STATE OF NEW YORK
        ________________________________________________________________________

                                          6319

                               2023-2024 Regular Sessions

                   IN ASSEMBLY

                                      April 3, 2023
                                       ___________

        Introduced  by M. of A. SOLAGES -- read once and referred to the Commit-
          tee on Science and Technology

        AN ACT to amend the general business law, in  relation  to  establishing
          consumers'  foundational data privacy rights, creating oversight mech-
          anisms, and establishing enforcement  mechanisms;  and  to  amend  the
          state finance law, in relation to establishing the privacy and securi-
          ty victims relief fund

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. The general business law is amended by adding a new article
     2  45 to read as follows:

     3                                 ARTICLE 45
     4                         DATA PRIVACY AND PROTECTION

     5  Title I.   Short title and definitions (§§ 1500--1501).
     6  Title II.  Duty of loyalty (§§ 1510--1513).
     7  Title III. Consumer data rights (§§ 1520--1529).
     8  Title IV.  Corporate accountability (§§ 1540--1544).
     9  Title V.   Enforcement,    applicability,    and    miscellaneous    (§§
    10               1550--1554).

    11                                   TITLE I
    12                         SHORT TITLE AND DEFINITIONS
    13  Section 1500. Short title.
    14          1501. Definitions.
    15    §  1500.  Short title. This article shall be known and may be cited as
    16  the "American Data Privacy and Protection Act".
    17    § 1501. Definitions. As used in this article:
    18    1. (a) "Affirmative express consent" means an affirmative  act  by  an
    19  individual  that  clearly  communicates  the  individual's freely given,

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD09996-01-3

        A. 6319                             2

     1  specific, and unambiguous authorization for an  act  or  practice  after
     2  having  been  informed, in response to a specific request from a covered
     3  entity that meets the requirements of paragraph (b) of this subdivision.
     4    (b)  The requirements of this paragraph with respect to a request from
     5  a covered entity to an individual are the following:
     6    (i) The request is provided to the individual in a clear and conspicu-
     7  ous standalone disclosure made through the primary medium used to  offer
     8  the  covered  entity's  product  or  service,  or only if the product or
     9  service is not offered in a  medium  that  permits  the  making  of  the
    10  request  under this paragraph, another medium regularly used in conjunc-
    11  tion with the covered entity's product or service.
    12    (ii) The request includes a description of the processing purpose  for
    13  which the individual's consent is sought and:
    14    (A)  clearly  states  the specific categories of covered data that the
    15  covered entity shall collect, process, and transfer necessary to  effec-
    16  tuate the processing purpose; and
    17    (B)  includes a prominent heading and is written in easy-to-understand
    18  language that would enable  a  reasonable  individual  to  identify  and
    19  understand  the  processing  purpose for which consent is sought and the
    20  covered data to be collected, processed, or transferred by  the  covered
    21  entity for such processing purpose.
    22    (iii)  The request clearly explains the individual's applicable rights
    23  related to consent.
    24    (iv) The request is made in a  manner  reasonably  accessible  to  and
    25  usable by individuals with disabilities.
    26    (v)  The  request  is made available to the individual in each covered
    27  language in which the covered entity provides a product or  service  for
    28  which authorization is sought.
    29    (vi)  The  option  to refuse consent shall be at least as prominent as
    30  the option to accept, and the option to refuse consent  shall  take  the
    31  same number of steps or fewer as the option to accept.
    32    (vii)  Processing  or transferring any covered data collected pursuant
    33  to affirmative express consent for a different processing  purpose  than
    34  that  for  which  affirmative express consent was obtained shall require
    35  affirmative express consent for the subsequent processing purpose.
    36    (c) A covered entity may not infer that  an  individual  has  provided
    37  affirmative  express  consent to an act or practice from the inaction of
    38  the individual or the individual's continued use of a service or product
    39  provided by the covered entity.
    40    (d) A covered entity may not obtain or attempt to obtain the  affirma-
    41  tive express consent of an individual through:
    42    (i)  the  use  of  any  false,  fictitious,  fraudulent, or materially
    43  misleading statement or representation; or
    44    (ii) the design, modification, or manipulation of any  user  interface
    45  with  the  purpose  or  substantial  effect of obscuring, subverting, or
    46  impairing a reasonable individual's autonomy, decision making, or choice
    47  to provide such consent or any covered data.
    48    2. "Authentication" means the process of verifying  an  individual  or
    49  entity for security purposes.
    50    3.  (a)  "Biometric information" means any covered data generated from
    51  the technological processing of an individual's unique biological, phys-
    52  ical, or physiological characteristics  that  is  linked  or  reasonably
    53  linkable to an individual, including:
    54    (i) fingerprints;
    55    (ii) voice prints;
    56    (iii) iris or retina scans;

        A. 6319                             3

     1    (iv) facial or hand mapping, geometry, or templates; or
     2    (v) gait or personally identifying physical movements.
     3    (b) "Biometric information" does not include:
     4    (i) a digital or physical photograph;
     5    (ii) an audio or video recording; or
     6    (iii)  data  generated  from  a  digital or physical photograph, or an
     7  audio or video recording, that cannot be used to identify an individual.
     8    4. "Collect" and "collection" mean buying, renting, gathering, obtain-
     9  ing, receiving, accessing, or otherwise acquiring covered  data  by  any
    10  means.
    11    5. "Control" means, with respect to an entity:
    12    (a) ownership of, or the power to vote, more than fifty percent of the
    13  outstanding shares of any class of voting security of the entity;
    14    (b)  control  over  the election of a majority of the directors of the
    15  entity (or of individuals exercising similar functions); or
    16    (c) the power to exercise a controlling influence over the  management
    17  of the entity.
    18    6. "Covered algorithm" means a computational process that uses machine
    19  learning,  natural  language  processing,  artificial intelligence tech-
    20  niques, or other  computational  processing  techniques  of  similar  or
    21  greater  complexity and that makes a decision or facilitates human deci-
    22  sion-making with respect to covered data,  including  to  determine  the
    23  provision of products or services or to rank, order, promote, recommend,
    24  amplify,  or  similarly determine the delivery or display of information
    25  to an individual.
    26    7. (a) "Covered data" means information that identifies or  is  linked
    27  or  reasonably linkable, alone or in combination with other information,
    28  to an individual or a device that identifies or is linked or  reasonably
    29  linkable  to  an  individual,  and  may  include derived data and unique
    30  persistent identifiers.
    31    (b) "Covered data" does not include:
    32    (i) de-identified data;
    33    (ii) employee data;
    34    (iii) publicly available information; or
    35    (iv) inferences made exclusively from multiple independent sources  of
    36  publicly available information that do not reveal sensitive covered data
    37  with respect to an individual.
    38    8. (a) "Covered entity":
    39    (i) means any entity or any person, other than an individual acting in
    40  a  non-commercial  context, that alone or jointly with others determines
    41  the purposes  and  means  of  collecting,  processing,  or  transferring
    42  covered data and:
    43    (A)  is  subject  to  the  Federal Trade Division Act (15 U.S.C. 41 et
    44  seq.);
    45    (B) is a common carrier subject to the Communications Act of 1934  (47
    46  U.S.C.  151  et  seq.) and all acts amendatory thereof and supplementary
    47  thereto; or
    48    (C) is an organization not organized to carry on business for its  own
    49  profit or that of its members; and
    50    (ii) includes any entity or person that controls, is controlled by, or
    51  is under common control with the covered entity.
    52    (b) "Covered entity" does not include:
    53    (i)  a federal, state, tribal, territorial, or local government entity
    54  such as a body, authority, board, bureau, division, district, agency, or
    55  political subdivision of the federal  government  or  a  state,  tribal,
    56  territorial, or local government;

        A. 6319                             4

     1    (ii)  a  person or an entity that is collecting, processing, or trans-
     2  ferring covered data on behalf of a federal, state, tribal, territorial,
     3  or local government entity, in so far as such person or entity is acting
     4  as a service provider to the government entity; or
     5    (iii)  an  entity  that  serves  as  a  designated nonprofit, national
     6  resource center, and clearinghouse to  provide  assistance  to  victims,
     7  families, child-serving professionals, and the general public on missing
     8  and exploited children issues.
     9    (c)  An  entity  shall  not  be  considered to be a covered entity for
    10  purposes of this article in so far as the entity is acting as a  service
    11  provider as defined in subdivision thirty of this section.
    12    9.  "Covered  language" means the ten languages with the most users in
    13  the United States, according to the most recent United States Census.
    14    10. "Covered minor" means an individual under the age of seventeen.
    15    11. "De-identified data" means information that does not identify  and
    16  is  not  linked  or  reasonably  linkable  to a distinct individual or a
    17  device, regardless of whether the information is aggregated, and if  the
    18  covered entity or service provider:
    19    (a) takes reasonable technical measures to ensure that the information
    20  cannot,  at  any  point, be used to re-identify any individual or device
    21  that identifies or is linked or reasonably linkable to an individual;
    22    (b) publicly commits in a clear and conspicuous manner:
    23    (i) to process and transfer the information solely in a  de-identified
    24  form without any reasonable means for re-identification; and
    25    (ii) to not attempt to re-identify the information with any individual
    26  or  device  that  identifies  or  is linked or reasonably linkable to an
    27  individual; and
    28    (c) contractually obligates any person or  entity  that  receives  the
    29  information from the covered entity or service provider:
    30    (i)  to  comply  with  all  of  the  provisions of this paragraph with
    31  respect to the information; and
    32    (ii) to require that such contractual obligations be included contrac-
    33  tually in all subsequent instances for which the data may be received.
    34    12. "Derived data" means covered data that is created by  the  deriva-
    35  tion   of  information,  data,  assumptions,  correlations,  inferences,
    36  predictions, or conclusions from facts, evidence, or another  source  of
    37  information or data about an individual or an individual's device.
    38    13.  "Device"  means  any  electronic equipment capable of collecting,
    39  processing, or transferring covered data that is used  by  one  or  more
    40  individuals.
    41    14. "Division" means the division of consumer protection.
    42    15. "Employee" means an individual who is an employee, director, offi-
    43  cer,  staff  member individual working as an independent contractor that
    44  is not a service provider, trainee, volunteer, or intern of an employer,
    45  regardless of whether such individual is paid, unpaid, or employed on  a
    46  temporary basis.
    47    16. "Employee data" means:
    48    (a)  information  relating  to  a job applicant collected by a covered
    49  entity acting as a prospective employer of such  job  applicant  in  the
    50  course  of  the  application,  or hiring process, if such information is
    51  collected, processed, or transferred by the prospective employer  solely
    52  for purposes related to the employee's status as a current or former job
    53  applicant of such employer;
    54    (b)  information  processed by an employer relating to an employee who
    55  is acting in a professional capacity for  the  employer,  provided  that
    56  such  information  is  collected,  processed,  or transferred solely for

        A. 6319                             5

     1  purposes related to such employee's professional activities on behalf of
     2  the employer;
     3    (c)  the  business  contact  information of an employee, including the
     4  employee's name, position or title, business telephone number,  business
     5  address, or business email address that is provided to an employer by an
     6  employee  who  is acting in a professional capacity, if such information
     7  is collected, processed, or transferred solely for purposes  related  to
     8  such employee's professional activities on behalf of the employer;
     9    (d)  emergency  contact  information  collected  by  an  employer that
    10  relates to  an  employee  of  that  employer,  if  such  information  is
    11  collected, processed, or transferred solely for the purpose of having an
    12  emergency  contact on file for the employee and for processing or trans-
    13  ferring such information in case of an emergency; or
    14    (e) information relating to an employee (or a spouse, dependent, other
    15  covered family member, or beneficiary of such employee) that  is  neces-
    16  sary  for  the  employer to collect, process, or transfer solely for the
    17  purpose of administering benefits to which  such  employee  (or  spouse,
    18  dependent, other covered family member, or beneficiary of such employee)
    19  is entitled on the basis of the employee's position with that employer.
    20    17.  "Executive  agency"  means any department, board, bureau, commis-
    21  sion, division, office, council, committee or officer of  the  state,  a
    22  public  benefit  corporation  or  public authority at least one of whose
    23  members is appointed by the governor.
    24    18. "First  party  advertising  or  marketing"  means  advertising  or
    25  marketing  conducted  by  a  first  party either through direct communi-
    26  cations with a user such as direct mail, email, or text message communi-
    27  cations, or advertising  or  marketing  conducted  entirely  within  the
    28  first-party  context,  such  as  in  a physical location operated by the
    29  first party, or on a website or app operated by the first party.
    30    19. "Genetic information" means any covered data,  regardless  of  its
    31  format,  that  concerns an individual's genetic characteristics, includ-
    32  ing:
    33    (a) raw  sequence  data  that  results  from  the  sequencing  of  the
    34  complete,  or a portion of the, extracted deoxyribonucleic acid (DNA) of
    35  an individual; or
    36    (b) genotypic and phenotypic information that results  from  analyzing
    37  raw sequence data described in paragraph (a) of this subdivision.
    38    20. "Individual" means a natural person residing in the state.
    39    21. (a) "Knowledge" means:
    40    (i)  with  respect  to  a covered entity that is a covered high-impact
    41  social media company, the entity knew or should have known the  individ-
    42  ual was a covered minor;
    43    (ii)  with  respect  to a covered entity or service provider that is a
    44  large data holder, and otherwise is not  a  covered  high-impact  social
    45  media  company,  that the covered entity knew or acted in willful disre-
    46  gard of the fact that the individual was a covered minor; and
    47    (iii) with respect to a covered entity or service provider  that  does
    48  not meet the requirements of subparagraph (i) or (ii) of this paragraph,
    49  actual knowledge.
    50    (b)  For  purposes  of this subdivision, the term "covered high-impact
    51  social media company" means a covered entity that  provides  any  inter-
    52  net-accessible platform where:
    53    (i)  such  covered  entity  generates three billion dollars or more in
    54  annual revenue;

        A. 6319                             6

     1    (ii) such platform has three hundred million or  more  monthly  active
     2  users  for  not  fewer  than three of the preceding twelve months on the
     3  online product or service of such covered entity; and
     4    (iii)  such  platform constitutes an online product or service that is
     5  primarily used by users to access or share, user-generated content.
     6    22. (a) "Large data holder" means a covered entity or service provider
     7  that, in the most recent calendar year:
     8    (i) had annual gross revenues of two hundred fifty million dollars  or
     9  more; and
    10    (ii) collected, processed, or transferred:
    11    (A)  the covered data of more than five million individuals or devices
    12  that identify or are linked or reasonably linkable to one or more  indi-
    13  viduals,  excluding  covered data collected and processed solely for the
    14  purpose of initiating, rendering, billing for,  finalizing,  completing,
    15  or otherwise collecting payment for a requested product or service; and
    16    (B) the sensitive covered data of more than two hundred thousand indi-
    17  viduals or devices that identify or are linked or reasonably linkable to
    18  one or more individuals.
    19    (b)  "Large  data  holder"  does not include any instance in which the
    20  covered entity or service provider would qualify as a large data  holder
    21  solely on the basis of collecting or processing:
    22    (i) personal email addresses;
    23    (ii) personal telephone numbers; or
    24    (iii) log-in information of an individual or device to allow the indi-
    25  vidual  or  device  to  log in to an account administered by the covered
    26  entity or service provider.
    27    (c) For purposes of determining whether any covered entity or  service
    28  provider is a large data holder, the term "revenue", with respect to any
    29  covered  entity  or  service  provider that is not organized to carry on
    30  business for its own profit or that of its members:
    31    (i) means the gross receipts the covered entity  or  service  provider
    32  received,  in  whatever  form, from all sources, without subtracting any
    33  costs or expenses; and
    34    (ii) includes contributions, gifts, grants, dues or other assessments,
    35  income from investments, and proceeds from the sale of real or  personal
    36  property.
    37    23. "Market research" means the collection, processing, or transfer of
    38  covered  data  as  reasonably necessary and proportionate to investigate
    39  the market for or marketing of products, services, or ideas,  where  the
    40  covered data is not:
    41    (a) integrated into any product or service;
    42    (b)  otherwise  used to contact any individual or individual's device;
    43  or
    44    (c) used to advertise or market  to  any  individual  or  individual's
    45  device.
    46    24.  "Material"  means, with respect to an act, practice, or represen-
    47  tation of a covered entity  (including  a  representation  made  by  the
    48  covered entity in a privacy policy or similar disclosure to individuals)
    49  involving  the collection, processing, or transfer of covered data, that
    50  such act, practice, or representation is likely to affect  a  reasonable
    51  individual's decision or conduct regarding a product or service.
    52    25.  (a)  "Precise  geolocation information" means information that is
    53  derived from a device or technology that reveals  the  past  or  present
    54  physical  location  of  an  individual  or  device that identifies or is
    55  linked or reasonably linkable to one or more  individuals,  with  suffi-
    56  cient  precision  to  identify  street  level location information of an

        A. 6319                             7

     1  individual or device or the location of an individual or device within a
     2  range of eighteen hundred fifty feet or less.
     3    (b)  "Precise  geolocation  information"  does not include geolocation
     4  information identifiable or derived solely from the visual content of  a
     5  legally  obtained  image,  including  the  location  of  the device that
     6  captured such image.
     7    26. "Process" means to conduct or direct any operation or set of oper-
     8  ations performed  on  covered  data,  including  analyzing,  organizing,
     9  structuring,  retaining,  storing,  using, or otherwise handling covered
    10  data.
    11    27. "Processing purpose" means a reason for which a covered entity  or
    12  service  provider collects, processes, or transfers covered data that is
    13  specific and granular enough for a reasonable individual  to  understand
    14  the material facts of how and why the covered entity or service provider
    15  collects, processes, or transfers the covered data.
    16    28.  (a) "Publicly available information" means any information that a
    17  covered entity or service provider has a reasonable basis to believe has
    18  been lawfully made available to the general public from:
    19    (i) federal, state, or local government records, if the covered entity
    20  collects, processes, and transfers such information in  accordance  with
    21  any  restrictions or terms of use placed on the information by the rele-
    22  vant government entity;
    23    (ii) widely distributed media;
    24    (iii) a website or online service made available to all members of the
    25  public, for free or for a  fee,  including  where  all  members  of  the
    26  public,  for  free  or  for  a  fee, can log in to the website or online
    27  service;
    28    (iv) a disclosure that has been made to the general public as required
    29  by federal, state, or local law; or
    30    (v) the visual observation of the physical presence of  an  individual
    31  or  a device in a public place, not including data collected by a device
    32  in the individual's possession.
    33    (b)(i) For purposes of this paragraph, information from a  website  or
    34  online  service  is  not  available  to all members of the public if the
    35  individual who made the information available via the website or  online
    36  service has restricted the information to a specific audience.
    37    (ii) "Publicly available information" does not include:
    38    (A)  any obscene visual depiction (as defined in section 1460 of title
    39  18, United States Code);
    40    (B) any inference made exclusively from multiple  independent  sources
    41  of  publicly  available  information that reveals sensitive covered data
    42  with respect to an individual;
    43    (C) biometric information;
    44    (D) publicly available information that has been combined with covered
    45  data;
    46    (E) genetic information, unless otherwise made available by the  indi-
    47  vidual  to  whom  the  information pertains as described in subparagraph
    48  (ii) or (iii) of paragraph (a) of this subdivision; or
    49    (F) intimate images known to be nonconsensual.
    50    29. (a) "Sensitive covered data" means the following types of  covered
    51  data:
    52    (i)  A government-issued identifier, such as a social security number,
    53  passport number, or driver's license number, that is not required by law
    54  to be displayed in public.

        A. 6319                             8

     1    (ii) Any information that describes or reveals the past,  present,  or
     2  future physical health, mental health, disability, diagnosis, or health-
     3  care condition or treatment of an individual.
     4    (iii)  A  financial  account  number,  debit  card number, credit card
     5  number, or information that describes or reveals  the  income  level  or
     6  bank account balances of an individual, except that the last four digits
     7  of  a  debit or credit card number shall not be deemed sensitive covered
     8  data.
     9    (iv) Biometric information.
    10    (v) Genetic information.
    11    (vi) Precise geolocation information.
    12    (vii) An  individual's  private  communications  such  as  voicemails,
    13  emails,  texts, direct messages, or mail, or information identifying the
    14  parties to such communications,  voice  communications,  video  communi-
    15  cations,  and  any information that pertains to the transmission of such
    16  communications, including telephone numbers  called,  telephone  numbers
    17  from  which  calls were placed, the time calls were made, call duration,
    18  and location information of the parties to the call, unless the  covered
    19  entity  or  a service provider acting on behalf of the covered entity is
    20  the sender or an intended recipient  of  the  communication.    Communi-
    21  cations  are  not  private  for purposes of this clause if such communi-
    22  cations are made from or to a device  provided  by  an  employer  to  an
    23  employee  insofar as such employer provides conspicuous notice that such
    24  employer may access such communications.
    25    (viii) Account or device log-in credentials,  or  security  or  access
    26  codes for an account or device.
    27    (ix) Information identifying the sexual behavior of an individual in a
    28  manner inconsistent with the individual's reasonable expectation regard-
    29  ing the collection, processing, or transfer of such information.
    30    (x)  Calendar  information,  address  book  information, phone or text
    31  logs, photos, audio recordings, or videos, maintained for private use by
    32  an individual, regardless of whether such information is stored  on  the
    33  individual's  device  or is accessible from that device and is backed up
    34  in a separate location. Such information is not sensitive  for  purposes
    35  of  this  paragraph  if  such  information  is  sent from or to a device
    36  provided by an employer to an employee insofar as such employer provides
    37  conspicuous notice that it may access such information.
    38    (xi) A photograph, film, video recording, or other similar medium that
    39  shows the naked or undergarment-clad private area of an individual.
    40    (xii) Information revealing the video content requested or selected by
    41  an individual collected by a covered entity that is not a provider of  a
    42  service  described in subdivision four of section fifteen hundred eleven
    43  of this article. This subparagraph does not include  covered  data  used
    44  solely for transfers for independent video measurement.
    45    (xiii)  Information  about  an  individual  when the covered entity or
    46  service provider has knowledge that the individual is a covered minor.
    47    (xiv) An individual's  race,  color,  ethnicity,  religion,  or  union
    48  membership.
    49    (xv)  Information  identifying  an individual's online activities over
    50  time and across third party websites or online services.
    51    (xvi) Any other covered data collected, processed, or transferred  for
    52  the  purpose of identifying the types of covered data listed in subpara-
    53  graphs (i) through (xv) of this paragraph.
    54    (b) The director of the division of consumer protection may promulgate
    55  rules and regulations to include in the definition of "sensitive covered
    56  data" any other type of covered data that may require a similar level of

        A. 6319                             9

     1  protection as the types of covered  data  listed  in  subparagraphs  (i)
     2  through  (xvi)  of  paragraph (a) of this subdivision as a result of any
     3  new method of collecting, processing, or transferring covered data.
     4    30. (a) "Service provider" means a person or entity that:
     5    (i)  collects,  processes, or transfers covered data on behalf of, and
     6  at the direction of, a covered  entity  or  a  federal,  state,  tribal,
     7  territorial, or local government entity; and
     8    (ii)  receives covered data from or on behalf of a covered entity or a
     9  federal, state, tribal, territorial, or local government entity.
    10    (b) A service provider that receives service provider data from anoth-
    11  er service provider as permitted under this article shall be treated  as
    12  a service provider under this article with respect to such data.
    13    31.  "Service  provider  data" means covered data that is collected or
    14  processed by or has been transferred to a  service  provider  by  or  on
    15  behalf  of  a  covered entity, a federal, state, tribal, territorial, or
    16  local government entity, or another service provider for the purpose  of
    17  allowing  the  service provider to whom such covered data is transferred
    18  to perform a service or function on behalf of, and at the direction  of,
    19  such  covered  entity  or  federal, state, tribal, territorial, or local
    20  government entity.
    21    32. The term "state privacy authority" means the director of the divi-
    22  sion of consumer protection.
    23    33. "Substantial privacy risk" means the  collection,  processing,  or
    24  transfer  of  covered data in a manner that may result in any reasonably
    25  foreseeable substantial physical injury, economic injury, highly  offen-
    26  sive  intrusion into the privacy expectations of a reasonable individual
    27  under the circumstances, or discrimination on the basis of race,  color,
    28  religion, national origin, sex, or disability.
    29    34.  (a)  "Targeted  advertising" means presenting to an individual or
    30  device identified by a unique identifier, or groups  of  individuals  or
    31  devices  identified  by unique identifiers, an online advertisement that
    32  is selected based on known or predicted preferences, characteristics, or
    33  interests associated with the individual or a  device  identified  by  a
    34  unique identifier; and
    35    (b) "Targeted advertising" does not include:
    36    (i)  advertising  or  marketing  to  an  individual or an individual's
    37  device in response to the individual's specific request for  information
    38  or feedback;
    39    (ii)  contextual  advertising,  which  is  when  an  advertisement  is
    40  displayed based on the content in which the  advertisement  appears  and
    41  does not vary based on who is viewing the advertisement; or
    42    (iii) processing covered data solely for measuring or reporting adver-
    43  tising or content, performance, reach, or frequency, including independ-
    44  ent measurement.
    45    35.  (a) "Third party" means any person or entity, including a covered
    46  entity, that:
    47    (i) collects, processes, or transfers covered data that the person  or
    48  entity  did  not collect directly from the individual linked or linkable
    49  to such covered data; and
    50    (ii) is not a service provider with respect to such data; and
    51    (b) Third party does not include a  person  or  entity  that  collects
    52  covered  data  from  another  entity  if the two entities are related by
    53  common ownership or corporate control, but only if a reasonable  consum-
    54  er's  reasonable  expectation would be that such entities share informa-
    55  tion.
    56    36. (a) "Third-party collecting entity":

        A. 6319                            10

     1    (i) means a covered  entity  whose  principal  source  of  revenue  is
     2  derived  from  processing  or transferring covered data that the covered
     3  entity did not collect directly from the individuals linked or  linkable
     4  to the covered data; and
     5    (ii)  does  not  include a covered entity insofar as such entity proc-
     6  esses employee data  collected  by  and  received  from  a  third  party
     7  concerning  any individual who is an employee of the third party for the
     8  sole purpose of such third party providing benefits to the employee.
     9    (b) For purposes of this subdivision, the term  "principal  source  of
    10  revenue" means, for the prior twelve-month period, either:
    11    (i) more than fifty percent of all revenue of the covered entity; or
    12    (ii)  obtaining  revenue  from  processing or transferring the covered
    13  data of more than five million individuals that the covered  entity  did
    14  not  collect  directly  from  the  individuals linked or linkable to the
    15  covered data.
    16    (c) An entity may not be considered to  be  a  third-party  collecting
    17  entity for purposes of this article if the entity is acting as a service
    18  provider.
    19    37. "Third party data" means covered data that has been transferred to
    20  a third party.
    21    38.  "Transfer"  means  to disclose, release, disseminate, make avail-
    22  able, license, rent, or share covered data orally, in writing, electron-
    23  ically, or by any other means.
    24    39. "Unique identifier":
    25    (a) means an identifier to the extent that such identifier is  reason-
    26  ably linkable to an individual or device that identifies or is linked or
    27  reasonably linkable to one or more individuals, including a device iden-
    28  tifier,  internet protocol address, cookie, beacon, pixel tag, mobile ad
    29  identifier, or similar technology, customer  number,  unique  pseudonym,
    30  user alias, telephone number, or other form of persistent or probabilis-
    31  tic identifier that is linked or reasonably linkable to an individual or
    32  device; and
    33    (b)  does  not  include an identifier assigned by a covered entity for
    34  the specific purpose of giving effect to  an  individual's  exercise  of
    35  affirmative  express  consent or opt-outs of the collection, processing,
    36  and transfer of covered data pursuant to section fifteen  hundred  twen-
    37  ty-three  of this article or otherwise limiting the collection, process-
    38  ing, or transfer of such information.
    39    40. "Widely distributed media" means information that is available  to
    40  the  general  public,  including  information  from  a telephone book or
    41  online directory, a television, internet, or  radio  program,  the  news
    42  media, or an internet site that is available to the general public on an
    43  unrestricted basis, but does not include an obscene visual depiction (as
    44  defined in section 1460 of title 18, United States Code).
    45                                  TITLE II
    46                               DUTY OF LOYALTY
    47  Section 1510. Data minimization.
    48          1511. Loyalty duties.
    49          1512. Privacy by design.
    50          1513. Loyalty to individuals with respect to pricing.
    51    §  1510. Data minimization. 1. A covered entity may not collect, proc-
    52  ess, or transfer covered data  unless  the  collection,  processing,  or
    53  transfer  is  limited  to what is reasonably necessary and proportionate
    54  to:
    55    (a) provide or maintain a specific product or service requested by the
    56  individual to whom the data pertains; or

        A. 6319                            11

     1    (b) effect a purpose permitted under subdivision two of this section.
     2    2. A covered entity may collect, process, or transfer covered data for
     3  any of the following purposes if the collection, processing, or transfer
     4  is  limited  to  what  is reasonably necessary and proportionate to such
     5  purpose:
     6    (a) To initiate, manage, or complete a transaction or fulfill an order
     7  for specific products or services requested by an individual,  including
     8  any  associated routine administrative, operational, and account-servic-
     9  ing activity such as billing, shipping, delivery, storage, and  account-
    10  ing.
    11    (b)  With  respect  to covered data previously collected in accordance
    12  with this article, notwithstanding this exception:
    13    (i) to process such data as necessary to perform system maintenance or
    14  diagnostics;
    15    (ii) to develop, maintain, repair, or enhance a product or service for
    16  which such data was collected;
    17    (iii) to conduct internal research or analytics to improve  a  product
    18  or service for which such data was collected;
    19    (iv) to perform inventory management or reasonable network management;
    20    (v) to protect against spam; or
    21    (vi)  to  debug  or  repair  errors that impair the functionality of a
    22  service or product for which such data was collected.
    23    (c) To authenticate users of a product or service.
    24    (d) To fulfill a product or service warranty.
    25    (e) To prevent, detect, protect against,  or  respond  to  a  security
    26  incident. For purposes of this paragraph, security is defined as network
    27  security  and  physical security and life safety, including an intrusion
    28  or trespass, medical alerts, fire alarms, and access control security.
    29    (f) To prevent, detect, protect against, or respond to fraud,  harass-
    30  ment,  or  illegal  activity.   For purposes of this paragraph, the term
    31  "illegal activity" means a violation of a federal, state, or  local  law
    32  punishable as a felony or misdemeanor that can directly harm.
    33    (g)  To  comply  with  a  legal obligation imposed by federal, tribal,
    34  local, or state law, or to investigate, establish,  prepare  for,  exer-
    35  cise,  or  defend  legal  claims involving the covered entity or service
    36  provider.
    37    (h) To prevent an individual, or group of individuals, from  suffering
    38  harm where the covered entity or service provider believes in good faith
    39  that the individual, or group of individuals, is at risk of death, seri-
    40  ous physical injury, or other serious health risk.
    41    (i) To effectuate a product recall pursuant to federal or state law.
    42    (j)  (i)  To conduct a public or peer-reviewed scientific, historical,
    43  or statistical research project that:
    44    (A) is in the public interest; and
    45    (B) adheres to  all  relevant  laws  and  regulations  governing  such
    46  research, including regulations for the protection of human subjects, or
    47  is excluded from criteria of the institutional review board.
    48    (ii)  Not  later than eighteen months after the effective date of this
    49  article, the division should issue guidelines to help  covered  entities
    50  ensure  the  privacy of affected users and the security of covered data,
    51  particularly as data is being transferred to and stored by  researchers.
    52  Such  guidelines should consider risks as they pertain to projects using
    53  covered data with special considerations for projects  that  are  exempt
    54  under  part  46  of title 45, Code of Federal Regulations (Protection of
    55  Human Subjects under United States Law) (or any successor regulation) or
    56  are excluded from the criteria for institutional review board review.

        A. 6319                            12

     1    (k) To deliver a communication that is  not  an  advertisement  to  an
     2  individual,  if the communication is reasonably anticipated by the indi-
     3  vidual within the context of  the  individual's  interactions  with  the
     4  covered entity.
     5    (l)  To  deliver  a  communication  at  the direction of an individual
     6  between such individual and one or more individuals or entities.
     7    (m) To transfer assets to a third party in the context  of  a  merger,
     8  acquisition,  bankruptcy,  or  similar  transaction when the third party
     9  assumes control, in whole or in part, of the  covered  entity's  assets,
    10  only if the covered entity, in a reasonable time prior to such transfer,
    11  provides each affected individual with:
    12    (i) a notice describing such transfer, including the name of the enti-
    13  ty or entities receiving the individual's covered data and their privacy
    14  policies  as  described  in  section  fifteen hundred twenty-one of this
    15  article; and
    16    (ii)  a  reasonable  opportunity  to  withdraw  any  previously  given
    17  consents  in  accordance  with  the  requirements of affirmative express
    18  consent under this article related to the individual's covered data  and
    19  a  reasonable  opportunity  to  request the deletion of the individual's
    20  covered data, as described in section fifteen hundred twenty-two of this
    21  article.
    22    (n) To ensure the data security and  integrity  of  covered  data,  as
    23  described in section fifteen hundred twenty-seven of this article.
    24    (o)  With  respect  to covered data previously collected in accordance
    25  with this article, a service provider  acting  at  the  direction  of  a
    26  government  entity,  or  a  service provided to a government entity by a
    27  covered entity, and only insofar as authorized by statute,  to  prevent,
    28  detect,  protect against or respond to a public safety incident, includ-
    29  ing trespass, natural disaster,  or  national  security  incident.  This
    30  paragraph  does  not  permit,  however, the transfer of covered data for
    31  payment or other valuable consideration to a government entity.
    32    (p) With respect to covered data collected  in  accordance  with  this
    33  article,  notwithstanding this exception, to process such data as neces-
    34  sary to provide first party advertising  or  marketing  of  products  or
    35  services provided by the covered entity for individuals who are not-cov-
    36  ered minors.
    37    (q)  With  respect  to covered data previously collected in accordance
    38  with this article, notwithstanding  this  exception  and  provided  such
    39  collection,  processing,  and  transferring  otherwise complies with the
    40  requirements of this article, including  subdivision  three  of  section
    41  fifteen hundred twenty-three of this article, to provide targeted adver-
    42  tising.
    43    3.  The  division  shall  issue  guidance regarding what is reasonably
    44  necessary and proportionate to comply with this section.  Such  guidance
    45  shall take into consideration:
    46    (a)  the  size of, and the nature, scope, and complexity of the activ-
    47  ities engaged in by, the covered entity, including whether  the  covered
    48  entity  is  a  large data holder, nonprofit organization, covered entity
    49  meeting the requirements of section fifteen hundred twenty-eight of this
    50  article, third party, or third-party collecting entity;
    51    (b) the sensitivity of covered data collected,  processed,  or  trans-
    52  ferred by the covered entity;
    53    (c) the volume of covered data collected, processed, or transferred by
    54  the covered entity; and
    55    (d)  the  number  of individuals and devices to which the covered data
    56  collected, processed, or transferred by the covered entity relates.

        A. 6319                            13

     1    4. A covered entity or service provider may not  engage  in  deceptive
     2  advertising or marketing with respect to a product or service offered to
     3  an individual.
     4    5.  Nothing  in  this  article shall be construed to limit or diminish
     5  First Amendment freedoms guaranteed under the Constitution of the United
     6  States or under the state constitution.
     7    § 1511. Loyalty duties. 1. Notwithstanding the provisions  of  section
     8  fifteen hundred ten of this title, and unless an exception applies, with
     9  respect to covered data, a covered entity or service provider may not:
    10    (a)  collect,  process,  or  transfer a social security number, except
    11  when necessary to facilitate an  extension  of  credit,  authentication,
    12  fraud  and  identity  fraud  detection  and  prevention,  the payment or
    13  collection of taxes, the enforcement of a contract between  parties,  or
    14  the prevention, investigation, or prosecution of fraud or illegal activ-
    15  ity, or as otherwise required by federal, state, or local law;
    16    (b)  collect  or  process  sensitive  covered  data, except where such
    17  collection or processing is strictly necessary to provide or maintain  a
    18  specific  product  or  service  requested  by the individual to whom the
    19  covered data pertains, or is strictly  necessary  to  effect  a  purpose
    20  enumerated in paragraphs (a) through (l) and (n) through (o) of subdivi-
    21  sion two of section fifteen hundred ten of this article;
    22    (c)  transfer an individual's sensitive covered data to a third party,
    23  unless:
    24    (i) the transfer is made pursuant to the affirmative  express  consent
    25  of the individual;
    26    (ii)  the  transfer  is  necessary  to  comply with a legal obligation
    27  imposed by federal, state, tribal, or local law, or to establish,  exer-
    28  cise, or defend legal claims;
    29    (iii) the transfer is necessary to prevent an individual from imminent
    30  injury where the covered entity believes in good faith that the individ-
    31  ual  is  at  risk  of  death, serious physical injury, or serious health
    32  risk;
    33    (iv) with respect to covered data collected in  accordance  with  this
    34  article,  notwithstanding  this  exception, a service provider acting at
    35  the direction of a government entity, or a service provided to a govern-
    36  ment entity by a covered entity, and only insofar as authorized by stat-
    37  ute, the transfer is necessary to prevent, detect,  protect  against  or
    38  respond  to  a public safety incident including trespass, natural disas-
    39  ter, or national security incident.   This paragraph  does  not  permit,
    40  however,  the  transfer  of  covered  data for payment or other valuable
    41  consideration to a government entity;
    42    (v) in the case of the transfer of a password, the transfer is  neces-
    43  sary  to use a designated password manager or is to a covered entity for
    44  the exclusive purpose of identifying passwords that  are  being  re-used
    45  across sites or accounts;
    46    (vi)  in the case of the transfer of genetic information, the transfer
    47  is necessary to perform a medical diagnosis or medical treatment specif-
    48  ically requested by an individual, or to  conduct  medical  research  in
    49  accordance  with  conditions  of  paragraph  (j)  of  subdivision two of
    50  section fifteen hundred ten of this title; or
    51    (vii) to transfer assets in the manner described in paragraph  (m)  of
    52  subdivision two of section fifteen hundred ten of this title; or
    53    (d)  in  the case of a provider of broadcast television service, cable
    54  service, satellite service, streaming  media  service,  or  other  video
    55  programming service described in section 713(h)(2) of the Communications
    56  Act  of  1934  (47  U.S.C. 613(h)(2)), transfer to an unaffiliated third

        A. 6319                            14

     1  party covered data that reveals the video content or services  requested
     2  or selected by an individual from such service, except with the affirma-
     3  tive express consent of the individual or pursuant to one of the permis-
     4  sible  purposes  enumerated in paragraphs (a) through (o) of subdivision
     5  two of section fifteen hundred ten of this title.
     6    § 1512. Privacy by design. 1. A covered entity and a service  provider
     7  shall establish, implement, and maintain reasonable policies, practices,
     8  and  procedures  that  reflect the role of the covered entity or service
     9  provider in the collection, processing, and transferring of covered data
    10  and that:
    11    (a) consider applicable federal laws, rules, or regulations related to
    12  covered data the covered entity or service provider collects, processes,
    13  or transfers;
    14    (b) identify, assess, and mitigate privacy risks  related  to  covered
    15  minors  (including, if applicable, with respect to a covered entity that
    16  is not an entity meeting the requirements  of  section  fifteen  hundred
    17  twenty-eight  of  this  article, in a manner that considers the develop-
    18  mental needs of different age ranges of covered  minors)  to  result  in
    19  reasonably necessary and proportionate residual risk to covered minors;
    20    (c)  mitigate  privacy  risks,  including  substantial  privacy risks,
    21  related to the products and  services  of  the  covered  entity  or  the
    22  service  provider, including in the design, development, and implementa-
    23  tion of such products and services, taking into account the role of  the
    24  covered  entity or service provider and the information available to it;
    25  and
    26    (d) implement reasonable training and safeguards  within  the  covered
    27  entity  and service provider to promote compliance with all privacy laws
    28  applicable to covered data the covered entity  collects,  processes,  or
    29  transfers  or  covered data the service provider collects, processes, or
    30  transfers on behalf of the covered entity and  mitigate  privacy  risks,
    31  including substantial privacy risks, taking into account the role of the
    32  covered entity or service provider and the information available to it.
    33    2.  The  policies,  practices, and procedures established by a covered
    34  entity and a service provider under subdivision  one  of  this  section,
    35  shall correspond with, as applicable:
    36    (a)  the  size  of  the covered entity or the service provider and the
    37  nature, scope, and complexity  of  the  activities  engaged  in  by  the
    38  covered entity or service provider, including whether the covered entity
    39  or  service  provider  is  a  large data holder, nonprofit organization,
    40  entity meeting the requirements of section fifteen hundred  twenty-eight
    41  of  this  article, third party, or third-party collecting entity, taking
    42  into account the role of the covered entity or service provider and  the
    43  information available to it;
    44    (b)  the  sensitivity  of  the  covered  data collected, processed, or
    45  transferred by the covered entity or service provider;
    46    (c) the volume of covered data collected, processed, or transferred by
    47  the covered entity or service provider;
    48    (d) the number of individuals and devices to which  the  covered  data
    49  collected,  processed,  or  transferred by the covered entity or service
    50  provider relates; and
    51    (e) the cost of implementing such policies, practices, and  procedures
    52  in relation to the risks and nature of the covered data.
    53    3.  Not  later than one year after the date of enactment of this arti-
    54  cle, the division shall issue guidance as to what constitutes reasonable
    55  policies, practices, and procedures as required  by  this  section.  The
    56  division  shall  consider  unique  circumstances applicable to nonprofit

        A. 6319                            15

     1  organizations, to entities meeting the requirements of  section  fifteen
     2  hundred twenty-eight of this article, and to service providers.
     3    §  1513.  Loyalty to individuals with respect to pricing. 1. A covered
     4  entity may not retaliate against an individual for exercising any of the
     5  rights guaranteed by this article, or any regulations promulgated  under
     6  this  article,  including  denying goods or services, charging different
     7  prices or rates for goods or services, or providing a different level of
     8  quality of goods or services.
     9    2. Nothing in subdivision one of this section may be construed to:
    10    (a) prohibit the relation of the price of a service or  the  level  of
    11  service  provided  to an individual to the provision, by the individual,
    12  of financial information that is  necessarily  collected  and  processed
    13  only  for the purpose of initiating, rendering, billing for, or collect-
    14  ing payment for a service or product requested by the individual;
    15    (b) prohibit a covered entity from offering a different  price,  rate,
    16  level,  quality  or  selection  of  goods  or services to an individual,
    17  including offering goods or services for no fee, if the offering  is  in
    18  connection  with  an individual's voluntary participation in a bona fide
    19  loyalty program;
    20    (c) require a covered entity to provide a bona  fide  loyalty  program
    21  that  would  require the covered entity to collect, process, or transfer
    22  covered data that the covered entity otherwise would not collect,  proc-
    23  ess, or transfer;
    24    (d)  prohibit  a covered entity from offering a financial incentive or
    25  other  consideration  to  an  individual  for  participation  in  market
    26  research;
    27    (e) prohibit a covered entity from offering different types of pricing
    28  or  functionalities  with  respect  to  a product or service based on an
    29  individual's exercise of a right under paragraph (c) of subdivision 1 of
    30  section fifteen hundred twenty-two of this article; or
    31    (f) prohibit a covered entity from declining to provide a  product  or
    32  service  insofar  as  the  collection  and processing of covered data is
    33  strictly necessary for such product or service.
    34    3. For purposes of this section, the term "bona fide loyalty  program"
    35  includes rewards, premium features, discount or club card programs.

    36                                  TITLE III
    37                            CONSUMER DATA RIGHTS
    38  Section 1520. Consumer awareness.
    39          1521. Transparency.
    40          1522. Individual data ownership and control.
    41          1523. Right to consent and object.
    42          1524. Data protections for children and minors.
    43          1525. Third-party collecting entities.
    44          1526. Civil rights and algorithms.
    45          1527. Data security and protection of covered data.
    46          1528. Small business protections.
    47          1529. Unified opt-out mechanisms.
    48    §  1520. Consumer  awareness.  1. Not later than ninety days after the
    49  effective date of this article,  the  division  shall  publish,  on  the
    50  public website of the division, a webpage that describes each provision,
    51  right,  obligation,  and  requirement of this article, listed separately
    52  for individuals and for covered entities and service providers, and  the
    53  remedies,  exemptions,  and protections associated with this article, in
    54  plain and concise language and in an easy-to-understand manner.

        A. 6319                            16

     1    2. The division shall update the information published under  subdivi-
     2  sion  one  of  this  section on a quarterly basis as necessitated by any
     3  change in law, regulation, guidance, or judicial decisions.
     4    3. The division shall publish the information required to be published
     5  under subdivision one of this section in the ten languages with the most
     6  users in the state, according to the most recent United States Census.
     7    §  1521. Transparency.  1.  Each  covered  entity  shall make publicly
     8  available, in a clear, conspicuous, not misleading, and easy-to-read and
     9  readily accessible manner, a privacy policy that provides a detailed and
    10  accurate representation of the data collection, processing, and transfer
    11  activities of the covered entity.
    12    2. A covered entity or service provider shall have  a  privacy  policy
    13  that includes, at a minimum, the following:
    14    (a) The identity and the contact information of:
    15    (i) the covered entity or service provider to which the privacy policy
    16  applies  (including the covered entity's or service provider's points of
    17  contact and generic electronic mail addresses, as applicable for privacy
    18  and data security inquiries); and
    19    (ii) any other entity within  the  same  corporate  structure  as  the
    20  covered  entity or service provider to which covered data is transferred
    21  by the covered entity.
    22    (b) The categories of covered  data  the  covered  entity  or  service
    23  provider collects or processes.
    24    (c)  The  processing  purposes  for  each category of covered data the
    25  covered entity or service provider collects or processes.
    26    (d) Whether the covered entity or service provider  transfers  covered
    27  data  and,  if  so, each category of service provider and third party to
    28  which the covered entity or service provider transfers covered data, the
    29  name of each third-party collecting entity to which the  covered  entity
    30  or  service  provider transfers covered data, and the purposes for which
    31  such data is transferred to such categories  of  service  providers  and
    32  third  parties or third-party collecting entities, except for a transfer
    33  to a governmental entity pursuant to a court order or law that prohibits
    34  the covered entity or service provider from disclosing such transfer.
    35    (e) The length of time the covered entity or service provider  intends
    36  to  retain  each  category  of covered data, including sensitive covered
    37  data, or, if it is not possible to identify that timeframe, the criteria
    38  used to determine the length of  time  the  covered  entity  or  service
    39  provider intends to retain categories of covered data.
    40    (f)  A  prominent  description  of  how an individual can exercise the
    41  rights described in this article.
    42    (g) A general description of the covered entity's or  service  provid-
    43  er's data security practices.
    44    (h) The effective date of the privacy policy.
    45    (i) Whether or not any covered data collected by the covered entity or
    46  service  provider  is transferred to, processed in, stored in, or other-
    47  wise accessible to the People's Republic  of  China,  Russia,  Iran,  or
    48  North Korea.
    49    3.  The  privacy policy required under subdivision one of this section
    50  shall be made available to the public in each covered language in  which
    51  the covered entity or service provider:
    52    (a) provides a product or service that is subject to the privacy poli-
    53  cy; or
    54    (b) carries out activities related to such product or service.

        A. 6319                            17

     1    4.  The  covered  entity  or  service  provider shall also provide the
     2  disclosures under this section in a manner that is reasonably accessible
     3  to and usable by individuals with disabilities.
     4    5.  (a)  If  a  covered  entity makes a material change to its privacy
     5  policy or practices, the covered entity  shall  notify  each  individual
     6  affected by such material change before implementing the material change
     7  with  respect to any prospectively collected covered data and, except as
     8  provided in paragraphs (a) through (o) of  subdivision  two  of  section
     9  fifteen  hundred  ten  of this article, provide a reasonable opportunity
    10  for each individual  to  withdraw  consent  to  any  further  materially
    11  different  collection,  processing,  or transfer of previously collected
    12  covered data under the changed policy.
    13    (b) The covered entity shall take all reasonable  electronic  measures
    14  to provide direct notification regarding material changes to the privacy
    15  policy  to  each  affected individual, in each covered language in which
    16  the privacy policy is made available, and taking into account  available
    17  technology and the nature of the relationship.
    18    (c)  Nothing  in  this section may be construed to affect the require-
    19  ments for covered entities  under  section  fifteen  hundred  eleven  or
    20  fifteen hundred twenty-three of this article.
    21    (d) Each large data holder shall retain copies of previous versions of
    22  its  privacy  policy  for at least ten years beginning after the date of
    23  enactment of this article and publish them on its  website.  Such  large
    24  data  holder shall make publicly available, in a clear, conspicuous, and
    25  readily accessible manner, a log describing the date and nature of  each
    26  material  change  to  its  privacy  policy  over the past ten years. The
    27  descriptions shall be sufficient for a reasonable individual  to  under-
    28  stand  the  material effect of each material change.  The obligations in
    29  this paragraph shall not apply to any previous versions of a large  data
    30  holder's  privacy  policy,  or any material changes to such policy, that
    31  precede the date of enactment of this article.
    32    6. (a) In addition to the privacy policy  required  under  subdivision
    33  one  of this section, a large data holder that is a covered entity shall
    34  provide a short-form notice of its covered data practices  in  a  manner
    35  that is:
    36    (i) concise, clear, conspicuous, and not misleading;
    37    (ii) readily accessible to the individual, based on what is reasonably
    38  anticipated  within the context of the relationship between the individ-
    39  ual and the large data holder;
    40    (iii) inclusive of an overview of individual rights and disclosures to
    41  reasonably draw attention to data practices that may reasonably be unex-
    42  pected to a reasonable person or that involve  sensitive  covered  data;
    43  and
    44    (iv) no more than five hundred words in length.
    45    (b)  The  division shall promulgate rules and regulations establishing
    46  the  minimum  data  disclosures  necessary  for  the  short-form  notice
    47  required under paragraph (a) of this subdivision, which shall not exceed
    48  the  content  requirements  in subdivision two of this section and shall
    49  include templates or models of short-form notices.
    50    § 1522. Individual data ownership and control. 1. In  accordance  with
    51  subdivisions  two  and  three  of  this  section, a covered entity shall
    52  provide an individual, after receiving a verified request from the indi-
    53  vidual, with the right to:
    54    (a) access:
    55    (i) in a human-readable format that a reasonable individual can under-
    56  stand and download from the internet, the covered data  (except  covered

        A. 6319                            18

     1  data  in  a  back-up  or  archival  system) of the individual making the
     2  request that is collected, processed,  or  transferred  by  the  covered
     3  entity  or any service provider of the covered entity within the twenty-
     4  four months preceding the request;
     5    (ii)  the  categories of any third party, if applicable, and an option
     6  for consumers to obtain the names of any such third party as well as and
     7  the categories of any service providers to whom the covered  entity  has
     8  transferred  for  consideration  the  covered data of the individual, as
     9  well as the categories of  sources  from  which  the  covered  data  was
    10  collected; and
    11    (iii) a description of the purpose for which the covered entity trans-
    12  ferred  the  covered  data of the individual to a third party or service
    13  provider;
    14    (b) correct any verifiable  substantial  inaccuracy  or  substantially
    15  incomplete  information with respect to the covered data of the individ-
    16  ual that is processed by the covered entity  and  instruct  the  covered
    17  entity to make reasonable efforts to notify all third parties or service
    18  providers  to  which the covered entity transferred such covered data of
    19  the corrected information;
    20    (c) delete covered data of the individual that  is  processed  by  the
    21  covered  entity  and  instruct  the  covered  entity  to make reasonable
    22  efforts to notify all third parties or service  provider  to  which  the
    23  covered  entity  transferred  such  covered  data  of  the  individual's
    24  deletion request; and
    25    (d) to the extent technically feasible, export to  the  individual  or
    26  directly  to  another  entity the covered data of the individual that is
    27  processed by the covered entity, including inferences linked or  reason-
    28  ably  linkable  to  the individual but not including other derived data,
    29  without licensing restrictions that limit such transfers in:
    30    (i) a human-readable format that a reasonable  individual  can  under-
    31  stand and download from the internet; and
    32    (ii)  a  portable,  structured,  interoperable,  and  machine-readable
    33  format.
    34    2. A covered entity may not condition, effectively condition,  attempt
    35  to  condition,  or  attempt  to  effectively condition the exercise of a
    36  right described in subdivision one of this section through:
    37    (a) the use  of  any  false,  fictitious,  fraudulent,  or  materially
    38  misleading statement or representation; or
    39    (b)  the  design,  modification, or manipulation of any user interface
    40  with the purpose or substantial  effect  of  obscuring,  subverting,  or
    41  impairing a reasonable individual's autonomy, decision making, or choice
    42  to exercise such right.
    43    3.  (a)  Subject  to  subdivisions four and five of this section, each
    44  request under subdivision one of this section shall be completed by any:
    45    (i) large data holder within forty-five days of such request  from  an
    46  individual,  unless  it  is  demonstrably impracticable or impracticably
    47  costly to verify such individual;
    48    (ii) covered entity that is not a large data holder or a covered enti-
    49  ty meeting the requirements of section fifteen hundred  twenty-eight  of
    50  this  title within sixty days of such request from an individual, unless
    51  it is demonstrably impracticable or impracticably costly to verify  such
    52  individual; or
    53    (iii)  covered  entity  meeting  the  requirements  of section fifteen
    54  hundred twenty-eight of this title within ninety days  of  such  request
    55  from an individual, unless it is demonstrably impracticable or impracti-
    56  cably costly to verify such individual.

        A. 6319                            19

     1    (b)  A  response  period  set forth in this subsection may be extended
     2  once by forty-five additional days when reasonably necessary,  consider-
     3  ing  the  complexity and number of the individual's requests, so long as
     4  the covered entity informs the individual of any such  extension  within
     5  the initial forty-five-day response period, together with the reason for
     6  the extension.
     7    4. A covered entity:
     8    (a)  shall provide an individual with the opportunity to exercise each
     9  of the rights described in subdivision one of this section; and
    10    (b) with respect to:
    11    (i) the first  two  times  that  an  individual  exercises  any  right
    12  described in subdivision one of this section in any twelve-month period,
    13  shall allow the individual to exercise such right free of charge; and
    14    (ii)  any  time beyond the initial two times described in subparagraph
    15  (i) of this paragraph, may allow the individual to exercise  such  right
    16  for a reasonable fee for each request.
    17    5.  (a)  A  covered  entity may not permit an individual to exercise a
    18  right described in subdivision one of this section, in whole or in part,
    19  if the covered entity:
    20    (i) cannot reasonably verify that the individual making the request to
    21  exercise the right is the individual whose covered data is  the  subject
    22  of the request or an individual authorized to make such a request on the
    23  individual's behalf;
    24    (ii)  reasonably believes that the request is made to interfere with a
    25  contract between the covered entity and another individual;
    26    (iii) determines that the exercise of the right would  require  access
    27  to or correction of another individual's sensitive covered data;
    28    (iv)  reasonably believes that the exercise of the right would require
    29  the covered entity to engage in an unfair or  deceptive  practice  under
    30  section 5 of the Federal Trade Division Act (15 U.S.C. 45); or
    31    (v)  reasonably  believes  that  the request is made to further fraud,
    32  support criminal activity, or the exercise of the right presents a  data
    33  security threat.
    34    (b)  If  a  covered  entity cannot reasonably verify that a request to
    35  exercise a right described in subdivision one of this section is made by
    36  the individual whose covered data is the subject of the request  (or  an
    37  individual  authorized  to  make  such  a  request  on  the individual's
    38  behalf), the covered entity:
    39    (i) may request that the individual making the request to exercise the
    40  right provide any additional information necessary for the sole  purpose
    41  of verifying the identity of the individual; and
    42    (ii)  may  not process or transfer such additional information for any
    43  other purpose.
    44    (c) (i) A covered entity may decline, with adequate explanation to the
    45  individual, to comply with a request to exercise a  right  described  in
    46  subdivision one of this section, in whole or in part, that would:
    47    (A)  require  the  covered entity to retain any covered data collected
    48  for a single, one-time transaction, if such covered data  is  not  proc-
    49  essed  or  transferred  by the covered entity for any purpose other than
    50  completing such transaction;
    51    (B) be demonstrably impracticable or prohibitively  costly  to  comply
    52  with,  and  the covered entity shall provide a description to the reque-
    53  stor detailing the inability to comply with the request;
    54    (C) require the covered entity to attempt to re-identify de-identified
    55  data;

        A. 6319                            20

     1    (D) require the covered entity to maintain covered data  in  an  iden-
     2  tifiable  form  or  collect,  retain,  or access any data in order to be
     3  capable of associating a verified individual request with  covered  data
     4  of such individual;
     5    (E)  result  in  the  release  of trade secrets or other privileged or
     6  confidential business information;
     7    (F) require the covered entity to correct any covered data that cannot
     8  be reasonably verified as being inaccurate or incomplete;
     9    (G) interfere with law  enforcement,  judicial  proceedings,  investi-
    10  gations,  or  reasonable  efforts  to guard against, detect, prevent, or
    11  investigate fraudulent, malicious,  or  unlawful  activity,  or  enforce
    12  valid contracts;
    13    (H) violate federal or state law or the rights and freedoms of another
    14  individual, including under the Constitution of the United States or the
    15  state constitution;
    16    (I)  prevent  a covered entity from being able to maintain a confiden-
    17  tial record of deletion requests, maintained solely for the  purpose  of
    18  preventing  covered  data  of an individual from being recollected after
    19  the individual submitted a  deletion  request  and  requested  that  the
    20  covered entity no longer collect, process, or transfer such data;
    21    (J) fall within an exception enumerated in the regulations promulgated
    22  by the division pursuant to subparagraph (iv) of this subdivision; or
    23    (K) with respect to requests for deletion:
    24    (I)  unreasonably interfere with the provision of products or services
    25  by the covered entity to another person it currently serves;
    26    (II) delete covered data that relates to a public figure and for which
    27  the requesting individual has no reasonable expectation of privacy;
    28    (III) delete covered data reasonably necessary to perform  a  contract
    29  between the covered entity and the individual;
    30    (IV)  delete  covered  data that the covered entity needs to retain in
    31  order to comply with professional ethical obligations;
    32    (V) delete covered data that the covered  entity  reasonably  believes
    33  may be evidence of unlawful activity or an abuse of the covered entity's
    34  products or services; or
    35    (VI)  for private elementary and secondary schools as defined by state
    36  law and private institutions of higher education as defined by  title  I
    37  of  the  Higher  Education  Act  of 1965, delete covered data that would
    38  unreasonably interfere with the provision of education  services  by  or
    39  the ordinary operation of the school or institution.
    40    (ii)  In a circumstance that would allow a denial pursuant to subpara-
    41  graph (i) of this subdivision, a covered entity shall  partially  comply
    42  with  the  remainder  of  the  request  if it is possible and not unduly
    43  burdensome to do so.
    44    (iii) For purposes of clause (B) of subparagraph  (i)  of  this  para-
    45  graph,  the  receipt of a large number of verified requests, on its own,
    46  may not be considered to render compliance with a  request  demonstrably
    47  impracticable.
    48    (iv) The division may, by regulation as described in subdivision seven
    49  of this section, establish additional permissive exceptions necessary to
    50  protect  the  rights  of individuals, alleviate undue burdens on covered
    51  entities, prevent unjust or unreasonable outcomes from the  exercise  of
    52  access,  correction,  deletion,  or  portability rights, or as otherwise
    53  necessary to fulfill the purposes of this section. In establishing  such
    54  exceptions,  the  division should consider any relevant changes in tech-
    55  nology, means for protecting privacy and other  rights,  and  beneficial
    56  uses of covered data by covered entities.

        A. 6319                            21

     1    6. A large data holder that is a covered entity shall, for each calen-
     2  dar year in which it was a large data holder, do the following:
     3    (a) Compile the following metrics for the prior calendar year:
     4    (i)  The  number  of  verified  access requests under paragraph (a) of
     5  subdivision one of this section.
     6    (ii) The number of verified deletion requests under paragraph  (c)  of
     7  subdivision one of this section.
     8    (iii)  The  number  of  requests  to opt-out of covered data transfers
     9  under subdivision two of section fifteen hundred  twenty-three  of  this
    10  title.
    11    (iv)  The  number of requests to opt-out of targeted advertising under
    12  subdivision three of section fifteen hundred twenty-three of this title.
    13    (v) The number of requests in each of subparagraphs (i)  through  (iv)
    14  of this paragraph that such large data holder (A) complied with in whole
    15  or in part and (B) denied.
    16    (vi)  The  median  or mean number of days within which such large data
    17  holder substantively responded to the requests in each of  subparagraphs
    18  (i) through (iv) of this paragraph.
    19    (b) Disclose by July first of each applicable calendar year the infor-
    20  mation  compiled  in paragraph (a) of this subdivision within such large
    21  data holder's privacy policy  required  under  section  fifteen  hundred
    22  twenty-one  of  this title or on the publicly accessible website of such
    23  large data holder that is accessible from a hyperlink  included  in  the
    24  privacy policy.
    25    7.  Not later than two years after the effective date of this article,
    26  the division shall promulgate rules  and  regulations  as  necessary  to
    27  establish  processes  by  which  covered entities are to comply with the
    28  provisions of this section. Such regulations shall take  into  consider-
    29  ation:
    30    (a)  the  size of, and the nature, scope, and complexity of the activ-
    31  ities engaged in by the covered entity, including  whether  the  covered
    32  entity  is  a  large data holder, nonprofit organization, covered entity
    33  meeting the requirements of section fifteen hundred twenty-eight of this
    34  title, third party, or third-party collecting entity;
    35    (b) the sensitivity of covered data collected,  processed,  or  trans-
    36  ferred by the covered entity;
    37    (c) the volume of covered data collected, processed, or transferred by
    38  the covered entity;
    39    (d)  the  number  of individuals and devices to which the covered data
    40  collected, processed, or transferred by the covered entity relates; and
    41    (e) after consulting the National Institute of Standards and Technolo-
    42  gy, standards for ensuring the deletion of covered data under this arti-
    43  cle where appropriate.
    44    8. A covered entity shall facilitate the  ability  of  individuals  to
    45  make  requests  under  subdivision  one  of  this section in any covered
    46  language in which the covered entity provides a product or service.  The
    47  mechanisms  by  which  a  covered  entity  enables  individuals  to make
    48  requests under subdivision one of this section shall be readily accessi-
    49  ble and usable by individuals with disabilities.
    50    § 1523. Right to consent and object. 1. A covered entity shall provide
    51  an individual with a clear and  conspicuous,  easy-to-execute  means  to
    52  withdraw  any  affirmative  express  consent  previously provided by the
    53  individual that is as easy to execute by a reasonable individual as  the
    54  means  to provide consent, with respect to the processing or transfer of
    55  the covered data of the individual.
    56    2. (a) A covered entity:

        A. 6319                            22

     1    (i) may not transfer or direct the transfer of the covered data of  an
     2  individual  to  a third party if the individual objects to the transfer;
     3  and
     4    (ii) shall allow an individual to object to such a transfer through an
     5  opt-out  mechanism,  as described in section fifteen hundred twenty-nine
     6  of this title.
     7    (b) Except as provided in  subparagraph  (iii)  of  paragraph  (c)  of
     8  subdivision  two of section fifteen hundred twenty-five of this title, a
     9  covered  entity  need  not  allow  an  individual  to  opt  out  of  the
    10  collection, processing, or transfer of covered data made pursuant to the
    11  exceptions  in  paragraphs (a) through (o) of subdivision two of section
    12  fifteen hundred ten of this article.
    13    3. (a) A covered entity or service provider that directly  delivers  a
    14  targeted advertisement shall:
    15    (i)  prior  to  engaging  in  targeted advertising to an individual or
    16  device and at all times thereafter, provide such individual with a clear
    17  and conspicuous means to opt out of targeted advertising;
    18    (ii) abide by any opt-out designation by an individual with respect to
    19  targeted advertising and notify the covered  entity  that  directed  the
    20  service  provider  to  deliver the targeted advertisement of the opt-out
    21  decision; and
    22    (iii) allow an individual to make an opt-out designation with  respect
    23  to  targeted  advertising  through an opt-out mechanism, as described in
    24  section fifteen hundred twenty-nine of this title.
    25    (b) A covered entity or service  provider  that  receives  an  opt-out
    26  notification  pursuant  to  subparagraph  (ii)  of paragraph (a) of this
    27  subdivision or this paragraph shall abide by such  opt-out  designations
    28  by  an  individual and notify any other person that directed the covered
    29  entity or service provider to serve, deliver, or  otherwise  handle  the
    30  advertisement of the opt-out decision.
    31    4.  A covered entity may not condition, effectively condition, attempt
    32  to condition, or attempt to effectively condition the  exercise  of  any
    33  individual right under this section through:
    34    (a)  the  use  of  any  false,  fictitious,  fraudulent, or materially
    35  misleading statement or representation; or
    36    (b) the design, modification, or manipulation of  any  user  interface
    37  with  the  purpose  or  substantial  effect of obscuring, subverting, or
    38  impairing a reasonable individual's autonomy, decision making, or choice
    39  to exercise any such right.
    40    § 1524. Data protections for children and minors. 1. A covered  entity
    41  may  not engage in targeted advertising to any individual if the covered
    42  entity has knowledge that the individual is a covered minor.
    43    2. (a) A covered entity may not transfer or direct the transfer of the
    44  covered data of a covered minor to a third party if the covered entity:
    45    (i) has knowledge that the individual is a covered minor; and
    46    (ii) has not obtained affirmative express  consent  from  the  covered
    47  minor or the covered minor's parent or guardian.
    48    (b)  A  covered  entity  or  service provider may collect, process, or
    49  transfer covered data of an individual the  covered  entity  or  service
    50  provider  knows  is  under the age of eighteen solely in order to submit
    51  information relating to child victimization to law enforcement or to the
    52  nonprofit, national resource  center  and  clearinghouse  designated  to
    53  provide  assistance  to  victims, families, child-serving professionals,
    54  and the general public on missing and exploited children issues.

        A. 6319                            23

     1    3. (a) There is established within the division in the privacy  bureau
     2  established  in  title  V  of this article, an office to be known as the
     3  "Youth Privacy and Marketing Office" (the "office").
     4    (b)  The  office shall be headed by a director, who shall be appointed
     5  by the chair of the office.
     6    (c) The office shall be responsible  for  assisting  the  division  in
     7  addressing, as it relates to this article:
     8    (i) the privacy of children and minors; and
     9    (ii) marketing directed at children and minors.
    10    (d)  The director of the office shall hire adequate staff to carry out
    11  the duties described in paragraph (c) of this subdivision, including  by
    12  hiring individuals who are experts in data protection, digital advertis-
    13  ing, data analytics, and youth development.
    14    (e) Not later than two years after the effective date of this article,
    15  and  annually  thereafter,  the office shall submit to the governor, the
    16  majority and minority leaders of the senate and the majority and minori-
    17  ty leaders of the assembly a report that includes:
    18    (i) a description  of  the  work  of  the  office  regarding  emerging
    19  concerns relating to youth privacy and marketing practices; and
    20    (ii) an assessment of how effectively the office has, during the peri-
    21  od  for  which the report is submitted, assisted the division to address
    22  youth privacy and marketing practices.
    23    (f) Not later than ten days after  the  date  on  which  a  report  is
    24  submitted  under  paragraph  (e) of this subdivision, the division shall
    25  publish the report on its website.
    26    § 1525. Third-party  collecting  entities.  1.  (a)  Each  third-party
    27  collecting  entity shall place a clear, conspicuous, not misleading, and
    28  readily accessible notice on the website or mobile  application  of  the
    29  third-party  collecting  entity  (if  the  third-party collecting entity
    30  maintains such a website or mobile application) that:
    31    (a) notifies individuals that the entity is a  third-party  collecting
    32  entity  using  specific language that the division shall develop through
    33  rulemaking under section 553 of title 5, United States Code;
    34    (b) includes a link to the website established under paragraph (c)  of
    35  subdivision two of this section; and
    36    (c)  is  reasonably accessible to and usable by individuals with disa-
    37  bilities.
    38    2. (a) Not later than January thirty-first of each calendar year  that
    39  follows  a calendar year during which a covered entity acted as a third-
    40  party collecting entity and processed covered data  pertaining  to  more
    41  than five thousand individuals or devices that identify or are linked or
    42  reasonably linkable to an individual, such covered entity shall register
    43  with the division in accordance with this subdivision.
    44    (b)  In  registering with the division as required under paragraph (a)
    45  of this subdivision,  a  third-party  collecting  entity  shall  do  the
    46  following:
    47    (i) Pay to the division a registration fee of one hundred dollars.
    48    (ii) Provide the division with the following information:
    49    (A) the legal name and primary physical, email, and internet addresses
    50  of the third-party collecting entity;
    51    (B)  a  description  of the categories of covered data the third-party
    52  collecting entity processes and transfers;
    53    (C) the contact information  of  the  third-party  collecting  entity,
    54  including  a  contact  person,  a  telephone number, an email address, a
    55  website, and a physical mailing address; and

        A. 6319                            24

     1    (D) a link to a website through which an individual may  easily  exer-
     2  cise the rights provided under this subdivision.
     3    (c)  The division shall establish and maintain on a website a searcha-
     4  ble, publicly available,  central  registry  of  third-party  collecting
     5  entities  that  are  registered with the division under this subdivision
     6  that includes the following:
     7    (i) A listing of all registered third-party collecting entities and  a
     8  search  feature that allows members of the public to identify individual
     9  third-party collecting entities.
    10    (ii) For each registered third-party collecting entity,  the  informa-
    11  tion provided under paragraph (b) of this subdivision.
    12    (iii)  (A)  A "Do Not Collect" registry link and mechanism by which an
    13  individual may, easily submit a request to  all  registered  third-party
    14  collecting entities that are not consumer reporting agencies (as defined
    15  in   section  603(f)  of  the  Fair  Credit  Reporting  Act  (15  U.S.C.
    16  1681a(f))), and to the extent such third-party collecting  entities  are
    17  not acting as consumer reporting agencies (as so defined), to:
    18    (I) delete all covered data related to such individual that the third-
    19  party collecting entity did not collect from such individual directly or
    20  when acting as a service provider; and
    21    (II)  ensure that the third-party collecting entity no longer collects
    22  covered data related to such individual without the affirmative  express
    23  consent of such individual, except insofar as the third-party collecting
    24  entity is acting as a service provider.
    25    (B)  Each  third-party  collecting entity that receives such a request
    26  from an individual shall delete all the covered data of  the  individual
    27  not  later  than thirty days after the request is received by the third-
    28  party collecting entity.
    29    (C) Notwithstanding the provisions of clauses  (A)  and  (B)  of  this
    30  subparagraph,  a  third-party collecting entity may decline to fulfill a
    31  "Do Not Collect" request from an individual who it has actual  knowledge
    32  has been convicted of a crime related to the abduction or sexual exploi-
    33  tation of a child, and the data the entity is collecting is necessary to
    34  effectuate the purposes of a national or state-run sex offender registry
    35  or  the  congressionally  designated entity that serves as the nonprofit
    36  national resource center and  clearinghouse  to  provide  assistance  to
    37  victims,  families,  child-serving professionals, and the general public
    38  on missing and exploited children issues.
    39    3. (a) A third-party collecting  entity  that  fails  to  register  or
    40  provide the notice as required under this section shall be liable for:
    41    (i) a civil penalty of one hundred dollars for each day the third-par-
    42  ty  collecting  entity  fails  to register or provide notice as required
    43  under this section, not to exceed a total of ten  thousand  dollars  for
    44  any year; and
    45    (ii)  an  amount equal to the registration fees due under subparagraph
    46  (i) of paragraph (b) of subdivision two of this section  for  each  year
    47  that  the  third-party  collecting entity failed to register as required
    48  under paragraph (a) of such subdivision.
    49    (b) Nothing in this subdivision shall be construed as altering, limit-
    50  ing, or affecting any enforcement authorities  or  remedies  under  this
    51  article.
    52    §  1526.  Civil  rights  and  algorithms. 1. (a) A covered entity or a
    53  service provider may not collect, process, or transfer covered data in a
    54  manner that discriminates in or otherwise makes  unavailable  the  equal
    55  enjoyment  of  goods  or services on the basis of race, color, religion,
    56  national origin, sex, or disability.

        A. 6319                            25

     1    (b) This subdivision shall not apply to:
     2    (i)  the  collection,  processing, or transfer of covered data for the
     3  purpose of:
     4    (A) a covered entity's or a service provider's self-testing to prevent
     5  or mitigate unlawful discrimination; or
     6    (B) diversifying an applicant, participant, or customer pool; or
     7    (ii) any private club or group not open to the public, as described in
     8  section 201(e) of the Civil Rights Act of 1964 (42 U.S.C. 2000a(e)).
     9    2. (a) Whenever the division obtains information that a covered entity
    10  or service  provider  may  have  collected,  processed,  or  transferred
    11  covered  data in violation of subdivision one of this section, the divi-
    12  sion shall transmit such information  as  allowable  under  federal  and
    13  state law to any executive agency with authority to initiate enforcement
    14  actions or proceedings relating to such violation.
    15    (b)  Not later than three years after the effective date of this arti-
    16  cle, and annually thereafter, the division shall submit  to  the  senate
    17  and the assembly a report that includes a summary of:
    18    (i)  the  types  of  information the division transmitted to executive
    19  agencies under paragraph (a) of this  subdivision  during  the  previous
    20  one-year period; and
    21    (ii)  how  such  information  relates to federal or state civil rights
    22  laws.
    23    (c) In transmitting information under paragraph (a) of  this  subdivi-
    24  sion,  the division may consult and coordinate with, and provide techni-
    25  cal and investigative assistance,  as  appropriate,  to  such  executive
    26  agency.
    27    (d)  The  division  may implement this subdivision by executing agree-
    28  ments or memoranda of understanding with the appropriate executive agen-
    29  cies.
    30    3. (a)(i) Notwithstanding any other provision of law, not  later  than
    31  two  years after the effective date of this article, and annually there-
    32  after, a large data holder that uses a covered  algorithm  in  a  manner
    33  that  poses  a  consequential  risk of harm to an individual or group of
    34  individuals, and uses such covered  algorithm  solely  or  in  part,  to
    35  collect,  process,  or  transfer  covered  data  shall conduct an impact
    36  assessment of such algorithm in accordance  with  subparagraph  (ii)  of
    37  this paragraph.
    38    (ii)  The  impact  assessment  required under subparagraph (i) of this
    39  paragraph shall provide the following:
    40    (A) A detailed description of the design process and methodologies  of
    41  the covered algorithm.
    42    (B)  A statement of the purpose and proposed uses of the covered algo-
    43  rithm.
    44    (C) A detailed description of the data used by the covered  algorithm,
    45  including  the  specific  categories  of  data that will be processed as
    46  input and any data used to train the model that  the  covered  algorithm
    47  relies on, if applicable.
    48    (D) A description of the outputs produced by the covered algorithm.
    49    (E)  An assessment of the necessity and proportionality of the covered
    50  algorithm in relation to its stated purpose.
    51    (F) A detailed description of steps the large data holder has taken or
    52  will take to mitigate potential harms from the covered algorithm  to  an
    53  individual or group of individuals, including related to:
    54    (I) covered minors;

        A. 6319                            26

     1    (II) making or facilitating advertising for, or determining access to,
     2  or  restrictions  on  the use of housing, education, employment, health-
     3  care, insurance, or credit opportunities;
     4    (III)  determining access to, or restrictions on the use of, any place
     5  of public accommodation,  particularly  as  such  harms  relate  to  the
     6  protected  characteristics  of individuals, including race, color, reli-
     7  gion, national origin, sex, or disability;
     8    (IV) disparate impact on the basis of individuals' race, color,  reli-
     9  gion, national origin, sex, or disability status; or
    10    (V)  disparate  impact  on  the  basis of individuals' political party
    11  registration status.
    12    (b) Notwithstanding any other provision of law,  not  later  than  two
    13  years  after  the  effective  date  of this article, a covered entity or
    14  service provider that knowingly develops a  covered  algorithm  that  is
    15  designed,  solely  or  in part, to collect, process, or transfer covered
    16  data in furtherance of a consequential decision shall prior to deploying
    17  the covered algorithm in interstate commerce evaluate the design, struc-
    18  ture, and inputs of the covered algorithm, including any  training  data
    19  used  to develop the covered algorithm, to reduce the risk of the poten-
    20  tial harms identified under subparagraph (ii) of paragraph (a)  of  this
    21  subdivision.
    22    (c)  (i) In complying with paragraphs (a) and (b) of this subdivision,
    23  a covered entity and a service provider may focus the impact  assessment
    24  or  evaluation  on any covered algorithm, or portions of a covered algo-
    25  rithm, that will be put to use and may reasonably contribute to the risk
    26  of the potential harms identified under subparagraph (ii)  of  paragraph
    27  (a) of this subdivision.
    28    (ii) (A) A covered entity and a service provider:
    29    (I)  shall,  not  later  than  thirty  days after completing an impact
    30  assessment or evaluation, submit the  impact  assessment  or  evaluation
    31  conducted  under paragraphs (a) and (b) of this subdivision to the divi-
    32  sion;
    33    (II) shall, upon request, make such impact assessment  and  evaluation
    34  available to the legislature; and
    35    (III)  may  make  a  summary  of such impact assessment and evaluation
    36  publicly available in a place that is easily accessible to individuals.
    37    (B) Covered entities and service providers may  redact  and  segregate
    38  any  trade secret (as defined in section 1839 of title 18, United States
    39  Code) or other  confidential  or  proprietary  information  from  public
    40  disclosure  under  this subparagraph and the division shall abide by its
    41  obligations under federal and state law in regard to such information.
    42    (iii) The division may not use any  information  obtained  solely  and
    43  exclusively  through a covered entity or a service provider's disclosure
    44  of information to the division in compliance with this section  for  any
    45  purpose  other than enforcing this article with the exception of enforc-
    46  ing consent orders, including the study and report provisions  in  para-
    47  graph  (f) of this subdivision.  This subparagraph does not preclude the
    48  division from providing this information to the legislature in  response
    49  to a subpoena.
    50    (d) Not later than two years after the effective date of this article,
    51  the  division  shall,  in  consultation  with the secretary of state, or
    52  their respective designees, publish guidance regarding  compliance  with
    53  this section.
    54    (e)  The  division  shall have authority to promulgate rules and regu-
    55  lations as necessary to establish processes by which a large data  hold-
    56  er:

        A. 6319                            27

     1    (i)  shall  submit an impact assessment to the division under item (I)
     2  of clause (A) of subparagraph (ii) of paragraph (c) of this subdivision;
     3  and
     4    (ii)  may  exclude  from  this  subdivision any covered algorithm that
     5  presents low or minimal consequential risk of harm to an  individual  or
     6  group of individuals.
     7    (f)  (i)  The division, in consultation with the secretary of state or
     8  the secretary's designee, shall conduct a study, to  review  any  impact
     9  assessment  or  evaluation  submitted under this subdivision. Such study
    10  shall include an examination of:
    11    (A) best practices for the assessment and evaluation of covered  algo-
    12  rithms; and
    13    (B)  methods  to  reduce  the  risk of harm to individuals that may be
    14  related to the use of covered algorithms.
    15    (ii) (A) Not later than three years after the effective date  of  this
    16  article,  the division, in consultation with the secretary or the secre-
    17  tary's designee, shall submit to the  governor  and  the  legislature  a
    18  report  containing the results of the study conducted under subparagraph
    19  (i) of this paragraph, together with  recommendations  for  such  legis-
    20  lation and administrative action as the division determines appropriate.
    21    (B)  Not later than three years after submission of the initial report
    22  under clause (A) of this subparagraph, and as  the  division  determines
    23  necessary  thereafter, the division shall submit to the governor and the
    24  legislature an updated version of such report.
    25    § 1527. Data security and protection of covered data. 1. (a) A covered
    26  entity or service provider  shall  establish,  implement,  and  maintain
    27  reasonable  administrative,  technical, and physical data security prac-
    28  tices and procedures to protect and secure covered  data  against  unau-
    29  thorized access and acquisition.
    30    (b)  The reasonable administrative, technical, and physical data secu-
    31  rity practices required under paragraph (a) of this subdivision shall be
    32  appropriate to:
    33    (i) the size and complexity of the covered entity or service provider;
    34    (ii) the nature and scope of the covered entity or the service provid-
    35  er's collecting, processing, or transferring of covered data;
    36    (iii) the volume and nature of the covered data collected,  processed,
    37  or transferred by the covered entity or service provider;
    38    (iv)  the  sensitivity  of  the  covered data collected, processed, or
    39  transferred;
    40    (v) the current state of the art (and limitations thereof) in adminis-
    41  trative, technical, and physical safeguards for protecting such  covered
    42  data; and
    43    (vi)  the  cost  of  available  tools  to  improve security and reduce
    44  vulnerabilities to unauthorized access and acquisition of  such  covered
    45  data in relation to the risks and nature of the covered data.
    46    2.  The  data  security  practices  of  the  covered entity and of the
    47  service provider required under subdivision one of  this  section  shall
    48  include,  for each respective entity's own system or systems, at a mini-
    49  mum, the following practices:
    50    (a) Identifying and assessing any material internal and external  risk
    51  to,  and vulnerability in, the security of each system maintained by the
    52  covered entity that collects, processes, or transfers covered  data,  or
    53  service  provider that collects, processes, or transfers covered data on
    54  behalf of the covered entity, including unauthorized access to or  risks
    55  to  such covered data, human vulnerabilities, access rights, and the use
    56  of service providers. With respect to large data  holders,  such  activ-

        A. 6319                            28

     1  ities shall include a plan to receive and reasonably respond to unsolic-
     2  ited  reports  of  vulnerabilities  by  any  entity or individual and by
     3  performing a reasonable investigation of such reports.
     4    (b)  Taking  preventive  and  corrective  action  designed to mitigate
     5  reasonably foreseeable risks or vulnerabilities to covered data  identi-
     6  fied  by  the  covered  entity  or service provider, consistent with the
     7  nature of such risk or vulnerability and the entity's role  in  collect-
     8  ing,  processing,  or  transferring  the  data.  Such action may include
     9  implementing administrative, technical, or physical safeguards or chang-
    10  es to data security practices  or  the  architecture,  installation,  or
    11  implementation of network or operating software, among other actions.
    12    (c)  Evaluating  and  making  reasonable  adjustments  to  the  action
    13  described in paragraph (b) of this subdivision in light of any  material
    14  changes in technology, internal or external threats to covered data, and
    15  the  covered entity or service provider's own changing business arrange-
    16  ments or operations.
    17    (d) Disposing of covered data in accordance with a retention  schedule
    18  that  shall  require  the  deletion  of  covered  data when such data is
    19  required to be deleted by law or is no longer necessary for the  purpose
    20  for  which  the data was collected, processed, or transferred, unless an
    21  individual has provided affirmative express consent to  such  retention.
    22  Such  disposal  shall include destroying, permanently erasing, or other-
    23  wise modifying the covered data to make such data permanently unreadable
    24  or indecipherable and unrecoverable to ensure  ongoing  compliance  with
    25  this  section.  Service providers shall establish practices to delete or
    26  return covered data to a covered entity as requested at the end  of  the
    27  provision  of  services unless retention of the covered data is required
    28  by law, consistent with paragraph (f)  of  subdivision  one  of  section
    29  fifteen hundred forty-one of this article.
    30    (e) Training each employee with access to covered data on how to safe-
    31  guard covered data and updating such training as necessary.
    32    (f)  Designating  an  officer,  employee, or employees to maintain and
    33  implement such  practices.
    34    (g) Implementing procedures to detect, respond  to,  or  recover  from
    35  security incidents, including breaches.
    36    3.  The  division  may  promulgate  technology-neutral rules and regu-
    37  lations to establish processes for  complying  with  this  section.  The
    38  division  shall  consult  with  the  office  of  information  technology
    39  services in establishing such processes.
    40    § 1528. Small business protections. 1. Any covered entity  or  service
    41  provider  that  can  establish that it met the requirements described in
    42  subdivision two of this section for the period of  the  three  preceding
    43  calendar  years  (or  for  the period during which the covered entity or
    44  service provider has been in existence if such period is less than three
    45  years) shall:
    46    (a) be exempt from compliance with paragraph (d) of subdivision one of
    47  section fifteen hundred twenty-two of this title, paragraphs  (a),  (b),
    48  (c),  (e),  (f)  and  (g)  of subdivision two of section fifteen hundred
    49  twenty-seven of this title, and subdivision  three  of  section  fifteen
    50  hundred forty of this article; and
    51    (b)  at  the  covered  entity's  sole  discretion,  have the option of
    52  complying with paragraph (b)  of  subdivision  one  of  section  fifteen
    53  hundred  twenty-two of this title by, after receiving a verified request
    54  from an individual to correct covered data of the individual under  such
    55  section,  deleting  such  covered data in its entirety instead of making
    56  the requested correction.

        A. 6319                            29

     1    2. The requirements of this subdivision are, with respect to a covered
     2  entity or a service provider, the following:
     3    (a)  The  covered  entity  or  service provider's average annual gross
     4  revenues during the period did not exceed forty-one million dollars.
     5    (b) The covered entity or service provider, on average, did not  annu-
     6  ally  collect or process the covered data of more than two hundred thou-
     7  sand individuals during the period beyond  the  purpose  of  initiating,
     8  rendering,  billing for, finalizing, completing, or otherwise collecting
     9  payment for a requested service or product, so long as all covered  data
    10  for such purpose was deleted or de-identified within ninety days, except
    11  when  necessary  to  investigate  fraud  or as consistent with a covered
    12  entity's return policy.
    13    (c) The covered entity or service provider did not  derive  more  than
    14  fifty  percent  of its revenue from transferring covered data during any
    15  year (or part of a year if the covered entity has been in existence  for
    16  less than one year) that occurs during the period.
    17    3.  For  purposes of this section, the term "revenue" as it relates to
    18  any covered entity or service provider that is not organized to carry on
    19  business for its own profit or that of  its  members,  means  the  gross
    20  receipts  the  covered  entity  or service provider received in whatever
    21  form from all sources without subtracting any  costs  or  expenses,  and
    22  includes contributions, gifts, grants, dues or other assessments, income
    23  from  investments, or proceeds from the sale of real or personal proper-
    24  ty.
    25    § 1529. Unified opt-out mechanisms.  1.  For  the  rights  established
    26  under subdivisions two and three of section fifteen hundred twenty-three
    27  (except  as  provided  for  under  paragraph  (p)  of subdivision two of
    28  section fifteen hundred ten of this article), and subparagraph (iii)  of
    29  paragraph  (c) of subdivision two of section fifteen hundred twenty-five
    30  of this title, following public notice and opportunity  to  comment  and
    31  not later than eighteen months after the effective date of this article,
    32  the division shall establish or recognize one or more acceptable privacy
    33  protective,  centralized  mechanisms,  including  global privacy signals
    34  such as browser or device  privacy  settings,  other  tools  offered  by
    35  covered  entities  or  service providers, and registries of identifiers,
    36  for individuals to exercise all such rights through a  single  interface
    37  for a covered entity or service provider to utilize to allow an individ-
    38  ual  to  make  such  opt  out  designations with respect to covered data
    39  related to such individual.
    40    2. Any such centralized opt-out mechanism shall:
    41    (a) require covered entities or service providers acting on behalf  of
    42  covered  entities  to  inform  individuals about the centralized opt-out
    43  choice;
    44    (b) not be required to be the default setting, but may be the  default
    45  setting  provided that in all cases the mechanism clearly represents the
    46  individual's affirmative, freely given, and unambiguous  choice  to  opt
    47  out;
    48    (c)  be  consumer-friendly,  clearly  described,  and easy-to-use by a
    49  reasonable individual;
    50    (d) permit the covered entity or service provider acting on behalf  of
    51  a covered entity to have an authentication process the covered entity or
    52  service  provider acting on behalf of a covered entity may use to deter-
    53  mine if the mechanism represents a legitimate request to opt out;
    54    (e) be provided in any covered language in which  the  covered  entity
    55  provides products or services subject to the opt-out; and

        A. 6319                            30

     1    (f)  be  provided  in  a  manner  that is reasonably accessible to and
     2  usable by individuals with disabilities.

     3                                  TITLE IV
     4                          CORPORATE ACCOUNTABILITY
     5  Section 1540. Executive responsibility.
     6          1541. Service providers and third parties.
     7          1542. Technical compliance programs.
     8          1543. Division approved compliance guidelines.
     9          1544. Digital content forgeries.
    10    §  1540.  Executive  responsibility.  1.  Beginning one year after the
    11  effective date of this article, an executive officer  of  a  large  data
    12  holder  shall  annually  certify,  in  good faith, to the division, in a
    13  manner specified by the division that the entity maintains:
    14    (a) internal controls reasonably designed to comply with this article;
    15  and
    16    (b) internal reporting structures to ensure that such certifying exec-
    17  utive officer is involved in and  responsible  for  the  decisions  that
    18  impact the compliance by the large data holder with this article.
    19    2.  A  certification  submitted  under subdivision one of this section
    20  shall be based on a review of the effectiveness of the internal controls
    21  and reporting structures of the large data holder that is  conducted  by
    22  the  certifying  executive  officer not more than ninety days before the
    23  submission of the certification. A certification submitted under  subdi-
    24  vision one of this section is made in good faith if the certifying offi-
    25  cer  had, after a reasonable investigation, reasonable ground to believe
    26  and did believe, at the time that certification was submitted, that  the
    27  statements  therein  were true and that there was no omission to state a
    28  material fact required to be stated therein or  necessary  to  make  the
    29  statements therein not misleading.
    30    3. (a) A covered entity or service provider that has more than fifteen
    31  employees, shall designate:
    32    (i) one or more qualified employees as privacy officers; and
    33    (ii)  one  or  more  qualified  employees (in addition to any employee
    34  designated under subparagraph (i) of this paragraph)  as  data  security
    35  officers.
    36    (b)  An  employee  who  is designated by a covered entity or a service
    37  provider as a privacy officer or a data  security  officer  pursuant  to
    38  paragraph (a) of this subdivision shall, at a minimum:
    39    (i)  implement  a  data  privacy  program and data security program to
    40  safeguard the privacy and security of covered data  in  compliance  with
    41  the requirements of this article; and
    42    (ii)  facilitate  the  covered  entity  or  service provider's ongoing
    43  compliance with this article.
    44    (c) A large data holder shall designate at least one of  the  officers
    45  described in paragraph (a) of this subdivision to report directly to the
    46  highest  official at the large data holder as a privacy protection offi-
    47  cer who shall, in addition to the requirements in paragraph (b) of  this
    48  subdivision,  either directly or through a supervised designee or desig-
    49  nees:
    50    (i) establish processes to periodically review and update the  privacy
    51  and security policies, practices, and procedures of the large data hold-
    52  er, as necessary;
    53    (ii) conduct biennial and comprehensive audits to ensure the policies,
    54  practices, and procedures of the large data holder ensure the large data

        A. 6319                            31

     1  holder  is  in  compliance  with this article and ensure such audits are
     2  accessible to the division upon request;
     3    (iii)  develop  a program to educate and train employees about compli-
     4  ance requirements of this article;
     5    (iv) maintain updated, accurate, clear, and understandable records  of
     6  all material privacy and data security practices undertaken by the large
     7  data holder; and
     8    (v)  serve  as  the point of contact between the large data holder and
     9  enforcement authorities.
    10    4. (a) Not later than one year after the effective date of this  arti-
    11  cle or one year after the date on which a covered entity first meets the
    12  definition  of  large  data holder, whichever is earlier, and biennially
    13  thereafter, each covered entity  that  is  a  large  data  holder  shall
    14  conduct  a  privacy  impact  assessment  that weighs the benefits of the
    15  large data holder's covered data collecting,  processing,  and  transfer
    16  practices  against the potential adverse consequences of such practices,
    17  including substantial privacy risks, to individual privacy.
    18    (b) A privacy impact assessment required under paragraph (a)  of  this
    19  subdivision shall be:
    20    (i) reasonable and appropriate in scope given:
    21    (A)  the  nature  of the covered data collected, processed, and trans-
    22  ferred by the large data holder;
    23    (B) the volume of the covered data collected,  processed,  and  trans-
    24  ferred by the large data holder; and
    25    (C)  the  potential material risks posed to the privacy of individuals
    26  by the collecting, processing, and transfer of covered data by the large
    27  data holder;
    28    (ii) documented in written form and maintained by the large data hold-
    29  er unless rendered out of date  by  a  subsequent  assessment  conducted
    30  under paragraph (a) of this subdivision; and
    31    (iii)  approved  by the privacy protection officer designated in para-
    32  graph (c) of subdivision three of this section of the large data holder,
    33  as applicable.
    34    (c) In assessing the  privacy  risks,  including  substantial  privacy
    35  risks,  the large data holder must include reviews of the means by which
    36  technologies, including blockchain and distributed  ledger  technologies
    37  and other emerging technologies, are used to secure covered data.
    38    5.  (a) Not later than one year after the effective date of this arti-
    39  cle, and biennially thereafter, each covered entity that is not a  large
    40  data  holder  and  does  not  meet the requirements for covered entities
    41  under section fifteen hundred twenty-eight of this article shall conduct
    42  a privacy impact assessment. Such assessment shall weigh the benefits of
    43  the covered entity's covered data collecting, processing,  and  transfer
    44  practices  that  may cause a substantial privacy risk against the poten-
    45  tial material adverse  consequences  of  such  practices  to  individual
    46  privacy.
    47    (b)  A  privacy impact assessment required under paragraph (a) of this
    48  subdivision shall be:
    49    (i) reasonable and appropriate in scope given:
    50    (A) the nature of the covered data collected,  processed,  and  trans-
    51  ferred by the covered entity;
    52    (B)  the  volume  of the covered data collected, processed, and trans-
    53  ferred by the covered entity; and
    54    (C) the potential risks posed to the privacy  of  individuals  by  the
    55  collecting,  processing,  and  transfer  of  covered data by the covered
    56  entity; and

        A. 6319                            32

     1    (ii) documented in written form and maintained by the  covered  entity
     2  unless  rendered  out of date by a subsequent assessment conducted under
     3  paragraph (a) of this subdivision.
     4    (c)  In  assessing  the  privacy  risks, including substantial privacy
     5  risks, the covered entity may include reviews  of  the  means  by  which
     6  technologies,  including  blockchain and distributed ledger technologies
     7  and other emerging technologies, are used to secure covered data.
     8    § 1541. Service providers and third parties. 1. A service provider:
     9    (a) shall adhere to the instructions of  a  covered  entity  and  only
    10  collect,  process,  and  transfer  service  provider  data to the extent
    11  necessary and proportionate  to  provide  a  service  requested  by  the
    12  covered  entity,  as set out in the contract required by subdivision two
    13  of this section, and this paragraph does not require a service  provider
    14  to  collect,  process,  or transfer covered data if the service provider
    15  would not otherwise do so;
    16    (b) may not collect, process, or transfer service provider data if the
    17  service provider has actual knowledge that  a  covered  entity  violated
    18  this article with respect to such data;
    19    (c)  shall  assist a covered entity in responding to a request made by
    20  an individual  under  section  fifteen  hundred  twenty-two  or  fifteen
    21  hundred twenty-three of this article, by either:
    22    (i)  providing  appropriate  technical  and  organizational  measures,
    23  taking into account the nature of the  processing  and  the  information
    24  reasonably  available to the service provider, for the covered entity to
    25  comply with such request for service provider data; or
    26    (ii) fulfilling a request by a covered entity to execute an individual
    27  rights request that the covered entity has determined should be complied
    28  with, by either:
    29    (A) complying with  the  request  pursuant  to  the  covered  entity's
    30  instructions; or
    31    (B)  providing written verification to the covered entity that it does
    32  not hold covered data related to the request, that  complying  with  the
    33  request  would  be  inconsistent with its legal obligations, or that the
    34  request falls within an exception to section fifteen hundred  twenty-two
    35  or fifteen hundred twenty-three of this article;
    36    (d)  may  engage  another  service provider for purposes of processing
    37  service provider data on behalf of a covered entity only after providing
    38  that covered entity with notice and pursuant to a written contract  that
    39  requires  such  other service provider to satisfy the obligations of the
    40  service provider with respect to such service provider  data,  including
    41  that  the  other service provider be treated as a service provider under
    42  this article;
    43    (e) shall, upon the reasonable request of  the  covered  entity,  make
    44  available to the covered entity information necessary to demonstrate the
    45  compliance  of  the service provider with the requirements of this arti-
    46  cle, which may include making  available  a  report  of  an  independent
    47  assessment  arranged  by  the service provider on terms agreed to by the
    48  service provider and the covered entity, providing information necessary
    49  to enable the covered entity to conduct and document  a  privacy  impact
    50  assessment  required  by  subdivision  four  or  five of section fifteen
    51  hundred forty of this title, and making available  the  report  required
    52  under  paragraph  (b)  of  subdivision  three of section fifteen hundred
    53  twenty-six of this article;
    54    (f) shall, at the covered entity's direction,  delete  or  return  all
    55  covered  data  to  the  covered  entity  as  requested at the end of the

        A. 6319                            33

     1  provision of services, unless retention of the covered data is  required
     2  by law;
     3    (g)  shall develop, implement, and maintain reasonable administrative,
     4  technical, and physical safeguards that  are  designed  to  protect  the
     5  security  and confidentiality of covered data the service provider proc-
     6  esses consistent with section fifteen hundred twenty-seven of this arti-
     7  cle; and
     8    (h) shall allow and cooperate  with,  reasonable  assessments  by  the
     9  covered entity or the covered entity's designated assessor; alternative-
    10  ly,  the  service  provider  may arrange for a qualified and independent
    11  assessor to conduct an assessment of the service provider's policies and
    12  technical and organizational measures  in  support  of  the  obligations
    13  under this article using an appropriate and accepted control standard or
    14  framework  and  assessment  procedure  for such assessments. The service
    15  provider shall provide a report of such assessment to the covered entity
    16  upon request.
    17    2. (a) A person or entity may only act as a service provider  pursuant
    18  to a written contract between the covered entity and the service provid-
    19  er,  or  a  written  contract  between one service provider and a second
    20  service provider as described under paragraph (d) of subdivision one  of
    21  this section, if the contract:
    22    (i)  sets forth the data processing procedures of the service provider
    23  with respect to collection, processing, or transfer performed on  behalf
    24  of the covered entity or service provider;
    25    (ii) clearly sets forth:
    26    (A) instructions for collecting, processing, or transferring data;
    27    (B) the nature and purpose of collecting, processing, or transferring;
    28    (C)  the  type  of  data  subject to collecting, processing, or trans-
    29  ferring;
    30    (D) the duration of processing; and
    31    (E) the rights and obligations of both parties, including a method  by
    32  which  the  service provider shall notify the covered entity of material
    33  changes to its privacy practices;
    34    (iii) does not relieve a covered entity or a service provider  of  any
    35  requirement  or  liability  imposed  on  such  covered entity or service
    36  provider under this article; and
    37    (iv) prohibits:
    38    (A) collecting, processing, or transferring covered data in contraven-
    39  tion to subdivision one of this section; and
    40    (B) combining service  provider  data  with  covered  data  which  the
    41  service provider receives from or on behalf of another person or persons
    42  or  collects  from the interaction of the service provider with an indi-
    43  vidual, provided that such combining is not necessary  to  effectuate  a
    44  purpose  described  in  paragraphs (a) through (o) of subdivision two of
    45  section fifteen hundred ten of this article and is  otherwise  permitted
    46  under the contract required by this subdivision.
    47    (b)  Each  service  provider shall retain copies of previous contracts
    48  entered into in compliance with this subdivision with each covered enti-
    49  ty to which it provides requested products or services.
    50    3. (a) Determining whether a person is acting as a covered  entity  or
    51  service  provider  with respect to a specific processing of covered data
    52  is a fact-based determination that depends upon  the  context  in  which
    53  such data is processed.
    54    (b)  A  person  that  is not limited in its processing of covered data
    55  pursuant to the instructions of a  covered  entity,  or  that  fails  to
    56  adhere  to  such  instructions,  is  a  covered entity and not a service

        A. 6319                            34

     1  provider with respect to  a  specific  processing  of  covered  data.  A
     2  service  provider  that  continues  to  adhere  to the instructions of a
     3  covered entity with respect to a specific  processing  of  covered  data
     4  remains  a  service  provider.  If  a  service provider begins, alone or
     5  jointly with others, determining the purposes and means of the  process-
     6  ing  of  covered data, it is a covered entity and not a service provider
     7  with respect to the processing of such data.
     8    (c) A covered entity that transfers covered data to a service provider
     9  or a service provider that transfers covered data to a covered entity or
    10  another service provider, in compliance with the  requirements  of  this
    11  article,  is  not  liable for a violation of this article by the service
    12  provider or covered entity to whom such covered data was transferred, if
    13  at the time of transferring such covered data,  the  covered  entity  or
    14  service provider did not have actual knowledge that the service provider
    15  or covered entity would violate this article.
    16    (d) A covered entity or service provider that receives covered data in
    17  compliance  with the requirements of this article is not in violation of
    18  this article as a result of a violation by a covered entity  or  service
    19  provider from which such data was received.
    20    4. A third party:
    21    (a)  shall not process third party data for a processing purpose other
    22  than, in the case of sensitive covered data, the processing purpose  for
    23  which  the  individual  gave  affirmative express consent or to effect a
    24  purpose enumerated in paragraph (a), (c), or (e) of subdivision  two  of
    25  section fifteen hundred ten of this article and, in the case of non-sen-
    26  sitive  data, the processing purpose for which the covered entity made a
    27  disclosure pursuant to paragraph  (d)  of  subdivision  two  of  section
    28  fifteen hundred twenty-one of this article; and
    29    (b)  for purposes of paragraph (a) of this subdivision, may reasonably
    30  rely on representations made by the covered entity that transferred  the
    31  third party data if the third party conducts reasonable due diligence on
    32  the  representations  of  the covered entity and finds those representa-
    33  tions to be credible.
    34    5. (a) A covered entity or service provider shall exercise  reasonable
    35  due diligence in:
    36    (i) selecting a service provider; and
    37    (ii) deciding to transfer covered data to a third party.
    38    (b) Not later than two years after the effective date of this article,
    39  the  division  shall  publish  guidance  regarding  compliance with this
    40  subdivision, taking into consideration the burdens on large  data  hold-
    41  ers,  covered entities who are not large data holders, and covered enti-
    42  ties meeting the requirements of section fifteen hundred twenty-eight of
    43  this article.
    44    6. Solely for the purposes  of  this  section,  the  requirements  for
    45  service  providers to contract with, assist, and follow the instructions
    46  of covered entities shall be read to include  requirements  to  contract
    47  with,  assist, and follow the instructions of a government entity if the
    48  service provider is providing a service to a government entity.
    49    § 1542. Technical compliance programs. 1. Not later than  three  years
    50  after  the effective date of this article, the division shall promulgate
    51  rules and regulations to  establish  a  process  for  the  proposal  and
    52  approval  of  technical compliance programs under this section used by a
    53  covered entity to collect, process, or transfer covered data.
    54    2. The technical compliance programs established  under  this  section
    55  shall, with respect to a technology, product, service, or method used by
    56  a covered entity to collect, process, or transfer covered data:

        A. 6319                            35

     1    (i)  establish  publicly available guidelines for compliance with this
     2  article; and
     3    (ii) meet or exceed the requirements of this article.
     4    3.  (a)  Any request for approval, amendment, or repeal of a technical
     5  compliance program may be submitted  to  the  division  by  any  person,
     6  including  a  covered  entity,  a representative of a covered entity, an
     7  association of covered entities, or a public interest group or organiza-
     8  tion.  Within ninety days after the request is made, the division  shall
     9  publish the request and provide an opportunity for public comment on the
    10  proposal.
    11    (b)  Beginning  one year after the effective date of this article, the
    12  division shall act upon a request for the proposal  and  approval  of  a
    13  technical compliance program not later than one year after the filing of
    14  the  request  and shall set forth publicly in writing the conclusions of
    15  the division with regard to such request.
    16    4. Final action by the division on a request for approval,  amendment,
    17  or repeal of a technical compliance program, or the failure to act with-
    18  in  the  one-year  period  after  a  request for approval, amendment, or
    19  repeal of a technical compliance program is made under subdivision three
    20  of this section, may be appealed to a court of appropriate jurisdiction.
    21    5. (a) Prior to commencing  an  investigation  or  enforcement  action
    22  against  any  covered  entity  under  this article, the division and the
    23  attorney general shall consider the covered entity's history of  compli-
    24  ance  with  any technical compliance program approved under this section
    25  and any action taken by the covered entity to remedy noncompliance  with
    26  such  program.  If  such enforcement action described in section fifteen
    27  hundred fifty-two of this  article  is  brought,  the  covered  entity's
    28  history  of  compliance  with  any technical compliance program approved
    29  under this section and any action taken by the covered entity to  remedy
    30  noncompliance  with  such program shall be taken into consideration when
    31  determining liability or a penalty.  The  covered  entity's  history  of
    32  compliance  with  any  technical compliance program shall not affect any
    33  burden of proof or the weight given to evidence  in  an  enforcement  or
    34  judicial proceeding.
    35    (b)  Approval  of  a  technical compliance program shall not limit the
    36  authority  of  the  division,  including  the  division's  authority  to
    37  commence  an  investigation  or  enforcement  action against any covered
    38  entity under this article or any other provision of law.
    39    (c) Nothing in this subdivision shall provide any individual, class of
    40  individuals, or person with any right to seek discovery of any non-publ-
    41  ic division deliberation or activity or impose any pleading  requirement
    42  on  the  division  if  the  division brings an enforcement action of any
    43  kind.
    44    § 1543. Division approved compliance  guidelines.  1.  (a)  A  covered
    45  entity  that  is  not  a  third-party  collecting  entity  and meets the
    46  requirements of section fifteen hundred twenty-eight of this article, or
    47  a group of such covered entities, may apply to the division for approval
    48  of one or more sets of compliance guidelines governing  the  collection,
    49  processing,  and transfer of covered data by the covered entity or group
    50  of covered entities.
    51    (b) Such application shall include:
    52    (i) a description of how the proposed guidelines will meet  or  exceed
    53  the requirements of this article;
    54    (ii)  a  description of the entities or activities the proposed set of
    55  compliance guidelines is designed to cover;

        A. 6319                            36

     1    (iii) a list of the covered entities that  meet  the  requirements  of
     2  section  fifteen hundred twenty-eight of this article and are not third-
     3  party collecting entities, if any are known at the time of  application,
     4  that intend to adhere to the compliance guidelines; and
     5    (iv)  a description of how such covered entities will be independently
     6  assessed for adherence to  such  compliance  guidelines,  including  the
     7  independent organization not associated with any of the covered entities
     8  that may participate in guidelines that will administer such guidelines.
     9    (c) (i)(A) Within ninety days after the receipt of proposed guidelines
    10  submitted  pursuant  to  paragraph (b) of this subdivision, the division
    11  shall publish the application and  provide  an  opportunity  for  public
    12  comment on such compliance guidelines.
    13    (B)  The  division  shall  approve  an  application regarding proposed
    14  guidelines under paragraph (b) of  this  subdivision  if  the  applicant
    15  demonstrates that the compliance guidelines:
    16    (I) meet or exceed requirements of this article;
    17    (II)  provide  for the regular review and validation by an independent
    18  organization not associated with any of the covered  entities  that  may
    19  participate  in  the  guidelines and that is approved by the division to
    20  conduct such reviews of the compliance guidelines of the covered  entity
    21  or  entities  to  ensure that the covered entity or entities continue to
    22  meet or exceed the requirements of this article; and
    23    (III) include a means of enforcement if a covered entity does not meet
    24  or exceed the requirements in the guidelines, which may include referral
    25  to the division for enforcement consistent with section fifteen  hundred
    26  fifty  of  this article or referral to the attorney general for enforce-
    27  ment consistent with section fifteen hundred fifty-one of this article.
    28    (C) Within one year after receiving an application regarding  proposed
    29  guidelines  under  paragraph (b) of this subdivision, the division shall
    30  issue a determination approving or denying the application and providing
    31  its reasons for approving or denying such application.
    32    (ii) (A) If the independent organization administering a set of guide-
    33  lines makes material changes to guidelines previously  approved  by  the
    34  division,  the  independent organization shall submit the updated guide-
    35  lines to the division for approval. As soon as  feasible,  the  division
    36  shall  publish  the  updated  guidelines  and provide an opportunity for
    37  public comment.
    38    (B) The division shall approve or deny  any  material  change  to  the
    39  guidelines within one year after receipt of the submission for approval.
    40    2.  If  at any time the division determines that the guidelines previ-
    41  ously approved no longer meet the requirements  of  this  article  or  a
    42  regulation  promulgated  under  this article or that compliance with the
    43  approved guidelines is insufficiently enforced by the independent organ-
    44  ization administering the guidelines,  the  division  shall  notify  the
    45  covered entities or group of such entities and the independent organiza-
    46  tion  of  the determination of the division to withdraw approval of such
    47  guidelines and the basis for doing so.  Within one hundred  eighty  days
    48  after  receipt of such notice, the covered entity or group of such enti-
    49  ties and the independent organization may cure  any  alleged  deficiency
    50  with  the  guidelines  or  the enforcement of such guidelines and submit
    51  each proposed cure to the division. If the division determines that such
    52  cures eliminate the alleged deficiency in the guidelines, then the divi-
    53  sion may not withdraw approval of such guidelines on the basis  of  such
    54  determination.
    55    3.  A  covered  entity that is eligible to participate under paragraph
    56  (a) of subdivision one of this section and  participates  in  guidelines

        A. 6319                            37

     1  approved under this section shall be deemed in compliance with the rele-
     2  vant  provisions of this article if such covered entity is in compliance
     3  with such guidelines.
     4    §  1544.  Digital content forgeries. Not later than one year after the
     5  effective date of this article, and annually thereafter,  the  secretary
     6  of  state  or  the secretary's designee shall publish a report regarding
     7  digital content forgeries. Each report under this section shall  include
     8  the following:
     9    1.  A  definition of digital content forgeries along with accompanying
    10  explanatory materials.
    11    2. A description of the common sources of digital content forgeries in
    12  the United States and commercial  sources  of  digital  content  forgery
    13  technologies.
    14    3.  An  assessment  of  the  uses,  applications, and harms of digital
    15  content forgeries.
    16    4. An analysis of the methods  and  standards  available  to  identify
    17  digital  content  forgeries  as  well as a description of the commercial
    18  technological counter-measures that are, or could be,  used  to  address
    19  concerns with digital content forgeries, which may include the provision
    20  of warnings to viewers of suspect content.
    21    5.  A description of the types of digital content forgeries, including
    22  those used to commit fraud, cause harm, or violate any provision of law.
    23    6. Any other information determined appropriate by  the  secretary  of
    24  state or the secretary's designee.
    25                                   TITLE V
    26                ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
    27  Section 1550. Enforcement by the division of consumer protection.
    28          1551. Enforcement by the attorney general.
    29          1552. Enforcement by persons.
    30          1553. Construction.
    31          1554. Severability.
    32    § 1550. Enforcement  by the division of consumer protection. 1.(a) The
    33  division shall establish within the division a new bureau to be known as
    34  the "bureau of privacy" ("the bureau") related  to  consumer  protection
    35  and competition.
    36    (b)  The  mission  of  the  bureau  shall be to assist the division in
    37  carrying out the duties of the division under this article  and  related
    38  duties under other provisions of law.
    39    (c)  The  bureau  shall be established, staffed, and fully operational
    40  not later than one year after the effective date of this article.
    41    2. The director of the bureau shall establish  within  the  bureau  an
    42  office  to  be  known  as the "office of business mentorship" to provide
    43  guidance and education to covered entities and service providers regard-
    44  ing compliance with this article. Covered entities or service  providers
    45  may  request  advice from the division or the office of business mentor-
    46  ship with respect to a course of  action  that  the  covered  entity  or
    47  service  provider proposes to pursue and that may relate to the require-
    48  ments of this article.
    49    3. (a) A violation of this article or of a rule or regulation  promul-
    50  gated  under  this  article  shall  be  treated as a violation of a rule
    51  defining an unfair or deceptive act or practice.
    52    (b) (i) Except as provided in paragraphs (c), (d),  and  (e)  of  this
    53  subdivision, the division shall enforce this article and the regulations
    54  promulgated under this article.
    55    (ii)  Any  person  who  violates  this article or a rule or regulation
    56  promulgated under this article shall be subject  to  the  penalties  and

        A. 6319                            38

     1  entitled  to the privileges and immunities provided in the Federal Trade
     2  Division Act (15 U.S.C. 41 et seq.).
     3    (c)  If  the  division  brings  a civil action alleging that an act or
     4  practice violates this article or a regulation  promulgated  under  this
     5  article,  the division may not seek a cease and desist order against the
     6  same defendant to stop that same act or practice  on  the  grounds  that
     7  such act or practice constitutes an unfair or deceptive act or practice.
     8    (d) Notwithstanding any jurisdictional limitation of the division with
     9  respect  to  consumer  protection or privacy, the division shall enforce
    10  this article and the rules and regulations promulgated under this  arti-
    11  cle, in the same manner provided in paragraphs (a), (b), (c), and (e) of
    12  this  subdivision, with respect to common carriers subject to the Commu-
    13  nications Act of 1934 (47 U.S.C. 151 et seq.) and  all  acts  amendatory
    14  thereof  and  supplementary  thereto  and organizations not organized to
    15  carry on business for their own profit or that of their members.
    16    (e) In any judicial or administrative action to enforce  this  article
    17  or  a  rule  or regulation promulgated under this article, the amount of
    18  any civil penalty obtained against a covered entity or service provider,
    19  or any other monetary relief ordered to be paid by a covered  entity  or
    20  service  provider  to  provide  redress, payment, compensation, or other
    21  relief to individuals that cannot be located or  the  payment  of  which
    22  would  otherwise not be practicable, shall be deposited into the privacy
    23  and security victims relief fund established by section  eighty-five  of
    24  the state finance law.
    25    §  1551.  Enforcement by the attorney general. 1. In any case in which
    26  the attorney general has reason to believe that an interest of the resi-
    27  dents of that state has been, may be, or  is  adversely  affected  by  a
    28  violation  of  this article or of a rule or regulation promulgated under
    29  this article by a covered  entity  or  service  provider,  the  attorney
    30  general  may  bring  a  civil  action or special proceeding to recover a
    31  civil penalty provided for by this article in  any  court  of  competent
    32  jurisdiction  in  this  state, in the name of the people of the state of
    33  New York to:
    34    (a) enjoin such act or practice;
    35    (b) enforce compliance with this article or such rule or regulation;
    36    (c) obtain damages, civil penalties,  restitution,  or  other  compen-
    37  sation on behalf of the residents of the state; or
    38    (d)  obtain  reasonable  attorneys'  fees  and  other litigation costs
    39  reasonably incurred.
    40    2. (a) Except as provided in paragraph (b) of  this  subdivision,  the
    41  attorney  general shall notify the division in writing prior to initiat-
    42  ing a civil action under subdivision one of this section. Such notifica-
    43  tion shall include a copy of the complaint to be filed to initiate  such
    44  action.  Upon receiving such notification, the division may intervene in
    45  such action as a matter of right.
    46    (b)  If  the notification required by paragraph (a) of this section is
    47  not feasible, the attorney general shall notify the division immediately
    48  after initiating the civil action.
    49    3. In any case in which a civil action is instituted by or  on  behalf
    50  of the division for violation of this article or of a rule or regulation
    51  promulgated  under  this  article,  no  attorney general may, during the
    52  pendency of such action, institute a civil action against any  defendant
    53  named  in  the complaint in the action instituted by or on behalf of the
    54  division for a violation of this article or  of  a  rule  or  regulation
    55  promulgated  under  this  article  that is alleged in such complaint, if
    56  such complaint alleges such violation  affected  the  residents  of  the

        A. 6319                            39

     1  state  or  individuals nationwide. If the division brings a civil action
     2  against a covered entity or service provider for  a  violation  of  this
     3  article  or  of a rule or regulation promulgated under this article that
     4  affects the interests of the residents of the state, the attorney gener-
     5  al may intervene in such action as a matter of right.
     6    4.  Nothing  in  this section may be construed to prevent the attorney
     7  general from exercising the powers conferred on the attorney general  to
     8  conduct  investigations,  to  administer  oaths  or  affirmations, or to
     9  compel the attendance of witnesses or the production of  documentary  or
    10  other evidence.
    11    5. Except as provided in subdivision three of this section, nothing in
    12  this  section  may  be construed as altering, limiting, or affecting the
    13  authority of the attorney general to exercise the  powers  conferred  on
    14  the  attorney general by the laws of the state, including the ability to
    15  conduct investigations, administer oaths or affirmations, or compel  the
    16  attendance  of  witnesses  or  the  production  of  documentary or other
    17  evidence.
    18    § 1552. Enforcement by persons. 1. (a) Beginning on the date  that  is
    19  two  years after the effective date of this article, any person or class
    20  of persons for a violation of this article or of a  rule  or  regulation
    21  promulgated  under  this article by a covered entity or service provider
    22  may bring a civil action against such entity in any court  of  competent
    23  jurisdiction.
    24    (b)  In a civil action brought under paragraph (a) of this subdivision
    25  in which a plaintiff prevails, the court may award the plaintiff:
    26    (i) an amount equal to the sum of any compensatory damages;
    27    (ii) injunctive relief;
    28    (iii) declaratory relief; and
    29    (iv) reasonable attorney's fees and litigation costs.
    30    (c) (i) Prior to a person bringing a civil action under paragraph  (a)
    31  of  this  subdivision,  such  person  shall  notify the division and the
    32  attorney general in writing that such person intends to bring such civil
    33  action. Upon receiving such notice, the division  and  attorney  general
    34  shall  each  or  jointly make a determination and respond to such person
    35  not later than sixty days after receiving such  notice,  as  to  whether
    36  they will intervene in such action.
    37    (ii)  Subparagraph  (i)  of  this  paragraph shall not be construed to
    38  limit the authority of the division or the  attorney  general  to  later
    39  commence  a  proceeding  or  civil  action or intervene by motion if the
    40  division or the attorney general does not commence a proceeding or civil
    41  action within the sixty-day period.
    42    (iii) Any written communication from counsel for an aggrieved party to
    43  a covered entity or service provider requesting a monetary payment  from
    44  that  covered  entity  or  service  provider  regarding a specific claim
    45  described in a letter sent pursuant to subdivision four of this section,
    46  not including filings in court  proceedings,  arbitrations,  mediations,
    47  judgment collection processes, or other communications related to previ-
    48  ously  initiated litigation or arbitrations, shall be considered to have
    49  been sent in bad faith and shall be unlawful as defined in this article,
    50  if the written communication was sent prior to the date  that  is  sixty
    51  days  after either a state attorney general or the division has received
    52  the notice required under subparagraph (i) of this paragraph.
    53    (d) Beginning on the date that is five years after the effective  date
    54  of  this  article  and  every  five years thereafter, the division shall
    55  conduct a study to determine the economic impacts in the  United  States
    56  of  demand  letters  sent  pursuant to this section and the scope of the

        A. 6319                            40

     1  rights of a person under this  section  to  bring  forth  civil  actions
     2  against covered entities and service providers. Such study shall include
     3  the following:
     4    (i) The impact on insurance rates in the state.
     5    (ii)  The  impact  on  the  ability  of  covered entities to offer new
     6  products or services.
     7    (iii) The impact on the creation and growth of new startup  companies,
     8  including new technology companies.
     9    (iv)  Any  emerging  risks, benefits, and long-term trends in relevant
    10  marketplaces, supply chains, and labor availability.
    11    (v) The impact on reducing, preventing, or remediating harms to  indi-
    12  viduals,  including  from  fraud,  identity theft, spam, discrimination,
    13  defective products, and violations of rights.
    14    (vi) The impact on the volume and severity of data security incidents,
    15  and the ability to respond to data security incidents.
    16    (vii) Other intangible direct and indirect costs and benefits to indi-
    17  viduals.
    18    (e) Not later than five years after the first day on which persons and
    19  classes of persons are able to bring civil actions under  this  subdivi-
    20  sion,  and every five years thereafter, the division shall submit to the
    21  governor and the legislature a report that contains the results  of  the
    22  study conducted under paragraph (d) of this subdivision.
    23    2.  (a) (i) Notwithstanding any other provision of law, no pre-dispute
    24  arbitration agreement with respect to an individual  under  the  age  of
    25  eighteen  is  enforceable  with  regard  to a dispute arising under this
    26  article.
    27    (ii) Notwithstanding any other provision of law, no pre-dispute  arbi-
    28  tration  agreement is enforceable with regard to a dispute arising under
    29  this article concerning a  claim  related  to  gender  or  partner-based
    30  violence or physical harm.
    31    (b)  Notwithstanding any other provision of law, no pre-dispute joint-
    32  action waiver with respect to an individual under the age of eighteen is
    33  enforceable with regard to a dispute arising under this article.
    34    (c) For purposes of this subdivision:
    35    (i) "Pre-dispute arbitration agreement" means any agreement  to  arbi-
    36  trate  a  dispute  that  has not arisen at the time of the making of the
    37  agreement.
    38    (ii) "Pre-dispute joint-action waiver" means an agreement, whether  or
    39  not  part of a pre-dispute arbitration agreement, that would prohibit or
    40  waive the right of one of the parties to the agreement to participate in
    41  a joint, class, or collective action in a judicial,  arbitral,  adminis-
    42  trative,  or  other related forum, concerning a dispute that has not yet
    43  arisen at the time of the making of the agreement.
    44    3. (a) Subject to paragraph (c) of this subdivision, with respect to a
    45  claim under this section for:
    46    (i) injunctive relief; or
    47    (ii) an action against a covered entity or service provider that meets
    48  the requirements of section fifteen hundred twenty-eight of  this  arti-
    49  cle, such claim may be brought by a person or class of persons if, prior
    50  to  asserting such claim, the person or class of persons provides to the
    51  covered entity or service provider forty-five days' written notice iden-
    52  tifying the specific provisions of this article the person or  class  of
    53  persons alleges have been or are being violated.
    54    (b)  Subject to paragraph (c) of this subdivision, in the event a cure
    55  is possible, if within the forty-five days the covered entity or service
    56  provider demonstrates to  the  court  that  it  has  cured  the  noticed

        A. 6319                            41

     1  violation  or  violations and provides the person or class of persons an
     2  express written statement that the  violation  or  violations  has  been
     3  cured and that no further violations shall occur, a claim for injunctive
     4  relief shall not be permitted and may be reasonably dismissed.
     5    (c)  The notice described in paragraph (a) of this subdivision and the
     6  reasonable dismissal in paragraph (b)  of  this  subdivision  shall  not
     7  apply  more  than  once  to any alleged underlying violation by the same
     8  covered entity.
     9    4. If a person or identified members of a class of persons represented
    10  by counsel in regard to an alleged violation or violations of the  arti-
    11  cle  and has correspondence sent to a covered entity or service provider
    12  by counsel alleging a violation or violations of the provisions of  this
    13  article  and  requests  a  monetary  payment,  such correspondence shall
    14  include the following language:  "Please visit the website  of  the  New
    15  York  State Division of Consumer Protection for a general description of
    16  your rights under the New York Data Privacy and Protection Act" followed
    17  by a hyperlink to the webpage of the  division  required  under  section
    18  fifteen  hundred twenty of this article. If such correspondence does not
    19  include such language and hyperlink, a civil action brought  under  this
    20  section  by  such  person  or identified members of the class of persons
    21  represented by counsel may be dismissed without prejudice and shall  not
    22  be reinstated until such person or persons has complied with this subdi-
    23  vision.
    24    5.  (a)  This section shall only apply to a claim alleging a violation
    25  of section fifteen hundred eleven,  fifteen  hundred  thirteen,  fifteen
    26  hundred  twenty-one, fifteen hundred twenty-two, fifteen hundred twenty-
    27  three, subdivision one or two of section  fifteen  hundred  twenty-four,
    28  paragraph  (iii)  of  subdivision two of section fifteen hundred twenty-
    29  five, subdivision one of section fifteen hundred twenty-six, subdivision
    30  one of section fifteen hundred twenty-seven, or section fifteen  hundred
    31  forty-one  of this article, or of a rule or regulation promulgated under
    32  any such section.
    33    (b) This section shall not apply to any claim against a covered entity
    34  that has less than twenty-five million  dollars  per  year  in  revenue,
    35  collects,  processes,  or transfers the covered data of fewer than fifty
    36  thousand individuals, and derives less than fifty percent of its revenue
    37  from transferring covered data.
    38    § 1553. Construction. 1. Nothing in this article or in a rule or regu-
    39  lation promulgated under this article may  be  construed  to  limit  the
    40  authority  of  the  division,  or  any other executive agency, under any
    41  other provision of law.
    42    2. (a) Nothing in this article or in a rule or regulation  promulgated
    43  under  this  article may be construed to modify, impair or supersede the
    44  operation of the antitrust law or any other provision of law.
    45    (b) Nothing in this article or in a  rule  or  regulation  promulgated
    46  under  this  article  shall  be  construed as operating to limit any law
    47  deterring anticompetitive conduct  or  diminishing  the  need  for  full
    48  application  of the federal antitrust law. Nothing in this article or in
    49  a rule or  regulation  promulgated  under  this  article  explicitly  or
    50  implicitly precludes the application of the antitrust law.
    51    (c)  For purposes of this section, the term antitrust law has the same
    52  meaning as in subsection (a) of the first section of the Clayton Act (15
    53  U.S.C. 12), except that such term includes  section  5  of  the  Federal
    54  Trade  Division  Act  (15  U.S.C.  45) to the extent that such section 5
    55  applies to unfair methods of competition.

        A. 6319                            42

     1    3. (a) A covered entity that is required to comply with title V of the
     2  Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health  Information
     3  Technology  for  Economic  and  Clinical  Health Act (42 U.S.C. 17931 et
     4  seq.), part C of title XI of the Social Security Act (42 U.S.C.    1320d
     5  et  seq.),  the  Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), the
     6  Family Educational Rights and Privacy Act (20 U.S.C. 1232g; part  99  of
     7  title 34, Code of Federal Regulations) to the extent such covered entity
     8  is  a  school as defined in 20 U.S.C.  1232g(a)(3) or 34 C.F.R. 99.1(a),
     9  section 444 of the General Education Provisions Act (commonly  known  as
    10  the  "Family  Educational  Rights  and  Privacy Act of 1974") (20 U.S.C.
    11  1232g) and part 99 of title 34, Code  of  Federal  Regulations  (or  any
    12  successor  regulation),  the  Confidentiality  of Alcohol and Drug Abuse
    13  Patient Records at 42 U.S.C. 290dd-2 and its implementing regulations at
    14  42 CFR part 2, the Genetic Information Non-discrimination Act (GINA), or
    15  the regulations promulgated pursuant to section  264(c)  of  the  Health
    16  Insurance  Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2
    17  note), and is in compliance with the data privacy requirements  of  such
    18  regulations,  part, title, or Act (as applicable), shall be deemed to be
    19  in compliance with the related requirements of this article, except  for
    20  section  fifteen hundred twenty-seven of this article, solely and exclu-
    21  sively with respect to data subject to the requirements  of  such  regu-
    22  lations,  part, title, or Act.  Not later than one year after the effec-
    23  tive date of this article, the division shall issue guidance  describing
    24  the implementation of this paragraph.
    25    (b)  A  covered  entity that is required to comply with title V of the
    26  Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the Health  Information
    27  Technology  for  Economic  and  Clinical  Health Act (42 U.S.C. 17931 et
    28  seq.), part C of title XI of the Social Security Act (42 U.S.C. 1320d et
    29  seq.), or the regulations promulgated pursuant to section 264(c) of  the
    30  Health  Insurance  Portability and Accountability Act of 1996 (42 U.S.C.
    31  1320d-2 note), and  is  in  compliance  with  the  information  security
    32  requirements  of  such regulations, part, title, or Act (as applicable),
    33  shall be deemed to be in compliance with  the  requirements  of  section
    34  fifteen  hundred  twenty-seven  of  this article, solely and exclusively
    35  with respect to data subject to the requirements  of  such  regulations,
    36  part, title, or Act. Not later than one year after the effective date of
    37  this article, the division shall issue guidance describing the implemen-
    38  tation of this paragraph.
    39    4.  Nothing  in  this  article,  nor  any  amendment,  standard, rule,
    40  requirement, assessment, or regulation promulgated under  this  article,
    41  may  be construed to preempt, displace, or supplant any federal or state
    42  common law rights or remedies, or any  statute  creating  a  remedy  for
    43  civil  relief, including any cause of action for personal injury, wrong-
    44  ful death, property damage, or other financial, physical,  reputational,
    45  or  psychological injury based in negligence, strict liability, products
    46  liability, failure to warn, an objectively offensive intrusion into  the
    47  private affairs or concerns of the individual, or any other legal theory
    48  of  liability under any federal or state common law, or any state statu-
    49  tory law.
    50    § 1554. Severability. If any provision of this article, or the  appli-
    51  cation  thereof  to  any  person  or  circumstance, is held invalid, the
    52  remainder of this article, and the  application  of  such  provision  to
    53  other  persons  not  similarly situated or to other circumstances, shall
    54  not be affected by the invalidation.
    55    § 2. The state finance law is amended by adding a new  section  85  to
    56  read as follows:

        A. 6319                            43

     1    §  85.  Privacy  and  security victims relief fund. 1. There is hereby
     2  established in the custody of the state comptroller a special fund to be
     3  known as the privacy and security victims relief fund.
     4    2.  Such  fund shall consist of all moneys required to be deposited in
     5  the privacy and security victims relief fund pursuant to the  provisions
     6  of  section  fifteen hundred fifty of the general business law, together
     7  with moneys appropriated for the purpose of such fund, all moneys trans-
     8  ferred to such fund pursuant to law, contributions consisting  of  prom-
     9  ises  or  grants  of  any money or property of any kind or value, or any
    10  other thing of value, including grants  or  other  financial  assistance
    11  from  any agency of government and all moneys required by the provisions
    12  of this section or any other law to be paid into  or  credited  to  this
    13  fund.
    14    3.  Moneys  of  the  fund,  when  allocated, shall be available to the
    15  director of the division of consumer protection and shall be used, with-
    16  out fiscal year limitation:
    17    (a) to provide  redress,  payment,  compensation,  or  other  monetary
    18  relief  to  individuals  affected by an act or practice for which relief
    19  has been obtained under article forty-five of the general business  law;
    20  and
    21    (b)  to  the extent that the individuals described in paragraph (a) of
    22  this subdivision cannot be located or such  redress,  payments,  compen-
    23  sation,  or  other  monetary  relief  are otherwise not practicable, the
    24  division of consumer protection may use such funds for the purpose of:
    25    (i) funding the activities of the office of business mentorship estab-
    26  lished under subdivision two of section fifteen  hundred  fifty  of  the
    27  general business law; or
    28    (ii)  engaging in technological research that the division of consumer
    29  protection considers necessary to enforce or administer  article  forty-
    30  five of the general business law.
    31    4.  The  moneys  when  allocated, shall be paid out of the fund on the
    32  audit and warrant of the comptroller on vouchers certified  or  approved
    33  by the director of the division of consumer protection, or by an officer
    34  or  employee  of  the  division of consumer protection designated by the
    35  director.
    36    5. The director of the division of consumer protection  shall  promul-
    37  gate  rules  and regulations pertaining to the allocation of moneys from
    38  this fund.
    39    § 3. This act shall take effect on the one hundred eightieth day after
    40  it shall have become a law.