STATE OF NEW YORK
        ________________________________________________________________________

                                         680--B

                               2021-2022 Regular Sessions

                   IN ASSEMBLY

                                       (Prefiled)

                                     January 6, 2021
                                       ___________

        Introduced by M. of A. L. ROSENTHAL, QUART, WEPRIN, D. ROSENTHAL, SIMON,
          DINOWITZ, PAULIN -- read once and referred to the Committee on Consum-
          er  Affairs  and  Protection  --  committee  discharged, bill amended,
          ordered reprinted as amended and  recommitted  to  said  committee  --
          recommitted  to  the  Committee  on Consumer Affairs and Protection in
          accordance with Assembly Rule 3, sec. 2 -- committee discharged,  bill
          amended,  ordered reprinted as amended and recommitted to said commit-
          tee

        AN ACT to amend the general business law, in relation to the  management
          and oversight of personal data

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  the "New York privacy act".
     3    §  2.  Legislative  intent.  1.  Privacy is a fundamental right and an
     4  essential element of freedom. Advances in technology have produced ramp-
     5  ant growth in the amount and categories of personal  data  being  gener-
     6  ated,   collected,  stored,  analyzed,  and  potentially  shared,  which
     7  presents both promise and peril. Companies collect, use  and  share  our
     8  personal  data  in  ways that can be difficult for ordinary consumers to
     9  understand. Opaque data processing policies make it impossible to evalu-
    10  ate risks  and  compare  privacy-related  protections  across  services,
    11  stifling  competition.  Algorithms  quietly make decisions with critical
    12  consequences for New York consumers, often with no human accountability.
    13  Behavioral advertising generates profits by turning people into products
    14  and their activity into assets. New York consumers deserve  more  notice
    15  and more control over their data and their digital privacy.
    16    2. This act seeks to help New York consumers regain their privacy.  It
    17  gives New York consumers the ability to exercise more control over their
    18  personal data and requires businesses to be responsible, thoughtful, and

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD00516-05-1
        A. 680--B                           2

     1  accountable  managers  of  that  information.  To achieve this, this act
     2  provides New York consumers a number  of  new  rights,  including  clear
     3  notice of how their data is being used, processed and shared; the abili-
     4  ty  to  access  and obtain a copy of their data in a commonly used elec-
     5  tronic format, with the ability to transfer  it  between  services;  the
     6  ability  to  correct  inaccurate  data and to delete their data; and the
     7  ability to challenge certain automated decisions. This act also  imposes
     8  obligations  upon  businesses  to  maintain reasonable data security for
     9  personal data, to notify New York consumers of foreseeable harms arising
    10  from use of their data and to obtain specific consent for that use,  and
    11  to conduct regular assessments to ensure that data is not being used for
    12  unacceptable purposes. These data assessments can be obtained and evalu-
    13  ated  by the New York State Attorney General, who is empowered to obtain
    14  penalties for violations of this act and prevent future violations. This
    15  act also grants New York consumers who have been injured as  the  result
    16  of  a  violation  a  private  right of action, which includes reasonable
    17  attorneys' fees to a prevailing plaintiff.
    18    § 3. The general business law is amended by adding a new article 42 to
    19  read as follows:
    20                                 ARTICLE 42
    21                            NEW YORK PRIVACY ACT
    22  Section 1100. Definitions.
    23          1101. Jurisdictional scope.
    24          1102. Consumer rights.
    25          1103. Controller, processor, and third party responsibilities.
    26          1104. Data brokers.
    27          1105. Limitations.
    28          1106. Enforcement and private right of action.
    29          1107. Miscellaneous.
    30    § 1100. Definitions. The following definitions apply  throughout  this
    31  article unless the context clearly requires otherwise:
    32    1.  "Automated decision-making" or "automated decision" means a compu-
    33  tational process, including one derived from machine  learning,  artifi-
    34  cial  intelligence,  or  any other automated process, involving personal
    35  data that results in a decision affecting a consumer.
    36    2. "Biometric information" means any personal data generated from  the
    37  measurement  or  specific technological processing of a natural person's
    38  biological, physical, or physiological characteristics, including  fing-
    39  erprints, voice prints, iris or retina scans, facial scans or templates,
    40  deoxyribonucleic acid (DNA) information, and gait.
    41    3.  "Business  associate"  has  the same meaning as in Title 45 of the
    42  C.F.R., established pursuant to the federal Health Insurance Portability
    43  and Accountability Act of 1996.
    44    4. "Consent" means a clear affirmative act signifying a freely  given,
    45  specific, informed, and unambiguous indication of a consumer's agreement
    46  to  the  processing  of  data relating to the consumer.   Consent may be
    47  withdrawn at any time, and a controller must provide clear, conspicuous,
    48  and consumer-friendly means to withdraw consent. The  burden  of  estab-
    49  lishing  consent is on the controller.  Consent does not include: (a) an
    50  agreement of general terms of use or a similar document that  references
    51  unrelated  information  in  addition to personal data processing; (b) an
    52  agreement obtained through fraud, deceit or deception; (c) any act  that
    53  does  not constitute a user's intent to interact with another party such
    54  as hovering over, pausing or closing any content; or (d)  a  pre-checked
    55  box or similar default.
        A. 680--B                           3

     1    5. "Consumer" means a natural person who is a New York resident acting
     2  only  in  an  individual  or  household  context.  It does not include a
     3  natural person known to  be  acting  in  a  professional  or  employment
     4  context.
     5    6.  "Controller"  means  the person who, alone or jointly with others,
     6  determines the purposes and means of the processing of personal data.
     7    7. "Covered entity" has the same meaning as in Title 45 of the C.F.R.,
     8  established pursuant to the federal  Health  Insurance  Portability  and
     9  Accountability Act of 1996.
    10    8.  "Data  broker" means a person, or unit or units of a legal entity,
    11  separately or together, that does business in the state of New York  and
    12  knowingly  collects,  and  sells  to  controllers  or third parties, the
    13  personal data of a  consumer  with  whom  it  does  not  have  a  direct
    14  relationship. "Data broker" does not include any of the following:
    15    (a)  a  consumer  reporting agency to the extent that it is covered by
    16  the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.); or
    17    (b) a financial institution to the extent that it is  covered  by  the
    18  Gramm-Leach-Bliley  Act  (Public  Law  106-102)  and  implementing regu-
    19  lations.
    20    9. "Deidentified data" means data that cannot reasonably  be  used  to
    21  infer  information about, or otherwise be linked to a particular consum-
    22  er, household or device, provided that the processor or controller  that
    23  possesses the data:
    24    (a) implements reasonable technical safeguards to ensure that the data
    25  cannot be associated with a consumer, household or device;
    26    (b) publicly commits to process the data only as deidentified data and
    27  not  attempt  to  reidentify  the  data,  except  that the controller or
    28  processor may attempt to  reidentify  the  information  solely  for  the
    29  purpose  of  determining  whether its deidentification processes satisfy
    30  the requirements of this subdivision; and
    31    (c) contractually obligates any recipients of the data to comply  with
    32  all provisions of this article.
    33    10.  "Device"  means any physical object that is capable of connecting
    34  to the internet, directly or indirectly, or to  another  device  and  is
    35  intended  for  use  by a natural person or household or, if used outside
    36  the home, for use by the general public.
    37    11. "Meaningful human review" means review or oversight by one or more
    38  individuals who (a) are trained in the capabilities and  limitations  of
    39  the  algorithm  at  issue and the procedures to interpret and act on the
    40  output of the algorithm, and (b) have the authority to alter  the  auto-
    41  mated decision under review.
    42    12. "Natural person" means a natural person acting only in an individ-
    43  ual  or household context. It does not include a natural person known to
    44  be acting in a professional or employment context.
    45    13. "Person" means a natural person or a legal entity,  including  but
    46  not  limited  to  a  proprietorship,  partnership,  limited partnership,
    47  corporation, company, limited liability company or corporation,  associ-
    48  ation,  or  other  firm  or similar body, or any unit, division, agency,
    49  department, or similar subdivision thereof.
    50    14. "Personal data" means any data that identifies or could reasonably
    51  be linked, directly or  indirectly,  with  a  specific  natural  person,
    52  household, or device.  Personal data does not include deidentified data.
    53    15.  "Identified  or  identifiable"  means a natural person who can be
    54  identified, directly or indirectly, such as by reference to an identifi-
    55  er such as a name, an identification number, location data, or an online
    56  or device identifier.
        A. 680--B                           4

     1    16. "Process", "processes" or "processing" means an operation  or  set
     2  of  operations which are performed on data or on sets of data, including
     3  but not limited to the collection, use, access,  sharing,  monetization,
     4  analysis, retention, creation, generation, derivation, recording, organ-
     5  ization,   structuring,  storage,  disclosure,  transmission,  analysis,
     6  disposal, licensing, destruction, deletion, modification, or deidentifi-
     7  cation of data.
     8    17. "Processor" means a person that processes data on  behalf  of  the
     9  controller.
    10    18.  "Profiling"  means  any form of automated processing performed on
    11  personal data to evaluate, analyze, or predict personal aspects  related
    12  to  an  identified  or identifiable natural person's economic situation,
    13  health,  personal   preferences,   interests,   reliability,   behavior,
    14  location, or movements.
    15    19. "Protected health information" has the same meaning as in Title 45
    16  C.F.R., established pursuant to the federal Health Insurance Portability
    17  and Accountability Act of 1996.
    18    20.  "Sale", "sell", or "sold" means the disclosure, transfer, convey-
    19  ance, sharing, licensing,  making  available,  processing,  granting  of
    20  permission  or  authorization  to process, or other exchange of personal
    21  data, or providing access to personal data for monetary or  other  valu-
    22  able  consideration by the controller to a third party.  "Sale" includes
    23  enabling, facilitating or providing access to a  consumer  for  targeted
    24  advertising. "Sale" does not include the following:
    25    (a)  the  disclosure  of data to a processor who processes the data on
    26  behalf of the controller and  which  is  contractually  prohibited  from
    27  using it for any purpose other than as instructed by the controller; or
    28    (b)  the  disclosure or transfer of data as an asset that is part of a
    29  merger, acquisition, bankruptcy, or other transaction in  which  another
    30  entity assumes control or ownership of all or a majority of the control-
    31  ler's assets.
    32    21. "Targeted advertising" means displaying online advertisements to a
    33  consumer  where  the  advertisement  is  selected based on personal data
    34  obtained or inferred from a consumer's activities over time  and  across
    35  one   or  more  distinctly-branded  websites,  online  applications,  or
    36  services, to predict the consumer's preferences or interests.   It  does
    37  not  include  advertising (a) based solely on the context of the consum-
    38  er's current search query or visit to a website or online application or
    39  (b) to a consumer in direct  response  to  the  consumer's  request  for
    40  information or feedback.
    41    22.  "Third  party" means, with respect to a particular interaction or
    42  occurrence, a person, public authority, agency, or body other  than  the
    43  consumer, the controller, or processor of the controller.  A third party
    44  may  also  be  a  controller  if  the third party, alone or jointly with
    45  others, determines the purposes and means of the processing of  personal
    46  data.
    47    23. "Verified request" means a request by a consumer or their agent to
    48  exercise  a  right authorized by this article, the authenticity of which
    49  has been ascertained by the controller in accordance with paragraph  (c)
    50  of subdivision eight of section eleven hundred two of this article.
    51    § 1101. Jurisdictional scope. 1. This article applies to legal persons
    52  that  conduct  business in New York or produce products or services that
    53  are targeted to residents of New York, and that satisfy one or  more  of
    54  the following thresholds:
    55    (a) have annual gross revenue of twenty-five million dollars or more;
        A. 680--B                           5

     1    (b)  controls  or  processes  personal  data  of  one hundred thousand
     2  consumers or more;
     3    (c)  controls  or  processes  personal  data  of five hundred thousand
     4  natural persons or more nationwide, and controls or  processes  personal
     5  data of ten thousand consumers or more; or
     6    (d)  derives  over  fifty  percent  of  gross revenue from the sale of
     7  personal data, and controls or processes personal  data  of  twenty-five
     8  thousand consumers or more.
     9    2. This article does not apply to:
    10    (a) personal data processed by state and local governments, and munic-
    11  ipal  corporations, for processes other than sale (filing and processing
    12  fees are not sale);
    13    (b) a national securities association registered pursuant  to  section
    14  15A  of  the Securities Exchange Act of 1934, as amended, or regulations
    15  adopted thereunder or a registered  futures  association  so  designated
    16  pursuant to section 17 of the Commodity Exchange Act, as amended, or any
    17  regulations adopted thereunder;
    18    (c) information that meets the following criteria:
    19    (i) personal data collected, processed, sold, or disclosed pursuant to
    20  and   in  compliance  with  the  federal  Gramm-Leach-Bliley  act  (P.L.
    21  106-102), and implementing regulations;
    22    (ii) personal data collected, processed, sold, or  disclosed  pursuant
    23  to  the  federal Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec.
    24  2721 et seq.), if the collection, processing, sale, or disclosure is  in
    25  compliance with that law;
    26    (iii) personal data regulated by the federal Family Educational Rights
    27  and Privacy Act, U.S.C. Sec. 1232g and its implementing regulations;
    28    (iv)  personal  data collected, processed, sold, or disclosed pursuant
    29  to the federal Farm Credit Act of 1971 (as amended  in  12  U.S.C.  Sec.
    30  2001-2279cc)  and  its  implementing  regulations (12 C.F.R. Part 600 et
    31  seq.) if the collection, processing, sale, or disclosure is  in  compli-
    32  ance with that law;
    33    (v) personal data regulated by section two-d of the education law;
    34    (vi)  data  maintained  as employment records, for purposes other than
    35  sale;
    36    (vii) protected health information that is  lawfully  collected  by  a
    37  covered  entity  or  business  associate and is governed by the privacy,
    38  security, and breach notification rules  issued  by  the  United  States
    39  Department  of  Health and Human Services, Parts 160 and 164 of Title 45
    40  of the Code of Federal Regulations, established pursuant to  the  Health
    41  Insurance  Portability  and  Accountability  Act  of  1996  (Public  Law
    42  104-191) ("HIPAA") and the Health Information  Technology  for  Economic
    43  and Clinical Health Act (Public Law 111-5);
    44    (viii)  patient identifying information for purposes of 42 C.F.R. Part
    45  2, established pursuant to 42 U.S.C. Sec. 290dd-2, as long as such  data
    46  is not sold in violation of HIPAA or any state or federal law;
    47    (ix)  information  and  documents lawfully created for purposes of the
    48  federal Health Care Quality Improvement Act of 1986, and  related  regu-
    49  lations;
    50    (x) patient safety work product created for purposes of 42 C.F.R. Part
    51  3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
    52    (xi)  information  that  is  treated in the same manner as information
    53  exempt under subparagraph (vii) of this paragraph that is maintained  by
    54  a  covered entity or business associate as defined by HIPAA or a program
    55  or a qualified service organization as defined by 42 U.S.C.  §  290dd-2,
        A. 680--B                           6

     1  as  long  as such data is not sold in violation of HIPAA or any state or
     2  federal law;
     3    (xii)  deidentified health information that meets all of the following
     4  conditions:
     5    (A) it is deidentified in accordance with the requirements for deiden-
     6  tification set forth in Section 164.514 of Part 164 of Title 45  of  the
     7  Code of Federal Regulations;
     8    (B)  it  is  derived  from  protected health information, individually
     9  identifiable health information,  or  identifiable  private  information
    10  compliant  with the Federal Policy for the Protection of Human Subjects,
    11  also known as the Common Rule; and
    12    (C) a covered entity or business associate does not attempt to reiden-
    13  tify the information nor do they  actually  reidentify  the  information
    14  except as otherwise allowed under state or federal law;
    15    (xiii)  patient information maintained by a covered entity or business
    16  associate governed by the privacy,  security,  and  breach  notification
    17  rules  issued  by  the  United  States  Department  of  Health and Human
    18  Services, Parts 160 and 164 of Title 45 of the  Code  of  Federal  Regu-
    19  lations,  established  pursuant  to the Health Insurance Portability and
    20  Accountability Act of 1996 (Public  Law  104-191),  to  the  extent  the
    21  covered  entity  or business associate maintains the patient information
    22  in the same manner as  protected  health  information  as  described  in
    23  subparagraph (vii) of this paragraph;
    24    (xiv)  data  collected as part of human subjects research, including a
    25  clinical trial, conducted in accordance with the Federal Policy for  the
    26  Protection of Human Subjects, also known as the Common Rule, pursuant to
    27  good  clinical  practice  guidelines issued by the International Council
    28  for Harmonisation or pursuant to human subject  protection  requirements
    29  of the United States Food and Drug Administration; or
    30    (xv)  personal  data  processed  only for one or more of the following
    31  purposes:
    32    (A) product  registration  and  tracking  consistent  with  applicable
    33  United States Food and Drug Administration regulations and guidance;
    34    (B)  public  health  activities  and  purposes as described in Section
    35  164.512 of Title 45 of the Code of Federal Regulations; and/or
    36    (C) activities related to quality, safety, or effectiveness  regulated
    37  by the United States Food and Drug Administration;
    38    (d) (i) an activity involving the collection, maintenance, disclosure,
    39  sale, communication, or use of any personal data bearing on a consumer's
    40  credit  worthiness, credit standing, credit capacity, character, general
    41  reputation, personal characteristics, or mode of living  by  a  consumer
    42  reporting  agency,  as  defined  in  Title 15 U.S.C. Sec. 1681a(f), by a
    43  furnisher of information, as set forth in Title 15 U.S.C. Sec.  1681s-2,
    44  who provides information for use in a consumer  report,  as  defined  in
    45  Title  15  U.S.C.  Sec. 1861a(d), and by a user of a consumer report, as
    46  set forth in Title 15 U.S.C. Sec. 1681b.; and
    47    (ii) this paragraph shall apply only to the extent that such  activity
    48  involving  the collection, maintenance, disclosure, sale, communication,
    49  or use of such data by that agency, furnisher, or  user  is  subject  to
    50  regulation  under  the  Fair  Credit Reporting Act, Title 15 U.S.C. Sec.
    51  1681 et seq., and the data is not collected, maintained, used,  communi-
    52  cated,  disclosed,  or  sold  except  as  authorized  by the Fair Credit
    53  Reporting Act.
    54    § 1102. Consumer rights. 1. Right to notice. (a) Notice. Each control-
    55  ler that processes a consumer's personal data  must  make  publicly  and
        A. 680--B                           7

     1  persistently  available, in a conspicuous and readily accessible manner,
     2  a notice containing the following:
     3    (i)  a  description  of  the  consumer's rights under subdivisions two
     4  through six of this section  and  how  a  consumer  may  exercise  those
     5  rights, including how to withdraw consent;
     6    (ii)  the  categories of personal data processed by the controller and
     7  by any processor who processes personal data on behalf of  the  control-
     8  ler;
     9    (iii) the sources from which personal data is collected;
    10    (iv) the purposes for processing personal data;
    11    (v) the identity of each third party to whom the controller disclosed,
    12  shared, transferred or sold personal data and, for each identified third
    13  party,  (A)  the  categories  of  personal data being shared, disclosed,
    14  transferred, or sold to the third party,  (B)  the  purposes  for  which
    15  personal  data  is  being shared, disclosed, transferred, or sold to the
    16  third party, (C) the third party's retention period for each category of
    17  personal data processed by the third party or processed on their behalf,
    18  or if that is not possible, the criteria used to determine  the  period,
    19  and  (D)  whether  the  third  party uses the personal data for targeted
    20  advertising;
    21    (vi) the controller's retention period for each category  of  personal
    22  data  that  they  process or is processed on their behalf, or if that is
    23  not possible, the criteria used to determine that period; and
    24    (vii)  for  controllers  engaging  in  targeted  advertising,  average
    25  expected revenue per user (ARPU) or a similar metric for the most recent
    26  fiscal year for the region that covers New York.
    27    (b) Notice requirements.
    28    (i)  The  notice  must be written in easy-to-understand language at an
    29  eighth grade reading level or below.
    30    (ii) The categories of personal data processed and purposes for  which
    31  each category of personal data is processed must be described at a level
    32  specific enough to enable a consumer to exercise meaningful control over
    33  their  personal data but not so specific as to render the notice unhelp-
    34  ful to a reasonable consumer.
    35    (iii) The notice must be dated with its effective date and updated  at
    36  least  annually.    When  the  information required to be disclosed to a
    37  consumer pursuant to paragraph (a) of this subdivision has  not  changed
    38  since  the  immediately  previous  notice  (whether  initial, annual, or
    39  revised) provided to the consumer, a controller may  issue  a  statement
    40  that no changes have been made.
    41    (iv)  The  notice,  as well as each version of the notice in effect in
    42  the preceding six years,   must be easily accessible  to  consumers  and
    43  capable of being viewed by consumers at any time.
    44    2. Opt-in consent.  (a) A controller must obtain freely given, specif-
    45  ic, informed, and unambiguous opt-in consent from a consumer to:
    46    (i)  process  the  consumer's personal data for any purpose other than
    47  those in subdivision two of section eleven hundred five of this article;
    48  or
    49    (ii) make  any  changes  to  the  existing  processing  or  processing
    50  purpose,  including  those regarding the method and scope of collection,
    51  of the consumer's personal data that  may  be  less  protective  of  the
    52  consumer's  personal  data than the processing to which the consumer has
    53  previously given their freely given, specific, informed, and unambiguous
    54  opt-in consent.
    55    (b) Any request for consent must be provided to the consumer, prior to
    56  processing their personal data, in a standalone disclosure that is sepa-
        A. 680--B                           8

     1  rate and apart from any contract or  privacy  policy.  The  request  for
     2  consent must:
     3    (i)  include  a  clear and conspicuous description of each category of
     4  data and processing purpose for which consent is sought;
     5    (ii) clearly identify and distinguish between categories of  data  and
     6  processing  purposes that are necessary to provide the services or goods
     7  requested by the consumer and categories of data and processing purposes
     8  that are not necessary to provide the services or goods requested by the
     9  consumer;
    10    (iii) enable a reasonable consumer to easily identify  the  categories
    11  of data and processing purposes for which consent is sought;
    12    (iv)  clearly  present  as  the  most  conspicuous choice an option to
    13  provide only the consent necessary to  provide  the  services  or  goods
    14  requested by the consumer;
    15    (v) clearly present an option to deny consent; and
    16    (vi) where the request seeks consent to sharing, disclosure, transfer,
    17  or  sale  of  personal  data  to third parties, identify each such third
    18  party, the categories of data sold or shared with them,  the  processing
    19  purposes, the retention period, or if that is not possible, the criteria
    20  used  to  determine  the  period, and for each third party state if such
    21  sharing, disclosure, transfer, or  sale  enables  or  involves  targeted
    22  advertising.  The  details  of identities of such third parties, and the
    23  categories of data, processing purposes, and the retention  period,  may
    24  be  set  forth  in a different disclosure, provided that the request for
    25  consent contains a conspicuous and  directly  accessible  link  to  that
    26  disclosure.
    27    (c)  Targeted  advertising  and  sale  of  personal  data shall not be
    28  considered processing purposes that are necessary to provide services or
    29  goods requested by a consumer.
    30    (d) Once a consumer has provided freely given, specific, informed, and
    31  unambiguous opt-in consent to process their personal data for a process-
    32  ing purpose, a controller may rely on such consent  until  it  is  with-
    33  drawn.
    34    (e)  A  controller must provide a mechanism for a consumer to withdraw
    35  previously given consent at any time. Such mechanism shall  make  it  as
    36  easy for a consumer to withdraw their consent as it is for such consumer
    37  to provide consent.
    38    (f)  A  controller  must not infer that a consumer has provided freely
    39  given, specific, informed,  and  unambiguous  opt-in  consent  from  the
    40  consumer's  inaction  or  the  consumer's  continued use of a service or
    41  product provided by the controller.
    42    (g) To the extent that a controller  must  process  internet  protocol
    43  addresses,  system  configuration  information, URLs of referring pages,
    44  locale and language preferences, keystrokes,  or  any  other  data  that
    45  individually  or  collectively  may  comprise  personal data in order to
    46  obtain a consumer's freely given, specific,  informed,  and  unambiguous
    47  opt-in consent, the controller must:
    48    (i)  process only the personal data necessary to request freely given,
    49  specific, informed, and unambiguous opt-in consent;
    50    (ii) process the personal data solely to request freely given, specif-
    51  ic, informed, and unambiguous opt-in consent; and
    52    (iii) promptly delete  the  personal  data  if  consent  is  withheld,
    53  denied, or withdrawn.
    54    (h)  Controllers  must  not  request  consent  from a consumer who has
    55  previously withheld or denied consent, unless consent  is  necessary  to
    56  provide the services or goods requested by the consumer.
        A. 680--B                           9

     1    (i) Controllers must treat user-enabled privacy controls in a browser,
     2  browser   plug-in,  smartphone  application,  operating  system,  device
     3  setting, or other mechanism that communicates or signals the  consumer's
     4  choice  not  to  be subject to targeted advertising or the sale of their
     5  personal  data as a denial of consent under this act. To the extent that
     6  the privacy control conflicts with a  consumer's  consent,  the  privacy
     7  control  settings  govern,  unless  the  consumer provides freely given,
     8  specific, informed, and  unambiguous  opt-in  consent  to  override  the
     9  privacy control.
    10    (j)  A  controller  must not discriminate against a consumer for with-
    11  holding or denying consent, including, but not limited to, by:
    12    (i) denying services or goods to the  consumer,  unless  the  consumer
    13  does  not  consent  to  processing  necessary to provide the services or
    14  goods requested by the consumer;
    15    (ii) charging  different  prices  for  goods  or  services,  including
    16  through  the  use of discounts or other benefits, imposing penalties, or
    17  providing a different level or quality  of  services  or  goods  to  the
    18  consumer; or
    19    (iii)  suggesting  that the consumer will receive a different price or
    20  rate for goods or services or a different level or quality  of  services
    21  or goods.
    22    (k)  A  controller  may,  with  the consumer's freely given, specific,
    23  informed, and unambiguous opt-in consent given pursuant to this section,
    24  operate a program in which information, products, or  services  sold  to
    25  the  consumer  are  discounted  based  solely  on  such consumer's prior
    26  purchases from the controller, provided that the personal data  used  to
    27  operate  such  program  is processed solely for the purpose of operating
    28  such program.
    29    (l) In the event of a merger, acquisition, bankruptcy, or other trans-
    30  action in which another entity assumes control or ownership  of  all  or
    31  majority  of  the  controller's  assets,  any  consent  provided  to the
    32  controller by a consumer prior to such transaction shall be deemed with-
    33  drawn.
    34    3. Right to access.  Upon  the  verified  request  of  a  consumer,  a
    35  controller shall:
    36    (a)  confirm  whether or not the controller is processing or has proc-
    37  essed personal data of that consumer, and provide access to  a  copy  of
    38  any  such  personal  data  in  a  manner  understandable to a reasonable
    39  consumer when requested; and
    40    (b) provide the identity of each processor or third party to whom  the
    41  controller  disclosed, transferred, or sold the consumer's personal data
    42  and, for each identified processor or third party, (i) the categories of
    43  the consumer's personal data disclosed, transferred,  or  sold  to  each
    44  processor  or  third party and (ii) the purposes for which each category
    45  of the consumer's personal data was disclosed, transferred, or  sold  to
    46  each processor or third party.
    47    4. Right to portable data.  Upon a verified request, and to the extent
    48  technically feasible, the controller must: (a) provide to the consumer a
    49  copy  of  all  of, or a portion of, as designated in a verified request,
    50  the  consumer's  personal  data  in  a  structured,  commonly  used  and
    51  machine-readable  format  and (b) transmit the data to another person of
    52  the consumer's or their agent's designation without hindrance.
    53    5. Right to correct. (a) Upon the verified request of  a  consumer  or
    54  their  agent,  a  controller  must conduct a reasonable investigation to
    55  determine whether personal data, the accuracy of which  is  disputed  by
    56  the  consumer,  is  inaccurate,  with such investigation to be concluded
        A. 680--B                          10

     1  within the time period set forth in paragraph (a) of  subdivision  eight
     2  of this section.
     3    (b)  Notwithstanding  paragraph  (a) of this subdivision, a controller
     4  may terminate an investigation initiated pursuant to such  paragraph  if
     5  the  controller reasonably and in good faith determines that the dispute
     6  by the consumer is wholly without merit, including by reason of a  fail-
     7  ure  by  a consumer to provide sufficient information to investigate the
     8  disputed personal data. Upon making any determination in accordance with
     9  this paragraph that a dispute is  wholly  without  merit,  a  controller
    10  must,  within  the time period set forth in paragraph (a) of subdivision
    11  eight of this section, provide the  affected  consumer  a  statement  in
    12  writing that includes, at a minimum, the specific reasons for the deter-
    13  mination,  and identification of any information required to investigate
    14  the disputed personal data, which may consist  of  a  standardized  form
    15  describing the general nature of such information.
    16    (c)  If,  after any investigation under paragraph (a) of this subdivi-
    17  sion of any personal data  disputed  by  a  consumer,  an  item  of  the
    18  personal  data  is  found  to  be inaccurate or incomplete, or cannot be
    19  verified, the controller must:
    20    (i) correct the inaccurate or incomplete personal data of the  consum-
    21  er; and
    22    (ii)  unless it proves impossible or involves disproportionate effort,
    23  communicate such request to each processor or third party  to  whom  the
    24  controller  disclosed, transferred, or sold the personal data within one
    25  year preceding the consumer's request, and to require  those  processors
    26  or  third  parties  to  do  the same for any further processors or third
    27  parties they disclosed, transferred, or sold the personal data to.
    28    (d) If the investigation does not resolve the  dispute,  the  consumer
    29  may  file with the controller a brief statement setting forth the nature
    30  of the dispute. Whenever a statement of a dispute is filed, unless there
    31  exists reasonable grounds to believe that it is  wholly  without  merit,
    32  the controller must note that it is disputed by the consumer and include
    33  either  the consumer's statement or a clear and accurate codification or
    34  summary  thereof  with  the  disputed  personal  data  whenever  it   is
    35  disclosed, transferred, or sold to any processor or third party.
    36    6.  Right  to  delete.  (a) Upon the verified request of a consumer, a
    37  controller must:
    38    (i) within forty-five  days  after  receiving  the  verified  request,
    39  delete  any  or  all personal data, as directed by the consumer or their
    40  agent,  that the controller possesses or controls; and
    41    (ii) unless it proves impossible or involves  disproportionate  effort
    42  that  is  documented  in  writing  by  the  controller, communicate such
    43  request to  each  processor  or  third  party  to  whom  the  controller
    44  disclosed, transferred or sold the personal data within one year preced-
    45  ing  the  consumer's  request  and  to require those processors or third
    46  parties to do the same for any further processors or third parties  they
    47  disclosed, transferred, or sold the personal data to.
    48    (b) For personal data that is not possessed by the controller but by a
    49  processor  of  the controller, the controller may choose to (i) communi-
    50  cate the consumer's request for  deletion  to  the  processor,  or  (ii)
    51  request  that  the  processor return to the controller the personal data
    52  that is the subject of the consumer's request and delete  such  personal
    53  data upon receipt of the request.
    54    (c) A consumer's deletion of their online account must be treated as a
    55  request  to  the  controller  to  delete all of that consumer's personal
    56  data.
        A. 680--B                          11

     1    (d) A controller  must  maintain  reasonable  procedures  designed  to
     2  prevent  the  reappearance in its systems, and in any data it discloses,
     3  transfers, or sells to any processor or third party, the  personal  data
     4  that is deleted pursuant to this subdivision.
     5    (e)  A  controller is not required to comply with a consumer's request
     6  to delete personal data if:
     7    (i) complying with the  request  would  prevent  the  controller  from
     8  performing  accounting  functions,  processing  refunds,  effectuating a
     9  product recall pursuant to federal or state law, or fulfilling  warranty
    10  claims,  provided  that  the  personal  data  that is the subject of the
    11  request is not processed for any purpose other than such specific activ-
    12  ities; or
    13    (ii) it is necessary for the controller  to  maintain  the  consumer's
    14  personal  data  to engage in public or peer-reviewed scientific, histor-
    15  ical, or statistical research in the public interest that adheres to all
    16  other applicable ethics and privacy laws, when the controller's deletion
    17  of the information is likely to render impossible  or  seriously  impair
    18  the  achievement  of such research, provided that the consumer has given
    19  informed consent and the personal data is not processed for any  purpose
    20  other than such research.
    21    7. Automated decision-making. (a) Whenever a controller makes an auto-
    22  mated  decision  involving  solely  automated processing that materially
    23  contributes to a denial  of  financial  or  lending  services,  housing,
    24  public  accommodation,  insurance,  health  care  services, or access to
    25  basic necessities, such as food and water, the controller must:
    26    (i) disclose in a clear,  conspicuous,  and  consumer-friendly  manner
    27  that the decision was made by a solely automated process;
    28    (ii)  provide  an avenue for the affected consumer to appeal the deci-
    29  sion, which must at minimum allow the affected consumer to (A)  formally
    30  contest the decision, (B) provide information to support their position,
    31  and (C) obtain meaningful human review of the decision; and
    32    (iii) explain the process to appeal the decision.
    33    (b) A controller must respond to a consumer's appeal within forty-five
    34  days  of  receipt  of  the  appeal.  That period may be extended once by
    35  forty-five additional  days  where  reasonably  necessary,  taking  into
    36  account the complexity and number of appeals. The controller must inform
    37  the  consumer of any such extension within forty-five days of receipt of
    38  the appeal, together with the reasons for the delay.
    39    (c) (i) A controller or processor engaged in automated decision-making
    40  affecting financial or lending services, housing, public  accommodation,
    41  insurance,  education  enrollment,  employment, health care services, or
    42  access to basic necessities, such as  food  and  water,  or  engaged  in
    43  assisting  others  in  automated  decision-making  in those fields, must
    44  annually conduct an impact assessment of such automated  decision-making
    45  that:
    46    (A)  describes  and  evaluates  the  objectives and development of the
    47  automated decision-making processes including the  design  and  training
    48  data  used  to  develop  the  automated decision-making process, how the
    49  automated decision-making process was  tested  for  accuracy,  fairness,
    50  bias and discrimination; and
    51    (B)  assesses  whether  the  automated decision-making system produces
    52  discriminatory results on the basis of a consumer's or class of  consum-
    53  ers'  actual  or  perceived  race,  color, ethnicity, religion, national
    54  origin, sex,  gender,  gender  identity,  sexual  orientation,  familial
    55  status, biometric information, lawful source of income, or disability.
        A. 680--B                          12

     1    (ii)  A  controller or processor must utilize an external, independent
     2  auditor or researcher to conduct such assessments.
     3    (iii)  A  controller  or  processor  must make publicly available in a
     4  manner accessible online all impact  assessments  prepared  pursuant  to
     5  this section, retain all such impact assessments for at least six years,
     6  and  make  any  such retained impact assessments available to any state,
     7  federal, or local government authority upon request.
     8    (iv) For purposes of this paragraph, the limitations to jurisdictional
     9  scope set forth in paragraphs (b) and (c) of subdivision two of  section
    10  eleven hundred one of this article shall not apply.
    11    8.  Responding  to  requests.  (a) A controller must take action under
    12  subdivisions three through six of this section and inform  the  consumer
    13  of  any actions taken without undue delay and in any event within forty-
    14  five days of receipt of the request. That period may be extended once by
    15  forty-five additional  days  where  reasonably  necessary,  taking  into
    16  account  the  complexity and number of the requests. The controller must
    17  inform the consumer of any such  extension  within  forty-five  days  of
    18  receipt  of the request, together with the reasons for the delay. When a
    19  controller denies any such request, it must within this period  disclose
    20  to  the  consumer a statement in writing of the specific reasons for the
    21  denial.
    22    (b) A controller shall permit the exercise of rights and carry out its
    23  obligations set forth in subdivisions three through six of this  section
    24  free  of charge, at least twice annually to the consumer. Where requests
    25  from a consumer are manifestly unfounded  or  excessive,  in  particular
    26  because  of  their  repetitive  character, the controller may either (i)
    27  charge a reasonable fee to cover the administrative costs  of  complying
    28  with  the  request  or  (ii) refuse to act on the request and notify the
    29  consumer of the reason for refusing the request.  The  controller  bears
    30  the  burden of demonstrating the manifestly unfounded or excessive char-
    31  acter of the request.
    32    (c) (i)  A  controller  shall  promptly  attempt,  using  commercially
    33  reasonable  efforts,  to verify that all requests to exercise any rights
    34  set forth in any section of this article requiring  a  verified  request
    35  were made by the consumer who is the subject of the data, or by a person
    36  lawfully  exercising  the  right  on  behalf  of the consumer who is the
    37  subject of the data. Commercially reasonable efforts shall be determined
    38  based on the totality of the circumstances, including the nature of  the
    39  data implicated by the request.
    40    (ii)  A  controller  may  require  the  consumer to provide additional
    41  information only if the request cannot reasonably  be  verified  without
    42  the  provision  of  such  additional  information. A controller must not
    43  transfer or process any such additional information provided pursuant to
    44  this section for any other purpose and must delete any  such  additional
    45  information  without undue delay and in any event within forty-five days
    46  after the controller has notified the consumer that it has taken  action
    47  on  a  request  under  subdivisions  two through five of this section as
    48  described in paragraph (a) of this subdivision.
    49    (iii) If a controller discloses this  additional  information  to  any
    50  processor  or  third  party  for  the  purpose  of  verifying a consumer
    51  request, it must notify the receiving processor or third  party  at  the
    52  time  of  such  disclosure,  or as close in time to the disclosure as is
    53  reasonably practicable,  that  such  information  was  provided  by  the
    54  consumer  for  the  sole purpose of verification and cannot be processed
    55  for any purpose other than verification.
        A. 680--B                          13

     1    9. Implementation of rights. Controllers must provide easily  accessi-
     2  ble  and  convenient  means for consumers to exercise their rights under
     3  this article.
     4    10.  Non-waiver of rights. Any provision of a contract or agreement of
     5  any kind that purports to waive or limit in any way a consumer's  rights
     6  under  this  article  is contrary to public policy and is void and unen-
     7  forceable.
     8    § 1103.  Controller, processor, and third party  responsibilities.  1.
     9  Controller  responsibilities. (a) Data protection assessment. A control-
    10  ler shall regularly conduct and document a  data  protection  assessment
    11  for  processing activities that present a heightened risk of harm to the
    12  consumer. Such assessment must identify and weigh the benefits that  may
    13  flow,  directly  and  indirectly, from the processing to the controller,
    14  the consumer, other stakeholders, and the public against  the  potential
    15  risks  to  the rights of the consumer, or class of consumers, associated
    16  with the processing, as mitigated by safeguards that the controller  can
    17  employ  to  reduce  the  risks.  The  controller  shall factor into this
    18  assessment the use of deidentified data and the reasonable  expectations
    19  of consumers, as well as the context of the processing and the relation-
    20  ship between the controller and the consumer whose personal data will be
    21  processed,  with  the goal of restricting or prohibiting such processing
    22  if the risks of harm to the consumer  outweigh  the  benefits  resulting
    23  from the processing to the consumer.  Processing that presents a height-
    24  ened risk of harm to the consumer includes the following:
    25    (i) processing that may benefit the controller to the detriment of the
    26  consumer;
    27    (ii)  processing  that  would  be unexpected and highly offensive to a
    28  reasonable consumer;
    29    (iii) processing personal data for purposes of targeted advertising;
    30    (iv) sale of personal data; and
    31    (v) processing of personal data for purposes of profiling, where  such
    32  profiling presents a reasonably foreseeable risk of:
    33    (A)  unfair  or  deceptive treatment, or unlawful disparate impact on,
    34  consumers or a class of consumers;
    35    (B) financial,  physical,  psychological  or  reputational  injury  to
    36  consumers, or a class of consumers;
    37    (C)  a physical or otherwise intrusion upon the solitude or seclusion,
    38  or the private affairs or concerns, of consumers, where  such  intrusion
    39  would be offensive to a reasonable person; or
    40    (D) other substantial injury to consumers.
    41    (b)  Duty  of  loyalty.  (i) A controller must notify the consumer, or
    42  class of consumers, of the interest that may be  harmed  in  advance  of
    43  requesting consent and as close in time to the processing as practicable
    44  where  it  is  reasonably  foreseeable  to the controller that a process
    45  presents a heightened risk of harm to the consumer or class  of  consum-
    46  ers.
    47    (ii) Controllers must not engage in unfair, deceptive, or abusive acts
    48  or  practices with respect to obtaining consumer consent, the processing
    49  of personal data, and a consumer's exercise of  any  rights  under  this
    50  article, including without limitation:
    51    (A)  designing a user interface with the purpose or substantial effect
    52  of deceiving consumers, obscuring consumers' rights under this  article,
    53  or  subverting or impairing user autonomy, decision-making, or choice in
    54  order to obtain consent; or
    55    (B) obtaining consent in a manner designed to overpower  a  consumer's
    56  resistance; for example, by making excessive requests for consent.
        A. 680--B                          14

     1    (c)  Duty  of  care.  (i)  (A) Controllers must, on at least an annual
     2  basis, conduct and document risk assessments of all  current  processing
     3  of personal data.
     4    (B) Risk assessments must assess at a minimum:
     5    (I)  the nature, sensitivity and context of the personal data that the
     6  controller processes;
     7    (II) the nature, purpose, and value of the processes;
     8    (III) any risks or harms to consumers actually or potentially  arising
     9  out  of  the processes, including physical, financial, psychological, or
    10  reputational harms;
    11    (IV) the adequacy and effect of safeguards implemented by the control-
    12  lers;
    13    (V) the sufficiency  of  the  controller's  notices  to  consumers  at
    14  describing and obtaining consent concerning the processes; and
    15    (VI)  the  adequacy  of  the  safeguards  and  monitoring practices of
    16  processors and  third  parties  to  whom  the  controller  has  provided
    17  personal data.
    18    (C) The controller must retain risk assessments for at least six years
    19  and  make  risk  assessments  available  to  the  attorney  general upon
    20  request.
    21    (ii) Controllers must  develop,  implement,  and  maintain  reasonable
    22  safeguards to protect the security, confidentiality and integrity of the
    23  personal data of consumers including adopting reasonable administrative,
    24  technical  and  physical safeguards appropriate to the volume and nature
    25  of the personal data at issue.
    26    (iii) (A) A controller shall limit the use and retention of a  consum-
    27  er's  personal  data  to  what is necessary to provide a service or good
    28  requested by a consumer or for  purposes  for  which  the  consumer  has
    29  provided  freely  given,  specific,  informed,  and  unambiguous  opt-in
    30  consent.
    31    (B) At least annually, a controller shall review its  retention  prac-
    32  tices  for  the  purpose  of ensuring that it is maintaining the minimum
    33  amount of personal data as is necessary for the operation of  its  busi-
    34  ness.  A  controller must dispose of all personal data that is no longer
    35  (I) necessary to provide the services or goods requested by the  consum-
    36  er,  (II) necessary for the internal business operations of the control-
    37  ler and consistent with the disclosures made to the consumer pursuant to
    38  section eleven hundred two of this article, or (III) necessary to comply
    39  with the legal obligations of the controller.
    40    (iv) Controllers shall be under a continuing obligation to  engage  in
    41  reasonable  measures  to  review their activities for circumstances that
    42  may have altered their ability to identify a specific natural person and
    43  to update their classifications of data as  identified  or  identifiable
    44  accordingly.
    45    (d) Non-discrimination. (i) A controller must not discriminate against
    46  a  consumer  for  exercising  rights  under  this act, including but not
    47  limited to, by:
    48    (A) denying services or goods to consumers;
    49    (B) charging different prices for services or goods, including through
    50  the use of discounts or other benefits; imposing penalties; or providing
    51  a different level or quality of services or goods to the consumer; or
    52    (C) suggesting that the consumer will receive  a  different  price  or
    53  rate  for  services or goods or a different level or quality of services
    54  or goods.
        A. 680--B                          15

     1    (ii) This paragraph does not apply  to  a  controller's  conduct  with
     2  respect  to  opt-in  consent, in which case paragraph (j) of subdivision
     3  two of section eleven hundred two of this article governs.
     4    (e)  Agreements  with  processors.  (i)  Before making any disclosure,
     5  transfer, or sale of personal data to any processor, the controller must
     6  enter into a written, signed contract with that processor. Such contract
     7  must be binding and clearly set forth instructions for processing  data,
     8  the  nature and purpose of processing, the type of data subject to proc-
     9  essing, the duration of processing, and the rights  and  obligations  of
    10  both  parties.  The  contract  must  also  include requirements that the
    11  processor must:
    12    (A) ensure that each person processing personal data is subject  to  a
    13  duty of confidentiality with respect to the data;
    14    (B)  protect  the data in a manner consistent with the requirements of
    15  this act and at least equal to the security requirements of the control-
    16  ler set forth in their publicly available policies, notices, or  similar
    17  statements;
    18    (C)  process  the data only when and to the extent necessary to comply
    19  with its legal obligations to the controller unless otherwise explicitly
    20  authorized by the controller;
    21    (D) not combine the personal data which the processor receives from or
    22  on behalf of the controller  with  personal  data  which  the  processor
    23  receives  from  or  on behalf of another person or collects from its own
    24  interaction with consumers;
    25    (E) comply with any exercises of a  consumer's  rights  under  section
    26  eleven  hundred  two of this article upon the request of the controller,
    27  subject to the limitations set forth in section eleven hundred  five  of
    28  this article;
    29    (F)  at the controller's direction, delete or return all personal data
    30  to the controller as requested at the end of the provision of  services,
    31  unless retention of the personal data is required by law;
    32    (G)  upon  the reasonable request of the controller, make available to
    33  the controller all data in its possession necessary to  demonstrate  the
    34  processor's compliance with the obligations in this act;
    35    (H)  allow, and cooperate with, reasonable assessments by the control-
    36  ler or the controller's designated assessor; alternatively, the process-
    37  or may arrange for a qualified and independent assessor  to  conduct  an
    38  assessment  of the processor's policies and technical and organizational
    39  measures in support of the  obligations  under  this  article  using  an
    40  appropriate  and  accepted  control standard or framework and assessment
    41  procedure for such assessments. The processor shall provide a report  of
    42  such assessment to the controller upon request;
    43    (I) a reasonable time in advance before disclosing or transferring the
    44  data to any further processors, notify the controller of such a proposed
    45  disclosure  or  transfer  and  provide  the controller an opportunity to
    46  approve or reject the proposal; and
    47    (J) engage  any  further  processor  pursuant  to  a  written,  signed
    48  contract  that  includes  the  contractual requirements provided in this
    49  paragraph, containing at minimum the same obligations that the processor
    50  has entered into with regard to the data.
    51    (ii) A controller must not agree  to  indemnify,  defend,  or  hold  a
    52  processor  harmless,  or  agree  to  a  provision that has the effect of
    53  indemnifying, defending, or holding the processor harmless, from  claims
    54  or  liability  arising  from  the  processor's  breach  of  the contract
    55  required by clause (A) of  subparagraph  (i)  of  this  paragraph  or  a
        A. 680--B                          16

     1  violation  of this act. Any provision of an agreement that violates this
     2  subparagraph is contrary to public policy and is void and unenforceable.
     3    (iii)  Nothing  in this paragraph relieves a controller or a processor
     4  from the liabilities imposed on it by virtue of its role in the process-
     5  ing relationship as defined by this article.
     6    (iv) Determining whether a person is acting as a controller or proces-
     7  sor with respect to a specific processing of data is a fact-based deter-
     8  mination that depends upon the context in which personal data is  to  be
     9  processed.  A  processor  that  continues  to  adhere  to a controller's
    10  instructions with respect to a  specific  processing  of  personal  data
    11  remains a processor.
    12    (f)  Third  parties. (i) A controller must not share, disclose, trans-
    13  fer, or sell personal data, or  facilitate  or  enable  the  processing,
    14  disclosure,  transfer,  or  sale  of  personal data to a third party for
    15  which consent of the consumer pursuant to  subdivision  two  of  section
    16  eleven  hundred  two  of  this  article, has not been obtained or is not
    17  currently in effect. Any request for consent to share, disclose,  trans-
    18  fer,  or  sell personal data, or to facilitate or enable the processing,
    19  disclosure, transfer, or sale of personal data to  a  third  party  must
    20  clearly  include  the  identity  of  the  third party and the processing
    21  purposes for which the third party may use the personal data.
    22    (ii) A controller must not share, disclose, transfer, or sell personal
    23  data, or facilitate or enable the processing, disclosure,  transfer,  or
    24  sale of personal data if it can reasonably expect the personal data of a
    25  consumer  to be used for purposes that the consumer has not consented to
    26  pursuant to subdivision two of section eleven hundred two of this  arti-
    27  cle,  or  if  it  can  reasonably expect that any rights of the consumer
    28  provided in this article would be compromised as a result of such trans-
    29  action.
    30    (iii) Before making any disclosure, transfer, or sale of personal data
    31  to any third party, the controller must enter  into  a  written,  signed
    32  contract.  Such  contract  must  be  binding  and the scope, nature, and
    33  purpose of processing, the type of data subject to processing, the dura-
    34  tion of processing, and the rights  and  obligations  of  both  parties.
    35  Such contract must include requirements that the third party:
    36    (A)  Process  that  data only to the extent permitted by the agreement
    37  entered into with the controller; and
    38    (B) Provide a mechanism to comply with any exercises of  a  consumer's
    39  rights under section eleven hundred two of this article upon the request
    40  of  the  controller, subject to any limitations thereon as authorized by
    41  this article; and
    42    (C) To the extent the disclosure, transfer, or sale  of  the  personal
    43  data  causes  the  third  party  to become a controller, comply with all
    44  obligations imposed on controllers under this article.
    45    2. Processor responsibilities. (a)  For  any  personal  data  that  is
    46  obtained,  received,  purchased,  or  otherwise acquired by a processor,
    47  whether directly from a controller or indirectly from another processor,
    48  the processor must comply with the requirements set forth in clauses (A)
    49  through (J) of subparagraph (i) of paragraph (e) of subdivision  one  of
    50  this section.
    51    (b)  A  processor  is  not  required  to  comply with a request by the
    52  consumer submitted pursuant to this article by a  consumer  directly  to
    53  the processor to the extent that the processor has processed the consum-
    54  er's personal data solely in its role as a processor for a controller.
    55    (c)  Processors  shall  be  under a continuing obligation to engage in
    56  reasonable measures to review their activities  for  circumstances  that
        A. 680--B                          17

     1  may have altered their ability to identify a specific natural person and
     2  to  update  their  classifications of data as identified or identifiable
     3  accordingly.
     4    (d)  A  processor  shall not engage in any sale of personal data other
     5  than on behalf of the controller pursuant to any agreement entered  into
     6  with the controller.
     7    3.  Third  party  responsibilities.  (a) For any personal data that is
     8  obtained, received, purchased, or otherwise acquired or  accessed  by  a
     9  third party from a controller or processor, the third party must:
    10    (i)  Process  that data only to the extent permitted by any agreements
    11  entered into with the controller;
    12    (ii) Process only the personal data necessary for purposes  for  which
    13  freely  given,  specific, informed, and unambiguous opt-in consent is in
    14  effect, as conveyed by the controller, limit the use  and  retention  of
    15  that  data to what is necessary for such purposes, and shall immediately
    16  delete such personal data when notified that the  consent  is  withheld,
    17  denied, or withdrawn;
    18    (iii)  Comply  with any exercises of a consumer's rights under section
    19  eleven hundred two of this article upon the request of the controller or
    20  processor, subject to any limitations  thereon  as  authorized  by  this
    21  article; and
    22    (iv)  To  the extent the third party becomes a controller for personal
    23  data, comply with all obligations  imposed  on  controllers  under  this
    24  article.
    25    4. Exceptions. The requirements of this section shall not apply where:
    26    (a) The processing is required by law;
    27    (b)  The processing is made pursuant to a request by a federal, state,
    28  or local government or government entity; or
    29    (c) The processing significantly advances protection against  criminal
    30  or tortious activity.
    31    § 1104. Data brokers. 1. A data broker, as defined under this article,
    32  must:
    33    (a)  Annually,  on  or before January thirty-first following a year in
    34  which a person meets the definition of data broker in this article:
    35    (i) Register with the attorney general;
    36    (ii) Pay a registration fee of one hundred  dollars  or  as  otherwise
    37  determined  by the attorney general pursuant to the regulatory authority
    38  granted to the attorney general under this article, not  to  exceed  the
    39  reasonable  cost of establishing and maintaining the database and infor-
    40  mational website described in this section; and
    41    (iii) Provide the following information:
    42    (A) the name and primary physical, email, and internet website address
    43  of the data broker;
    44    (B) the name and business address of an officer or registered agent of
    45  the data broker authorized to accept legal process on behalf of the data
    46  broker;
    47    (C) a statement describing the method for exercising consumers  rights
    48  under section eleven hundred two of this article;
    49    (D) a statement whether the data broker implements a purchaser creden-
    50  tialing process; and
    51    (E)  any additional information or explanation the data broker chooses
    52  to provide concerning its data collection practices.
    53    2. Notwithstanding any other provision of this article, any controller
    54  that conducts business in the state of New York must:
    55    (a) annually, on or before January thirty-first following  a  year  in
    56  which  a  person meets the definition of controller in this act, provide
        A. 680--B                          18

     1  to the attorney general a list of all data brokers or persons reasonably
     2  believed to be data brokers to which the  controller  provided  personal
     3  data in the preceding year; and
     4    (b)  not  sell a consumer's personal data to a data broker that is not
     5  registered with the attorney general.
     6    3. The attorney general shall establish, manage and maintain a  state-
     7  wide  registry  on its internet website, which shall list all registered
     8  data brokers and make accessible  to  the  public  all  the  information
     9  provided  by  data brokers pursuant to this section. Printed hard copies
    10  of such registry shall be made available upon request and payment  of  a
    11  fee to be determined by the attorney general.
    12    4. A data broker that fails to register as required by this section or
    13  submits  false  information  in  its registration is, in addition to any
    14  other injunction, penalty, or liability that may be imposed  under  this
    15  article,  liable  for  civil  penalties,  fees,  and  costs in an action
    16  brought by the attorney general as follows: (a) a civil penalty  of  one
    17  thousand  dollars  for  each  day  the  data broker fails to register as
    18  required by this section or fails to correct false information,  (b)  an
    19  amount  equal  to  the fees that were due during the period it failed to
    20  register, and (c) expenses incurred  by  the  attorney  general  in  the
    21  investigation and prosecution of the action as the court deems appropri-
    22  ate.
    23    §  1105. Limitations. 1. This article does not require a controller or
    24  processor to do any of the following solely for  purposes  of  complying
    25  with this article:
    26    (a) Reidentify deidentified data;
    27    (b)  Comply  with  a  verified consumer request to access, correct, or
    28  delete personal data pursuant to this article if all  of  the  following
    29  are true:
    30    (i)  The  controller  is  not  reasonably  capable  of associating the
    31  request with the personal data;
    32    (ii) The controller does not associate the personal  data  with  other
    33  personal  data  about  the  same specific consumer as part of its normal
    34  business practice; and
    35    (iii) The controller does not sell the  personal  data  to  any  third
    36  party or otherwise voluntarily disclose or transfer the personal data to
    37  any  processor  or  third  party,  except as otherwise permitted in this
    38  article; or
    39    (c) Maintain personal data in identifiable form, or  collect,  obtain,
    40  retain,  or access any personal data or technology, in order to be capa-
    41  ble of associating a verified consumer request with personal data.
    42    2. The obligations imposed on controllers and  processors  under  this
    43  article  do not restrict a controller's or processor's ability to do any
    44  of the following, to the extent that the use of the consumer's  personal
    45  data is reasonably necessary and proportionate for these purposes:
    46    (a) Comply with federal, state, or local laws, rules, or regulations;
    47    (b)  Comply  with  a  civil, criminal, or regulatory inquiry, investi-
    48  gation, subpoena, or summons by federal, state, local, or other  govern-
    49  mental authorities;
    50    (c)  Cooperate  with  law  enforcement  agencies concerning conduct or
    51  activity that the controller or processor reasonably and in  good  faith
    52  believes  may  violate  federal,  state,  or local laws, rules, or regu-
    53  lations;
    54    (d) Investigate, establish, exercise, prepare  for,  or  defend  legal
    55  claims;
        A. 680--B                          19

     1    (e)  Process  personal data necessary to provide the services or goods
     2  requested by a consumer; perform a contract to which the consumer  is  a
     3  party;  or  take  steps at the request of the consumer prior to entering
     4  into a contract;
     5    (f) Take immediate steps to protect the life or physical safety of the
     6  consumer  or  of another natural person, and where the processing cannot
     7  be manifestly based on another legal basis;
     8    (g) Prevent, detect, protect against, or  respond  to  security  inci-
     9  dents,  identity theft, fraud, harassment, malicious or deceptive activ-
    10  ities, or any illegal activity; preserve the integrity  or  security  of
    11  systems;  or investigate, report, or prosecute those responsible for any
    12  such action;
    13    (h) Identify and repair  technical  errors  that  impair  existing  or
    14  intended functionality; or
    15    (i) Process business contact information, including a natural person's
    16  name,  position  name  or  title,  business  telephone  number, business
    17  address, business electronic mail address, business fax number, or qual-
    18  ifications and any other similar information about the natural person.
    19    3. The obligations imposed on controllers  or  processors  under  this
    20  article  do  not  apply  where compliance by the controller or processor
    21  with this article would violate an evidentiary privilege under New  York
    22  law and do not prevent a controller or processor from providing personal
    23  data  concerning a consumer to a person covered by an evidentiary privi-
    24  lege under New York law as part of a privileged communication.
    25    4. A controller that receives a request pursuant to subdivisions three
    26  through six of section eleven hundred two of this article, or a process-
    27  or or third party to whom a controller communicates such a request,  may
    28  decline to fulfill the relevant part of such request if:
    29    (a)  the controller, processor, or third party is unable to verify the
    30  request using commercially reasonable efforts, as described in paragraph
    31  (c) of subdivision eight of section eleven hundred two of this article;
    32    (b) complying with the request would be demonstrably  impossible  (for
    33  purposes  of  this  paragraph, the receipt of a large number of verified
    34  requests, on its own, is not sufficient  to  render  compliance  with  a
    35  request demonstrably impossible);
    36    (c)  complying  with  the  request would impair the privacy of another
    37  individual or the rights of another to exercise free speech; or
    38    (d) the personal data was created by a natural person other  than  the
    39  consumer  making  the  request and is being processed for the purpose of
    40  facilitating interpersonal relationships or public discussion.
    41    § 1106. Enforcement and  private  right  of  action.  1.  Whenever  it
    42  appears  to  the  attorney  general, either upon complaint or otherwise,
    43  that any person or persons has engaged in or is about to engage  in  any
    44  of  the  acts or practices stated to be unlawful under this article, the
    45  attorney general may bring an action or special proceeding in  the  name
    46  and  on  behalf  of  the  people  of the state of New York to enjoin any
    47  violation of this article, to obtain restitution of any moneys or  prop-
    48  erty  obtained  directly  or indirectly by any such violation, to obtain
    49  disgorgement of any profits obtained directly or indirectly by any  such
    50  violation,  to  obtain civil penalties of not more than fifteen thousand
    51  dollars per violation, and to obtain any such other and  further  relief
    52  as the court may deem proper, including preliminary relief.
    53    (a)  Any  action or special proceeding brought by the attorney general
    54  pursuant to this section must be commenced within six years.
    55    (b)  Each  instance  of  unlawful  processing  counts  as  a  separate
    56  violation.  Unlawful  processing  of  the personal data of more than one
        A. 680--B                          20

     1  consumer counts as a  separate  violation  as  to  each  consumer.  Each
     2  provision  of  this  article  that  is  violated  counts  as  a separate
     3  violation.
     4    (c)  In assessing the amount of penalties, the court must consider any
     5  one or more of the  relevant  circumstances  presented  by  any  of  the
     6  parties,  including,  but  not limited to, the nature and seriousness of
     7  the misconduct, the number of violations, the persistence of the miscon-
     8  duct, the length of time over which the misconduct occurred,  the  will-
     9  fulness  of  the  violator's  misconduct,  and  the violator's financial
    10  condition.
    11    2. In connection with any proposed action or special proceeding  under
    12  this  section, the attorney general is authorized to take proof and make
    13  a determination of the relevant facts, and to issue subpoenas in accord-
    14  ance with the civil practice law and rules.   The attorney  general  may
    15  also require such other data and information as he or she may deem rele-
    16  vant  and  may  require written responses to questions under oath.  Such
    17  power of subpoena and examination shall not abate or terminate by reason
    18  of any action or special proceeding  brought  by  the  attorney  general
    19  under this article.
    20    3.  Any  person, within or outside the state, who the attorney general
    21  believes may be in possession, custody, or control of any books, papers,
    22  or other things, or may have information, relevant to acts or  practices
    23  stated  to  be  unlawful  in this article is subject to the service of a
    24  subpoena issued by  the  attorney  general  pursuant  to  this  section.
    25  Service  may  be  made in any manner that is authorized for service of a
    26  subpoena or a summons by the state in which service is made.
    27    4. (a) Failure to   comply with a subpoena  issued  pursuant  to  this
    28  section  without reasonable cause tolls the applicable statutes of limi-
    29  tations in any action or special  proceeding  brought  by  the  attorney
    30  general  against the noncompliant person that arises out of the attorney
    31  general's investigation.
    32    (b) If a person fails to comply with a  subpoena  issued  pursuant  to
    33  this  section,  the  attorney  general  may move in the supreme court to
    34  compel compliance.  If the court finds that the subpoena was authorized,
    35  it shall order compliance and may impose a civil penalty of up  to  five
    36  hundred dollars per day of noncompliance.
    37    (c)  Such  tolling and civil penalty shall be in addition to any other
    38  penalties or remedies provided by law for noncompliance with a subpoena.
    39    5. This section shall apply to all acts declared to be unlawful  under
    40  this article, whether or not subject to any other law of this state, and
    41  shall  not  supersede, amend or repeal any other law of this state under
    42  which the attorney general is authorized to take any action  or  conduct
    43  any inquiry.
    44    6.  Any  consumer  who  has been injured by a violation of subdivision
    45  two, seven or eight of section eleven hundred two of  this  article  may
    46  bring  an  action  in his or her own name to enjoin such unlawful act or
    47  practice and to recover his  or  her  actual  damages  or  one  thousand
    48  dollars,  whichever  is  greater.  The  court  may also award reasonable
    49  attorneys' fees to a prevailing plaintiff.   Actions  pursuant  to  this
    50  section may be brought on a class-wide basis.
    51    §  1107.  Miscellaneous.  1.  Preemption: This article does not annul,
    52  alter, or affect the laws, ordinances, regulations,  or  the  equivalent
    53  adopted by any local entity regarding the processing, collection, trans-
    54  fer, disclosure, and sale of consumers' personal data by a controller or
    55  processor  subject  to  this  article,  except to the extent those laws,
    56  ordinances, regulations, or the equivalent create requirements or  obli-
        A. 680--B                          21

     1  gations that conflict with or reduce the protections afforded to consum-
     2  ers under this article.
     3    2. Impact report: The attorney general shall issue a report evaluating
     4  this  article,  its scope, any complaints from consumers or persons, the
     5  liability and enforcement provisions of this article including, but  not
     6  limited  to,  the  effectiveness of its efforts to enforce this article,
     7  and any recommendations for changes to  such  provisions.  The  attorney
     8  general shall submit the report to the governor, the temporary president
     9  of  the senate, the speaker of the assembly, and the appropriate commit-
    10  tees of the legislature within two years of the effective date  of  this
    11  section.
    12    3. Regulatory authority: (a) The attorney general is hereby authorized
    13  and empowered to adopt, promulgate, amend and rescind suitable rules and
    14  regulations to carry out the provisions of this article, including rules
    15  governing  the  form  and  content  of any disclosures or communications
    16  required by this article.
    17    (b) The  attorney  general  may  request  data  and  information  from
    18  controllers  conducting business in New York state, other New York state
    19  government entities administering notice and consent  regimes,  consumer
    20  protection  and  privacy  advocates  and researchers, internet standards
    21  setting bodies, such as  the  internet  engineering  taskforce  and  the
    22  institute  of  electrical  and electronics engineers, and other relevant
    23  sources, to conduct studies to inform suitable  rules  and  regulations.
    24  The  attorney  general  shall receive, upon request, data from other New
    25  York state governmental entities.
    26    4. Exercise of rights: Any consumer right set forth  in  this  article
    27  may  be  exercised at any time by the consumer who is the subject of the
    28  data or by a parent or guardian authorized by law  to  take  actions  of
    29  legal  consequence  on  behalf of the consumer who is the subject of the
    30  data. An agent authorized by a consumer may exercise the consumer rights
    31  set forth in subdivisions three through six of  section  eleven  hundred
    32  two of this act on the consumers behalf.
    33    §  4.  This act shall take effect immediately; provided, however, that
    34  sections 1101, 1102, 1103, 1105, 1106 and 1107 of the  general  business
    35  law,  as added by section three of this act, shall take effect two years
    36  after it shall have become a law but the private right of action author-
    37  ized by subdivision 6 of section 1106 of the general business law  shall
    38  take effect three years after such section shall have become a law.