|SAME AS||SAME AS A07191-B|
|COSPNSR||ALCANTARA, BROOKS, COMRIE, HAMILTON, KAMINSKY, PERALTA, SAVINO, SEPULVEDA|
|Add §399-k, Gen Bus L|
|Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.|
Go to top
STATE OF NEW YORK ________________________________________________________________________ 5603--B 2017-2018 Regular Sessions IN SENATE April 19, 2017 ___________ Introduced by Sens. CARLUCCI, ALCANTARA, BROOKS, COMRIE, HAMILTON, KAMINSKY, PERALTA, SAVINO -- read twice and ordered printed, and when printed to be committed to the Committee on Consumer Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- reported favorably from said commit- tee and committed to the Committee on Rules -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the general business law, in relation to prohibiting the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The general business law is amended by adding a new section 2 399-k to read as follows: 3 § 399-k. Disclosure of personally identifiable information by an 4 internet service provider; prohibited. 1. For the purposes of this 5 section the following terms shall have the following meanings: 6 (a) "Consumer" means a person who agrees to pay a fee to an internet 7 service provider for access to the internet for personal, family, or 8 household purposes, and who does not resell access. 9 (b) "Internet service provider" (ISP) means a business entity or indi- 10 vidual who provides consumers authenticated access to, or presence on, 11 the internet by means of a switched or dedicated telecommunications 12 channel upon which the provider provides transit routing of internet 13 protocol packets for and on behalf of the consumer. Internet service 14 provider does not include the offering, on a common carrier basis, of 15 telecommunications facilities or of telecommunications by means of these 16 facilities. 17 (c) "Personally identifiable information" means information that iden- 18 tifies: EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD10928-08-7S. 5603--B 2 1 (i) a consumer by physical or electronic address or telephone number; 2 (ii) a consumer's internet search history or internet usage history; 3 or 4 (iii) any of the contents of a consumer's data-storage devices. 5 2. Except as provided in subdivisions three and four of this section, 6 an ISP shall not knowingly disclose personally identifiable information 7 resulting from the consumer's use of the telecommunications or ISP with- 8 out express written approval from the consumer. 9 (a) A telecommunications or ISP that has entered into a franchise 10 agreement, right-of-way agreement, or other contract with the state of 11 New York or any political subdivision thereof, or that uses facilities 12 that are subject to such agreements, even if it is not a party to the 13 agreement, shall not collect nor disclose personal information from a 14 consumer resulting from the consumer's use of the telecommunications or 15 ISP without express written approval from the consumer; and 16 (b) No such telecommunication or ISP shall refuse to provide its 17 services to a consumer on the grounds that the consumer has not approved 18 the collection or disclosure of the consumer's personal information. 19 3. An ISP may disclose personally identifiable information concerning 20 a consumer: 21 (a) pursuant to a grand jury subpoena, in accordance with subdivision 22 eight of section 190.30 of the criminal procedure law; 23 (b) pursuant to a warrant issued in accordance with article six 24 hundred ninety or article seven hundred of the criminal procedure law; 25 (c) pursuant to a court order in a pending criminal proceeding upon a 26 showing that such personally identifiable information is relevant and 27 material to such criminal action or proceeding; 28 (d) pursuant to a court order in a pending civil proceeding upon a 29 showing of compelling need for such information that cannot be accommo- 30 dated by other means; 31 (e) to a court in a civil action for conversion commenced by the ISP 32 or in a civil action to enforce collection of unpaid subscription fees 33 or purchase amounts, and then only to the extent necessary to establish 34 the fact of the subscription delinquency or purchase agreement, and with 35 appropriate safeguards against unauthorized disclosure; 36 (f) to the consumer who is the subject of the information, upon writ- 37 ten or electronic request and upon payment of any fee not to exceed the 38 actual cost of retrieving the information; 39 (g) to another ISP for purposes of reporting or preventing violations 40 of the published acceptable use policy or consumer service agreement of 41 the ISP; except that the recipient may further disclose the personally 42 identifiable information only as provided by this chapter; or 43 (h) to any person with the authorization of the consumer. 44 4. (a) The ISP shall obtain the consumer's authorization for the 45 disclosure of personally identifiable information in writing or by elec- 46 tronic means. 47 (b) The request for authorization must reasonably describe the types 48 of persons to whom personally identifiable information may be disclosed 49 and the anticipated uses of the information. 50 (c) In order for an authorization to be effective, a contract between 51 an ISP and the consumer must state that the authorization will be 52 obtained by an affirmative act of the consumer. 53 (d) The provision in the contract must be conspicuous. 54 (e) Authorization shall be obtained in a manner consistent with guide- 55 lines issued by representatives of the ISP or online industries, or in 56 any other manner reasonably designed to comply with this section.S. 5603--B 3 1 5. The ISP shall take all reasonable and necessary steps to maintain 2 the security and privacy of a consumer's personally identifiable infor- 3 mation. 4 6. A consumer who prevails or substantially prevails in an action 5 brought under this section is entitled to the greater of five hundred 6 dollars or actual damages. Costs, disbursements, and reasonable attorney 7 fees may be awarded to a party awarded damages for a violation of this 8 section. The action available under this section is exempted from any 9 mandatory arbitration clauses that may exist in the contract between the 10 ISP and the consumer. In a civil action under this section, it is an 11 affirmative defense that such information was released or otherwise 12 available in violation of this section notwithstanding reasonable prac- 13 tices established and implemented by the defendant to prevent violations 14 of this section. 15 7. This section does not limit any greater protection of the privacy 16 of information under other law, except that: 17 (a) nothing in this section shall be deemed to limit the authority 18 under other state or federal law of law enforcement to obtain informa- 19 tion; and 20 (b) if federal law is enacted that regulates the release of personally 21 identifiable information by ISPs but does not preempt state law on the 22 subject, state law prevails. 23 § 2. This act shall take effect on the ninetieth day after it shall 24 have become a law.