STATE OF NEW YORK
        ________________________________________________________________________
                                          3367
                               2017-2018 Regular Sessions
                   IN ASSEMBLY
                                    January 27, 2017
                                       ___________
        Introduced  by  M. of A. KAVANAGH, ORTIZ, PERRY, COLTON, TITUS, GUNTHER,
          LUPARDO,  JAFFEE,  O'DONNELL,  CUSICK,  ZEBROWSKI,  BENEDETTO,  GALEF,
          CAHILL,  HOOPER,  PRETLOW,  TITONE, ROSENTHAL, WEPRIN, QUART -- Multi-
          Sponsored by -- M. of A. ARROYO, DINOWITZ, GOTTFRIED, HEVESI,  HIKIND,
          PEOPLES-STOKES  -- read once and referred to the Committee on Consumer
          Affairs and Protection
        AN ACT to amend the general business law, in  relation  to  establishing
          the online consumer protection act
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  the "online consumer protection act".
     3    §  2.  Legislative  findings.  The  state  has  the authority to enact
     4  consumer regulations to protect the people of the state.  Recently,  the
     5  state  has enacted a series of laws to address problems arising from the
     6  ubiquity of the internet.  From  protecting  consumers  from  electronic
     7  breaches  of  security  to  enacting  laws  prohibiting  the practice of
     8  "phishing" -- an electronic form of identify theft -- the state  has  an
     9  obligation to enact sensible protections for the people.
    10    The  internet  age  has  changed, often for the better, the way people
    11  work, enjoy entertainment and interact with one another.  However,  with
    12  the  internet age new problems have arisen that must be addressed, chief
    13  among them, the loss of personal privacy. Recent examples, including one
    14  where search engine results were tracked to an individual,  have  illus-
    15  trated  that  a  person's  privacy can be breached easily and with grave
    16  consequences. There is a fundamental rift  between  tracking  technology
    17  and  consumers'  right  to  control  what data is collected and where it
    18  goes. Action must be taken in order to prevent more egregious violations
    19  of  privacy  occurring  including  price  discrimination,  exposure   of
    20  personal information to subpoenas and warrantless government access.
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD02732-01-7
        A. 3367                             2
     1    This  act  establishes  provisions  to  allow consumers the ability to
     2  simply opt-out of being monitored on  the  internet.  Such  protections,
     3  akin  to the do not call registry, are a fair, sensible and common sense
     4  way to give consumers a clear choice with respect to being monitored.
     5    §  3. The general business law is amended by adding a new section 390-
     6  bb to read as follows:
     7    § 390-bb. Online consumer protection. 1.  For  the  purposes  of  this
     8  section the following terms shall have the following meanings:
     9    (a) The term "online preference marketing" shall mean a type of adver-
    10  tisement  delivery  and reporting whereby data is collected to determine
    11  or predict consumer characteristics or preference for use in  advertise-
    12  ment delivery on the internet.
    13    (b)  The  term  "personally  identifiable information" shall mean data
    14  that, by itself, can be used to identify, contact or  locate  a  person,
    15  including  name,  address, telephone number, sensitive medical or finan-
    16  cial data, sexual behavior, sexual orientation, or email address.
    17    (c) The term "publisher" shall mean any company, individual  or  other
    18  group that has a website, webpage or other internet page.
    19    (d) The term "consumer" shall mean any natural person using or access-
    20  ing  a  website,  webpage or online service that includes the display of
    21  advertisements.
    22    (e) The term "advertising network" shall mean any company,  individual
    23  or  other  group  that  is  collecting  online consumer activity for the
    24  purposes of ad delivery.
    25    2. No publisher of a webpage or advertising network contracted with  a
    26  publisher  shall  collect  personally  identifiable  information for the
    27  purposes of online preference marketing.   This  subdivision  shall  not
    28  apply  to the collection of personally identifiable information provided
    29  to a publisher of a webpage or advertising  network  contracted  with  a
    30  publisher by the consumer with his or her consent.
    31    3.  No publisher of a webpage or advertising network contracted with a
    32  publisher shall collect any other information from a  consumer  that  is
    33  not  defined as personally identifiable information pursuant to subdivi-
    34  sion one of this section for the purposes of online preference marketing
    35  unless the consumer is given an opportunity to opt-out  of  the  use  of
    36  such information for online marketing purposes.
    37    4.  An  advertising network shall post clear and conspicuous notice on
    38  the home page of its own website about its privacy policy and  its  data
    39  collection  and use practices related to its advertising delivery activ-
    40  ities. If a publisher has contracted with an  advertising  network,  the
    41  publisher  shall  post  clear and conspicuous notice on its website that
    42  describes the collection and  use  of  information  by  the  advertising
    43  network. If the advertising network engages in online preference market-
    44  ing,  the  privacy  policies  of  both  the  advertising network and the
    45  publisher shall describe the ability to  opt-out  of  online  preference
    46  marketing by such network.
    47    5. An advertising network shall make reasonable efforts to protect the
    48  data  it  collects or logs as a result of ad delivery and reporting from
    49  loss, misuse, alteration, destruction or improper access.
    50    6. The attorney general may bring  an  action  against  a  person  who
    51  violates the provisions of this section:
    52    (a) to enjoin further violation of the provisions of this section; and
    53    (b)  to  recover  up to two hundred fifty dollars for each instance in
    54  which identifying information is collected from a person in violation of
    55  the provisions of subdivision two or three of this section.
        A. 3367                             3
     1    In an action under paragraph (b) of  this  subdivision,  a  court  may
     2  increase the damages up to three times the damages allowed by such para-
     3  graph  where  the  defendant has been found to have engaged in a pattern
     4  and practice of violating the provisions of subdivision two or three  of
     5  this section.
     6    7.  Nothing  in this section shall in any way limit rights or remedies
     7  which are otherwise available under law to the attorney general  or  any
     8  other  person  authorized  to  bring an action under subdivision five of
     9  this section.
    10    § 4. This act shall take effect on the one hundred eightieth day after
    11  it shall have become a law.