Amd Art 39-F Art Head, add §899-cc, Gen Bus L; add §99-m, St Fin L
 
Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
STATE OF NEW YORK
________________________________________________________________________
3162
2023-2024 Regular Sessions
IN SENATE
January 30, 2023
___________
Introduced by Sen. HOYLMAN-SIGAL -- read twice and ordered printed, and
when printed to be committed to the Committee on Consumer Protection
AN ACT to amend the general business law and the state finance law, in
relation to allowing consumers the right to request from businesses
the categories of personal information the business has sold or
disclosed to third parties
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The article heading of article 39-F of the general business
2 law, as amended by chapter 117 of the laws of 2019, is amended to read
3 as follows:
4 [NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND CONTROL
5 OF PRIVATE AND PERSONAL INFORMATION; DATA SECURITY
6 PROTECTIONS
7 § 2. The general business law is amended by adding a new section 899-
8 cc to read as follows:
9 § 899-cc. Consumer control of personal information. 1. For purposes of
10 this section, the following definitions shall apply:
11 (a) "Biometric data" means an individual's physiological, biological
12 or behavioral characteristics, including an individual's deoxyribonu-
13 cleic acid that can be used, singly or in combination with each other or
14 with other identifying data to establish individual identity. Biometric
15 data includes but is not limited to imagery of the iris, retina, finger-
16 print, face, hand, palm, vein patterns, and voice recordings, from which
17 an identifier template, such as a faceprint, a minutiae template, or a
18 voiceprint, can be extracted, and keystroke patterns or rhythms, gait
19 patterns or rhythms, and sleep, health, or exercise data that contain
20 identifying information.
21 (b) "Business" means:
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD07607-01-3
S. 3162 2
1 (1) a sole-proprietorship, partnership, limited-liability company,
2 corporation, association, or other legal entity that is organized or
3 operated for the profit or financial benefit of its shareholders or
4 other owners, that collects consumers' personal information, that does
5 business in the state, and that satisfies one or more of the following
6 thresholds: (A) has annual gross revenues in excess of fifty million
7 dollars, as adjusted pursuant to subparagraph five of paragraph (a) of
8 subdivision fifteen of this section; or (B) annually sells, alone or in
9 combination, the personal information of one hundred thousand or more
10 consumers or devices; or (C) derives fifty percent or more of its annual
11 revenues from selling consumers' personal information; and
12 (2) any entity that controls or is controlled by a business, as
13 defined in paragraph one of this subdivision, and that shares common
14 branding with the business. "Control" or "controlled" means ownership
15 of, or the power to vote, more than fifty percent of the outstanding
16 shares of any class of voting security of a business; control in any
17 manner over the election of a majority of the directors, or of individ-
18 uals exercising similar functions; or the power to exercise, directly or
19 indirectly, a controlling influence over the management or policies of a
20 company. "Common branding" means a shared name, servicemark, or trade-
21 mark.
22 (c) "Business purpose" means the use of personal information for the
23 business's operational purposes, provided that the use of personal
24 information shall be reasonably necessary and proportionate to achieve
25 the operational purpose for which it is specifically permitted. Unrea-
26 sonable or disproportionate use shall not be considered a "business
27 purpose". Business purposes are:
28 (1) Auditing related to a current interaction with the consumer and
29 concurrent transactions, including but not limited to, counting ad
30 impressions to unique visitors, verifying positioning and quality of ad
31 impressions and auditing compliance with this specification and other
32 standards;
33 (2) Detecting security incidents, protecting against malicious, decep-
34 tive, fraudulent, or illegal activity, and prosecuting those responsible
35 for such activity;
36 (3) Debugging to identify and repair errors that impair existing
37 intended functionality;
38 (4) Short-term, transient use, provided the personal information is
39 not disclosed to another person and is not used to build a profile about
40 a consumer or otherwise alter an individual consumer's experience
41 outside the current interaction, including but not limited to, the
42 contextual customization of ads shown as part of the same interaction;
43 and
44 (5) Performing services on behalf of the business, including maintain-
45 ing or servicing accounts, providing customer service, processing or
46 fulfilling orders and transactions, verifying customer information,
47 processing payments, providing financing, providing advertising or
48 marketing services, providing analytical services, or providing similar
49 services on behalf of the business.
50 (d) "Clear and conspicuous" means (1) in a color that contrasts with
51 the background color or is otherwise distinguishable; (2) written in
52 larger type than the surrounding text and in a fashion that calls atten-
53 tion to the language; and (3) prominently displayed so that a reasonable
54 viewer would be able to notice, read, and understand it.
55 (e) "Commercial purposes" means to advance a person's commercial or
56 economic interests, such as by inducing another person to buy, rent,
S. 3162 3
1 lease, join, subscribe to, provide, or exchange products, goods, proper-
2 ty, information, or services, or enabling or effecting, directly or
3 indirectly, a commercial transaction. "Commercial purposes" does not
4 include for the purpose of engaging in speech that state or federal
5 courts have recognized as non-commercial speech, including political
6 speech and journalism.
7 (f) "Collects", "collected" or "collection" means buying, renting,
8 gathering, obtaining, storing, using, monitoring, accessing, or making
9 inferences based upon, any personal information pertaining to a consumer
10 by any means.
11 (g) "Consumer" means a natural person who is a resident of the state.
12 (h) "De-identified" means information that cannot reasonably identify,
13 relate to, describe, reference, be capable of being associated with, or
14 be linked, directly or indirectly, to a particular consumer or device,
15 provided that a business that uses de-identified information: (1) has
16 implemented technical safeguards that prohibit re-identification of the
17 consumer or consumers to whom the information may pertain; (2) has
18 implemented business processes that specifically prohibit re-identifica-
19 tion of the information; (3) has implemented business processes to
20 prevent inadvertent release of de-identified information; and (4) makes
21 no attempt to re-identify the information.
22 (i) "Designated methods for submitting requests" means a mailing
23 address, e-mail address, web page, web portal, toll-free telephone
24 number, or other applicable contact information, whereby consumers may
25 submit a request or direction under this section. If the consumer does
26 not maintain an account with the business, the business shall provide an
27 opportunity for the consumer to designate whether the consumer wishes to
28 receive the information required to be disclosed pursuant to subdivi-
29 sions two and three of this section by mail or electronically, at the
30 consumer's option.
31 (j) "Homepage" means the introductory page of a website and any
32 webpage where personal information is collected. In the case of an
33 online service, such as a mobile application, homepage means the appli-
34 cation's platform page, a link within the application, such as from the
35 application configuration, "about", "information", or settings page, and
36 any other location that allows consumers to review the notice required
37 by paragraph (a) of subdivision seven of this section, including but not
38 limited to, before downloading the application.
39 (k) "Infer" or "inference" means the derivation of information, data,
40 assumptions, or conclusions from facts, evidence, or another source of
41 information or data.
42 (l) "Person" means an individual, proprietorship, firm, partnership,
43 joint venture, syndicate, business trust, company, corporation, limited
44 liability company, association, committee, and any other organization or
45 group of persons acting in concert.
46 (m) (1)"Personal information" means information that identifies,
47 relates to, describes, references, is capable of being associated with,
48 or could reasonably be linked, directly or indirectly, with a particular
49 consumer or device, including, but not limited to:
50 (A) any information that identifies, relates to, describes, or is
51 capable of being associated with, a particular individual, including,
52 but not limited to, his or her name, alias, signature, social security
53 number, physical characteristics or description, address, electronic
54 mail address, internet protocol address, unique identifier, account
55 name, telephone number, passport number, driver's license or state iden-
56 tification card number, insurance policy number, education, employment,
S. 3162 4
1 employment history, bank account number, credit card number, debit card
2 number, or any other financial information, medical information, or
3 health insurance information;
4 (B) characteristics of protected classifications under state or feder-
5 al law;
6 (C) commercial information, including records of property, products or
7 services provided, obtained, or considered, or other purchasing or
8 consuming histories or tendencies;
9 (D) biometric data;
10 (E) internet or other electronic network activity information, includ-
11 ing but not limited to, browsing history, search history, and informa-
12 tion regarding a consumer's interaction with a website, application, or
13 advertisement;
14 (F) geolocation data;
15 (G) audio, electronic, visual, thermal, olfactory, or similar informa-
16 tion;
17 (H) psychometric information;
18 (I) professional or employment-related information;
19 (J) inferences drawn from any of the information identified above; and
20 (K) any of the categories of information set forth in this subdivision
21 as they pertain to the minor children of the consumer.
22 (2) "Personal information" does not include information that is
23 publicly available or that is de-identified.
24 (n) "Probabilistic identifier" means the identification of a consumer
25 or a device to a degree of certainty of more probable than not based on
26 any categories of personal information included in, or similar to, the
27 categories enumerated in subparagraph one of paragraph (m) of this
28 subdivision.
29 (o) "Psychometric information" means information derived or created
30 from the use or application of psychometric theory or psychometrics,
31 whereby through the use of any method, model, tool, or formula, observa-
32 ble phenomena, such as actions or events, are connected, measured,
33 assessed, or related to a consumer's attributes, including, but not
34 limited to, psychological trends, preferences, predispositions, behav-
35 ior, attitudes, intelligence, abilities, and aptitudes.
36 (p) "Publicly available" means information that is lawfully made
37 available from federal, state, or local government records. "Publicly
38 available" does not mean biometric information collected by a business
39 about a consumer without the consumer's knowledge.
40 (q)(1) "Sell", "selling", "sale" or "sold" means: (A) selling, rent-
41 ing, releasing, disclosing, disseminating, making available, trans-
42 ferring, or otherwise communicating orally, in writing, or by electronic
43 or other means, a consumer's personal information by the business to a
44 third party for valuable consideration; or (B) sharing orally, in writ-
45 ing, or by electronic or other means, a consumer's personal information
46 with a third party, whether for valuable consideration or for no consid-
47 eration, for the third party's commercial purposes.
48 (2) For purposes of this section, a business does not sell personal
49 information when:
50 (A) A consumer uses the business: (i) to intentionally disclose
51 personal information, or (ii) to intentionally interact with a third
52 party. An intentional interaction occurs when the consumer intends to
53 interact with the third party via one or more deliberate interactions.
54 Hovering over, muting, pausing, or closing a given piece of content does
55 not constitute a consumer's intent to interact with a third party; or
S. 3162 5
1 (B) The business uses an identifier for a consumer who has opted out
2 of the sale of the consumer's personal information for the purposes of
3 alerting third parties that the consumer has opted out of the sale of
4 the consumer's personal information.
5 (r) "Service" or "services" means work, labor, and services, including
6 services furnished in connection with the sale or repair of goods.
7 (s) "Third party" means any person who is not:
8 (1) The business that collects personal information from consumers
9 under this section; or
10 (2) A person to whom the business discloses a consumer's personal
11 information for a business purpose pursuant to a written contract,
12 provided that the contract:
13 (A) Prohibits the person receiving the personal information from: (i)
14 selling the personal information; (ii) retaining, using, or disclosing
15 the personal information for any purpose other than for the specific
16 purpose of performing the services specified in the contract, including
17 retaining, using, or disclosing the personal information for a commer-
18 cial purpose other than providing the services specified in the
19 contract; and (iii) retaining, using, or disclosing the information
20 outside of the direct business relationship between the person and the
21 business; and
22 (B) Includes a certification made by the person receiving the personal
23 information that the person understands the restrictions in clause (A)
24 of this subparagraph and will comply with them. A person covered by this
25 subparagraph that violates any of the restrictions set forth in this
26 section shall be liable for such violations under this section. A busi-
27 ness that discloses personal information to a person covered by this
28 subparagraph in compliance with such subparagraph shall not be liable
29 under this section if the person receiving the personal information uses
30 it in violation of the restrictions set forth in this section, provided
31 that, at the time of disclosing the personal information, the business
32 does not have actual knowledge, or reason to believe, that the person
33 intends to commit such a violation.
34 (t) "Unique identifier" means a persistent identifier that can be used
35 to recognize a consumer or a device over time and across different
36 services, including but not limited to, a device identifier; internet
37 protocol address; cookies, beacons, pixel tags, mobile ad identifiers,
38 or similar technology; customer number, unique pseudonym, or user alias;
39 and telephone numbers, or other forms of persistent or probabilistic
40 identifiers that can be used to identify a particular consumer or
41 device.
42 (u) "Verifiable request" means a request that: (1) is made by a
43 consumer, by a consumer on behalf of the consumer's minor child, or by a
44 person authorized by the consumer to act on the consumer's behalf; and
45 (2) the business has verified, pursuant to regulations adopted by the
46 attorney general pursuant to subparagraph seven of paragraph (a) of
47 subdivision fifteen of this section, to be the consumer about whom the
48 business has collected personal information. A business is not obligated
49 to provide information to the consumer pursuant to subdivisions two and
50 three of this section if the business cannot verify, pursuant to this
51 subdivision and regulations adopted by the attorney general pursuant to
52 subparagraph seven of paragraph (a) of subdivision fifteen of this
53 section, that the consumer making the request is the consumer about whom
54 the business has collected information.
55 2. (a) A consumer shall have the right to request that a business that
56 collects personal information about the consumer disclose to the consum-
S. 3162 6
1 er the categories of personal information it has collected about that
2 consumer.
3 (b) A business that collects personal information about a consumer
4 shall disclose to the consumer, pursuant to subparagraph three of para-
5 graph (a) of subdivision six of this section, the information specified
6 in paragraph (a) of subdivision one of this section upon receipt of a
7 verifiable request from the consumer.
8 (c) A business that collects personal information about consumers
9 shall disclose, pursuant to clause (B) of subparagraph five of paragraph
10 (a) of subdivision six of this section, the categories of personal
11 information it has collected about consumers.
12 3. (a) A consumer shall have the right to request that a business that
13 sells the consumer's personal information, or that discloses it for a
14 business purpose, disclose to that consumer: (1) the categories of
15 personal information that the business sold about the consumer and the
16 identity of the third parties to whom such personal information was
17 sold, by category or categories of personal information for each third
18 party to whom such personal information was sold; and (2) the categories
19 of personal information that the business disclosed about the consumer
20 for a business purpose and the identity of the persons to whom such
21 personal information was disclosed for a business purpose, by category
22 or categories of personal information for each person to whom such
23 personal information was disclosed for a business purpose.
24 (b) A business that sells personal information about a consumer, or
25 that discloses a consumer's personal information for a business purpose,
26 shall disclose, pursuant to subparagraph four of paragraph (a) of subdi-
27 vision six of this section, the information specified in paragraph (a)
28 of this subdivision to the consumer upon receipt of a verifiable request
29 from the consumer.
30 (c) A business that sells consumers' personal information, or that
31 discloses consumers' personal information for a business purpose, shall
32 disclose, pursuant to clause (C) of subparagraph five of paragraph (a)
33 of subdivision six of this section: (1) the category or categories of
34 consumers' personal information it has sold; or if the business has not
35 sold consumers' personal information, it shall disclose that fact; and
36 (2) the category or categories of consumers' personal information it has
37 disclosed for a business purpose; or if the business has not disclosed
38 consumers' personal information for a business purpose, it shall
39 disclose that fact.
40 4. (a) A consumer shall have the right, at any time, to direct a busi-
41 ness that sells personal information about the consumer not to sell the
42 consumer's personal information. This right may be referred to as the
43 right to opt out.
44 (b) Notwithstanding paragraph (a) of this subdivision, a business
45 shall not sell the personal information of consumers if the business has
46 actual knowledge, or willfully disregards, that the consumer is less
47 than sixteen years of age, unless the consumer, in the case of consumers
48 thirteen, fourteen and fifteen years of age, or the consumer's parent or
49 guardian, in the case of consumers who are less than thirteen years of
50 age, has affirmatively authorized the sale of the consumer's personal
51 information. This right may be referred to as the right to opt in.
52 (c) A business that sells consumers' personal information shall
53 provide notice to consumers, pursuant to paragraph (a) of subdivision
54 seven of this section, that such information may be sold and that
55 consumers have the right to opt out of the sale of their personal infor-
56 mation.
S. 3162 7
1 (d) A business that has received direction from a consumer not to sell
2 the consumer's personal information, or, in the case of a minor consum-
3 er's personal information, has not received consent to sell the minor
4 consumer's personal information, shall be prohibited, pursuant to
5 subparagraph four of paragraph (a) of subdivision seven of this section,
6 from selling the consumer's personal information after its receipt of
7 the consumer's direction, unless the consumer subsequently provides
8 express authorization for the sale of the consumer's personal informa-
9 tion.
10 5. A business shall be prohibited from discriminating against a
11 consumer because the consumer requested information pursuant to subdivi-
12 sions two and three of this section, or because the consumer directed
13 the business not to sell the consumer's personal information pursuant to
14 subdivision four of this section, or because the consumer otherwise
15 exercised rights under this title, or exercised the consumer's rights to
16 enforce this section, including but not limited to, by: (a) denying
17 goods or services to the consumer; (b) charging different prices or
18 rates for goods or services, including through the use of discounts or
19 other benefits or imposing penalties; (c) providing a different level or
20 quality of goods or services to the consumer; or (d) suggesting that the
21 consumer will receive a different price or rate for goods or services,
22 or a different level or quality of goods or services, if the consumer
23 exercises the consumer's rights under this section.
24 6. (a) In order to comply with subdivisions two, three and five of
25 this section, a business shall:
26 (1) Make available to consumers two or more designated methods for
27 submitting requests for information required to be disclosed pursuant to
28 subdivisions two and three of this section, including, at a minimum, a
29 toll-free telephone number, and if the business maintains a website, a
30 website address.
31 (2) Disclose and deliver the required information to a consumer free
32 of charge within forty-five days of receiving a verifiable request from
33 the consumer. The business shall promptly take steps to determine wheth-
34 er the request is a verifiable request, but this shall not extend the
35 business's duty to disclose and deliver the information within forty-
36 five days of receipt of the consumer's request. The disclosure shall
37 cover the twelve-month period preceding the business's receipt of the
38 verifiable request and shall be made in writing and delivered through
39 the consumer's account with the business, if the consumer maintains an
40 account with the business, or by mail or electronically at the consum-
41 er's option if the consumer does not maintain an account with the busi-
42 ness. The business shall not require the consumer to create an account
43 with the business in order to make a verifiable request.
44 (3) For purposes of paragraph (b) of subdivision two of this section:
45 (A) identify the consumer, associate the information provided by the
46 consumer in the verifiable request to any personal information previous-
47 ly collected by the business about the consumer; and (B) identify by
48 category or categories the personal information collected about the
49 consumer in the preceding twelve months by reference to the enumerated
50 category or categories in paragraph (c) of this subdivision that most
51 closely describes the personal information collected.
52 (4) For purposes of paragraph (b) of subdivision three of this
53 section: (A) identify the consumer, associate the information provided
54 by the consumer in the verifiable request to any personal information
55 previously collected by the business about the consumer; (B) identify by
56 category or categories the personal information of the consumer that the
S. 3162 8
1 business sold in the preceding twelve months by reference to the enumer-
2 ated category or categories in paragraph (c) of this subdivision that
3 most closely describes the personal information, and provide accurate
4 names and contact information for the third parties to whom the consum-
5 er's personal information was sold in the preceding twelve months by
6 reference to the enumerated category or categories in paragraph (c) of
7 this subdivision that most closely describes the personal information
8 sold for each third party; and (C) identify by category or categories
9 the personal information of the consumer that the business disclosed for
10 a business purpose in the preceding twelve months by reference to the
11 enumerated category or categories in paragraph (c) of this subdivision
12 that most closely describes the personal information, and provide accu-
13 rate names and contact information for the persons to whom the consum-
14 er's personal information was disclosed for a business purpose in the
15 preceding twelve months by reference to the enumerated category or cate-
16 gories in paragraph (c) of this subdivision of this section that most
17 closely describes the personal information disclosed for each person.
18 The business shall disclose the information required by clauses (B) and
19 (C) of this subparagraph in two separate lists.
20 (5) Disclose the following information in its online privacy policy or
21 policies if the business has an online privacy policy or policies and in
22 any New York-specific description of consumers' privacy rights, or if
23 the business does not maintain such policies, on its website, and update
24 such information at least once every twelve months:
25 (A) A description of a consumer's rights pursuant to subdivisions two,
26 three and five of this section, and one or more designated methods for
27 submitting requests;
28 (B) For purposes of paragraph (c) of subdivision two of this section,
29 a list of the categories of personal information it has collected about
30 consumers in the preceding twelve months by reference to the enumerated
31 category or categories in paragraph (c) of this subdivision that most
32 closely describes the personal information collected; and
33 (C) For purposes of subparagraphs one and two of paragraph (c) of
34 subdivision three of this section, two separate lists: (i) a list of the
35 categories of personal information it has sold about consumers in the
36 preceding twelve months by reference to the enumerated category or cate-
37 gories in paragraph (c) of this subdivision that most closely describes
38 the personal information sold, or if the business has not sold consum-
39 ers' personal information in the preceding twelve months, the business
40 shall disclose that fact; and (ii) a list of the categories of personal
41 information it has disclosed about consumers for a business purpose in
42 the preceding twelve months by reference to the enumerated category or
43 categories in paragraph (c) of this subdivision that most closely
44 describes the personal information disclosed, or if the business has not
45 disclosed consumers' personal information for a business purpose in the
46 preceding twelve months, the business shall disclose that fact.
47 (6) Ensure that all individuals responsible for handling consumer
48 inquiries about the business's privacy practices or the business's
49 compliance with this section are informed of all requirements in this
50 subdivision, as well as in subdivisions two, three and five of this
51 section, and how to direct consumers to exercise their rights under
52 those sections; and
53 (7) Use any personal information collected from the consumer in
54 connection with the business's verification of the consumer's request
55 solely for the purposes of verification.
S. 3162 9
1 (b) A business is not obligated to provide the information required by
2 subdivisions two and three of this section to the same consumer more
3 than once in a twelve-month period.
4 (c) The categories of personal information required to be disclosed
5 pursuant to subdivisions two and three of this section are all of the
6 following:
7 (1) Identifiers such as a real name, alias, postal address, unique
8 identifier, internet protocol address, electronic mail address, account
9 name, social security number, driver's license number, passport number,
10 or other similar identifiers;
11 (2) All categories of personal information enumerated in paragraph (a)
12 of subdivision one of this section;
13 (3) All categories of personal information relating to characteristics
14 of protected classifications under state or federal law, with specific
15 reference to the category of information that has been collected, such
16 as race, ethnicity, or gender;
17 (4) Commercial information, including records of property, products or
18 services provided, obtained, or considered, or other purchasing or
19 consuming histories or tendencies;
20 (5) Biometric data;
21 (6) Internet or other electronic network activity information, includ-
22 ing but not limited to, browsing history, search history, and informa-
23 tion regarding a consumer's interaction with a website, application, or
24 advertisement;
25 (7) Geolocation data;
26 (8) Audio, electronic, visual, thermal, olfactory, or similar informa-
27 tion;
28 (9) Psychometric information;
29 (10) Professional or employment-related information;
30 (11) Inferences drawn from any of the information identified above;
31 and
32 (12) Any of the categories of information set forth in this paragraph
33 as they pertain to the minor children of the consumer.
34 7. (a) A business that is required to comply with subdivision four of
35 this section shall:
36 (1) Provide a clear and conspicuous link on the business's homepage,
37 titled "Do Not Sell My Personal Information", to a webpage that enables
38 a consumer, or a person authorized by the consumer, to opt out of the
39 sale of the consumer's personal information. A business shall not
40 require a consumer to create an account in order to direct the business
41 not to sell the consumer's personal information;
42 (2) Include a description of a consumer's rights pursuant to subdivi-
43 sion four of this section, along with a separate link to the "Do Not
44 Sell My Personal Information" webpage in: (A) its online privacy policy
45 or policies if the business has an online privacy policy or policies,
46 and (B) any state specific description of consumers' privacy rights;
47 (3) Ensure that all individuals responsible for handling consumer
48 inquiries about the business's privacy practices or the business's
49 compliance with this section are informed of all requirements in this
50 subdivision as well as subdivision four of this section, and how to
51 direct consumers to exercise their rights under those sections;
52 (4) For consumers who exercise their right to opt out of the sale of
53 their personal information, refrain from selling personal information
54 collected by the business about the consumer;
55 (5) For a consumer who has opted out of the sale of the consumer's
56 personal information, respect the consumer's decision to opt out for at
S. 3162 10
1 least twelve months before requesting that the consumer authorize the
2 sale of the consumer's personal information; and
3 (6) Use any personal information collected from the consumer in
4 connection with the submission of the consumer's opt out request solely
5 for the purposes of complying with the opt out request.
6 (b) A consumer may authorize another person to opt out on the consum-
7 er's behalf, and a business shall comply with an opt out request
8 received from a person authorized by the consumer to act on the consum-
9 er's behalf.
10 8. (a) The obligations imposed on businesses by subdivisions two and
11 seven of this section shall not restrict a business's ability to:
12 (1) comply with federal, state, or local laws;
13 (2) comply with a civil, criminal, or regulatory investigation or
14 subpoena or summons by federal, state, or local authorities;
15 (3) cooperate with law enforcement agencies concerning conduct or
16 activity that the business reasonably and in good faith believes may
17 violate federal, state, or local law; or
18 (4) collect and sell a consumer's personal information if every aspect
19 of such commercial conduct takes place wholly outside of the state. For
20 purposes of this section, commercial conduct takes place wholly outside
21 of the state if the business collected such information while the
22 consumer was outside of the state, no part of the sale of the consumer's
23 personal information occurred in the state, and no personal information
24 collected while the consumer was in the state is sold.
25 (b) The obligations imposed on businesses by subdivisions two and
26 seven of this section shall not apply where compliance by the business
27 with this section would violate an evidentiary privilege under state law
28 and shall not prevent a business from providing the personal information
29 of a consumer to a person covered by an evidentiary privilege under
30 state law as part of a privileged communication.
31 (c) This section shall not apply to protected health information that
32 is collected by a covered entity governed by the medical privacy and
33 security rules issued by the Federal Department of Health and Human
34 Services, Parts 160 and 164 of Title 45 of the Code of Federal Regu-
35 lations, established pursuant to the Health Insurance Portability and
36 Availability Act of 1996 (HIPAA). For purposes of this subdivision, the
37 definitions of "protected health information" and "covered entity" from
38 the federal privacy rule shall apply.
39 (d) This section shall not apply to the sale of personal information
40 to or from a consumer reporting agency if that information is to be
41 reported in, or used to generate, a consumer report as defined by subdi-
42 vision (d) of Section 1681(a) of Title 15 of the United States Code, and
43 use of that information is limited by the federal Fair Credit Reporting
44 Act, 15 U.S.C. § 1681, et seq.
45 9. (a) A consumer who has suffered a violation of this section may
46 bring an action for statutory damages. A violation of this section shall
47 be deemed to constitute an injury in fact to the consumer who has
48 suffered the violation, and the consumer need not suffer a loss of money
49 or property as a result of the violation in order to bring an action for
50 a violation of this section.
51 (b)(1) Any consumer who suffers an injury in fact, as described in
52 paragraph (a) of this subdivision, shall recover statutory damages in
53 the amount of one thousand dollars or actual damages, whichever is
54 greater, for each violation from the business or person responsible for
55 the violation, except that in the case of a knowing and willful
56 violation by a business or person, an individual shall recover statutory
S. 3162 11
1 damages of not less than one thousand dollars and not more than three
2 thousand dollars, or actual damages, whichever is greater, for each
3 violation from the business or person responsible for the violation.
4 (2) In assessing the amount of statutory damages, the court shall
5 consider any one or more of the relevant circumstances presented by any
6 of the parties to the case, including, but not limited to, the follow-
7 ing: the nature and seriousness of the misconduct, the number of
8 violations, the persistence of the misconduct, the length of time over
9 which the misconduct occurred, the willfulness of the defendant's
10 misconduct, and the defendant's assets, liabilities, and net worth.
11 (c) Notwithstanding any other law, whenever a judgment, including any
12 consent judgment, decree, or settlement agreement, is approved by the
13 court in a class action based on a violation of this section, any cy
14 pres award, unpaid cash residue, or unclaimed or abandoned class member
15 funds attributable to a violation of this section shall be distributed
16 exclusively to one or more nonprofit organizations to support projects
17 that will benefit the class or similarly situated persons, further the
18 objectives and purposes of the underlying class action or cause of
19 action, or promote the law consistent with the objectives and purposes
20 of the underlying class action or cause of action, unless for good cause
21 shown the court makes a specific finding that an alternative distrib-
22 ution would better serve the public interest or the interests of the
23 class. If not specified in the judgment, the court shall set a date when
24 the parties shall submit a report to the court regarding a plan for the
25 distribution of any moneys pursuant to this subdivision.
26 (d) The remedies provided by this subdivision are cumulative to each
27 other and to the remedies or penalties available under all other laws of
28 the state.
29 10. (a) Any business or person that violates this section shall be
30 liable for a civil penalty in a civil action brought in the name of the
31 people of the state of New York by the attorney general.
32 (b) Notwithstanding any other law to the contrary, any person or busi-
33 ness that intentionally violates this section may be liable for a civil
34 penalty of up to seven thousand five hundred dollars for each violation.
35 (c) Notwithstanding any other law to the contrary, any civil penalty
36 assessed for a violation of this section, and the proceeds of any
37 settlement of an action brought pursuant to paragraph (a) of this subdi-
38 vision, shall be allocated as follows:
39 (1) twenty percent to the consumer privacy fund, created pursuant to
40 section ninety-nine-m of the state finance law, with the intent to fully
41 offset any costs incurred by the state courts and the attorney general
42 in connection with this section; and
43 (2) eighty percent to the jurisdiction on whose behalf the action
44 leading to the civil penalty was brought.
45 (d) The legislature shall adjust the percentages specified in para-
46 graph (c) of this subdivision and in subdivision eleven of this section,
47 as necessary to ensure that any civil penalties assessed for a violation
48 of this section fully offset any costs incurred by the state courts and
49 the attorney general in connection with this section, including a suffi-
50 cient amount to cover any deficit from a prior fiscal year. The legisla-
51 ture shall not direct a greater percentage of assessed civil penalties
52 to the consumer privacy fund than reasonably necessary to fully offset
53 any costs incurred by the state courts and the attorney general in
54 connection with this section.
55 11. (a) Any person who becomes aware, based on non-public information,
56 that a person or business has violated this section may file a civil
S. 3162 12
1 action for civil penalties pursuant to subdivision ten of this section,
2 if prior to filing such action, the person files with the attorney
3 general a written request for the attorney general to commence the
4 action. The request shall include a clear and concise statement of the
5 grounds for believing a cause of action exists. The person shall make
6 the non-public information available to the attorney general upon
7 request.
8 (1) If the attorney general files suit within ninety days from receipt
9 of the written request to commence the action, no other action may be
10 brought unless the action brought by the attorney general is dismissed
11 without prejudice.
12 (2) If the attorney general does not file suit within ninety days from
13 receipt of the written request to commence the action, the person
14 requesting the action may proceed to file a civil action.
15 (3) The time period within which a civil action shall be commenced
16 shall be tolled from the date of receipt by the attorney general of the
17 written request to either the date that the civil action is dismissed
18 without prejudice, or for one hundred fifty days, whichever is later,
19 but only for a civil action brought by the person who requested the
20 attorney general to commence the action.
21 (b) Notwithstanding paragraph (c) of subdivision ten of this section,
22 if a judgment is entered against the defendant or defendants in an
23 action brought pursuant to this subdivision, or the matter is settled,
24 amounts received as civil penalties or pursuant to a settlement of the
25 action shall be allocated as follows:
26 (1) If the action was brought by the attorney general upon a request
27 made by a person pursuant to paragraph (a) of this subdivision, the
28 person who made the request shall be entitled to fifteen percent of the
29 civil penalties, and the remaining proceeds shall be deposited in the
30 consumer privacy fund pursuant to section ninety-nine-m of the state
31 finance law.
32 (2) If the action was brought by the person who made the request
33 pursuant to paragraph (a) of this subdivision, that person shall receive
34 an amount the court determines is reasonable for collecting the civil
35 penalties on behalf of the government. The amount shall be not less than
36 twenty-five percent and not more than fifty percent of the proceeds of
37 the action and shall be paid out of the proceeds. The remaining proceeds
38 shall be deposited in the consumer privacy fund pursuant to section
39 ninety-nine-m of the state finance law.
40 (c) For purposes of this section, "non-public information" means
41 information that has not been disclosed in a criminal, civil, or admin-
42 istrative proceeding, in a government investigation, report, or audit,
43 or by the news media or other public source of information, and that was
44 not obtained in violation of the law.
45 12. A business that suffers a breach of the security of the system
46 involving consumers' personal information shall be deemed to have
47 violated this section and may be held liable for such violation or
48 violations under subdivisions nine, ten and eleven of this section, if
49 the business has failed to implement and maintain reasonable security
50 procedures and practices, appropriate to the nature of the information,
51 to protect the personal information from unauthorized disclosure.
52 13. This section is intended to further the constitutional right of
53 privacy and to supplement existing laws relating to consumers' personal
54 information. The provisions of this section are not limited to informa-
55 tion collected electronically or over the internet, but apply to the
56 collection and sale of all personal information collected by a business
S. 3162 13
1 from consumers. Wherever possible, existing law relating to consumers'
2 personal information should be construed to harmonize with the
3 provisions of this section, but in the event of conflict between exist-
4 ing law and the provisions of this section, the provisions of the law
5 that afford the greatest protection for the right of privacy for consum-
6 ers shall control.
7 14. Nothing in this section shall prevent a city, county, city and
8 county, municipality, or local agency from safeguarding the constitu-
9 tional right of privacy by imposing additional requirements on busi-
10 nesses regarding the collection and sale of consumers' personal informa-
11 tion by businesses provided that the requirement does not prevent a
12 person or business from complying with this section.
13 15. (a) The attorney general shall adopt regulations in the following
14 areas to further the purposes of this section:
15 (1) Adding additional categories to those enumerated in paragraph (c)
16 of subdivision six and paragraph (m) of subdivision one of this section
17 in order to address changes in technology, data collection practices,
18 obstacles to implementation, and privacy concerns. In addition, upon
19 receipt of a request made by a city attorney or district attorney to add
20 a new category or categories, the attorney general shall promulgate a
21 regulation to add such category or categories unless the attorney gener-
22 al concludes, based on factual or legal findings, that there is a
23 compelling reason not to add the category or categories. The attorney
24 general may also add additional categories to those enumerated in para-
25 graph (c) of subdivision six and paragraph (m) of subdivision one of
26 this section in response to a petition filed;
27 (2) Adding additional items to the definition of "unique identifiers"
28 to address changes in technology, data collection, obstacles to imple-
29 mentation, and privacy concerns, and additional categories to the defi-
30 nition of "designated methods for submitting requests" to facilitate a
31 consumer's ability to obtain information from a business pursuant to
32 subdivision six of this section;
33 (3) Establishing any exceptions necessary to comply with state or
34 federal law;
35 (4) Establishing rules and procedures: (A) to facilitate and govern
36 the submission of a request by a consumer, and by an authorized agent of
37 the consumer, to opt out of the sale of personal information pursuant to
38 subparagraph one of paragraph (a) of subdivision seven of this section;
39 (B) to govern a business's compliance with a consumer's opt out request;
40 and (C) for the development and use of a recognizable and uniform opt
41 out logo or button by all businesses to promote consumer awareness of
42 the opportunity to opt out of the sale of personal information;
43 (5) Adjusting the monetary threshold in clause (A) of subparagraph one
44 of paragraph (b) of subdivision one of this section in January of every
45 odd-numbered year to reflect any increase in the Consumer Price Index;
46 (6) Establishing rules, procedures, and any exceptions necessary to
47 ensure that the notices and information that businesses are required to
48 provide pursuant to this section are provided in a manner so as to be
49 easily understood by the average consumer, are accessible to consumers
50 with disabilities, and are available in the language primarily used to
51 interact with the consumer;
52 (7) Establishing rules and procedures to further the purposes of
53 subdivisions two and three of this section and to facilitate a consum-
54 er's or the consumer's authorized agent's ability to obtain information
55 pursuant to subdivision six of this section, with the goal of minimizing
56 the administrative burden on consumers, taking into account available
S. 3162 14
1 technology, security concerns, and the burden on the business, to govern
2 a business's determination that a request for information received by a
3 consumer is a verifiable request, including treating a request submitted
4 through a password protected account maintained by the consumer with the
5 business while the consumer is logged into the account as a verifiable
6 request and providing a mechanism for a consumer who does not maintain
7 an account with the business to request information through the busi-
8 ness's authentication of the consumer's identity;
9 (8) Defining the term "valuable consideration" as used in subparagraph
10 one of paragraph (q) of subdivision one of this section to ensure that a
11 business that discloses, except as permitted by this section, a consum-
12 er's personal information to a third party, including through a series
13 of transactions involving multiple third parties, in exchange for any
14 economic benefit is subject to this section, and to include business
15 practices involving the disclosure of personal information in exchange
16 for something of value. Valuable consideration does not include the
17 exchange of value in a transaction involving non-commercial speech, such
18 as journalism and political speech; and
19 (9) Further interpret the terms "de-identified", "sell", "third
20 party", and "business purpose" as set forth in subdivision one of this
21 section, to address changes in technology, data collection, obstacles to
22 implementation, and privacy concerns and to ensure compliance with the
23 purposes of this section, provided that such regulations do not reduce
24 consumer privacy or the ability of consumers to stop the sale of their
25 personal information.
26 (b) The attorney general shall be precluded from adopting regulations
27 that limit or reduce the number or scope of categories of personal
28 information enumerated in paragraph (c) of subdivision six and paragraph
29 (m) of subdivision one of this section, or that limit or reduce the
30 number or scope of categories added pursuant to subparagraph one of
31 paragraph (a) of this subdivision, except as necessary to comply with
32 subparagraph three of paragraph (a) of this subdivision. The attorney
33 general shall also be precluded from reducing the scope of the defi-
34 nition of "unique identifiers", except as necessary to comply with
35 subparagraph three of paragraph (a) of this subdivision.
36 (c) To the extent the attorney general determines that it is necessary
37 to adopt certain regulations in order to implement this section, the
38 attorney general shall adopt any such regulations within six months of
39 the date this section is adopted.
40 (d) The attorney general may adopt additional regulations as necessary
41 to further the purposes of this section.
42 16. If a series of steps or transactions were component parts of a
43 single transaction intended from the beginning to be taken with the
44 intention of avoiding the reach of this section, including the disclo-
45 sure of information by a business to a third party in order to avoid the
46 definition of "sell", a court shall disregard the intermediate steps or
47 transactions for purposes of effectuating the purposes of this section.
48 17. Any provision of a contract or agreement of any kind that purports
49 to waive or limit in any way a consumer's rights under this section,
50 including but not limited to any right to a remedy or means of enforce-
51 ment, shall be deemed contrary to public policy and shall be void and
52 unenforceable. This section shall not prevent a consumer from: declin-
53 ing to request information from a business; declining to opt out of a
54 business's sale of the consumer's personal information; or authorizing a
55 business to sell the consumer's personal information after previously
56 opting out.
S. 3162 15
1 18. If any provision of this section shall be adjudged by any court of
2 competent jurisdiction to be invalid, such judgment shall not affect,
3 impair or invalidate the remainder thereof, but shall be confined in its
4 operation to the provision directly involved in the controversy in which
5 such judgment shall have been rendered.
6 § 3. The state finance law is amended by adding a new section 99-m to
7 read as follows:
8 § 99-m. Consumer privacy fund. 1. There is hereby established in the
9 joint custody of the state comptroller and the commissioner of taxation
10 and finance an account within the general fund to be known as the
11 "consumer privacy fund".
12 2. Such account shall consist of all penalties received by the depart-
13 ment of state pursuant to section eight hundred ninety-nine-cc of the
14 general business law and any additional monies appropriated, credited or
15 transferred to such account by the legislature. Any interest earned by
16 the investment of monies in such account shall be added to such account,
17 become part of such account, and be used for the purposes of such
18 account.
19 3. Monies in the account shall be available to the office of court
20 administration and the attorney general to offset any costs incurred by
21 the state courts in connection with actions brought to enforce section
22 eight hundred ninety-nine-cc of the general business law and any costs
23 incurred by the attorney general in carrying out his or her duties under
24 such section of law.
25 4. Monies in the account shall be paid out of the account on the audit
26 and warrant of the state comptroller on vouchers certified or approved
27 by the office of court administration and/or the attorney general.
28 § 4. This act shall take effect on the one hundred eightieth day after
29 it shall have become a law. Effective immediately, the addition, amend-
30 ment and/or repeal of any rule or regulation necessary for the implemen-
31 tation of this act on its effective date are authorized to be made and
32 completed on or before such effective date.