Add Art 39-FF §§899-cc - 899-ii, §350-a-1, Gen Bus L; amd §292, add §296-e, Exec L; amd §§8 & 165, St Fin L;
amd §814, Ed L
 
Enacts the "digital fairness act"; requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.
STATE OF NEW YORK
________________________________________________________________________
3308
2023-2024 Regular Sessions
IN ASSEMBLY
February 2, 2023
___________
Introduced by M. of A. CRUZ -- read once and referred to the Committee
on Consumer Affairs and Protection
AN ACT to amend the general business law, the executive law, the state
finance law and the education law, in relation to enacting the
"digital fairness act"
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "digital fairness act".
3 § 2. Legislative findings. The legislature finds that privacy
4 violations and misuse of personal information in the digital age can
5 lead to a range of harms, including discrimination in employment,
6 healthcare, housing, access to credit, and other areas; unfair price
7 discrimination; and financial, emotional, or reputational harms. Misuse
8 of personal information can limit awareness of and access to opportu-
9 nities, exacerbate information disparities, erode public trust and free
10 expression, disincentivize individuals from participating fully in
11 digital life and utilizing online services, and increase the risk of
12 future harms.
13 The legislature additionally finds that individuals in New York state,
14 like individuals across the nation, do not know or consent to the manner
15 in which entities collect, use, retain, share, and monetize their
16 personal information. This misunderstanding is, at least in part, due to
17 obfuscation on the part of the entities leveraging individuals' personal
18 information. Researchers at Carnegie Mellon found that it would take
19 seventy-six work days for individuals to read all of the privacy poli-
20 cies they encounter in a year. Although the advertising industry devel-
21 oped a common logo and slogan to notify individuals of the opportunity
22 to opt-out of targeted advertising, following market research, the
23 industry selected the slogan and logo that few individuals understood,
24 seemingly to discourage opt-out.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD06719-01-3
A. 3308 2
1 The legislature further finds that entities that collect, use, retain,
2 share, and monetize personal information have specialized knowledge
3 about the algorithms and data security measures they use, as well as
4 about how they collect, use, retain, share, and monetize personal infor-
5 mation, that the average individual is unlikely to understand. Just as
6 banks, lawyers, and medical providers, given their specialized know-
7 ledge, have special obligations to individuals, entities collecting
8 intimate personal information in the digital age and benefiting from
9 similarly specialized knowledge should have similar obligations.
10 The legislature also finds that individuals in New York state, like
11 individuals across the country, value privacy and wish to control who
12 has access to their personal information. Ninety-two percent of Face-
13 book users alter the social network's default privacy settings, demon-
14 strating that they wish to choose with whom they share personal informa-
15 tion. Similarly, ninety-two percent of Americans believe companies
16 should obtain individuals' permission before sharing or selling their
17 personal information.
18 The legislature additionally finds that biometric information is
19 unlike other unique identifiers, because biometric information is
20 biologically unique to an individual and cannot be changed if compro-
21 mised. As a result, biometric information merits special protections.
22 The legislature also finds that it has had a decades long interest in
23 protecting New Yorkers' privacy. For example, since 1996, section 79-l
24 of the New York civil rights law has protected the privacy of genetic
25 information, requiring an individual's informed, written consent prior
26 to genetic testing and restricting the disclosure and retention of
27 genetic information.
28 The legislature further finds that the use of automated decision
29 systems to make core government and business decisions raises concerns
30 around due process, fairness, accountability, and transparency, as well
31 as other civil rights and liberties. Reliance on automated decision
32 systems without adequate transparency, oversight, or safeguards can
33 undermine market predictability, harm consumers, and deny historically
34 disadvantaged or vulnerable groups the full measure of their civil
35 rights and liberties.
36 The legislature finally finds that New York has the longest standing
37 human rights law in the nation and that the state has prioritized root-
38 ing out discrimination in employment, housing, credit, public accommo-
39 dations, and educational institutions based on age, race, national
40 origin, sex, sexual orientation, gender identity, disability, and other
41 protected classes. Ensuring that sophisticated algorithms cannot be used
42 to circumvent the state's civil and human rights laws is an important
43 exercise of the legislature's authority.
44 § 3. The general business law is amended by adding a new article 39-FF
45 to read as follows:
46 ARTICLE 39-FF
47 DIGITAL FAIRNESS ACT
48 Section 899-cc. Definitions.
49 899-dd. Meaningful notice.
50 899-ee. Opt-in consent.
51 899-ff. Affirmative obligations.
52 899-gg. Biometric information; retention, collection, disclosure
53 and destruction.
54 899-hh. Surreptitious surveillance.
55 899-ii. Enforcement.
A. 3308 3
1 § 899-cc. Definitions. For the purposes of this article, the following
2 terms shall have the following meanings:
3 1. "Biometric information" shall mean a record of one or more measur-
4 able biological or behavioral characteristics that can be used singular-
5 ly or in combination with other characteristics, or with other informa-
6 tion, for automated recognition of a known or unknown individual.
7 Examples of such term shall include, but not be limited to: finger-
8 prints, retina and iris patterns, voiceprints, DNA sequence, facial
9 characteristics, gait, handwriting, key stroke dynamics, and mouse move-
10 ments.
11 2. "Collect" shall mean to buy, rent, gather, obtain, receive, or
12 access any personal information pertaining to an individual by any
13 means, online or offline, including but not limited to, receiving infor-
14 mation from the individual or from a third party, actively or passively,
15 or obtaining information by observing such individual's behavior.
16 3. "Conduct business in New York" shall mean to produce, solicit, or
17 offer for use or sale any product or service in a manner that inten-
18 tionally targets, or may reasonably be expected to contact, New York
19 residents, or to engage in any activity that would subject the actor to
20 personal jurisdiction under section three hundred one or section three
21 hundred two of the civil practice law and rules, whether or not for
22 profit.
23 4. "Covered entity" shall mean a legal entity that conducts business
24 in New York state and as part of such business, processes and maintains
25 the personal information of five hundred or more unique individuals.
26 5. "Data processor" shall mean a person that processes personal infor-
27 mation on behalf of a covered entity.
28 6. "De-identified information" shall mean information that cannot
29 reasonably identify, relate to, describe, be capable of being associated
30 with, or be linked, directly or indirectly, to a particular individual;
31 provided that a covered entity that uses de-identified information:
32 (a) Has implemented technical safeguards that prohibit reidentifica-
33 tion of the individual to whom such information may pertain;
34 (b) Has implemented business processes that specifically prohibit
35 reidentification of such information;
36 (c) Has implemented business processes that prevent inadvertent
37 release of such de-identified information; and
38 (d) Makes no attempt to reidentify such information.
39 7. "Device" shall mean a product that is capable of sending, routing,
40 or receiving communications to or from another device and intended for
41 use by a single individual or single household or, if used outside of a
42 home, for use by the general public.
43 8. "Device fingerprinting" shall mean information passively collected
44 for the purpose of identifying a device through a combination of device
45 identifiers, wireless or cellular networks, language settings, software
46 versions, time zone, frequently visited sites, drivers, or other spec-
47 ifications.
48 9. "Device indicator" shall mean any identifier tied to an individual,
49 household, or device, including but not limited to a combinatory method
50 such as device fingerprinting or a technical identifier such as internet
51 protocol address, device advertisement identifier, serial number, inter-
52 national mobile equipment identity, media access control address, cookie
53 identifier, or subscriber identification module card serial number,
54 whether resettable or persistent.
55 10. "Disclose" shall mean any action, set of actions, or omission in
56 which a covered entity, data processor, or third party makes personal
A. 3308 4
1 information available to another person, intentionally or uninten-
2 tionally, including but not limited to, sharing, publishing, releasing,
3 transferring, disseminating, making available, selling, leasing, provid-
4 ing access to, failing to restrict access to, or otherwise communicating
5 orally, in writing, electronically, or by any other means.
6 11. "Division" shall mean the consumer protection division, unless
7 context clearly indicates otherwise.
8 12. "Governmental entity" shall mean a department or agency of the
9 state or a political subdivision thereof, or an individual acting for or
10 on behalf of the state or a political subdivision thereof.
11 13. "Harm" shall mean potential or realized adverse consequences to an
12 individual or to society, including but not limited to:
13 (a) Direct or indirect financial harm.
14 (b) Physical harm or threats to persons or property, including but not
15 limited to bias-related crimes and threats, harassment, and sexual
16 harassment.
17 (c) Discrimination in goods, services, or economic opportunity,
18 including but not limited to housing, employment, credit, insurance,
19 education, or health care on the basis of an individual or class of
20 individuals' actual or perceived age, race, national origin, sex, sexual
21 orientation, gender identity, marital status, disability, military
22 status, and/or membership in another protected class.
23 (d) Interference with or surveillance of first amendment-protected
24 activities by state actors.
25 (e) Interference with the right to vote or with free and fair
26 elections.
27 (f) Interference with due process or equal protection under law.
28 (g) Loss of individual control over personal information, nonconsensu-
29 al sharing of private information, and data breach.
30 (h) The nonconsensual capture of information or communications within
31 an individual's home or where an individual has a reasonable expectation
32 of seclusion or access control.
33 (i) Other effects on an individual that may not be reasonably foresee-
34 able to, contemplated by, or expected by the individual to whom the
35 personal information relates, that are nevertheless reasonably foreseea-
36 ble, contemplated by, or expected by the covered entity that alter or
37 limit such individual's choices or predetermine results.
38 14. "Individual" shall mean a natural person whom a covered entity
39 knows or has reason to know is located within New York state.
40 15. "Personal information" shall mean information that is captured in
41 exchange for any kind of value provided to the individual to whom the
42 information pertains, including but not limited to a good or service,
43 the placement of targeted advertisements, or a membership; as a result
44 of an individual, household, or device's establishment or maintenance of
45 an account with a covered entity; or as a result of an individual,
46 household, or device's interaction with a covered entity. Such term
47 shall also include information that directly or indirectly identifies,
48 relates to, describes, is capable of being associated with, or could
49 reasonably be linked to a particular individual, household, or device
50 that provides or provided information to a covered entity in exchange
51 for any kind of value provided to the individual to whom such informa-
52 tion pertains or that established, maintained, establishes or maintains
53 an account with a covered entity. Information is reasonably linkable to
54 an individual, household, or device if it can be used on its own or in
55 combination with other reasonably available information, regardless of
A. 3308 5
1 whether such other information is held by the covered entity, to identi-
2 fy an individual, household, or device.
3 16. "Monetize" shall mean to sell, rent, release, disclose, dissem-
4 inate, make available, transfer, or otherwise communicate orally, in
5 writing, or by electronic or other means, an individual's personal
6 information by a covered entity, a third party, or a data processor in
7 exchange for monetary or other consideration, as well as to leverage or
8 use an individual's personal information to place a targeted advertise-
9 ment or to otherwise profit, regardless of whether such individual's
10 personal information changes hands.
11 17. "Process" or "processing" shall mean any action or set of actions
12 performed on or with personal information, including but not limited to,
13 collection, access, use, retention, sharing, monetizing, analysis,
14 creation, generation, derivation, decision-making, recording, alter-
15 nation, organization, structuring, storage, disclosure, transmission,
16 sale, licensing, disposal, destruction, de-identifying, or other handl-
17 ing of personal information.
18 18. "Reasonably understandable" shall mean of a length and complexity
19 such that an individual with a fourth-grade reading level, as estab-
20 lished by the New York department of education's fourth grade English
21 language arts learning standards, can read and comprehend the contents
22 in two minutes or less.
23 19. "Targeted advertisement" shall mean an advertisement directed to
24 an individual where the advertisement is selected based on personal
25 information obtained or inferred over time from such individual's or the
26 individual's device's activities, communications, or associations across
27 websites, applications, services, or covered entities. Such term shall
28 not include advertisements directed to an individual solely based upon
29 the individual's current visit to a website, application, service, or
30 covered entity, or in response to the individual's request for informa-
31 tion or feedback.
32 20. "Third party" shall mean, with respect to an individual's personal
33 information, any person that is not the covered entity or a data proces-
34 sor.
35 21. "Use model" shall mean a discrete purpose for which collected
36 personal information is to be processed, including but not limited to,
37 first party marketing, third party marketing, first party research and
38 development, third party research and development, and product improve-
39 ment.
40 § 899-dd. Meaningful notice. 1. In addition to any long form privacy
41 policy, each covered entity shall make persistently and conspicuously
42 available a short-form privacy notice--
43 (a) That an individual must interact with upon the individual's first
44 visit to the covered entity's website or first use of the covered enti-
45 ty's mobile application;
46 (b) Persistently available and readily accessible on a covered enti-
47 ty's website or mobile application;
48 (c) At the physical place of business or any offline equivalent main-
49 tained by the covered entity; and
50 (d) At or prior to the point of sale of a product or service,
51 subscription to a service, or establishment of an account with, the
52 covered entity or if there is no such sale, subscription, or establish-
53 ment, before the individual uses such product or service of the covered
54 entity.
55 2. The short-form privacy notice required by subdivision one of this
56 section shall:
A. 3308 6
1 (a) Be clear, concise, well-organized, and complete;
2 (b) Be clear and prominent in appearance;
3 (c) Use clear and plain language;
4 (d) Use visualizations where appropriate to make complex information
5 understandable by the ordinary user;
6 (e) Be reasonably understandable;
7 (f) Be clearly distinguishable from other matters;
8 (g) Not contain any unrelated, confusing, or contradictory informa-
9 tion;
10 (h) Be no more than five hundred words, excluding the list of third
11 parties required under paragraph (f) of subdivision three of this
12 section; and
13 (i) Be provided free of charge.
14 3. The short-form privacy notice required by subdivision one of this
15 section shall include:
16 (a) What personal information is being processed;
17 (b) The manner in which personal information is processed;
18 (c) How and for what purpose the covered entity processes personal
19 information;
20 (d) How long personal information will be retained;
21 (e) Whether and how the covered entity monetizes personal information;
22 (f) To which third parties the covered entity discloses personal
23 information and for what purposes; and
24 (g) How the covered entity collects personal information, including
25 offline practices, when the individual is not directly interacting with
26 such covered entity.
27 4. The list of third parties required under paragraph (f) of subdivi-
28 sion three of this section, shall be offset by at least two line breaks
29 from the rest of the short-form privacy notice required under subdivi-
30 sion one of this section.
31 5. Within one year of the enactment of this article, the consumer
32 protection division shall establish standardized short-form privacy
33 notices that comply with this section. A covered entity may satisfy the
34 short-form privacy notice requirements by adopting the standardized
35 short-form privacy notice established by the division.
36 6. Within one year of the enactment of this article, the consumer
37 protection division shall develop a recognizable and uniform logo or
38 button to promote individual awareness of the short-form privacy notice
39 that may be used by covered entities.
40 7. The consumer protection division may promulgate rules and regu-
41 lations specifying additional requirements for the format and substance
42 of such short-form privacy notices.
43 § 899-ee. Opt-in consent. 1. A covered entity shall obtain freely
44 given, specific, informed, and unambiguous opt-in consent from an indi-
45 vidual to:
46 (a) Process such individual's personal information; and
47 (b) Make any changes in the processing of such individual's informa-
48 tion that necessitate a change to the entity's short-form privacy notice
49 required under section eight hundred ninety-nine-dd of this article.
50 2. Within one year of the enactment of this article, the division
51 shall promulgate rules and regulations grouping different types of proc-
52 essing of personal information by use model and permitting a covered
53 entity to simultaneously obtain freely given, specific, informed, and
54 unambiguous opt-in consent from an individual for multiple transactions
55 of the same use model.
A. 3308 7
1 3. A covered entity shall ensure that the option to withhold consent
2 is displayed as clearly and prominently as the option to provide
3 consent.
4 4. A covered entity shall provide a mechanism for an individual to
5 withdraw previously-given consent at any time. Such mechanism shall make
6 it as easy for an individual to withdraw their consent as it is for such
7 individual to provide consent.
8 5. A covered entity shall not be required to obtain freely given,
9 specific, informed, and unambiguous opt-in consent from an individual
10 under subdivision one of this section if:
11 (a) The processing is necessary for the primary purpose of the trans-
12 action for which personal information is provided, such as the provision
13 of financial information to complete a purchase or the provision of a
14 mailing address for package delivery; provided that the personal infor-
15 mation shall not be processed or monetized for any other purpose without
16 the freely given, specific, informed, and unambiguous opt-in consent
17 from the individual to whom the personal information pertains.
18 (b) The covered entity, in good faith, believes that an emergency
19 presenting the risk of death or serious physical injury to any individ-
20 ual requires disclosure, without delay, of personal information relating
21 to such emergency, the covered entity may disclose the personal informa-
22 tion relating to such emergency to a governmental entity. A covered
23 entity that discloses the personal information of an individual without
24 obtaining opt-in approval shall, within twenty-four hours, inform the
25 individual of the personal information that the covered entity
26 disclosed, the details of the emergency, and the reasons why the covered
27 entity needed to use, access, or disclose the personal information.
28 (c) Processing the personal information is necessary for engaging in
29 public or peer-reviewed scientific, medical, historical, social science,
30 or statistical research in the public interest that adheres to all other
31 applicable ethical standards or laws, with informed consent.
32 (d) Processing the personal information is necessary for clinical,
33 treatment, public health, medical educational, medical training, or
34 insurance purposes, provided that the personal information shall not be
35 processed or monetized for any other purpose without the freely given,
36 specific, informed, and unambiguous opt-in consent from such individual
37 to whom the personal information pertains.
38 (e) The processing involves only de-identified information.
39 (f) In response to a warrant issued by a court of competent jurisdic-
40 tion under the procedures described in the federal rules of criminal
41 procedure or article six hundred ninety of the criminal procedure law.
42 (g) If required by state or federal law.
43 6. The division is hereby authorized and directed to conduct a study
44 to determine the most effective way for entities to obtain individuals'
45 freely given, specific, informed, and unambiguous opt-in consent for
46 each type of personal information processing and, to the extent possi-
47 ble, to avoid notice fatigue.
48 7. The division may request data and information from covered entities
49 conducting business in New York state, other New York state government
50 entities administering notice and consent regimes, consumer protection
51 and privacy advocates and researchers, internet standards setting
52 bodies, such as the internet engineering taskforce and the institute of
53 electrical and electronics engineers, and other relevant sources to
54 effectuate the purpose of such study. The division shall receive, upon
55 request, data from other New York state governmental entities.
A. 3308 8
1 8. Within one year of the enactment of this article, the division
2 shall promulgate rules and regulations specifying the manner in which
3 covered entities shall obtain individuals' freely given, specific,
4 informed, and unambiguous opt-in consent for each type of personal
5 information processing, as well as the manner in which individuals may
6 withdraw their consent at any time. Such rules and regulations shall
7 require covered entities to make it as easy for an individual to with-
8 draw their consent as it is for the individual to provide consent.
9 9. Under no circumstances shall an individual's interaction with a
10 covered entity or use of a covered entity's product or service, when the
11 covered entity has a terms of service or a privacy policy, including the
12 short-form privacy notice required under section eight hundred ninety-
13 nine-dd of this article, in and of itself constitute freely given,
14 specific, informed, and unambiguous consent.
15 10. To the extent that a covered entity must process internet protocol
16 addresses, system configuration information, URLs of referring pages,
17 locale and language preferences, keystrokes, and other personal informa-
18 tion in order to obtain individuals' freely given, specific, informed,
19 and unambiguous opt-in consent, the covered entity shall:
20 (a) Only process the personal information necessary to request freely
21 given, specific, informed, and unambiguous opt-in consent;
22 (b) Process the personal information solely to request freely given,
23 specific, informed, and unambiguous opt-in consent; and
24 (c) Immediately delete the personal information if consent is withheld
25 or withdrawn.
26 11. A covered entity shall not refuse to serve an individual who does
27 not approve the processing of such individual's personal information
28 under this section, unless the processing is necessary for the primary
29 purpose of the transaction such individual has requested.
30 12. A covered entity shall not offer an individual a program that
31 relates the price or quality of a product or service to the privacy
32 protections afforded to the individual, including by providing a
33 discount or other incentive in exchange for the opt-in approval of such
34 individual to the processing of such individual's personal information,
35 or because an individual declines to exercise the opportunities provided
36 under subdivision two of section eight hundred ninety-nine-ff of this
37 article.
38 13. Notwithstanding subdivision twelve of this section, a covered
39 entity may, with the individual's freely given, specific, informed, and
40 unambiguous opt-in consent given pursuant to this section, operate a
41 program in which information, products, or services sold to the individ-
42 ual are discounted based on such individual's prior purchases from the
43 covered entity; provided that the captured personal information shall be
44 processed solely for the purpose of operating such program.
45 § 899-ff. Affirmative obligations. 1. Care. (a) A covered entity shall
46 store, transmit, and protect from disclosure all personal information
47 using the reasonable standard of care within the covered entity's indus-
48 try; and such covered entity shall store, transmit, and protect from
49 disclosure all personal information in a manner that is the same as or
50 more protective than the manner in which the covered entity stores,
51 transmits, and protects other confidential information.
52 (b) The division, in consultation with the office of information tech-
53 nology services and the department of financial services, may develop
54 appropriate security standards for personal information. This paragraph
55 shall preempt paragraph (a) of this subdivision only to the extent that
A. 3308 9
1 the security standards developed are more protective of personal infor-
2 mation than the industry standard of care.
3 2. Loyalty. (a) Absent freely given, specific, informed, and unambig-
4 uous opt-in consent from the individual engaging in a transaction with a
5 covered entity, a covered entity shall not process personal information
6 beyond what is adequate, relevant, and necessary for the completion of
7 the transaction requested by such individual.
8 (b) A covered entity that maintains an individual's personal informa-
9 tion shall provide such individual with a reasonable means to access
10 their personal information, including any information obtained about
11 that individual from a third-party, whether online or offline, as well
12 as information about where or from whom the covered entity obtained the
13 personal information and the names of the third parties to which the
14 covered entity has disclosed or will disclose the personal information.
15 (c) A covered entity that maintains an individual's personal informa-
16 tion shall provide the access to such personal information under para-
17 graph (b) of this subdivision, in a usable and searchable format that
18 allows the individual to transfer the personal information from one
19 entity to another entity without hindrance.
20 (d) A covered entity that maintains an individual's personal informa-
21 tion in a non-public profile or account shall delete such personal
22 information, and any information derived therefrom, pertaining to an
23 individual upon such individual's request.
24 (e) A covered entity shall provide the opportunities required under
25 paragraphs (b), (c) and (d) of this subdivision, in a form that is:
26 (i) Clear and conspicuous;
27 (ii) Made available at no additional cost to the individual to whom
28 the information pertains; and
29 (iii) In a language other than English if the covered entity communi-
30 cates with the individual to whom the information pertains in such other
31 language.
32 (f) A covered entity shall comply with an individual's request under
33 paragraphs (b), (c) and (d) of this subdivision, not later than ninety
34 days after receiving a verifiable request from the individual; or, if
35 the individual is a minor under the age of thirteen, the individual's
36 parent or guardian; or, if the individual is a minor between the ages of
37 thirteen and eighteen, either the individual or the individual's parent
38 or guardian.
39 (i) Where the covered entity has reasonable doubts or cannot verify
40 the identity of the individual making a request under paragraphs (b),
41 (c) or (d) of this subdivision, the covered entity may request addi-
42 tional personal information necessary for the specific purpose of
43 confirming the identity of such individual. In such cases, the addi-
44 tional personal information shall not be processed for any purpose other
45 than verifying the identity of the individual and shall be deleted imme-
46 diately upon verification or failure to verify the individual.
47 (ii) A covered entity may not de-identify an individual's personal
48 information during the ninety-day period beginning on the date on which
49 the covered entity receives a request from the individual pursuant to
50 paragraphs (b), (c) and (d) of this subdivision.
51 (iii) The division may promulgate rules and regulations specifying
52 additional requirements for a covered entity's response to requests
53 pursuant to paragraphs (b), (c) and (d) of this subdivision.
54 (g) Where an individual has taken steps by the online selection of
55 options related to the processing of personal information, a covered
56 entity shall adhere to such selections.
A. 3308 10
1 (h) A covered entity shall not share an individual's device identifi-
2 ers with any third party without the individual's freely given, specif-
3 ic, informed, and unambiguous opt-in written consent.
4 3. Confidentiality. (a) A covered entity shall not disclose personal
5 information to a third party unless that third party is contractually
6 bound to the covered entity to meet the same privacy and security obli-
7 gations as the covered entity. A covered entity shall exercise reason-
8 able oversight and take reasonable actions, including by auditing the
9 data security and processing practices of the third party no less than
10 once annually, to ensure the third party's compliance. The covered enti-
11 ty shall publish the results of such audit publicly on its website.
12 (i) A covered entity shall not process personal information it has
13 acquired from a third party, without the freely given, specific,
14 informed, and unambiguous opt-in consent from the individual to whom
15 that personal information pertains unless the processing is necessary to
16 obtain such individuals' freely given, specific, informed, and unambig-
17 uous opt-in consent, in which the covered entity shall only process the
18 personal information necessary to request freely given, specific,
19 informed, and unambiguous opt-in consent and shall immediately delete
20 such personal information if consent is withheld or withdrawn.
21 (ii) A covered entity that facilitates access to personal information
22 by other covered entities shall limit access to and seek proof of
23 destruction of such personal information if the first covered entity has
24 actual knowledge that another covered entity has violated this section.
25 (b) A covered entity shall not disclose personal information to a data
26 processor unless the covered entity enters into a contractual agreement
27 with such data processor that prohibits the data processor from process-
28 ing such personal information for any purpose other than the purposes
29 for which the individual provided the personal information to the
30 covered entity, and that requires the data processor to meet the same
31 privacy and security obligations as the covered entity. Such data
32 processor shall not further disclose or process personal information it
33 has acquired from the covered entity except as explicitly authorized by
34 the contract. A covered entity shall exercise reasonable oversight and
35 take reasonable actions, including but not limited to, auditing the data
36 security and processing practices of the data processor no less than
37 once annually, to ensure its data processor's compliance. The covered
38 entity shall publish the results of such audit publicly on its website.
39 4. Duty. A covered entity that collects personal information directly
40 from an individual has a duty, when processing such personal informa-
41 tion, to put the interests of the individual ahead of the interests of
42 the covered entity's business.
43 § 899-gg. Biometric information; retention, collection, disclosure and
44 destruction. 1. A covered entity or governmental entity in possession
45 of biometric information shall develop a written policy, made available
46 to the public, establishing a retention schedule and guidelines for
47 permanently destroying biometric information when the initial purpose
48 for collecting or obtaining such information has been satisfied, or
49 within one year of the individual's last interaction with the covered
50 entity or governmental entity, whichever occurs first. Absent a valid
51 warrant issued by a court of competent jurisdiction, a covered entity or
52 governmental entity in possession of biometric information shall comply
53 with its established retention schedule and destruction guidelines.
54 2. No covered entity shall collect, capture, purchase, receive through
55 trade, or otherwise obtain an individual's biometric information, unless
56 it first:
A. 3308 11
1 (a) Informs the subject or the subject's legally authorized represen-
2 tative in writing that biometric information is being collected or
3 stored;
4 (b) Informs the subject or the subject's legally authorized represen-
5 tative in writing of the specific purpose and length of term for which
6 such biometric information is being collected, stored, and used; and
7 (c) Receives a written release executed by the subject of the biome-
8 tric information or the subject's legally authorized representative.
9 3. Absent a law enforcement investigation pursuant to a criminal inci-
10 dent, no governmental entity shall collect, capture, purchase, receive
11 through trade, or otherwise obtain an individual's biometric informa-
12 tion, unless:
13 (a) It first obtains a valid warrant issued by a court of competent
14 jurisdiction under the procedures described in the federal rules of
15 criminal procedure or article six hundred ninety of the criminal proce-
16 dure law.
17 (b) It believes that an emergency involving immediate danger of death
18 or serious physical injury to any individual requires obtaining, without
19 delay, biometric information related to such emergency and the request
20 is narrowly tailored to address such emergency, subject to the following
21 limitations:
22 (i) The request shall document the factual basis for believing that an
23 emergency involving immediate danger of death or serious physical injury
24 to an individual requires obtaining, without delay, biometric informa-
25 tion relating to such emergency; and
26 (ii) Not later than forty-eight hours after the date on which a
27 governmental entity obtains biometric information under this paragraph,
28 the governmental entity shall file with the appropriate court a signed,
29 sworn statement of a supervisory official of a rank designated by the
30 head of such governmental entity setting forth the grounds for the emer-
31 gency access; or
32 (c) It first informs the subject or the subject's legally authorized
33 representative in writing that biometric information is being collected
34 or stored, the specific purpose and length of term for which such biome-
35 tric information is being collected, stored, and used, and it receives a
36 written release executed by the subject of the biometric information or
37 the subject's legally authorized representative.
38 4. No covered entity or governmental entity in possession of biometric
39 information shall sell, lease, trade, monetize, or otherwise profit from
40 such biometric information.
41 5. No covered entity or governmental entity in possession of an indi-
42 vidual's biometric information shall disclose, redisclose, or otherwise
43 disseminate such individual's biometric information unless:
44 (a) The subject of the biometric information or the subject's legally
45 authorized representative consents in writing to the disclosure or
46 redisclosure of such information;
47 (b) The disclosure or redisclosure of such information completes a
48 financial transaction requested or authorized by the subject of the
49 biometric identifier or the biometric information or the subject's
50 legally authorized representative;
51 (c) The disclosure or redisclosure is required by state or federal
52 law; or
53 (d) The disclosure is required pursuant to a valid warrant issued by a
54 court of competent jurisdiction under the procedures described in the
55 federal rules of criminal procedure or article six hundred ninety of the
56 criminal procedure law.
A. 3308 12
1 6. The requirements of this section are in addition to those imposed
2 by sections eight hundred ninety-nine-dd through eight hundred ninety-
3 nine-ff of this article.
4 7. (a) Subdivisions one through six of this section shall not apply to
5 biometric information captured from a patient by a health care provider
6 or health care facility, as defined in section eighteen of the public
7 health law, or biometric information collected, used, or stored for
8 medical education or research, public health or epidemiological
9 purposes, health care treatment, payment, or operations under the feder-
10 al health insurance portability and accountability act of 1996, or to
11 X-ray, roentgen process, computed tomography, MRI, PET scan, mammogra-
12 phy, or other image or film of the human anatomy used to diagnose, prog-
13 nose, or treat an illness or other medical condition or to further vali-
14 date scientific testing or screening.
15 (b) Biometric information captured, collected, used, or stored pursu-
16 ant to paragraph (a) of this subdivision, including information that has
17 been de-identified or aggregated, shall not be used, disclosed, or
18 otherwise disseminated except for:
19 (i) Clinical, treatment, scientific, public health, medical educa-
20 tional, medical training, research, or insurance purposes;
21 (ii) If required by state or federal law;
22 (iii) To respond to a warrant issued by a court of competent jurisdic-
23 tion under the procedures described in the federal rules of criminal
24 procedure or article six hundred ninety of the criminal procedure law;
25 or
26 (iv) If the subject of the biometric information or the subject's
27 legally authorized representative consents in writing to the disclosure
28 or redisclosure.
29 8. Nothing in subdivision seven of this section shall affect any
30 person or covered entity's rights or obligations under section eighteen
31 of the public health law.
32 § 899-hh. Surreptitious surveillance. A covered entity shall not acti-
33 vate the microphone, camera, or other sensor on a device in the lawful
34 possession of an individual that is capable of collecting or transmit-
35 ting audio, video, or image data or data that can be directly used to
36 measure biometric information, human movement, location, chemicals,
37 light, radiation, air pressure, speed, weight or mass, positional or
38 physical orientation, magnetic fields, temperature, or sound without
39 providing the notice required by section eight hundred ninety-nine-dd of
40 this article and obtaining the individual's freely given, specific,
41 informed, and unambiguous opt-in consent pursuant to section eight
42 hundred ninety-nine-ee of this article.
43 § 899-ii. Enforcement. 1. Any individual may bring a civil action in
44 any court of competent jurisdiction alleging a violation of this arti-
45 cle, or a violation of a rule or regulation promulgated to effectuate
46 the provisions of this article.
47 (a) A violation of this article, or a violation of a rule or regu-
48 lation promulgated to effectuate the provisions of this article, with
49 respect to the personal information of an individual constitutes a
50 rebuttable presumption of harm to such individual.
51 (b) In a civil action in which the plaintiff prevails, the court may
52 award:
53 (i) Liquidated damages of ten thousand dollars or actual damages,
54 whichever is greater;
55 (ii) Punitive damages; and
A. 3308 13
1 (iii) Any other relief, including an injunction, that the court deems
2 appropriate.
3 (c) In addition to any relief awarded under paragraph (b) of this
4 subdivision, the court shall award reasonable attorney's fees and costs
5 to any prevailing plaintiff.
6 2. The attorney general may bring an action in the name of the state,
7 or as a parens patriae proceeding on behalf of persons residing in the
8 state, to enforce this article. In such action, the court may award:
9 (a) Injunctive relief, including preliminary injunctions, to prevent
10 further violations of and compel compliance with the provisions of this
11 article;
12 (b) Civil penalties of up to twenty-five thousand dollars per
13 violation, or up to four percent of annual revenue of the covered enti-
14 ty, data processor, or third party;
15 (c) Other appropriate relief, including restitution, to redress harms
16 to individuals or to mitigate all substantial risk of harm; and
17 (d) Any other relief the court deems appropriate.
18 3. A district attorney, or a city attorney in a city having a popu-
19 lation in excess of seven hundred fifty thousand people, may bring an
20 action to enforce this article. In such action, the court may award:
21 (a) Injunctive relief, including preliminary injunctions, to prevent
22 further violations of and compel compliance with the provisions of this
23 article;
24 (b) Civil penalties of up to twenty-five thousand dollars per
25 violation, or up to four percent of annual revenue of the covered enti-
26 ty, data processor, or third party;
27 (c) Other appropriate relief, including restitution, to redress harms
28 to individuals or to mitigate all substantial risk of harm; and
29 (d) Any other relief the court deems appropriate.
30 4. When calculating damages and civil penalties, the court shall
31 consider the number of affected individuals, the severity of the
32 violation, and the size and revenues of the covered entity.
33 5. Each individual whose personal information is unlawfully processed,
34 and each instance of processing counts as a separate violation. Each
35 provision of this article that is violated counts as a separate
36 violation.
37 6. It is a violation of this article for a covered entity, govern-
38 mental entity, or anyone else acting on behalf of a covered entity or
39 governmental entity to retaliate against an individual who makes a good-
40 faith complaint that there has been a failure to comply with any
41 provision of this article. An individual who is injured by a violation
42 of this subdivision may bring a civil action for monetary damages and
43 injunctive relief in any court of competent jurisdiction.
44 7. If a series of steps or transactions were component parts of a
45 single transaction intended to be taken with the intention of avoiding
46 the reach of this article, a court shall disregard the intermediate
47 steps or transactions for purposes of effectuating the purposes of this
48 article.
49 8. Any provision of a contract or agreement of any kind, including a
50 covered entity's terms of service or a privacy policy, including the
51 short-form privacy notice required under section eight hundred ninety-
52 nine-dd of this article, that purports to waive or limit in any way an
53 individual's rights under this article, including but not limited to,
54 any right to a remedy or means of enforcement, shall be deemed contrary
55 to public policy and shall be void and unenforceable.
A. 3308 14
1 9. No covered entity, that is a provider of an interactive computer
2 service as defined in 47 U.S.C. § 230, shall be liable for any personal
3 information or biometric information posted by another information
4 content provider, as defined in 47 U.S.C. § 230.
5 10. No private or government action brought pursuant to this section
6 shall preclude any other action under this article.
7 § 4. Section 292 of the executive law is amended by adding nine new
8 subdivisions 42, 43, 44, 45, 46, 47, 48, 49 and 50 to read as follows:
9 42. The term "advertiser" shall mean a person who proposes a commer-
10 cial transaction or disseminates a public or private communication of
11 which the primary purpose is to solicit for an opportunity.
12 43. The term "conduct business in New York" shall mean to produce,
13 solicit, or offer for use or sale any product or service in a manner
14 that intentionally targets, or may reasonably be expected to contact,
15 New York residents, or to engage in any activity that would subject the
16 actor to personal jurisdiction under section three hundred one or three
17 hundred two of the civil practice law and rules, whether or not for
18 profit.
19 44. The term "covered entity" shall mean a legal entity that conducts
20 business in New York state and as part of such business, processes and
21 maintains the data of five hundred or more unique individuals.
22 45. The term "governmental entity" shall mean a department or agency
23 of the state or a political subdivision thereof, or an individual acting
24 for or on behalf of the state or a political subdivision thereof.
25 46. The term "individual" shall mean a natural person whom a covered
26 entity knows or has reason to know is located within New York state.
27 47. The term "personal information" shall mean information that
28 directly or indirectly identifies, relates to, describes, is capable of
29 being associated with, or could reasonably be linked to a particular
30 individual, household, or device. Information is reasonably linkable to
31 an individual, household, or device if it can be used on its own or in
32 combination with other reasonably available information, regardless of
33 whether such other information is held by the covered entity, to identi-
34 fy an individual, household, or device.
35 48. The term "process" or "processing" shall mean any action or set of
36 actions performed on or with personal information, including but not
37 limited to, collection, access, use, retention, sharing, monetizing,
38 analysis, creation, generation, derivation, decision-making, recording,
39 alternation, organization, structuring, storage, disclosure, trans-
40 mission, sale, licensing, disposal, destruction, de-identifying, or
41 other handling of personal information.
42 49. The term "proxy" or "proxies" shall mean information that, by
43 itself or in combination with other information, is used by a covered
44 entity in a way that discriminates based on actual or perceived personal
45 characteristics or classes protected under section two hundred ninety-
46 six of this article.
47 50. The term "targeted advertisement" shall mean an advertisement
48 directed to an individual where the advertisement is selected based on
49 personal information obtained or inferred over time from such individ-
50 ual's or the individual's device's activities, communications, or asso-
51 ciations across websites, applications, services, or covered entities.
52 Such term shall not include advertisements directed to an individual
53 solely based upon the individual's current visit to a website, applica-
54 tion, service, or covered entity, or in response to the individual's
55 request for information or feedback.
A. 3308 15
1 § 5. The executive law is amended by adding a new section 296-e to
2 read as follows:
3 § 296-e. Unlawful discriminatory practices relating to targeted adver-
4 tising. 1. It shall be an unlawful discriminatory practice:
5 (a) For a covered entity to process personal information for the
6 purpose of advertising, marketing, soliciting, offering, selling, leas-
7 ing, licensing, renting, or otherwise commercially contracting for
8 employment, finance, health care, credit, insurance, housing, or educa-
9 tion opportunities, in a manner that discriminates against or otherwise
10 makes the opportunity unavailable on the basis of an individual's or
11 class of individuals' actual or perceived age, race, creed, color,
12 national origin, sexual orientation, gender identity or expression, sex,
13 disability, predisposing genetic characteristics, or domestic violence
14 victim status.
15 (b) For a covered entity or governmental entity to process personal
16 information in a manner that discriminates in or otherwise makes
17 unavailable, on the basis of an individual's or class of individuals'
18 actual or perceived age, race, creed, color, national origin, sexual
19 orientation, gender identity or expression, sex, disability, predispos-
20 ing genetic characteristics, or domestic violence victim status, any of
21 the following:
22 (i) The goods, services, facilities, privileges, advantages, or accom-
23 modations of any inn, hotel, motel, or other place of lodging, except
24 for an establishment located within a building that contains not more
25 than five rooms for rent or hire and that is actually occupied by the
26 proprietor of such establishment as the residence of such proprietor;
27 (ii) Any restaurant, bar, or other establishment serving food or drink
28 to the public;
29 (iii) Any motion picture house, theater, concert hall, stadium, audi-
30 torium, convention center, or lecture hall;
31 (iv) Any sales or rental establishment;
32 (v) Any laundromat, dry-cleaner, bank, barber shop, beauty shop, trav-
33 el service, shoe repair service, funeral parlor, gas station, office of
34 an accountant or lawyer, pharmacy, insurance office, professional office
35 of a health care provider, hospital, or other service establishment;
36 (vi) Any terminal, depot, or other station used for specified public
37 transportation;
38 (vii) Any museum, library, or gallery;
39 (viii) Any park, zoo, or amusement park;
40 (ix) A nursery, elementary, secondary, undergraduate, or postgraduate
41 school, or other place of education;
42 (x) Any day care center, senior citizen center, homeless shelter, food
43 bank, adoption agency, or other social service center establishment; or
44 (xi) Any gymnasium, health spa, bowling alley, golf course, or other
45 place of exercise.
46 (c) For a covered entity or governmental entity that offers, facili-
47 tates, sells, places, displays, or provides individual level information
48 to enable targeted advertisements for employment, finance, health care,
49 credit, insurance, housing, education opportunities, or places of public
50 accommodation, resort or amusement, as described in paragraph (b) of
51 this subdivision, to enable advertisers to target such advertisements
52 based on actual or perceived personal characteristics or classes, or
53 proxies therefor, protected under section two hundred ninety-six of this
54 article, including actual or perceived age, race, creed, color, national
55 origin, sexual orientation, gender identity or expression, sex, disabil-
A. 3308 16
1 ity, predisposing genetic characteristics, or domestic violence victim
2 status.
3 2. A covered entity or governmental entity that sells or places
4 targeted advertisements for employment, finance, health care, credit,
5 insurance, housing, education opportunities or places of public accommo-
6 dation, resort or amusement, as described in paragraph (b) of this
7 subdivision, shall require advertisers to certify that they are in
8 compliance with section two hundred ninety-six of this article.
9 3. Nothing in this section shall limit a covered entity from process-
10 ing personal information for legitimate testing for the purpose of
11 preventing unlawful discrimination or otherwise determining the extent
12 or effectiveness of such covered entity's or governmental entity's
13 compliance with this section.
14 § 6. The general business law is amended by adding a new section 350-
15 a-1 to read as follows:
16 § 350-a-1. Targeted advertising. 1. For the purposes of this section,
17 the following terms shall have the following meanings:
18 (a) "Advertiser" shall mean a person who proposes a commercial trans-
19 action or disseminates a public or private communication of which the
20 primary purpose is to solicit for an opportunity.
21 (b) "Conduct business in New York" shall mean to produce, solicit, or
22 offer for use or sale any product or service in a manner that inten-
23 tionally targets, or may reasonably be expected to contact, New York
24 residents, or to engage in any activity that would subject the actor to
25 personal jurisdiction under section three hundred one or section three
26 hundred two of the civil practice law and rules, whether or not for
27 profit.
28 (c) "Covered entity" shall mean a legal entity that conducts business
29 in New York state and as part of such business, processes and maintains
30 the data of five hundred or more unique individuals.
31 (d) "Individual" shall mean a natural person whom a covered entity
32 knows or has reason to know is located within New York state.
33 (e) "Personal information" shall mean information that directly or
34 indirectly identifies, relates to, describes, is capable of being asso-
35 ciated with, or could reasonably be linked to a particular individual,
36 household, or device. Information is reasonably linkable to an individ-
37 ual, household, or device if it can be used on its own or in combination
38 with other reasonably available information, regardless of whether such
39 other information is held by the covered entity, to identify an individ-
40 ual, household, or device.
41 (f) "Process" or "processing" shall mean any action or set of actions
42 performed on or with personal information, including but not limited to,
43 collection, access, use, retention, sharing, monetizing, analysis,
44 creation, generation, derivation, decision-making, recording, alter-
45 nation, organization, structuring, storage, disclosure, transmission,
46 sale, licensing, disposal, destruction, de-identifying, or other handl-
47 ing of personal information.
48 (g) "Proxy" or "proxies" shall mean information that, by itself or in
49 combination with other information, is used by a covered entity in a way
50 that discriminates based on actual or perceived personal characteristics
51 or classes protected under section two hundred ninety-six of the execu-
52 tive law.
53 (h) "Targeted advertisement" shall mean an advertisement directed to
54 an individual where the advertisement is selected based on personal
55 information obtained or inferred over time from such individual's or the
56 individual's device's activities, communications, or associations across
A. 3308 17
1 websites, applications, services, or covered entities. Such term shall
2 not include advertisements directed to an individual solely based upon
3 the individual's current visit to a website, application, service, or
4 covered entity, or in response to the individual's request for informa-
5 tion or feedback.
6 2. It shall be unlawful:
7 (a) For a covered entity to process personal information for the
8 purpose of advertising, marketing, soliciting, offering, selling, leas-
9 ing, licensing, renting, or otherwise commercially contracting for
10 employment, finance, health care, credit, insurance, housing, or educa-
11 tion opportunities, in a manner that discriminates against or otherwise
12 makes the opportunity unavailable on the basis of an individual's or
13 class of individuals' actual or perceived age, race, creed, color,
14 national origin, sexual orientation, gender identity or expression, sex,
15 disability, predisposing genetic characteristics, or domestic violence
16 victim status.
17 (b) For a covered entity or governmental entity to process personal
18 information in a manner that discriminates in or otherwise makes
19 unavailable, on the basis of an individual's or class of individuals'
20 actual or perceived age, race, creed, color, national origin, sexual
21 orientation, gender identity or expression, sex, disability, predispos-
22 ing genetic characteristics, or domestic violence victim status, any of
23 the following:
24 (i) The goods, services, facilities, privileges, advantages, or accom-
25 modations of any inn, hotel, motel, or other place of lodging, except
26 for an establishment located within a building that contains not more
27 than five rooms for rent or hire and that is actually occupied by the
28 proprietor of such establishment as the residence of such proprietor;
29 (ii) Any restaurant, bar, or other establishment serving food or drink
30 to the public;
31 (iii) Any motion picture house, theater, concert hall, stadium, audi-
32 torium, convention center, or lecture hall;
33 (iv) Any sales or rental establishment;
34 (v) Any laundromat, dry-cleaner, bank, barber shop, beauty shop, trav-
35 el service, shoe repair service, funeral parlor, gas station, office of
36 an accountant or lawyer, pharmacy, insurance office, professional office
37 of a health care provider, hospital, or other service establishment;
38 (vi) Any terminal, depot, or other station used for specified public
39 transportation;
40 (vii) Any museum, library, or gallery;
41 (viii) Any park, zoo, or amusement park;
42 (ix) A nursery, elementary, secondary, undergraduate, or postgraduate
43 school, or other place of education;
44 (x) Any day care center, senior citizen center, homeless shelter, food
45 bank, adoption agency, or other social service center establishment; or
46 (xi) Any gymnasium, health spa, bowling alley, golf course, or other
47 place of exercise.
48 (c) For a covered entity that offers, facilitates, sells, places,
49 displays, or provides individual level information to enable targeted
50 advertisements for employment, finance, health care, credit, insurance,
51 housing, education opportunities, or places of public accommodation,
52 resort or amusement, as described in paragraph (b) of this subdivision,
53 to enable advertisers to target such advertisements based on actual or
54 perceived personal characteristics or classes, or proxies therefor,
55 protected under section two hundred ninety-six of the executive law,
56 including actual or perceived age, race, creed, color, national origin,
A. 3308 18
1 sexual orientation, gender identity or expression, sex, disability,
2 predisposing genetic characteristics, or domestic violence victim
3 status.
4 3. A covered entity that sells or places targeted advertisements for
5 employment, finance, health care, credit, insurance, housing, education
6 opportunities or places of public accommodation, resort or amusement, as
7 described in paragraph (b) of subdivision two of this section, shall
8 require advertisers to certify that they are in compliance with section
9 two hundred ninety-six of the executive law.
10 4. Nothing in this section shall limit a covered entity from process-
11 ing personal information for legitimate testing for the purpose of
12 preventing unlawful discrimination or otherwise determining the extent
13 or effectiveness of such covered entity's compliance with this section.
14 § 7. Section 165 of the state finance law is amended by adding two new
15 subdivisions 9 and 10 to read as follows:
16 9. Automated decision system impact assessments.
17 a. For the purpose of this subdivision, the following terms shall have
18 the following meanings:
19 (i) "Automated decision system" shall mean any software, system, or
20 process that is designed to aid or replace human decision making. Such
21 term may include analyzing complex datasets to generate scores, predic-
22 tions, classifications, or some recommended action or actions, which are
23 used by agencies to make decisions that impact human welfare.
24 (ii) "Automated decision system impact assessment" shall mean a study
25 evaluating an automated decision system and the automated decision
26 system's development processes, including the design and training data
27 of the automated decision system, for statistical impacts on classes
28 protected under section two hundred ninety-six of the executive law, as
29 well as for impacts on privacy, and security that includes at a minimum:
30 (A) A detailed description of the automated decision system, its
31 design, its training, its data, and its purpose;
32 (B) An assessment of the relative benefits and costs of the automated
33 decision system in light of its purpose, taking into account relevant
34 factors, including data minimization practices, the duration for which
35 personal information and the results of the automated decision system
36 are stored, what information about the automated decision system are
37 available to the public, and the recipients of the results of the auto-
38 mated decision system;
39 (C) An assessment of the risk of harm posed by the automated decision
40 system and the risk that such automated decision system may result in or
41 contribute to inaccurate, unfair, biased, or discriminatory decisions
42 impacting individuals; and
43 (D) The measures the state agency will employ to minimize the risks
44 described in item (C) of this subparagraph, including technological and
45 physical safeguards.
46 (iii) "Harm" shall mean potential or realized adverse consequences to
47 an individual or to society, including but not limited to:
48 (A) Direct or indirect financial harm.
49 (B) Physical harm or threats to persons or property, including but not
50 limited to bias-related crimes and threats, harassment, and sexual
51 harassment.
52 (C) Discrimination in goods, services, or economic opportunity,
53 including but not limited to housing, employment, credit, insurance,
54 education, or health care on the basis of an individual or class of
55 individuals' actual or perceived age, race, national origin, sex, sexual
A. 3308 19
1 orientation, gender identity, marital status, disability, military
2 status, and/or membership in another protected class.
3 (D) Interference with or surveillance of first amendment-protected
4 activities by state actors.
5 (E) Interference with the right to vote or with free and fair
6 elections.
7 (F) Interference with due process or equal protection under law.
8 (G) Loss of individual control over personal information, nonconsensu-
9 al sharing of private information, and data breach.
10 (H) The nonconsensual capture of information or communications within
11 an individual's home or where an individual has a reasonable expectation
12 of seclusion or access control.
13 (I) Other effects on an individual that may not be reasonably foresee-
14 able to, contemplated by, or expected by the individual to whom the
15 personal information relates, that are nevertheless reasonably foreseea-
16 ble, contemplated by, or expected by the covered entity that alter or
17 limit such individual's choices or predetermine results.
18 (iv) "Individual" shall mean a natural person whom a covered entity
19 knows or has reason to know is located within New York state.
20 (v) "Personal information" shall mean information that directly or
21 indirectly identifies, relates to, describes, is capable of being asso-
22 ciated with, or could reasonably be linked to a particular individual,
23 household, or device. Information is reasonably linkable to an individ-
24 ual, household, or device if it can be used on its own or in combination
25 with other reasonably available information, regardless of whether such
26 other information is held by the state agency, to identify an individ-
27 ual, household, or device.
28 (vi) "Proxy" or "proxies" shall mean information that, by itself or in
29 combination with other information, is used by a covered entity in a way
30 that discriminates based on actual or perceived personal characteristics
31 or classes protected under section two hundred ninety-six of the execu-
32 tive law.
33 (vii) "Training data" shall mean the datasets used to train an auto-
34 mated decision system, machine learning algorithm, or classifier to
35 create and derive patterns from a prediction model.
36 b. The state and any governmental agency, political subdivision or
37 public benefit corporation of the state shall not purchase, obtain,
38 procure, acquire, employ, use, deploy, or access information from an
39 automated decision system unless it first engages a neutral third party
40 to conduct an automated decision system impact assessment and publishes
41 on its public website that automated decision system impact assessment:
42 (i) Of existing automated decision system within one year of the
43 effective date of this subdivision and every two years thereafter.
44 (ii) Of new automated decision systems prior to acquisition and every
45 two years thereafter.
46 c. Upon publication of an automated decision system impact assessment,
47 the public shall have forty-five days to submit comments on such assess-
48 ment to the state and any governmental agency, political subdivision or
49 public benefit corporation. The state and any governmental agency, poli-
50 tical subdivision or public benefit corporation shall consider such
51 public comments when determining whether to purchase, obtain, procure,
52 acquire, employ, use, deploy, or access information from an automated
53 decision system and shall post responses to such public comments to its
54 website within forty-five days after the close of the public comment
55 period.
A. 3308 20
1 d. The state procurement council shall, in consultation with the
2 office of information technology services, the division of human rights
3 and experts and representatives from the communities that will be
4 directly affected by automated decision systems, promulgate rules and
5 regulations to set the minimum standard entities shall meet to serve as
6 neutral third parties conducting automated decision system impact
7 assessments.
8 e. The state procurement council shall maintain a publicly available
9 list of neutral third parties that meet the qualifications outlined in
10 paragraph d of this subdivision.
11 f. Within two years of the effective date of this subdivision, the
12 office of information technology services, in consultation with the
13 division of human rights and experts and representatives from the commu-
14 nities that will be directly affected by automated decision systems,
15 shall complete and publish on its website a comprehensive study of the
16 statistical impacts of automated decision systems on classes protected
17 under section two hundred ninety-six of the executive law, including but
18 not limited to, evaluating the use of proxies and the types of data used
19 in training data sets and the risks associated with particular types of
20 training data.
21 (i) As part of such study, the office of information technology
22 services shall review the automated decision system impact assessments
23 that have been published prior to completion of the study, as well as
24 the public comments submitted in response to such automated decision
25 impact assessments.
26 (ii) The office may request data and information from: state agencies;
27 consumer protection, civil rights, and privacy advocates; researchers
28 and academics; private entities that develop or deploy automated deci-
29 sion systems; and other relevant sources to meet the purpose of such
30 study. The office shall receive, upon request, data from other state
31 agencies.
32 10. Automated decision system use policies; notice and human review
33 requirements.
34 a. For the purpose of this subdivision, the following terms shall have
35 the following meanings:
36 (i) "Automated decision system" shall mean any software, system, or
37 process that is designed to aid or replace human decision making. Such
38 term may include analyzing complex datasets to generate scores, predic-
39 tions, classifications, or some recommended action or actions, which are
40 used by agencies to make decisions that impact human welfare.
41 (ii) "Automated decision system use policy" shall mean:
42 (A) A description of the capabilities of the automated decision
43 system, any decisions that such system is used to make or assist in
44 making and any specific types or groups of persons protected under
45 section two hundred ninety-six of the executive law who are likely to be
46 affected by such decisions;
47 (B) Rules, processes, and guidelines issued by the state agency regu-
48 lating access to or use of such automated decision system, as well as
49 any prohibitions or restrictions on use;
50 (C) Safeguards or security measures designed to protect information
51 collected by or inputted into such automated decision system, including
52 but not limited to, the existence of encryption and access control mech-
53 anisms;
54 (D) Policies and practices relating to the retention, access, and use
55 of data collected by or inputted into such automated decision system, as
56 well as the decisions rendered by such automated decision system;
A. 3308 21
1 (E) Whether other entities outside the state agency have access to the
2 information and data used by or inputted into the automated decision
3 system or the decisions rendered by the automated decision system,
4 including whether the outside entity is local, state, federal, or
5 private, the type of information and data that may be disclosed, and any
6 safeguards or restrictions imposed by the agency on the outside entity
7 regarding the use or dissemination of the information, data, or deci-
8 sion;
9 (F) Whether any training is required by the state agency for an indi-
10 vidual to use such automated decision system or access information
11 collected by or inputted into such automated decision system or the
12 decisions rendered by the automated decision system;
13 (G) A description of the internal and external audit and oversight
14 mechanisms, including the mechanism for human review required under
15 paragraph g of this subdivision, to ensure compliance with the automated
16 decision use policy and that the automated decision system does not
17 result in harm to an individual;
18 (H) Relevant technical information about the automated decision
19 system, including the system's name, vendor, and version, as well as a
20 description of the automated decision system's general capabilities,
21 including reasonably foreseeable capabilities outside the scope of the
22 agency's proposed use;
23 (I) The type or types of data inputs that the automated decision
24 system uses, how that data is generated, collected, and processed, and
25 the types of data the system is reasonably likely to generate;
26 (J) How and when the automated decision system will be deployed or
27 used and by whom, including but not limited to, the factors that will be
28 used to determine where, when, and how the technology is deployed;
29 (K) A description of any public or community engagement held and any
30 future public or community engagement plans in connection with the auto-
31 mated decision system; and
32 (L) A description of the fiscal impact of the automated decision
33 system, including initial acquisition costs, ongoing operating costs,
34 such as maintenance, licensing, personnel, legal compliance, use audit-
35 ing, data retention, and security costs, and any current or potential
36 sources of funding, including any subsidies or free products offered by
37 vendors or governmental entities.
38 (iii) "De-identified information" shall mean information that cannot
39 reasonably identify, relate to, describe, be capable of being associated
40 with, or be linked, directly or indirectly, to a particular individual;
41 provided that a covered entity that uses de-identified information:
42 (A) Has implemented technical safeguards that prohibit reidentifica-
43 tion of the individual to whom such information may pertain;
44 (B) Has implemented business processes that specifically prohibit
45 reidentification of such information;
46 (C) Has implemented business processes that prevent inadvertent
47 release of such de-identified information; and
48 (D) Makes no attempt to reidentify such information.
49 (iv) "Harm" shall mean potential or realized adverse consequences to
50 an individual or to society, including but not limited to:
51 (A) Direct or indirect financial harm.
52 (B) Physical harm or threats to persons or property, including but not
53 limited to bias-related crimes and threats, harassment, and sexual
54 harassment.
55 (C) Discrimination in goods, services, or economic opportunity,
56 including but not limited to housing, employment, credit, insurance,
A. 3308 22
1 education, or health care on the basis of an individual or class of
2 individuals' actual or perceived age, race, national origin, sex, sexual
3 orientation, gender identity, marital status, disability, military
4 status, and/or membership in another protected class.
5 (D) Interference with or surveillance of first amendment-protected
6 activities by state actors.
7 (E) Interference with the right to vote or with free and fair
8 elections.
9 (F) Interference with due process or equal protection under law.
10 (G) Loss of individual control over personal information, nonconsensu-
11 al sharing of private information, and data breach.
12 (H) The nonconsensual capture of information or communications within
13 an individual's home or where an individual has a reasonable expectation
14 of seclusion or access control.
15 (I) Other effects on an individual that may not be reasonably foresee-
16 able to, contemplated by, or expected by the individual to whom the
17 personal information relates, that are nevertheless reasonably foreseea-
18 ble, contemplated by, or expected by the covered entity that alter or
19 limit such individual's choices or predetermine results.
20 (v) "Individual" shall mean a natural person whom a covered entity
21 knows or has reason to know is located within New York state.
22 (vi) "Personal information" shall mean information that directly or
23 indirectly identifies, relates to, describes, is capable of being asso-
24 ciated with, or could reasonably be linked to a particular individual,
25 household, or device. Information is reasonably linkable to an individ-
26 ual, household, or device if it can be used on its own or in combination
27 with other reasonably available information, regardless of whether such
28 other information is held by the state agency, to identify an individ-
29 ual, household, or device.
30 (vii) "Relevant technical information" shall include, but not be
31 limited to, source code, models, documentation on the algorithms used,
32 design documentation and information about technical architecture,
33 training data, data provenance information, justification for the valid-
34 ity of the model, any records of bias, and any validation testing
35 performed on the system.
36 b. The state and any governmental agency, political subdivision or
37 public benefit corporation of the state that purchases, obtains,
38 procures, acquires, employs, uses, deploys, or accesses information from
39 an automated decision system shall publish on its website at least nine-
40 ty days prior to the purchase, obtaining, use, acquisition, or deploy-
41 ment of new automated decision systems and, for existing automated deci-
42 sion systems, within one hundred eighty days of the effective date of
43 this subdivision, an automated decision system use policy.
44 (i) When the state and any governmental agency, political subdivision
45 or public benefit corporation of the state seeks to change or changes an
46 automated decision system in a way that affects the results or outcomes
47 of the automated decision system or uses such automated decision system
48 for a purpose or manner not previously disclosed through an automated
49 decision system use policy, it shall provide an addendum to the existing
50 automated decision system use policy describing such change or addi-
51 tional use and retain an archived copy of the previous automated deci-
52 sion system so that decisions made under the old system use policy may
53 be challenged under paragraph g of this subdivision.
54 (ii) Upon publication of, or addendum to, any proposed automated deci-
55 sion system policy, the public shall have forty-five days to submit
A. 3308 23
1 comments on such policy to the state and any governmental agency or
2 political subdivision or public benefit corporation.
3 (iii) The state and any governmental agency, political subdivision or
4 public benefit corporation shall consider public comments and provide
5 the final automated decision system use policy to the office of informa-
6 tion technology services, the committee on open government, and the
7 state procurement council, and shall post such decision to its website
8 no later than forty-five days after the close of the public comment
9 period.
10 c. The state and any governmental agency, political subdivision or
11 public benefit corporation shall obtain approval from the city or county
12 council with appropriate jurisdiction or the state legislature, follow-
13 ing the public comment period required in paragraph b of this subdivi-
14 sion, and a properly-noticed, germane, public hearing at which the
15 public is afforded a fair and adequate opportunity to provide online,
16 written, and oral testimony, prior to:
17 (i) Seeking funds for an automated decision system that assigns or
18 contributes to the determination of rights, benefits, opportunities, or
19 services for an individual, including but not limited to, applying for a
20 grant, or soliciting or accepting state or federal funds or in-kind or
21 other donations;
22 (ii) Acquiring or borrowing an automated decision system that assigns
23 or contributes to the determination of rights, benefits, opportunities,
24 or services for an individual, whether or not such acquisition is made
25 through the exchange of monies or other consideration;
26 (iii) Using a new or existing automated decision system that assigns
27 or contributes to the determination of rights, benefits, opportunities,
28 or services for an individual, or data derived therefrom, for a purpose
29 or in a manner not previously approved by the city or county council
30 with appropriate jurisdiction or the state legislature; or
31 (iv) Soliciting proposals for or entering into an agreement with any
32 other person or entity to acquire, share, or otherwise use an automated
33 decision system that assigns or contributes to the determination of
34 rights, benefits, opportunities, or services for an individual or auto-
35 mated decision system data.
36 d. The committee on open government shall conduct annual audits of
37 automated decision system use policies that shall:
38 (i) Assess whether each state agency that purchases, obtains,
39 procures, acquires, employs, uses, deploys, or accesses information from
40 an automated decision system complies with the terms of the automated
41 decision system use policy;
42 (ii) Describes any known or reasonably suspected violations of any
43 automated decision system use policies; and
44 (iii) Publish recommendations, if any, relating to revision of the
45 relevant automated decision system use policies.
46 e. The state and any governmental agency, political subdivision or
47 public benefit corporation of the state shall not purchase, obtain,
48 procure, acquire, employ, use, deploy, or access information from an
49 automated decision system that assigns or contributes to the determi-
50 nation of rights, benefits, opportunities, or services for an individual
51 unless it first implements a process to provide a plain-language notifi-
52 cation to any individual whose personal information is processed by the
53 automated decision system and whom the automated decision system's deci-
54 sion affects of the fact that such system is in use, the system's name,
55 vendor, and version, what decision or decisions will be used to make or
56 support; and what policies and guidelines apply to its deployment.
A. 3308 24
1 f. The state and any governmental agency, political subdivision or
2 public benefit corporation of the state shall not purchase, obtain,
3 procure, acquire, employ, use, deploy, or access information from an
4 automated decision system that assigns or contributes to the determi-
5 nation of rights, benefits, opportunities, or services for an individual
6 unless it first implements a process to provide a plain-language notifi-
7 cation to any individual whose personal information is processed by such
8 automated decision system and whom such automated decision system's
9 decision affects, of the involvement of an automated decision system in
10 making the decision, the degree of human intervention in the system, how
11 the automated decision system made the decision, the justification for
12 the decision, the variables considered in rendering the decision, wheth-
13 er and how the decision deviated from the automated decision's system's
14 recommendation, how the individual may contest the decision pursuant to
15 paragraph g of this subdivision, and the process for requesting human
16 review of the decision pursuant to paragraph g of this subdivision.
17 (i) The state and any governmental agency, political subdivision or
18 public benefit corporation of the state shall ensure that it can explain
19 the basis for its decision to any impacted individual in terms under-
20 standable to a layperson including, without limitation, by requiring the
21 vendor to create such explanation.
22 (ii) The committee on open government, in consultation with the divi-
23 sion of human rights, the office of information technology services, and
24 experts and representatives from the communities that will be directly
25 affected by automated decision systems, may promulgate rules and regu-
26 lations specifying the requirements for such notice.
27 g. The state and any governmental agency, political subdivision or
28 public benefit corporation of the state shall not purchase, obtain,
29 procure, acquire, employ, use, deploy, or access information from an
30 automated decision system that assigns or contributes to the determi-
31 nation of rights, benefits, opportunities, or services for an individual
32 unless it first develops a process for human review.
33 (i) The office of information technology services, in consultation
34 with the division of human rights, the committee on open government and
35 experts and representatives from the communities that will be directly
36 affected by automated decision systems, may promulgate rules and regu-
37 lations specifying the requirements for human review of decisions
38 rendered by automated decision systems.
39 (ii) An individual who was denied or assigned a right, benefit, oppor-
40 tunity or service, may request human review of the decision rendered by
41 the automated decision system.
42 (iii) Where the human review overturns a decision rendered by an auto-
43 mated decision system, the affected individual experiences harm as a
44 result of the overturned decision, and the state or any governmental
45 agency, political subdivision or public benefit corporation of the state
46 cannot or will not provide a remedy, or where the human review does not
47 overturn a decision rendered by an automated decision system, the
48 affected individual, or their heirs, assigns, estate, or successors in
49 interest, may bring in any court of competent jurisdiction an action
50 alleging a violation of this subdivision.
51 (iv) The court shall award to the prevailing plaintiff in such action,
52 the following relief:
53 (A) Any injunctive or other equitable relief the court deems appropri-
54 ate;
A. 3308 25
1 (B) Any actual damages resulting from any violation of this subdivi-
2 sion, or ten thousand dollars in damages for each such violation, which-
3 ever is greater;
4 (C) Reasonable attorney's fees and costs; and
5 (D) Any other relief the court deems appropriate.
6 h. The state and any governmental agency, political subdivision or
7 public benefit corporation of the state that purchases, obtains,
8 procures, acquires, employs, uses, deploys, or accesses information from
9 an automated decision system that assigns or contributes to the determi-
10 nation of rights, benefits, opportunities, or services for an individual
11 shall annually publish publicly on its website metrics on the number of
12 requests for human review of a decision rendered by the automated deci-
13 sion system it received and the outcome of such human review. The
14 metrics may include de-identified information in the aggregate but shall
15 not include any personal information.
16 § 8. Section 8 of the state finance law is amended by adding a new
17 subdivision 21 to read as follows:
18 21. Notwithstanding any inconsistent provision of law, no payment
19 shall be made for an automated decision system, as defined in section
20 one hundred sixty-five of this chapter, that assigns or contributes to
21 the determination of rights, benefits, opportunities, or services for an
22 individual unless the automated decision system uses only open source
23 software and the acquiring agency has complied with the automated deci-
24 sion system impact assessment and automated decision system use policy
25 requirements in section one hundred sixty-five of this chapter. For the
26 purposes of this subdivision, "open source software" shall mean software
27 for which the human-readable source code is available for use, study,
28 modification, and enhancement by the users of that software.
29 § 9. Section 8 of the state finance law is amended by adding four new
30 subdivisions 22, 23, 24 and 25 to read as follows:
31 22. Notwithstanding any inconsistent provision of law, no payment
32 shall be made for an automated decision system, as defined in section
33 one hundred sixty-five of this chapter, that assigns or contributes to
34 the determination of rights, benefits, opportunities, or services for an
35 individual, prior to the approval from the city or county council with
36 appropriate jurisdiction or the state legislature as required in section
37 one hundred sixty-five of this chapter.
38 23. Notwithstanding any inconsistent provision of law, no payment
39 shall be made for an automated decision system, as defined in section
40 one hundred sixty-five of this chapter, if the vendor's contract
41 contains nondisclosure or other provisions that prohibit or impair the
42 state and any governmental agency or political subdivision or public
43 benefit corporation of the state's obligations under subdivisions nine
44 and ten of section one hundred sixty-five of this chapter.
45 24. Notwithstanding any inconsistent provision of law, no payment
46 shall be made for an automated decision system, as defined in section
47 one hundred sixty-five of this chapter, if the automated decision system
48 discriminates against an individual, or treats an individual less favor-
49 ably than another, in whole or in part, on the basis of one or more
50 factors enumerated in section two hundred ninety-six of the executive
51 law.
52 25. Notwithstanding any inconsistent provision of law, no payment
53 shall be made for an automated decision system that makes final deci-
54 sions, judgments, or conclusions without human intervention that impact
55 the constitutional or legal rights, duties, or privileges of any indi-
A. 3308 26
1 vidual in New York state or for any automated decision system that
2 deploys or triggers any weapon.
3 § 10. Section 814 of the education law, as added by chapter 526 of the
4 laws of 2006 and subdivision 3 as added by chapter 545 of the laws of
5 2008, is amended to read as follows:
6 § 814. Courses of study in internet safety. 1. [Any school district in
7 the state may provide, to pupils] The regents shall ensure that the
8 course of instruction in grades kindergarten through twelve[, instruc-
9 tion designed to promote the] includes a component on digital literacy,
10 digital privacy, and the proper and safe use of the internet.
11 2. The boards of education and trustees of the cities and school
12 districts of the state shall require instruction to be given in such
13 topics, by the teachers employed in the schools therein, commencing with
14 the two thousand twenty-five--two thousand twenty-six school year. All
15 pupils who attend public or charter schools shall receive such instruc-
16 tion.
17 3. The commissioner, in consultation with the chief privacy officer
18 and the office of information technology services, shall [provide tech-
19 nical assistance to assist in the development of curricula] develop and
20 establish a program for such courses of study which shall be age appro-
21 priate and developed according to the needs and abilities of pupils at
22 successive grade levels in order to provide awareness, skills, informa-
23 tion and support to aid in the safe usage of the internet. Such program
24 shall include:
25 (a) Learning standards for digital literacy, digital privacy, and the
26 proper and safe use of the internet in grades kindergarten through
27 twelve that, at a minimum, instruct students on how to identify online
28 fraud, as well as reliable sources and information, help students to
29 understand how online activities are tracked and recorded, where
30 personal information posted online may go, with whom it may be shared,
31 and how it may be used, and offer best practices for protecting digital
32 security and digital privacy;
33 (b) Model curricula for digital literacy, digital privacy, and the
34 proper and safe use of the internet in grades kindergarten through
35 twelve that are suitable to student age, based on cognitive, emotional,
36 and behavioral capacity;
37 (c) Guidelines and professional training and development resources to
38 support implementation of such instruction in schools;
39 (d) Public availability of all program materials related to digital
40 literacy, digital privacy, and the proper and safe use of the internet
41 on the department's website; and
42 (e) A system to track and evaluate such digital literacy, digital
43 privacy, and the proper and safe use of the internet education, includ-
44 ing, but not limited to, a reporting requirement that tracks and makes
45 district compliance publicly available.
46 4. Such program shall be reviewed periodically by the commissioner, in
47 consultation with the chief privacy officer and the office of informa-
48 tion technology, at intervals specified by the commissioner, and updated
49 as necessary.
50 5. The commissioner shall prescribe rules and regulations relating to
51 such contents, topics, and courses to be included in a digital literacy,
52 digital privacy, and the proper and safe use of the internet curriculum;
53 provided, however, that the curricula need not be uniform throughout the
54 state; and provided further, however, that school districts shall
55 utilize either a curriculum for digital literacy, digital privacy, and
56 the proper and safe use of the internet prescribed by the commissioner
A. 3308 27
1 or a curriculum in accordance with the standards and criteria estab-
2 lished by the commissioner.
3 6. The commissioner shall make recommendations to the board of regents
4 about a program on digital literacy, digital privacy, and the proper and
5 safe use of the internet, relevant learning standards, model curricula,
6 and curriculum resources, guidelines, and professional development
7 resources within one year of the effective date of this section. Upon
8 approval and adoption by the board of regents, the department shall
9 issue guidance to school districts and publish on its website model
10 curricula and instructional resources required by this section.
11 7. Prior to making such recommendations to the regents, the commis-
12 sioner shall seek the recommendations of teachers, school administra-
13 tors, teacher educators, digital privacy and security experts, journal-
14 ism experts, the chief information security office, and others with
15 educational expertise in the proposed curriculum.
16 [3.] 8. The commissioner shall develop age-appropriate resources and
17 technical assistance for schools to provide to students in grades three
18 through twelve and their parents or legal guardians concerning the safe
19 and responsible use of the internet. The resources shall include, but
20 not be limited to, information regarding how child predators may use the
21 internet to lure and exploit children, protecting personal information,
22 internet scams and cyber-bullying.
23 § 11. Severability. If any provision of this act, or any application
24 of any provision of this act, is held to be invalid, that shall not
25 affect the validity or effectiveness of any other provision of this act,
26 or of any other application of any provision of this act, which can be
27 given effect without that provision or application; and to that end, the
28 provisions and applications of this act are severable.
29 § 12. This act shall take effect immediately; provided, however, that
30 sections one, two, three, four, five and six of this act shall take
31 effect one year after it shall have become a law and section eight of
32 this act shall take effect two years after it shall have become a law.
33 Effective immediately, the addition, amendment and/or repeal of any rule
34 or regulation necessary for the implementation of this act on its effec-
35 tive date are authorized to be made and completed on or before such
36 effective date.