Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A1366
SPONSOR: Rozic (MS)
 
TITLE OF BILL:
An act to amend the general business law, in relation to establishing
the online consumer protection act
 
PURPOSE:
This bill, called the Online Consumer Protection Act, would establish
rules and privacy policies with respect to how website publishers and
advertising networks collect and disseminate the online behavior of
consumers. It would require that consumers are given adequate notice of
how advertisers operate as well as a clear and conspicuous mechanism on
websites for consumers to opt-out of such online advertising.
 
SUMMARY OF PROVISIONS:
Section 1 of the bill establishes the short title as the "Online Consum-
er Protection Act."
Section 2 of the bill establishes legislative findings relating to the
act.
Section 3 of the bill adds a new section 390-bb to the general business
law. It has several important provisions and requirements including:
Prohibiting website publishers and advertising networks from collecting
personally identifying information online; requiring website publishers
and advertising networks to disclose data collection and use practices
on its website; requiring website publishers that use advertising
networks to state so on its website; requiring that consumers have the
ability to opt-out from any profiling activity; requiring advertising
networks to make reasonable efforts to protect all data it collects.
Section 4 of the bill sets forth the effective date.
 
JUSTIFICATION:
This bill is a critical step in protecting personal privacy in the
Internet Age. The necessity of this legislation stems from the fact that
in order to sustain the viability of online business models, companies
have had to move to targeted online advertising.
This bill does not ban targeted online advertising. Instead, it codifies
what the industry says it doesn't do: use personally identifying infor-
mation for the purposes of advertising. We additionally require websites
and ad networks to allow individuals to say no to being tracked. Like
the "Do Not Call" Registry, this bill will empower consumers to make
decisions for themselves and their families. The Internet industry
currently relies too heavily on self-regulation and while they should be
applauded for their desire to update their regulations, we feel this law
is vital to the protection of online consumers.
This bill still allows the Internet industry to continue to innovate and
stay flexible in an industry where technology and standards change
rapidly, however, there is no time when we feel that notification of
tracking practices and an ability for the consumer to opt-out of being
tracked would be bad public policy. Self-regulation cannot universally
protect people's privacy and some companies are better at establishing
consumer protection practices than others. Moreover, the lack of a
uniform policy on online privacy has resulted in significant breaches in
personal privacy.
New York has long been a leader in public policy. Our federal system
allows states to innovate and experiment in public policy. Waiting for
other states or for the Congress to act is not in the best interest of
New Yorkers. New York has an obligation to enact common sense consumer
protections. The industry has stated that one state should not address
an issue that is as large in scope and as technically complicated as
online advertising. Additionally, there are claims that the Dormant
Commerce Clause prevents New York from acting in the first place. This
bill is not intended to usurp Constitutional provisions or to hurt the
Internet industry. Instead, the only aim is to protect Internet consum-
ers. The fact that our proposal could influence other states or the
federal government is something to be viewed as positive and not nega-
tive.
 
FISCAL IMPACT ON THE STATE:
None.
 
FISCAL IMPACT ON LOCALITIES:
None.
 
IMPACT ON REGULATION OF BUSINESSES AND INDIVIDUALS:
This bill would prohibit publishers of websites, as well as advertising
networks contracted with publishers of websites, from gathering personal
identifying information from consumers online; it would require website
publishers and advertising networks to disclose their data collection
methods on their websites; it would further require website publishers
and advertising networks to give consumers an option to opt out from any
profiling.
 
IMPACT ON FINES, IMPRISONMENT, FORFEITURE OF RIGHTS, OR OTHER PENAL
SANCTIONS:
The Attorney General may bring an action against a person who violates
this section to enjoin their violation, and those found to have
collected personally identifying information in violation of certain
provisions of the law may be subject to a judgment of up to $250,000 for
each violation.
 
LEGISLATIVE HISTORY:
2022: A405 (Rozic) - Consumer Affairs and Protection
2021: A405 (Rozic) - Consumer Affairs and Protection
2020: A3818 (Rozic) - Consumer Affairs and Protection
2019: A3818 (Rozic) - Consumer Affairs and Protection
2018: A9691 (Rozic) - Consumer Affairs and Protection
2017: A03367 (Kavanagh) - Consumer Affairs and Protection
2016: A05830 (Kavanagh) - Consumer Affairs and Protection
2015: A05830 (Kavanagh) - Consumer Affairs and Protection
2014: A01117 (Kavanagh) - Consumer Affairs and Protection
2013: A01117 (Kavanagh) - Consumer Affairs and Protection
2012: A04809 (Kavanagh) - Consumer Affairs and Protection
2011: A04809 (Kavanagh) - Consumer Affairs and Protection
2010: A01393 (Brodsky) - Consumer Affairs and Protection
2009: A01393 (Brodsky) - Codes
2008: A09275D (Brodsky) - Rules
2007: A09275 (Brodsky) - Consumer Affairs and Protection
 
EFFECTIVE DATE:
This act shall take effect on the one hundred eightieth day after it
shall have become a law.
STATE OF NEW YORK
________________________________________________________________________
1366
2023-2024 Regular Sessions
IN ASSEMBLY
January 17, 2023
___________
Introduced by M. of A. ROZIC, COLTON, GUNTHER, LUPARDO, ZEBROWSKI, BENE-
DETTO, PRETLOW, L. ROSENTHAL, WEPRIN -- Multi-Sponsored by -- M. of A.
DINOWITZ, HEVESI, PEOPLES-STOKES -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to establishing
the online consumer protection act
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "online consumer protection act".
3 § 2. Legislative findings. The state has the authority to enact
4 consumer regulations to protect the people of the state. Recently, the
5 state has enacted a series of laws to address problems arising from the
6 ubiquity of the internet. From protecting consumers from electronic
7 breaches of security to enacting laws prohibiting the practice of
8 "phishing" -- an electronic form of identity theft -- the state has an
9 obligation to enact sensible protections for the people.
10 The internet age has changed, often for the better, the way people
11 work, enjoy entertainment and interact with one another. However, with
12 the internet age new problems have arisen that must be addressed, chief
13 among them, the loss of personal privacy. Recent examples, including one
14 where search engine results were tracked to an individual, have illus-
15 trated that a person's privacy can be breached easily and with grave
16 consequences. There is a fundamental rift between tracking technology
17 and consumers' right to control what data is collected and where it
18 goes. Action must be taken in order to prevent more egregious violations
19 of privacy occurring including price discrimination, exposure of
20 personal information to subpoenas and warrantless government access.
21 This act establishes provisions to allow consumers the ability to
22 simply opt-out of being monitored on the internet. Such protections,
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD02251-01-3
A. 1366 2
1 akin to the do not call registry, are a fair, sensible and common sense
2 way to give consumers a clear choice with respect to being monitored.
3 § 3. The general business law is amended by adding a new section 390-e
4 to read as follows:
5 § 390-e. Online consumer protection. 1. For the purposes of this
6 section the following terms shall have the following meanings:
7 (a) The term "online preference marketing" shall mean a type of adver-
8 tisement delivery and reporting whereby data is collected to determine
9 or predict consumer characteristics or preference for use in advertise-
10 ment delivery on the internet.
11 (b) The term "personally identifiable information" shall mean data
12 that, by itself, can be used to identify, contact or locate a person,
13 including name, address, telephone number, sensitive medical or finan-
14 cial data, sexual behavior, sexual orientation, or email address.
15 (c) The term "publisher" shall mean any company, individual or other
16 group that has a website, webpage or other internet page.
17 (d) The term "consumer" shall mean any natural person using or access-
18 ing a website, webpage or online service that includes the display of
19 advertisements.
20 (e) The term "advertising network" shall mean any company, individual
21 or other group that is collecting online consumer activity for the
22 purposes of ad delivery.
23 2. No publisher of a webpage or advertising network contracted with a
24 publisher shall collect personally identifiable information for the
25 purposes of online preference marketing. This subdivision shall not
26 apply to the collection of personally identifiable information provided
27 to a publisher of a webpage or advertising network contracted with a
28 publisher by the consumer with his or her consent.
29 3. No publisher of a webpage or advertising network contracted with a
30 publisher shall collect any other information from a consumer that is
31 not defined as personally identifiable information pursuant to subdivi-
32 sion one of this section for the purposes of online preference marketing
33 unless the consumer is given an opportunity to opt-out of the use of
34 such information for online marketing purposes.
35 4. An advertising network shall post clear and conspicuous notice on
36 the home page of its own website about its privacy policy and its data
37 collection and use practices related to its advertising delivery activ-
38 ities. If a publisher has contracted with an advertising network, the
39 publisher shall post clear and conspicuous notice on its website that
40 describes the collection and use of information by the advertising
41 network. If the advertising network engages in online preference market-
42 ing, the privacy policies of both the advertising network and the
43 publisher shall describe the ability to opt-out of online preference
44 marketing by such network.
45 5. An advertising network shall make reasonable efforts to protect the
46 data it collects or logs as a result of ad delivery and reporting from
47 loss, misuse, alteration, destruction or improper access.
48 6. The attorney general may bring an action against a person who
49 violates the provisions of this section:
50 (a) to enjoin further violation of the provisions of this section; and
51 (b) to recover up to two hundred fifty dollars for each instance in
52 which identifying information is collected from a person in violation of
53 the provisions of subdivision two or three of this section.
54 In an action under paragraph (b) of this subdivision, a court may
55 increase the damages up to three times the damages allowed by such para-
56 graph where the defendant has been found to have engaged in a pattern
A. 1366 3
1 and practice of violating the provisions of subdivision two or three of
2 this section.
3 7. Nothing in this section shall in any way limit rights or remedies
4 which are otherwise available under law to the attorney general or any
5 other person authorized to bring an action under subdivision five of
6 this section.
7 § 4. This act shall take effect on the one hundred eightieth day after
8 it shall have become a law.