S03162 Summary:

BILL NO: S03162

SAME AS: A04374

SPONSOR: HOYLMAN-SIGAL

COSPNSR: (none)

MLTSPNSR: (none)

Amd Art 39-F Art Head, add §899-cc, Gen Bus L; add §99-m, St Fin L
 
Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

S03162 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          3162
 
                               2023-2024 Regular Sessions
 
                    IN SENATE
 
                                    January 30, 2023
                                       ___________
 
        Introduced  by Sen. HOYLMAN-SIGAL -- read twice and ordered printed, and
          when printed to be committed to the Committee on Consumer Protection
 
        AN ACT to amend the general business law and the state finance  law,  in
          relation  to  allowing  consumers the right to request from businesses
          the categories of  personal  information  the  business  has  sold  or
          disclosed to third parties
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. The article heading of article 39-F of the general business
     2  law, as amended by chapter 117 of the laws of 2019, is amended  to  read
     3  as follows:
 
     4           [NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND CONTROL
     5             OF PRIVATE AND PERSONAL INFORMATION; DATA SECURITY
     6                                 PROTECTIONS
 
     7    §  2. The general business law is amended by adding a new section 899-
     8  cc to read as follows:
     9    § 899-cc. Consumer control of personal information. 1. For purposes of
    10  this section, the following definitions shall apply:
    11    (a) "Biometric data" means an individual's  physiological,  biological
    12  or  behavioral  characteristics,  including an individual's deoxyribonu-
    13  cleic acid that can be used, singly or in combination with each other or
    14  with other identifying data to establish individual identity.  Biometric
    15  data includes but is not limited to imagery of the iris, retina, finger-
    16  print, face, hand, palm, vein patterns, and voice recordings, from which
    17  an  identifier  template, such as a faceprint, a minutiae template, or a
    18  voiceprint, can be extracted, and keystroke patterns  or  rhythms,  gait
    19  patterns  or  rhythms,  and sleep, health, or exercise data that contain
    20  identifying information.
    21    (b) "Business" means:
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD07607-01-3

        S. 3162                             2
 
     1    (1) a  sole-proprietorship,  partnership,  limited-liability  company,
     2  corporation,  association,  or  other  legal entity that is organized or
     3  operated for the profit or financial  benefit  of  its  shareholders  or
     4  other  owners,  that collects consumers' personal information, that does
     5  business  in  the state, and that satisfies one or more of the following
     6  thresholds: (A) has annual gross revenues in  excess  of  fifty  million
     7  dollars,  as  adjusted pursuant to subparagraph five of paragraph (a) of
     8  subdivision fifteen of this section; or (B) annually sells, alone or  in
     9  combination,  the  personal  information of one hundred thousand or more
    10  consumers or devices; or (C) derives fifty percent or more of its annual
    11  revenues from selling consumers' personal information; and
    12    (2) any entity that controls  or  is  controlled  by  a  business,  as
    13  defined  in  paragraph  one  of this subdivision, and that shares common
    14  branding with the business.  "Control" or "controlled"  means  ownership
    15  of,  or  the  power  to vote, more than fifty percent of the outstanding
    16  shares of any class of voting security of a  business;  control  in  any
    17  manner  over the election of a majority of the directors, or of individ-
    18  uals exercising similar functions; or the power to exercise, directly or
    19  indirectly, a controlling influence over the management or policies of a
    20  company.  "Common branding" means a shared name, servicemark, or  trade-
    21  mark.
    22    (c)  "Business  purpose" means the use of personal information for the
    23  business's operational purposes,  provided  that  the  use  of  personal
    24  information  shall  be reasonably necessary and proportionate to achieve
    25  the operational purpose for which it is specifically  permitted.  Unrea-
    26  sonable  or  disproportionate  use  shall  not be considered a "business
    27  purpose".  Business purposes are:
    28    (1) Auditing related to a current interaction with  the  consumer  and
    29  concurrent  transactions,  including  but  not  limited  to, counting ad
    30  impressions to unique visitors, verifying positioning and quality of  ad
    31  impressions  and  auditing  compliance with this specification and other
    32  standards;
    33    (2) Detecting security incidents, protecting against malicious, decep-
    34  tive, fraudulent, or illegal activity, and prosecuting those responsible
    35  for such activity;
    36    (3) Debugging to identify  and  repair  errors  that  impair  existing
    37  intended functionality;
    38    (4)  Short-term,  transient  use, provided the personal information is
    39  not disclosed to another person and is not used to build a profile about
    40  a consumer  or  otherwise  alter  an  individual  consumer's  experience
    41  outside  the  current  interaction,  including  but  not limited to, the
    42  contextual customization of ads shown as part of the  same  interaction;
    43  and
    44    (5) Performing services on behalf of the business, including maintain-
    45  ing  or  servicing  accounts,  providing customer service, processing or
    46  fulfilling orders  and  transactions,  verifying  customer  information,
    47  processing  payments,  providing  financing,  providing  advertising  or
    48  marketing services, providing analytical services, or providing  similar
    49  services on behalf of the business.
    50    (d)  "Clear  and conspicuous" means (1) in a color that contrasts with
    51  the background color or is otherwise  distinguishable;  (2)  written  in
    52  larger type than the surrounding text and in a fashion that calls atten-
    53  tion to the language; and (3) prominently displayed so that a reasonable
    54  viewer would be able to notice, read, and understand it.
    55    (e)  "Commercial  purposes"  means to advance a person's commercial or
    56  economic interests, such as by inducing another  person  to  buy,  rent,

        S. 3162                             3
 
     1  lease, join, subscribe to, provide, or exchange products, goods, proper-
     2  ty,  information,  or  services,  or  enabling or effecting, directly or
     3  indirectly, a commercial transaction.  "Commercial  purposes"  does  not
     4  include  for  the  purpose  of  engaging in speech that state or federal
     5  courts have recognized as  non-commercial  speech,  including  political
     6  speech and journalism.
     7    (f)  "Collects",  "collected"  or  "collection" means buying, renting,
     8  gathering, obtaining, storing, using, monitoring, accessing,  or  making
     9  inferences based upon, any personal information pertaining to a consumer
    10  by any means.
    11    (g) "Consumer" means a natural person who is a resident of the state.
    12    (h) "De-identified" means information that cannot reasonably identify,
    13  relate  to, describe, reference, be capable of being associated with, or
    14  be linked, directly or indirectly, to a particular consumer  or  device,
    15  provided  that  a  business that uses de-identified information: (1) has
    16  implemented technical safeguards that prohibit re-identification of  the
    17  consumer  or  consumers  to  whom  the  information may pertain; (2) has
    18  implemented business processes that specifically prohibit re-identifica-
    19  tion of the information;  (3)  has  implemented  business  processes  to
    20  prevent  inadvertent release of de-identified information; and (4) makes
    21  no attempt to re-identify the information.
    22    (i) "Designated methods  for  submitting  requests"  means  a  mailing
    23  address,  e-mail  address,  web  page,  web  portal, toll-free telephone
    24  number, or other applicable contact information, whereby  consumers  may
    25  submit  a  request or direction under this section. If the consumer does
    26  not maintain an account with the business, the business shall provide an
    27  opportunity for the consumer to designate whether the consumer wishes to
    28  receive the information required to be disclosed  pursuant  to  subdivi-
    29  sions  two  and  three of this section by mail or electronically, at the
    30  consumer's option.
    31    (j) "Homepage" means the  introductory  page  of  a  website  and  any
    32  webpage  where  personal  information  is  collected.  In the case of an
    33  online service, such as a mobile application, homepage means the  appli-
    34  cation's  platform page, a link within the application, such as from the
    35  application configuration, "about", "information", or settings page, and
    36  any other location that allows consumers to review the  notice  required
    37  by paragraph (a) of subdivision seven of this section, including but not
    38  limited to, before downloading the application.
    39    (k)  "Infer" or "inference" means the derivation of information, data,
    40  assumptions, or conclusions from facts, evidence, or another  source  of
    41  information or data.
    42    (l)  "Person"  means an individual, proprietorship, firm, partnership,
    43  joint venture, syndicate, business trust, company, corporation,  limited
    44  liability company, association, committee, and any other organization or
    45  group of persons acting in concert.
    46    (m)  (1)"Personal  information"  means  information  that  identifies,
    47  relates to, describes, references, is capable of being associated  with,
    48  or could reasonably be linked, directly or indirectly, with a particular
    49  consumer or device, including, but not limited to:
    50    (A)  any  information  that  identifies,  relates to, describes, or is
    51  capable of being associated with, a  particular  individual,  including,
    52  but  not  limited to, his or her name, alias, signature, social security
    53  number, physical characteristics  or  description,  address,  electronic
    54  mail  address,  internet  protocol  address,  unique identifier, account
    55  name, telephone number, passport number, driver's license or state iden-
    56  tification card number, insurance policy number, education,  employment,

        S. 3162                             4
 
     1  employment  history, bank account number, credit card number, debit card
     2  number, or any other  financial  information,  medical  information,  or
     3  health insurance information;
     4    (B) characteristics of protected classifications under state or feder-
     5  al law;
     6    (C) commercial information, including records of property, products or
     7  services  provided,  obtained,  or  considered,  or  other purchasing or
     8  consuming histories or tendencies;
     9    (D) biometric data;
    10    (E) internet or other electronic network activity information, includ-
    11  ing but not limited to, browsing history, search history,  and  informa-
    12  tion  regarding a consumer's interaction with a website, application, or
    13  advertisement;
    14    (F) geolocation data;
    15    (G) audio, electronic, visual, thermal, olfactory, or similar informa-
    16  tion;
    17    (H) psychometric information;
    18    (I) professional or employment-related information;
    19    (J) inferences drawn from any of the information identified above; and
    20    (K) any of the categories of information set forth in this subdivision
    21  as they pertain to the minor children of the consumer.
    22    (2) "Personal  information"  does  not  include  information  that  is
    23  publicly available or that is de-identified.
    24    (n)  "Probabilistic identifier" means the identification of a consumer
    25  or a device to a degree of certainty of more probable than not based  on
    26  any  categories  of personal information included in, or similar to, the
    27  categories enumerated in subparagraph  one  of  paragraph  (m)  of  this
    28  subdivision.
    29    (o)  "Psychometric  information"  means information derived or created
    30  from the use or application of  psychometric  theory  or  psychometrics,
    31  whereby through the use of any method, model, tool, or formula, observa-
    32  ble  phenomena,  such  as  actions  or  events, are connected, measured,
    33  assessed, or related to a  consumer's  attributes,  including,  but  not
    34  limited  to,  psychological trends, preferences, predispositions, behav-
    35  ior, attitudes, intelligence, abilities, and aptitudes.
    36    (p) "Publicly available"  means  information  that  is  lawfully  made
    37  available  from  federal, state, or local government records.  "Publicly
    38  available" does not mean biometric information collected by  a  business
    39  about a consumer without the consumer's knowledge.
    40    (q)(1)  "Sell",  "selling", "sale" or "sold" means: (A) selling, rent-
    41  ing, releasing,  disclosing,  disseminating,  making  available,  trans-
    42  ferring, or otherwise communicating orally, in writing, or by electronic
    43  or  other  means, a consumer's personal information by the business to a
    44  third party for valuable consideration; or (B) sharing orally, in  writ-
    45  ing,  or by electronic or other means, a consumer's personal information
    46  with a third party, whether for valuable consideration or for no consid-
    47  eration, for the third party's commercial purposes.
    48    (2) For purposes of this section, a business does  not  sell  personal
    49  information when:
    50    (A)  A  consumer  uses  the  business:  (i)  to intentionally disclose
    51  personal information, or (ii) to intentionally  interact  with  a  third
    52  party.  An  intentional  interaction occurs when the consumer intends to
    53  interact with the third party via one or more  deliberate  interactions.
    54  Hovering over, muting, pausing, or closing a given piece of content does
    55  not constitute a consumer's intent to interact with a third party; or

        S. 3162                             5
 
     1    (B)  The  business uses an identifier for a consumer who has opted out
     2  of the sale of the consumer's personal information for the  purposes  of
     3  alerting  third  parties  that the consumer has opted out of the sale of
     4  the consumer's personal information.
     5    (r) "Service" or "services" means work, labor, and services, including
     6  services furnished in connection with the sale or repair of goods.
     7    (s) "Third party" means any person who is not:
     8    (1)  The  business  that  collects personal information from consumers
     9  under this section; or
    10    (2) A person to whom the  business  discloses  a  consumer's  personal
    11  information  for  a  business  purpose  pursuant  to a written contract,
    12  provided that the contract:
    13    (A) Prohibits the person receiving the personal information from:  (i)
    14  selling  the  personal information; (ii) retaining, using, or disclosing
    15  the personal information for any purpose other  than  for  the  specific
    16  purpose  of performing the services specified in the contract, including
    17  retaining, using, or disclosing the personal information for  a  commer-
    18  cial  purpose  other  than  providing  the  services  specified  in  the
    19  contract; and (iii) retaining,  using,  or  disclosing  the  information
    20  outside  of  the direct business relationship between the person and the
    21  business; and
    22    (B) Includes a certification made by the person receiving the personal
    23  information that the person understands the restrictions in  clause  (A)
    24  of this subparagraph and will comply with them. A person covered by this
    25  subparagraph  that  violates  any  of the restrictions set forth in this
    26  section shall be liable for such violations under this section. A  busi-
    27  ness  that  discloses  personal  information to a person covered by this
    28  subparagraph in compliance with such subparagraph shall  not  be  liable
    29  under this section if the person receiving the personal information uses
    30  it  in violation of the restrictions set forth in this section, provided
    31  that, at the time of disclosing the personal information,  the  business
    32  does  not  have  actual knowledge, or reason to believe, that the person
    33  intends to commit such a violation.
    34    (t) "Unique identifier" means a persistent identifier that can be used
    35  to recognize a consumer or a  device  over  time  and  across  different
    36  services,  including  but  not limited to, a device identifier; internet
    37  protocol address; cookies, beacons, pixel tags, mobile  ad  identifiers,
    38  or similar technology; customer number, unique pseudonym, or user alias;
    39  and  telephone  numbers,  or  other forms of persistent or probabilistic
    40  identifiers that can be  used  to  identify  a  particular  consumer  or
    41  device.
    42    (u)  "Verifiable  request"  means  a  request  that:  (1) is made by a
    43  consumer, by a consumer on behalf of the consumer's minor child, or by a
    44  person authorized by the consumer to act on the consumer's  behalf;  and
    45  (2)  the  business  has verified, pursuant to regulations adopted by the
    46  attorney general pursuant to subparagraph  seven  of  paragraph  (a)  of
    47  subdivision  fifteen  of this section, to be the consumer about whom the
    48  business has collected personal information. A business is not obligated
    49  to provide information to the consumer pursuant to subdivisions two  and
    50  three  of  this  section if the business cannot verify, pursuant to this
    51  subdivision and regulations adopted by the attorney general pursuant  to
    52  subparagraph  seven  of  paragraph  (a)  of  subdivision fifteen of this
    53  section, that the consumer making the request is the consumer about whom
    54  the business has collected information.
    55    2. (a) A consumer shall have the right to request that a business that
    56  collects personal information about the consumer disclose to the consum-

        S. 3162                             6

     1  er the categories of personal information it has  collected  about  that
     2  consumer.
     3    (b)  A  business  that  collects personal information about a consumer
     4  shall disclose to the consumer, pursuant to subparagraph three of  para-
     5  graph  (a) of subdivision six of this section, the information specified
     6  in paragraph (a) of subdivision one of this section upon  receipt  of  a
     7  verifiable request from the consumer.
     8    (c)  A  business  that  collects  personal information about consumers
     9  shall disclose, pursuant to clause (B) of subparagraph five of paragraph
    10  (a) of subdivision six of  this  section,  the  categories  of  personal
    11  information it has collected about consumers.
    12    3. (a) A consumer shall have the right to request that a business that
    13  sells  the  consumer's  personal information, or that discloses it for a
    14  business purpose, disclose to  that  consumer:  (1)  the  categories  of
    15  personal  information  that the business sold about the consumer and the
    16  identity of the third parties to  whom  such  personal  information  was
    17  sold,  by  category or categories of personal information for each third
    18  party to whom such personal information was sold; and (2) the categories
    19  of personal information that the business disclosed about  the  consumer
    20  for  a  business  purpose  and  the identity of the persons to whom such
    21  personal information was disclosed for a business purpose,  by  category
    22  or  categories  of  personal  information  for  each person to whom such
    23  personal information was disclosed for a business purpose.
    24    (b) A business that sells personal information about  a  consumer,  or
    25  that discloses a consumer's personal information for a business purpose,
    26  shall disclose, pursuant to subparagraph four of paragraph (a) of subdi-
    27  vision  six  of this section, the information specified in paragraph (a)
    28  of this subdivision to the consumer upon receipt of a verifiable request
    29  from the consumer.
    30    (c) A business that sells consumers'  personal  information,  or  that
    31  discloses  consumers' personal information for a business purpose, shall
    32  disclose, pursuant to clause (C) of subparagraph five of  paragraph  (a)
    33  of  subdivision  six  of this section: (1) the category or categories of
    34  consumers' personal information it has sold; or if the business has  not
    35  sold  consumers'  personal information, it shall disclose that fact; and
    36  (2) the category or categories of consumers' personal information it has
    37  disclosed for a business purpose; or if the business has  not  disclosed
    38  consumers'  personal  information  for  a  business  purpose,  it  shall
    39  disclose that fact.
    40    4. (a) A consumer shall have the right, at any time, to direct a busi-
    41  ness that sells personal information about the consumer not to sell  the
    42  consumer's  personal  information.  This right may be referred to as the
    43  right to opt out.
    44    (b) Notwithstanding paragraph (a)  of  this  subdivision,  a  business
    45  shall not sell the personal information of consumers if the business has
    46  actual  knowledge,  or  willfully  disregards, that the consumer is less
    47  than sixteen years of age, unless the consumer, in the case of consumers
    48  thirteen, fourteen and fifteen years of age, or the consumer's parent or
    49  guardian, in the case of consumers who are less than thirteen  years  of
    50  age,  has  affirmatively  authorized the sale of the consumer's personal
    51  information. This right may be referred to as the right to opt in.
    52    (c) A  business  that  sells  consumers'  personal  information  shall
    53  provide  notice  to  consumers, pursuant to paragraph (a) of subdivision
    54  seven of this section, that  such  information  may  be  sold  and  that
    55  consumers have the right to opt out of the sale of their personal infor-
    56  mation.

        S. 3162                             7
 
     1    (d) A business that has received direction from a consumer not to sell
     2  the  consumer's personal information, or, in the case of a minor consum-
     3  er's personal information, has not received consent to  sell  the  minor
     4  consumer's  personal  information,  shall  be  prohibited,  pursuant  to
     5  subparagraph four of paragraph (a) of subdivision seven of this section,
     6  from  selling  the  consumer's personal information after its receipt of
     7  the consumer's direction,  unless  the  consumer  subsequently  provides
     8  express  authorization  for the sale of the consumer's personal informa-
     9  tion.
    10    5. A business  shall  be  prohibited  from  discriminating  against  a
    11  consumer because the consumer requested information pursuant to subdivi-
    12  sions  two  and  three of this section, or because the consumer directed
    13  the business not to sell the consumer's personal information pursuant to
    14  subdivision four of this section,  or  because  the  consumer  otherwise
    15  exercised rights under this title, or exercised the consumer's rights to
    16  enforce  this  section,  including  but  not limited to, by: (a) denying
    17  goods or services to the consumer;  (b)  charging  different  prices  or
    18  rates  for  goods or services, including through the use of discounts or
    19  other benefits or imposing penalties; (c) providing a different level or
    20  quality of goods or services to the consumer; or (d) suggesting that the
    21  consumer will receive a different price or rate for goods  or  services,
    22  or  a  different  level or quality of goods or services, if the consumer
    23  exercises the consumer's rights under this section.
    24    6. (a) In order to comply with subdivisions two,  three  and  five  of
    25  this section, a business shall:
    26    (1)  Make  available  to  consumers two or more designated methods for
    27  submitting requests for information required to be disclosed pursuant to
    28  subdivisions two and three of this section, including, at a  minimum,  a
    29  toll-free  telephone  number, and if the business maintains a website, a
    30  website address.
    31    (2) Disclose and deliver the required information to a  consumer  free
    32  of  charge within forty-five days of receiving a verifiable request from
    33  the consumer. The business shall promptly take steps to determine wheth-
    34  er the request is a verifiable request, but this shall  not  extend  the
    35  business's  duty  to  disclose and deliver the information within forty-
    36  five days of receipt of the consumer's  request.  The  disclosure  shall
    37  cover  the  twelve-month  period preceding the business's receipt of the
    38  verifiable request and shall be made in writing  and  delivered  through
    39  the  consumer's  account with the business, if the consumer maintains an
    40  account with the business, or by mail or electronically at  the  consum-
    41  er's  option if the consumer does not maintain an account with the busi-
    42  ness. The business shall not require the consumer to create  an  account
    43  with the business in order to make a verifiable request.
    44    (3)  For purposes of paragraph (b) of subdivision two of this section:
    45  (A) identify the consumer, associate the  information  provided  by  the
    46  consumer in the verifiable request to any personal information previous-
    47  ly  collected  by  the  business about the consumer; and (B) identify by
    48  category or categories the  personal  information  collected  about  the
    49  consumer  in  the preceding twelve months by reference to the enumerated
    50  category or categories in paragraph (c) of this  subdivision  that  most
    51  closely describes the personal information collected.
    52    (4)  For  purposes  of  paragraph  (b)  of  subdivision  three of this
    53  section: (A) identify the consumer, associate the  information  provided
    54  by  the  consumer  in the verifiable request to any personal information
    55  previously collected by the business about the consumer; (B) identify by
    56  category or categories the personal information of the consumer that the

        S. 3162                             8
 
     1  business sold in the preceding twelve months by reference to the enumer-
     2  ated category or categories in paragraph (c) of  this  subdivision  that
     3  most  closely  describes  the personal information, and provide accurate
     4  names  and contact information for the third parties to whom the consum-
     5  er's personal information was sold in the  preceding  twelve  months  by
     6  reference  to  the enumerated category or categories in paragraph (c) of
     7  this subdivision that most closely describes  the  personal  information
     8  sold  for  each  third party; and (C) identify by category or categories
     9  the personal information of the consumer that the business disclosed for
    10  a business purpose in the preceding twelve months by  reference  to  the
    11  enumerated  category  or categories in paragraph (c) of this subdivision
    12  that most closely describes the personal information, and provide  accu-
    13  rate  names  and contact information for the persons to whom the consum-
    14  er's personal information was disclosed for a business  purpose  in  the
    15  preceding twelve months by reference to the enumerated category or cate-
    16  gories  in  paragraph  (c) of this subdivision of this section that most
    17  closely describes the personal information disclosed  for  each  person.
    18  The  business shall disclose the information required by clauses (B) and
    19  (C) of this subparagraph in two separate lists.
    20    (5) Disclose the following information in its online privacy policy or
    21  policies if the business has an online privacy policy or policies and in
    22  any New York-specific description of consumers' privacy  rights,  or  if
    23  the business does not maintain such policies, on its website, and update
    24  such information at least once every twelve months:
    25    (A) A description of a consumer's rights pursuant to subdivisions two,
    26  three  and  five of this section, and one or more designated methods for
    27  submitting requests;
    28    (B) For purposes of paragraph (c) of subdivision two of this  section,
    29  a  list of the categories of personal information it has collected about
    30  consumers in the preceding twelve months by reference to the  enumerated
    31  category  or  categories  in paragraph (c) of this subdivision that most
    32  closely describes the personal information collected; and
    33    (C) For purposes of subparagraphs one and  two  of  paragraph  (c)  of
    34  subdivision three of this section, two separate lists: (i) a list of the
    35  categories  of  personal  information it has sold about consumers in the
    36  preceding twelve months by reference to the enumerated category or cate-
    37  gories in paragraph (c) of this subdivision that most closely  describes
    38  the  personal  information sold, or if the business has not sold consum-
    39  ers' personal information in the preceding twelve months,  the  business
    40  shall  disclose that fact; and (ii) a list of the categories of personal
    41  information it has disclosed about consumers for a business  purpose  in
    42  the  preceding  twelve months by reference to the enumerated category or
    43  categories in paragraph  (c)  of  this  subdivision  that  most  closely
    44  describes the personal information disclosed, or if the business has not
    45  disclosed  consumers' personal information for a business purpose in the
    46  preceding twelve months, the business shall disclose that fact.
    47    (6) Ensure that all  individuals  responsible  for  handling  consumer
    48  inquiries  about  the  business's  privacy  practices  or the business's
    49  compliance with this section are informed of all  requirements  in  this
    50  subdivision,  as  well  as  in  subdivisions two, three and five of this
    51  section, and how to direct consumers  to  exercise  their  rights  under
    52  those sections; and
    53    (7)  Use  any  personal  information  collected  from  the consumer in
    54  connection with the business's verification of  the  consumer's  request
    55  solely for the purposes of verification.

        S. 3162                             9

     1    (b) A business is not obligated to provide the information required by
     2  subdivisions  two  and  three  of this section to the same consumer more
     3  than once in a twelve-month period.
     4    (c)  The  categories  of personal information required to be disclosed
     5  pursuant to subdivisions two and three of this section are  all  of  the
     6  following:
     7    (1)  Identifiers  such  as  a real name, alias, postal address, unique
     8  identifier, internet protocol address, electronic mail address,  account
     9  name,  social security number, driver's license number, passport number,
    10  or other similar identifiers;
    11    (2) All categories of personal information enumerated in paragraph (a)
    12  of subdivision one of this section;
    13    (3) All categories of personal information relating to characteristics
    14  of protected classifications under state or federal law,  with  specific
    15  reference  to  the category of information that has been collected, such
    16  as race, ethnicity, or gender;
    17    (4) Commercial information, including records of property, products or
    18  services provided, obtained,  or  considered,  or  other  purchasing  or
    19  consuming histories or tendencies;
    20    (5) Biometric data;
    21    (6) Internet or other electronic network activity information, includ-
    22  ing  but  not limited to, browsing history, search history, and informa-
    23  tion regarding a consumer's interaction with a website, application,  or
    24  advertisement;
    25    (7) Geolocation data;
    26    (8) Audio, electronic, visual, thermal, olfactory, or similar informa-
    27  tion;
    28    (9) Psychometric information;
    29    (10) Professional or employment-related information;
    30    (11)  Inferences  drawn  from any of the information identified above;
    31  and
    32    (12) Any of the categories of information set forth in this  paragraph
    33  as they pertain to the minor children of the consumer.
    34    7.  (a) A business that is required to comply with subdivision four of
    35  this section shall:
    36    (1) Provide a clear and conspicuous link on the  business's  homepage,
    37  titled  "Do Not Sell My Personal Information", to a webpage that enables
    38  a consumer, or a person authorized by the consumer, to opt  out  of  the
    39  sale  of  the  consumer's  personal  information.  A  business shall not
    40  require a consumer to create an account in order to direct the  business
    41  not to sell the consumer's personal information;
    42    (2)  Include a description of a consumer's rights pursuant to subdivi-
    43  sion four of this section, along with a separate link  to  the  "Do  Not
    44  Sell  My Personal Information" webpage in: (A) its online privacy policy
    45  or policies if the business has an online privacy  policy  or  policies,
    46  and (B) any state specific description of consumers' privacy rights;
    47    (3)  Ensure  that  all  individuals  responsible for handling consumer
    48  inquiries about the  business's  privacy  practices  or  the  business's
    49  compliance  with  this  section are informed of all requirements in this
    50  subdivision as well as subdivision four of  this  section,  and  how  to
    51  direct consumers to exercise their rights under those sections;
    52    (4)  For  consumers who exercise their right to opt out of the sale of
    53  their personal information, refrain from  selling  personal  information
    54  collected by the business about the consumer;
    55    (5)  For  a  consumer  who has opted out of the sale of the consumer's
    56  personal information, respect the consumer's decision to opt out for  at
     1  least  twelve  months  before requesting that the consumer authorize the
     2  sale of the consumer's personal information; and
     3    (6)  Use  any  personal  information  collected  from  the consumer in
     4  connection with the submission of the consumer's opt out request  solely
     5  for the purposes of complying with the opt out request.
     6    (b)  A consumer may authorize another person to opt out on the consum-
     7  er's behalf, and a  business  shall  comply  with  an  opt  out  request
     8  received  from a person authorized by the consumer to act on the consum-
     9  er's behalf.
    10    8. (a) The obligations imposed on businesses by subdivisions  two  and
    11  seven of this section shall not restrict a business's ability to:
    12    (1) comply with federal, state, or local laws;
    13    (2)  comply  with  a  civil,  criminal, or regulatory investigation or
    14  subpoena or summons by federal, state, or local authorities;
    15    (3) cooperate with law  enforcement  agencies  concerning  conduct  or
    16  activity  that  the  business  reasonably and in good faith believes may
    17  violate federal, state, or local law; or
    18    (4) collect and sell a consumer's personal information if every aspect
    19  of such commercial conduct takes place wholly outside of the state.  For
    20  purposes  of this section, commercial conduct takes place wholly outside
    21  of the state if  the  business  collected  such  information  while  the
    22  consumer was outside of the state, no part of the sale of the consumer's
    23  personal  information occurred in the state, and no personal information
    24  collected while the consumer was in the state is sold.
    25    (b) The obligations imposed on  businesses  by  subdivisions  two  and
    26  seven  of  this section shall not apply where compliance by the business
    27  with this section would violate an evidentiary privilege under state law
    28  and shall not prevent a business from providing the personal information
    29  of a consumer to a person covered  by  an  evidentiary  privilege  under
    30  state law as part of a privileged communication.
    31    (c)  This section shall not apply to protected health information that
    32  is collected by a covered entity governed by  the  medical  privacy  and
    33  security  rules  issued  by  the  Federal Department of Health and Human
    34  Services, Parts 160 and 164 of Title 45 of the  Code  of  Federal  Regu-
    35  lations,  established  pursuant  to the Health Insurance Portability and
    36  Availability Act of 1996 (HIPAA). For purposes of this subdivision,  the
    37  definitions  of "protected health information" and "covered entity" from
    38  the federal privacy rule shall apply.
    39    (d) This section shall not apply to the sale of  personal  information
    40  to  or  from  a  consumer  reporting agency if that information is to be
    41  reported in, or used to generate, a consumer report as defined by subdi-
    42  vision (d) of Section 1681(a) of Title 15 of the United States Code, and
    43  use of that information is limited by the federal Fair Credit  Reporting
    44  Act, 15 U.S.C. § 1681, et seq.
    45    9.  (a)  A  consumer  who has suffered a violation of this section may
    46  bring an action for statutory damages. A violation of this section shall
    47  be deemed to constitute an injury  in  fact  to  the  consumer  who  has
    48  suffered the violation, and the consumer need not suffer a loss of money
    49  or property as a result of the violation in order to bring an action for
    50  a violation of this section.
    51    (b)(1)  Any  consumer  who  suffers an injury in fact, as described in
    52  paragraph (a) of this subdivision, shall recover  statutory  damages  in
    53  the  amount  of  one  thousand  dollars  or actual damages, whichever is
    54  greater, for each violation from the business or person responsible  for
    55  the  violation,  except  that  in  the  case  of  a  knowing and willful
    56  violation by a business or person, an individual shall recover statutory
     1  damages of not less than one thousand dollars and not  more  than  three
     2  thousand  dollars,  or  actual  damages,  whichever is greater, for each
     3  violation from the business or person responsible for the violation.
     4    (2)  In  assessing  the  amount  of statutory damages, the court shall
     5  consider any one or more of the relevant circumstances presented by  any
     6  of  the  parties to the case, including, but not limited to, the follow-
     7  ing: the nature  and  seriousness  of  the  misconduct,  the  number  of
     8  violations,  the  persistence of the misconduct, the length of time over
     9  which the  misconduct  occurred,  the  willfulness  of  the  defendant's
    10  misconduct, and the defendant's assets, liabilities, and net worth.
    11    (c)  Notwithstanding any other law, whenever a judgment, including any
    12  consent judgment, decree, or settlement agreement, is  approved  by  the
    13  court  in  a  class  action based on a violation of this section, any cy
    14  pres award, unpaid cash residue, or unclaimed or abandoned class  member
    15  funds  attributable  to a violation of this section shall be distributed
    16  exclusively to one or more nonprofit organizations to  support  projects
    17  that  will  benefit the class or similarly situated persons, further the
    18  objectives and purposes of the  underlying  class  action  or  cause  of
    19  action,  or  promote the law consistent with the objectives and purposes
    20  of the underlying class action or cause of action, unless for good cause
    21  shown the court makes a specific finding that  an  alternative  distrib-
    22  ution  would  better  serve  the public interest or the interests of the
    23  class. If not specified in the judgment, the court shall set a date when
    24  the parties shall submit a report to the court regarding a plan for  the
    25  distribution of any moneys pursuant to this subdivision.
    26    (d)  The  remedies provided by this subdivision are cumulative to each
    27  other and to the remedies or penalties available under all other laws of
    28  the state.
    29    10. (a) Any business or person that violates  this  section  shall  be
    30  liable  for a civil penalty in a civil action brought in the name of the
    31  people of the state of New York by the attorney general.
    32    (b) Notwithstanding any other law to the contrary, any person or busi-
    33  ness that intentionally violates this section may be liable for a  civil
    34  penalty of up to seven thousand five hundred dollars for each violation.
    35    (c)  Notwithstanding  any other law to the contrary, any civil penalty
    36  assessed for a violation of  this  section,  and  the  proceeds  of  any
    37  settlement of an action brought pursuant to paragraph (a) of this subdi-
    38  vision, shall be allocated as follows:
    39    (1)  twenty  percent to the consumer privacy fund, created pursuant to
    40  section ninety-nine-m of the state finance law, with the intent to fully
    41  offset any costs incurred by the state courts and the  attorney  general
    42  in connection with this section; and
    43    (2)  eighty  percent  to  the  jurisdiction on whose behalf the action
    44  leading to the civil penalty was brought.
    45    (d) The legislature shall adjust the percentages  specified  in  para-
    46  graph (c) of this subdivision and in subdivision eleven of this section,
    47  as necessary to ensure that any civil penalties assessed for a violation
    48  of  this section fully offset any costs incurred by the state courts and
    49  the attorney general in connection with this section, including a suffi-
    50  cient amount to cover any deficit from a prior fiscal year. The legisla-
    51  ture shall not direct a greater percentage of assessed  civil  penalties
    52  to  the  consumer privacy fund than reasonably necessary to fully offset
    53  any costs incurred by the state  courts  and  the  attorney  general  in
    54  connection with this section.
    55    11. (a) Any person who becomes aware, based on non-public information,
    56  that  a  person  or  business has violated this section may file a civil
     1  action for civil penalties pursuant to subdivision ten of this  section,
     2  if  prior  to  filing  such  action,  the person files with the attorney
     3  general a written request for  the  attorney  general  to  commence  the
     4  action.  The  request shall include a clear and concise statement of the
     5  grounds for believing a cause of action exists. The  person  shall  make
     6  the  non-public  information  available  to  the  attorney  general upon
     7  request.
     8    (1) If the attorney general files suit within ninety days from receipt
     9  of the written request to commence the action, no other  action  may  be
    10  brought  unless  the action brought by the attorney general is dismissed
    11  without prejudice.
    12    (2) If the attorney general does not file suit within ninety days from
    13  receipt of the written  request  to  commence  the  action,  the  person
    14  requesting the action may proceed to file a civil action.
    15    (3)  The  time  period  within which a civil action shall be commenced
    16  shall be tolled from the date of receipt by the attorney general of  the
    17  written  request  to  either the date that the civil action is dismissed
    18  without prejudice, or for one hundred fifty days,  whichever  is  later,
    19  but  only  for  a  civil  action brought by the person who requested the
    20  attorney general to commence the action.
    21    (b) Notwithstanding paragraph (c) of subdivision ten of this  section,
    22  if  a  judgment  is  entered  against  the defendant or defendants in an
    23  action brought pursuant to this subdivision, or the matter  is  settled,
    24  amounts  received  as civil penalties or pursuant to a settlement of the
    25  action shall be allocated as follows:
    26    (1) If the action was brought by the attorney general upon  a  request
    27  made  by  a  person  pursuant  to paragraph (a) of this subdivision, the
    28  person who made the request shall be entitled to fifteen percent of  the
    29  civil  penalties,  and  the remaining proceeds shall be deposited in the
    30  consumer privacy fund pursuant to section  ninety-nine-m  of  the  state
    31  finance law.
    32    (2)  If  the  action  was  brought  by the person who made the request
    33  pursuant to paragraph (a) of this subdivision, that person shall receive
    34  an amount the court determines is reasonable for  collecting  the  civil
    35  penalties on behalf of the government. The amount shall be not less than
    36  twenty-five  percent  and not more than fifty percent of the proceeds of
    37  the action and shall be paid out of the proceeds. The remaining proceeds
    38  shall be deposited in the consumer  privacy  fund  pursuant  to  section
    39  ninety-nine-m of the state finance law.
    40    (c)  For  purposes  of  this  section,  "non-public information" means
    41  information that has not been disclosed in a criminal, civil, or  admin-
    42  istrative  proceeding,  in a government investigation, report, or audit,
    43  or by the news media or other public source of information, and that was
    44  not obtained in violation of the law.
    45    12. A business that suffers a breach of the  security  of  the  system
    46  involving  consumers'  personal  information  shall  be  deemed  to have
    47  violated this section and may be  held  liable  for  such  violation  or
    48  violations  under  subdivisions nine, ten and eleven of this section, if
    49  the business has failed to implement and  maintain  reasonable  security
    50  procedures  and practices, appropriate to the nature of the information,
    51  to protect the personal information from unauthorized disclosure.
    52    13. This section is intended to further the  constitutional  right  of
    53  privacy  and to supplement existing laws relating to consumers' personal
    54  information. The provisions of this section are not limited to  informa-
    55  tion  collected  electronically  or  over the internet, but apply to the
    56  collection and sale of all personal information collected by a  business
     1  from  consumers.  Wherever possible, existing law relating to consumers'
     2  personal  information  should  be  construed  to  harmonize   with   the
     3  provisions  of this section, but in the event of conflict between exist-
     4  ing  law  and  the provisions of this section, the provisions of the law
     5  that afford the greatest protection for the right of privacy for consum-
     6  ers shall control.
     7    14. Nothing in this section shall prevent a  city,  county,  city  and
     8  county,  municipality,  or  local agency from safeguarding the constitu-
     9  tional right of privacy by imposing  additional  requirements  on  busi-
    10  nesses regarding the collection and sale of consumers' personal informa-
    11  tion  by  businesses  provided  that  the requirement does not prevent a
    12  person or business from complying with this section.
    13    15. (a) The attorney general shall adopt regulations in the  following
    14  areas to further the purposes of this section:
    15    (1)  Adding additional categories to those enumerated in paragraph (c)
    16  of subdivision six and paragraph (m) of subdivision one of this  section
    17  in  order  to  address changes in technology, data collection practices,
    18  obstacles to implementation, and privacy  concerns.  In  addition,  upon
    19  receipt of a request made by a city attorney or district attorney to add
    20  a  new  category  or categories, the attorney general shall promulgate a
    21  regulation to add such category or categories unless the attorney gener-
    22  al concludes, based on factual  or  legal  findings,  that  there  is  a
    23  compelling  reason  not  to add the category or categories. The attorney
    24  general may also add additional categories to those enumerated in  para-
    25  graph  (c)  of  subdivision  six and paragraph (m) of subdivision one of
    26  this section in response to a petition filed;
    27    (2) Adding additional items to the definition of "unique  identifiers"
    28  to  address  changes in technology, data collection, obstacles to imple-
    29  mentation, and privacy concerns, and additional categories to the  defi-
    30  nition  of  "designated methods for submitting requests" to facilitate a
    31  consumer's ability to obtain information from  a  business  pursuant  to
    32  subdivision six of this section;
    33    (3)  Establishing  any  exceptions  necessary  to comply with state or
    34  federal law;
    35    (4) Establishing rules and procedures: (A) to  facilitate  and  govern
    36  the submission of a request by a consumer, and by an authorized agent of
    37  the consumer, to opt out of the sale of personal information pursuant to
    38  subparagraph  one of paragraph (a) of subdivision seven of this section;
    39  (B) to govern a business's compliance with a consumer's opt out request;
    40  and (C) for the development and use of a recognizable  and  uniform  opt
    41  out  logo  or  button by all businesses to promote consumer awareness of
    42  the opportunity to opt out of the sale of personal information;
    43    (5) Adjusting the monetary threshold in clause (A) of subparagraph one
    44  of paragraph (b) of subdivision one of this section in January of  every
    45  odd-numbered year to reflect any increase in the Consumer Price Index;
    46    (6)  Establishing  rules,  procedures, and any exceptions necessary to
    47  ensure that the notices and information that businesses are required  to
    48  provide  pursuant  to  this section are provided in a manner so as to be
    49  easily understood by the average consumer, are accessible  to  consumers
    50  with  disabilities,  and are available in the language primarily used to
    51  interact with the consumer;
    52    (7) Establishing rules and  procedures  to  further  the  purposes  of
    53  subdivisions  two  and three of this section and to facilitate a consum-
    54  er's or the consumer's authorized agent's ability to obtain  information
    55  pursuant to subdivision six of this section, with the goal of minimizing
    56  the  administrative  burden  on consumers, taking into account available
     1  technology, security concerns, and the burden on the business, to govern
     2  a business's determination that a request for information received by  a
     3  consumer is a verifiable request, including treating a request submitted
     4  through a password protected account maintained by the consumer with the
     5  business  while  the consumer is logged into the account as a verifiable
     6  request and providing a mechanism for a consumer who does  not  maintain
     7  an  account  with  the business to request information through the busi-
     8  ness's authentication of the consumer's identity;
     9    (8) Defining the term "valuable consideration" as used in subparagraph
    10  one of paragraph (q) of subdivision one of this section to ensure that a
    11  business that discloses, except as permitted by this section, a  consum-
    12  er's  personal  information to a third party, including through a series
    13  of transactions involving multiple third parties, in  exchange  for  any
    14  economic  benefit  is  subject  to this section, and to include business
    15  practices involving the disclosure of personal information  in  exchange
    16  for  something  of  value.  Valuable  consideration does not include the
    17  exchange of value in a transaction involving non-commercial speech, such
    18  as journalism and political speech; and
    19    (9)  Further  interpret  the  terms  "de-identified",  "sell",  "third
    20  party",  and  "business purpose" as set forth in subdivision one of this
    21  section, to address changes in technology, data collection, obstacles to
    22  implementation, and privacy concerns and to ensure compliance  with  the
    23  purposes  of  this section, provided that such regulations do not reduce
    24  consumer privacy or the ability of consumers to stop the sale  of  their
    25  personal information.
    26    (b)  The attorney general shall be precluded from adopting regulations
    27  that limit or reduce the number  or  scope  of  categories  of  personal
    28  information enumerated in paragraph (c) of subdivision six and paragraph
    29  (m)  of  subdivision  one  of  this section, or that limit or reduce the
    30  number or scope of categories added  pursuant  to  subparagraph  one  of
    31  paragraph  (a)  of  this subdivision, except as necessary to comply with
    32  subparagraph three of paragraph (a) of this  subdivision.  The  attorney
    33  general  shall  also  be  precluded from reducing the scope of the defi-
    34  nition of "unique identifiers",  except  as  necessary  to  comply  with
    35  subparagraph three of paragraph (a) of this subdivision.
    36    (c) To the extent the attorney general determines that it is necessary
    37  to  adopt  certain  regulations  in order to implement this section, the
    38  attorney general shall adopt any such regulations within six  months  of
    39  the date this section is adopted.
    40    (d) The attorney general may adopt additional regulations as necessary
    41  to further the purposes of this section.
    42    16.  If  a  series  of steps or transactions were component parts of a
    43  single transaction intended from the beginning  to  be  taken  with  the
    44  intention  of  avoiding the reach of this section, including the disclo-
    45  sure of information by a business to a third party in order to avoid the
    46  definition of "sell", a court shall disregard the intermediate steps  or
    47  transactions for purposes of effectuating the purposes of this section.
    48    17. Any provision of a contract or agreement of any kind that purports
    49  to  waive  or  limit  in any way a consumer's rights under this section,
    50  including but not limited to any right to a remedy or means of  enforce-
    51  ment,  shall  be  deemed contrary to public policy and shall be void and
    52  unenforceable. This section shall not prevent a consumer from:   declin-
    53  ing  to  request  information from a business; declining to opt out of a
    54  business's sale of the consumer's personal information; or authorizing a
    55  business to sell the consumer's personal  information  after  previously
    56  opting out.
     1    18. If any provision of this section shall be adjudged by any court of
     2  competent  jurisdiction  to  be invalid, such judgment shall not affect,
     3  impair or invalidate the remainder thereof, but shall be confined in its
     4  operation to the provision directly involved in the controversy in which
     5  such judgment shall have been rendered.
     6    §  3. The state finance law is amended by adding a new section 99-m to
     7  read as follows:
     8    § 99-m. Consumer privacy fund. 1. There is hereby established  in  the
     9  joint  custody of the state comptroller and the commissioner of taxation
    10  and finance an account within the  general  fund  to  be  known  as  the
    11  "consumer privacy fund".
    12    2. Such account shall consist of all penalties received by the depart-
    13  ment  of  state  pursuant to section eight hundred ninety-nine-cc of the
    14  general business law and any additional monies appropriated, credited or
    15  transferred to such account by the legislature. Any interest  earned  by
    16  the investment of monies in such account shall be added to such account,
    17  become  part  of  such  account,  and  be  used for the purposes of such
    18  account.
    19    3. Monies in the account shall be available to  the  office  of  court
    20  administration  and the attorney general to offset any costs incurred by
    21  the state courts in connection with actions brought to  enforce  section
    22  eight  hundred  ninety-nine-cc of the general business law and any costs
    23  incurred by the attorney general in carrying out his or her duties under
    24  such section of law.
    25    4. Monies in the account shall be paid out of the account on the audit
    26  and warrant of the state comptroller on vouchers certified  or  approved
    27  by the office of court administration and/or the attorney general.
    28    § 4. This act shall take effect on the one hundred eightieth day after
    29  it  shall have become a law. Effective immediately, the addition, amend-
    30  ment and/or repeal of any rule or regulation necessary for the implemen-
    31  tation of this act on its effective date are authorized to be  made  and
    32  completed on or before such effective date.