Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.
STATE OF NEW YORK
________________________________________________________________________
2998
2023-2024 Regular Sessions
IN SENATE
January 26, 2023
___________
Introduced by Sen. KAVANAGH -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection
AN ACT to amend the general business law, in relation to establishing
the online consumer protection act
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "online consumer protection act".
3 § 2. Legislative findings. The state has the authority to enact
4 consumer regulations to protect the people of the state. Recently, the
5 state has enacted a series of laws to address problems arising from the
6 ubiquity of the internet. From protecting consumers from electronic
7 breaches of security to enacting laws prohibiting the practice of
8 "phishing" -- an electronic form of identity theft -- the state has an
9 obligation to enact sensible protections for the people.
10 The internet age has changed, often for the better, the way people
11 work, enjoy entertainment and interact with one another. However, with
12 the internet age new problems have arisen that must be addressed, chief
13 among them, the loss of personal privacy. Recent examples, including one
14 where search engine results were tracked to an individual, have illus-
15 trated that a person's privacy can be breached easily and with grave
16 consequences. There is a fundamental rift between tracking technology
17 and consumers' right to control what data is collected and where it
18 goes. Action must be taken in order to prevent more egregious violations
19 of privacy occurring including price discrimination, exposure of
20 personal information to subpoenas and warrantless government access.
21 This act establishes provisions to allow consumers the ability to
22 simply opt-out of being monitored on the internet. Such protections,
23 akin to the do not call registry, are a fair, sensible and common sense
24 way to give consumers a clear choice with respect to being monitored.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD02251-01-3
S. 2998 2
1 § 3. The general business law is amended by adding a new section 390-e
2 to read as follows:
3 § 390-e. Online consumer protection. 1. For the purposes of this
4 section the following terms shall have the following meanings:
5 (a) The term "online preference marketing" shall mean a type of adver-
6 tisement delivery and reporting whereby data is collected to determine
7 or predict consumer characteristics or preference for use in advertise-
8 ment delivery on the internet.
9 (b) The term "personally identifiable information" shall mean data
10 that, by itself, can be used to identify, contact or locate a person,
11 including name, address, telephone number, sensitive medical or finan-
12 cial data, sexual behavior, sexual orientation, or email address.
13 (c) The term "publisher" shall mean any company, individual or other
14 group that has a website, webpage or other internet page.
15 (d) The term "consumer" shall mean any natural person using or access-
16 ing a website, webpage or online service that includes the display of
17 advertisements.
18 (e) The term "advertising network" shall mean any company, individual
19 or other group that is collecting online consumer activity for the
20 purposes of ad delivery.
21 2. No publisher of a webpage or advertising network contracted with a
22 publisher shall collect personally identifiable information for the
23 purposes of online preference marketing. This subdivision shall not
24 apply to the collection of personally identifiable information provided
25 to a publisher of a webpage or advertising network contracted with a
26 publisher by the consumer with his or her consent.
27 3. No publisher of a webpage or advertising network contracted with a
28 publisher shall collect any other information from a consumer that is
29 not defined as personally identifiable information pursuant to subdivi-
30 sion one of this section for the purposes of online preference marketing
31 unless the consumer is given an opportunity to opt-out of the use of
32 such information for online marketing purposes.
33 4. An advertising network shall post clear and conspicuous notice on
34 the home page of its own website about its privacy policy and its data
35 collection and use practices related to its advertising delivery activ-
36 ities. If a publisher has contracted with an advertising network, the
37 publisher shall post clear and conspicuous notice on its website that
38 describes the collection and use of information by the advertising
39 network. If the advertising network engages in online preference market-
40 ing, the privacy policies of both the advertising network and the
41 publisher shall describe the ability to opt-out of online preference
42 marketing by such network.
43 5. An advertising network shall make reasonable efforts to protect the
44 data it collects or logs as a result of ad delivery and reporting from
45 loss, misuse, alteration, destruction or improper access.
46 6. The attorney general may bring an action against a person who
47 violates the provisions of this section:
48 (a) to enjoin further violation of the provisions of this section; and
49 (b) to recover up to two hundred fifty dollars for each instance in
50 which identifying information is collected from a person in violation of
51 the provisions of subdivision two or three of this section.
52 In an action under paragraph (b) of this subdivision, a court may
53 increase the damages up to three times the damages allowed by such para-
54 graph where the defendant has been found to have engaged in a pattern
55 and practice of violating the provisions of subdivision two or three of
56 this section.
S. 2998 3
1 7. Nothing in this section shall in any way limit rights or remedies
2 which are otherwise available under law to the attorney general or any
3 other person authorized to bring an action under subdivision five of
4 this section.
5 § 4. This act shall take effect on the one hundred eightieth day after
6 it shall have become a law.