•  Summary 
  •  Actions 
  •  Committee Votes 
  •  Floor Votes 
  •  Memo 
  •  Text 
  •  LFIN 
  •  Chamber Video/Transcript 

S05603 Summary:

Add 399-k, Gen Bus L
Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.
Go to top

S05603 Text:

                STATE OF NEW YORK
                               2017-2018 Regular Sessions
                    IN SENATE
                                     April 19, 2017
        Introduced  by  Sens.  CARLUCCI,  ALCANTARA,  BROOKS,  COMRIE, HAMILTON,
          KAMINSKY, PERALTA, SAVINO -- read twice and ordered printed, and  when
          printed  to  be  committed  to the Committee on Consumer Protection --
          committee discharged, bill amended, ordered reprinted as  amended  and
          recommitted  to said committee -- reported favorably from said commit-
          tee and committed to the Committee on Rules --  committee  discharged,
          bill  amended,  ordered  reprinted  as amended and recommitted to said
        AN ACT to amend the general business law, in relation to prohibiting the
          disclosure of  personally  identifiable  information  by  an  internet
          service provider without the express written approval of the consumer
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. The general business law is amended by adding a new section
     2  399-k to read as follows:
     3    § 399-k. Disclosure  of  personally  identifiable  information  by  an
     4  internet  service  provider;  prohibited.  1.  For  the purposes of this
     5  section the following terms shall have the following meanings:
     6    (a) "Consumer" means a person who agrees to pay a fee to  an  internet
     7  service  provider  for  access  to the internet for personal, family, or
     8  household purposes, and who does not resell access.
     9    (b) "Internet service provider" (ISP) means a business entity or indi-
    10  vidual who provides consumers authenticated access to, or  presence  on,
    11  the  internet  by  means  of  a switched or dedicated telecommunications
    12  channel upon which the provider provides  transit  routing  of  internet
    13  protocol  packets  for  and  on behalf of the consumer. Internet service
    14  provider does not include the offering, on a common  carrier  basis,  of
    15  telecommunications facilities or of telecommunications by means of these
    16  facilities.
    17    (c) "Personally identifiable information" means information that iden-
    18  tifies:
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.

        S. 5603--B                          2
     1    (i) a consumer by physical or electronic address or telephone number;
     2    (ii)  a  consumer's internet search history or internet usage history;
     3  or
     4    (iii) any of the contents of a consumer's data-storage devices.
     5    2. Except as provided in subdivisions three and four of this  section,
     6  an  ISP shall not knowingly disclose personally identifiable information
     7  resulting from the consumer's use of the telecommunications or ISP with-
     8  out express written approval from the consumer.
     9    (a) A telecommunications or ISP that  has  entered  into  a  franchise
    10  agreement,  right-of-way  agreement, or other contract with the state of
    11  New York or any political subdivision thereof, or that  uses  facilities
    12  that  are  subject  to such agreements, even if it is not a party to the
    13  agreement, shall not collect nor disclose personal  information  from  a
    14  consumer  resulting from the consumer's use of the telecommunications or
    15  ISP without express written approval from the consumer; and
    16    (b) No such telecommunication or  ISP  shall  refuse  to  provide  its
    17  services to a consumer on the grounds that the consumer has not approved
    18  the collection or disclosure of the consumer's personal information.
    19    3.  An ISP may disclose personally identifiable information concerning
    20  a consumer:
    21    (a) pursuant to a grand jury subpoena, in accordance with  subdivision
    22  eight of section 190.30 of the criminal procedure law;
    23    (b)  pursuant  to  a  warrant  issued  in  accordance with article six
    24  hundred ninety or article seven hundred of the criminal procedure law;
    25    (c) pursuant to a court order in a pending criminal proceeding upon  a
    26  showing  that  such  personally identifiable information is relevant and
    27  material to such criminal action or proceeding;
    28    (d) pursuant to a court order in a pending  civil  proceeding  upon  a
    29  showing  of compelling need for such information that cannot be accommo-
    30  dated by other means;
    31    (e) to a court in a civil action for conversion commenced by  the  ISP
    32  or  in  a civil action to enforce collection of unpaid subscription fees
    33  or purchase amounts, and then only to the extent necessary to  establish
    34  the fact of the subscription delinquency or purchase agreement, and with
    35  appropriate safeguards against unauthorized disclosure;
    36    (f)  to the consumer who is the subject of the information, upon writ-
    37  ten or electronic request and upon payment of any fee not to exceed  the
    38  actual cost of retrieving the information;
    39    (g)  to another ISP for purposes of reporting or preventing violations
    40  of the published acceptable use policy or consumer service agreement  of
    41  the  ISP;  except that the recipient may further disclose the personally
    42  identifiable information only as provided by this chapter; or
    43    (h) to any person with the authorization of the consumer.
    44    4. (a) The ISP shall  obtain  the  consumer's  authorization  for  the
    45  disclosure of personally identifiable information in writing or by elec-
    46  tronic means.
    47    (b)  The  request for authorization must reasonably describe the types
    48  of persons to whom personally identifiable information may be  disclosed
    49  and the anticipated uses of the information.
    50    (c)  In order for an authorization to be effective, a contract between
    51  an ISP and the consumer  must  state  that  the  authorization  will  be
    52  obtained by an affirmative act of the consumer.
    53    (d) The provision in the contract must be conspicuous.
    54    (e) Authorization shall be obtained in a manner consistent with guide-
    55  lines  issued  by representatives of the ISP or online industries, or in
    56  any other manner reasonably designed to comply with this section.

        S. 5603--B                          3
     1    5. The ISP shall take all reasonable and necessary steps  to  maintain
     2  the  security and privacy of a consumer's personally identifiable infor-
     3  mation.
     4    6.  A  consumer  who  prevails  or substantially prevails in an action
     5  brought under this section is entitled to the greater  of  five  hundred
     6  dollars or actual damages. Costs, disbursements, and reasonable attorney
     7  fees  may  be awarded to a party awarded damages for a violation of this
     8  section. The action available under this section is  exempted  from  any
     9  mandatory arbitration clauses that may exist in the contract between the
    10  ISP  and  the  consumer.  In a civil action under this section, it is an
    11  affirmative defense that such  information  was  released  or  otherwise
    12  available  in violation of this section notwithstanding reasonable prac-
    13  tices established and implemented by the defendant to prevent violations
    14  of this section.
    15    7. This section does not limit any greater protection of  the  privacy
    16  of information under other law, except that:
    17    (a)  nothing  in  this  section shall be deemed to limit the authority
    18  under other state or federal law of law enforcement to  obtain  informa-
    19  tion; and
    20    (b) if federal law is enacted that regulates the release of personally
    21  identifiable  information  by ISPs but does not preempt state law on the
    22  subject, state law prevails.
    23    § 2. This act shall take effect on the ninetieth day  after  it  shall
    24  have become a law.
Go to top