this article includ-
31 ing, but not limited to, by:
32 1. denying goods or services to the consumer;
33 2. charging different prices or rates for goods or services, including
34 through the use of discounts or other benefits or imposing penalties;
35 3. providing a different level or quality of goods or services to the
36 consumer; or
37 4. suggesting that the consumer will receive a different price or rate
38 for goods or services or a different level or quality of goods or
39 services.
40 § 676-h. Reasonable security. 1. A business or service provider shall
41 implement and maintain reasonable security procedures and practices,
42 including administrative, physical, and technical safeguards, appropri-
43 ate to the nature of the information and the purposes for which the
44 personal information will be used, to protect consumers' personal infor-
45 mation from unauthorized use, disclosure, access, destruction, or
46 modification.
47 2. A business or service provider may employ any lawful security meas-
48 ures that allow it to comply with the requirements set forth in this
49 section.
50 § 676-i. Business implementation of duties. 1. A business shall:
51 (a) make available to consumers two or more designated methods for
52 submitting requests pursuant to sections six hundred seventy-six-c, six
53 hundred seventy-six-d, and six hundred seventy-six-e of this article,
54 including, at a minimum, a telephone number, and, if the business main-
55 tains an internet web site, a web site address;
A. 7736 11
1 (b) disclose and deliver the required information to a consumer free
2 of charge within forty-five days of receiving a verifiable consumer
3 request. A business shall take steps to determine whether the request is
4 a verifiable consumer request from the identified consumer. The time
5 period may be extended once by forty-five days when reasonably neces-
6 sary, provided the consumer is provided notice of the extension within
7 the first forty-five day period. The disclosure shall cover the twelve
8 month period preceding the request. It shall be delivered through the
9 consumer's account with the business, if the consumer maintains an
10 account with the business, or by mail or electronically at the consum-
11 er's option, if the consumer does not maintain an account with the busi-
12 ness. The business shall not require the consumer to create an account
13 with the business in order to make a verifiable request;
14 (c) ensure that all individuals responsible for handling consumer
15 inquiries about the business's privacy practices or the business's
16 compliance with this article are informed of all requirements in this
17 article, and how to direct consumers to exercise their rights in this
18 article; and
19 (d) limit the use of any personal information collected from the
20 consumer in connection with a business's verification of the consumer's
21 request solely for the purposes of verification.
22 2. A business shall not be obligated to provide the information
23 required by sections six hundred seventy-six-d and six hundred seventy-
24 six-e of this article to the same consumer more than twice in a twelve
25 month period.
26 § 676-j. Exceptions. 1. The obligations imposed on businesses by this
27 article shall not restrict a business's or service provider's ability
28 to:
29 (a) comply with federal, state, or local laws;
30 (b) comply with a civil, criminal, or regulatory inquiry, investi-
31 gation, subpoena, or summons by federal, state, or local authorities;
32 (c) cooperate with law enforcement agencies concerning conduct or
33 activity that the business, service provider, or third party reasonably
34 and in good faith believes may violate federal, state, or local law;
35 (d) exercise or defend legal claims;
36 (e) collect, use, retain, sell, or disclose consumer information that
37 is de-identified or in the aggregate; or
38 (f) collect or sell a consumer's personal information if every aspect
39 of that commercial conduct takes place wholly outside of the state. For
40 purposes of this section, commercial conduct takes place wholly outside
41 of the state if the business collected information while the consumer
42 was outside of the state, no part of the sale of the consumer's personal
43 information occurred in the state, and no personal information collected
44 while the consumer was in the state is sold. This paragraph shall not
45 permit a business from storing, including on a device, personal informa-
46 tion about a consumer when such consumer is in the state and then
47 collecting such personal information when such consumer and stored
48 personal information is outside of the state.
49 2. Nothing in this article shall require a business to violate an
50 evidentiary privilege under state or federal law or prevent a business
51 from providing the personal information of a consumer who is covered by
52 an evidentiary privilege under state or federal law as part of a privi-
53 leged communication.
54 3. This article shall not apply to any of the following:
55 (a) medical information governed by part 2.6 of the Confidentiality of
56 Medical Information Act or protected health information that is
A. 7736 12
1 collected by a covered entity or business associate governed by the
2 privacy, security, and breach notification rules issued or established
3 by the United States department of health and human services, 45 C.F.R.
4 parts 160 and 164, the Health Insurance Portability and Accountability
5 Act of 1996, or the Health Information Technology for Economic and Clin-
6 ical Health Act;
7 (b) a provider of health care governed by part 2.6 of the Confiden-
8 tiality of Medical Information Act or a covered entity governed by the
9 privacy, security, and breach notification rules issued or established
10 by the United States department of health and human services, 45 C.F.R.
11 parts 160 and 164, or the Health Insurance Portability and Accountabil-
12 ity Act of 1996, to the extent the provider or covered entity maintains
13 patient information in the same manner as medical information or
14 protected health information as described in paragraph (a) of this
15 subdivision;
16 (c) information collected as part of a clinical trial subject to the
17 Federal Policy for the Protection of Human Subjects, also known as the
18 "Common Rule", pursuant to good clinical practice guidelines issued by
19 the International Council for Harmonization or pursuant to human subject
20 protection requirements of the United States Food and Drug Adminis-
21 tration;
22 (d) the sale of personal information to or from a consumer reporting
23 agency if such information is to be reported in, or used to generate, a
24 consumer report as defined in section three hundred eighty-a of this
25 chapter and use of that information is limited by the federal Fair Cred-
26 it Reporting Act, 15 USC 1681;
27 (e) personal information collected, processed, sold, or disclosed
28 pursuant to the federal Gramm-Leach-Bliley Act or any financial privacy
29 laws or regulations of the state of New York, and implementing regu-
30 lations, if it is in conflict with such law; or
31 (f) personal information collected, processed, sold, or disclosed
32 pursuant to the Driver's Privacy Protection Act of 1994, if it is in
33 conflict with such act.
34 4. Notwithstanding a business' obligations to respond to and honor
35 consumer rights requests pursuant to sections six hundred seventy-six-c,
36 six hundred seventy-six-d, and six hundred seventy-six-e of this arti-
37 cle:
38 (a) the time period for a business to respond to any verified consumer
39 request may be extended by up to ninety additional days where necessary,
40 taking into account the complexity and number of the requests. A busi-
41 ness shall inform the consumer of any such extension within forty-five
42 days of receipt of the request, together with the reasons for the delay;
43 (b) if a business does not take action on the request of the consumer,
44 such business shall inform the consumer, without delay and at the latest
45 within the time period permitted of response by this section, of the
46 reasons for not taking action and any rights the consumer may have to
47 appeal the decision to the business; and
48 (c) if requests from a consumer are manifestly unfounded or excessive,
49 in particular because of their repetitive character, a business may
50 either charge a reasonable fee, taking into account the administrative
51 costs of providing the information or communication or taking the action
52 requested, or refuse to act on the request and notify the consumer of
53 the reason for refusing the request. Such business shall bear the burden
54 of demonstrating that any verified consumer request is manifestly
55 unfounded or excessive.
A. 7736 13
1 5. A business that discloses personal information to a service provid-
2 er shall not be liable under this article if the service provider
3 receiving the personal information uses it in violation of the
4 restrictions set forth in this article, provided that, at the time of
5 disclosing the personal information, such business does not have actual
6 knowledge, or reason to believe, that the service provider intends to
7 commit such a violation. A service provider shall not be liable under
8 this article for the obligations of a business for which it provides
9 services as set forth in this article.
10 6. This article shall not be construed to: (a) require a business to
11 collect or retain personal information about a consumer longer than it
12 would be retained such information in the ordinary course of business;
13 or
14 (b) require a business to re-identify or otherwise link information
15 that is not maintained in a manner that would be considered personal
16 information.
17 7. The rights afforded to consumers and the obligations imposed on a
18 business pursuant to this article shall not adversely affect the rights
19 and freedoms of other consumers.
20 8. The rights afforded to consumers and the obligations imposed on any
21 business pursuant to this article shall not apply to the extent that
22 they infringe on the noncommercial activities of a publisher, editor,
23 reporter, or other person connected with or employed upon a newspaper,
24 magazine, or other periodical publication, or by a press association or
25 wire service.
26 § 676-k. Consumer's private right of action. 1. A consumer who has
27 suffered a violation of this article may bring a lawsuit against the
28 business that committed such violation. A violation of this article
29 shall be deemed to constitute an injury in fact to the consumer who has
30 suffered such violation, and the consumer need not suffer monetary or
31 property loss as a result of such violation in order to bring an action
32 for a violation of this article.
33 2. A consumer who prevails in such an action shall obtain the follow-
34 ing remedies:
35 (a) damages in an amount not to exceed seven hundred fifty dollars per
36 consumer per violation or actual damages, whichever is greater;
37 (b) injunctive or declaratory relief, as the court deems proper;
38 (c) reasonable attorney fees and costs; and
39 (d) any other relief the court deems proper.
40 3. In assessing the amount of statutory damages, the court shall
41 consider any one or more of the relevant circumstances presented by any
42 of the parties to the case, including, but not limited to, the nature
43 and seriousness of the misconduct, the number of violations, the
44 persistence of the misconduct, the length of time over which the miscon-
45 duct occurred, the willfulness of the defendant's misconduct, and the
46 defendant's assets, liabilities, and net worth.
47 4. A consumer bringing an action pursuant to this section shall notify
48 the attorney general within thirty days of the filing of such action.
49 § 676-l. Agency enforcement action. 1. The attorney general, county
50 district attorney, or city corporation counsel having proper jurisdic-
51 tion may bring a civil action in the name of the people of the state of
52 New York against any person, business, or service provider who violates
53 any provision of this article.
54 2. Any person, business, or service provider who violates the
55 provisions of this article may be liable for a civil penalty of up to
56 seven thousand five hundred dollars for each intentional violation and
A. 7736 14
1 of up to two thousand five hundred dollars for each unintentional
2 violation.
3 § 676-m. Construction. This article is intended to further the consti-
4 tutional right of privacy and to supplement existing laws relating to
5 consumers' personal information. The provisions of this article are not
6 limited to information collected electronically or over the internet,
7 but shall apply to the collection and sale of all personal information
8 collected by a business from consumers. Wherever possible, law relating
9 to consumers' personal information should be construed to harmonize with
10 the provisions of this article, but in the event of a conflict between
11 other laws and the provisions of this article, the provisions of the law
12 that afford the greatest protection for the right of privacy for consum-
13 ers shall control.
14 § 676-n. Attorney general regulations. 1. Within one year of the
15 effective date of this article, the attorney general shall adopt regu-
16 lations to further the purposes of this article, including, but not
17 limited to:
18 (a) detailing as needed the types of information that are personal
19 information in technology, data collection practices, obstacles to
20 implementation, and privacy concerns;
21 (b) establishing any exceptions necessary to comply with state or
22 federal law, including, but not limited to, those relating to trade
23 secrets and intellectual property rights;
24 (c) facilitating and governing the submission of a request by a
25 consumer to opt out of the sale of personal information pursuant to
26 section six hundred seventy-six-f of this article;
27 (d) governing business compliance with a consumer's opt-out request;
28 (e) developing a recognizable and uniform opt-out logo or button by
29 all businesses to promote consumer awareness of the opportunity to opt-
30 out of the sale of personal information;
31 (f) adjusting the monetary threshold in clause one of subparagraph (i)
32 of paragraph (c) of subdivision one of section six hundred seventy-six
33 of this article in January of every odd-numbered year to reflect any
34 increase in the consumer price index;
35 (g) establishing rules, procedures, and any exceptions necessary to
36 ensure that the notices and information that businesses are required to
37 provide pursuant to this article are provided in a manner that may be
38 easily understood by the average consumer, are accessible to consumers
39 with disabilities, and are available in the language primarily used to
40 interact with the consumer, including establishing rules and guidelines
41 regarding financial incentive offerings; and
42 (h) establishing rules and procedures to further the purposes of
43 sections six hundred seventy-six-d and six hundred seventy-six-e of this
44 article and to facilitate a consumer's or the consumer's authorized
45 agent's ability to obtain information pursuant to section six hundred
46 seventy-six-i of this article, with the goal of minimizing the adminis-
47 trative burden on consumers, taking into account available technology,
48 security concerns, and the burden on the business, to govern a business'
49 determination that a request for information received by a consumer is a
50 verifiable consumer request, including treating a request submitted
51 through a password-protected account maintained by the consumer with the
52 business while the consumer is logged into the account as a verifiable
53 consumer request and providing a mechanism for a consumer who does not
54 maintain an account with the business to request information through the
55 business' authentication of the consumer's identity.
A. 7736 15
1 2. The attorney general may update the foregoing regulations, and
2 adopt additional regulations, as necessary to further the purposes of
3 this article.
4 3. Before adopting any regulations, the attorney general shall solicit
5 broad public participation concerning those regulations.
6 § 676-o. Intermediate transactions. If a series of steps or trans-
7 actions were component parts of a single transaction intended from the
8 beginning to be taken with the intention of avoiding the reach of this
9 article, a court shall disregard the intermediate steps or transactions
10 for purposes of effectuating the purposes of this article.
11 § 676-p. Non-waiver. Any provision of a contract or agreement of any
12 kind that purports to waive or limit in any way a consumer's rights
13 under this article, including, but not limited to, any right to a remedy
14 or means of enforcement, shall be deemed contrary to public policy and
15 shall be void and unenforceable. This section shall not prevent a
16 consumer from declining to request information from a business, declin-
17 ing to opt out of a business' sale of the consumer's personal informa-
18 tion, or authorizing a business to sell the consumer's personal informa-
19 tion after previously opting out.
20 § 676-q. Severability. If any provision of this article or the appli-
21 cation thereof to any person, business, service provider, or circum-
22 stances is held invalid, such invalidity shall not affect other
23 provisions or applications of this article which can be given effect
24 without the invalid provision or application, and to this end the
25 provisions of this article are declared to be severable.
26 § 5. This act shall take effect one year after it shall have become a
27 law.
