Bill Text: NY A07191 | 2017-2018 | General Assembly | Amended
Bill Title: Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.
Spectrum: Moderate Partisan Bill (Democrat 36-5)
Status: (Engrossed - Dead) 2018-06-19 - REFERRED TO RULES [A07191 Detail]
Download: New_York-2017-A07191-Amended.html
STATE OF NEW YORK ________________________________________________________________________ 7191--B 2017-2018 Regular Sessions IN ASSEMBLY April 12, 2017 ___________ Introduced by M. of A. WALLACE, ZEBROWSKI, ROZIC, JOHNS, STECK, PHEFFER AMATO, MORINELLO, McDONOUGH, OTIS, BRINDISI, GALEF, LOPEZ, SKOUFIS, JAFFEE, BUCHWALD, DICKENS, SIMOTAS, ROSENTHAL, LIFTON, SIMA- NOWITZ, COLTON, HYNDMAN, GOTTFRIED, SIMON, RAIA, PICHARDO, RYAN, JONES, D'URSO, LUPARDO, BRONSON, WRIGHT, STIRPE, SKARTADOS, CAHILL, SOLAGES -- Multi-Sponsored by -- M. of A. COOK, CROUCH -- read once and referred to the Committee on Consumer Affairs and Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- reported and referred to the Commit- tee on Codes -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the general business law, in relation to prohibiting the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The general business law is amended by adding a new section 2 399-k to read as follows: 3 § 399-k. Disclosure of personally identifiable information by an 4 internet service provider; prohibited. 1. For the purposes of this 5 section the following terms shall have the following meanings: 6 (a) "Consumer" means a person who agrees to pay a fee to an internet 7 service provider for access to the internet for personal, family, or 8 household purposes, and who does not resell access. 9 (b) "Internet service provider" (ISP) means a business entity or indi- 10 vidual who provides consumers authenticated access to, or presence on, 11 the internet by means of a switched or dedicated telecommunications 12 channel upon which the provider provides transit routing of internet 13 protocol packets for and on behalf of the consumer. Internet service 14 provider does not include the offering, on a common carrier basis, of EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD10928-07-7A. 7191--B 2 1 telecommunications facilities or of telecommunications by means of these 2 facilities. 3 (c) "Personally identifiable information" means information that iden- 4 tifies: 5 (i) a consumer by physical or electronic address or telephone number; 6 (ii) a consumer's internet search history or internet usage history; 7 or 8 (iii) any of the contents of a consumer's data-storage devices. 9 2. Except as provided in subdivisions three and four of this section, 10 an ISP shall not knowingly disclose personally identifiable information 11 resulting from the consumer's use of the telecommunications or ISP with- 12 out express written approval from the consumer. 13 (a) A telecommunications or ISP that has entered into a franchise 14 agreement, right-of-way agreement, or other contract with the state of 15 New York or any political subdivision thereof, or that uses facilities 16 that are subject to such agreements, even if it is not a party to the 17 agreement, shall not collect nor disclose personal information from a 18 consumer resulting from the consumer's use of the telecommunications or 19 ISP without express written approval from the consumer; and 20 (b) No such telecommunication or ISP shall refuse to provide its 21 services to a consumer on the grounds that the consumer has not approved 22 the collection or disclosure of the consumer's personal information. 23 3. An ISP may disclose personally identifiable information concerning 24 a consumer: 25 (a) pursuant to a grand jury subpoena, in accordance with subdivision 26 eight of section 190.30 of the criminal procedure law; 27 (b) pursuant to a warrant issued in accordance with article six 28 hundred ninety or article seven hundred of the criminal procedure law; 29 (c) pursuant to a court order in a pending criminal proceeding upon a 30 showing that such personally identifiable information is relevant and 31 material to such criminal action or proceeding; 32 (d) pursuant to a court order in a pending civil proceeding upon a 33 showing of compelling need for such information that cannot be accommo- 34 dated by other means; 35 (e) to a court in a civil action for conversion commenced by the ISP 36 or in a civil action to enforce collection of unpaid subscription fees 37 or purchase amounts, and then only to the extent necessary to establish 38 the fact of the subscription delinquency or purchase agreement, and with 39 appropriate safeguards against unauthorized disclosure; 40 (f) to the consumer who is the subject of the information, upon writ- 41 ten or electronic request and upon payment of any fee not to exceed the 42 actual cost of retrieving the information; 43 (g) to another ISP for purposes of reporting or preventing violations 44 of the published acceptable use policy or consumer service agreement of 45 the ISP; except that the recipient may further disclose the personally 46 identifiable information only as provided by this chapter; or 47 (h) to any person with the authorization of the consumer. 48 4. (a) The ISP shall obtain the consumer's authorization for the 49 disclosure of personally identifiable information in writing or by elec- 50 tronic means. 51 (b) The request for authorization must reasonably describe the types 52 of persons to whom personally identifiable information may be disclosed 53 and the anticipated uses of the information. 54 (c) In order for an authorization to be effective, a contract between 55 an ISP and the consumer must state that the authorization will be 56 obtained by an affirmative act of the consumer.A. 7191--B 3 1 (d) The provision in the contract must be conspicuous. 2 (e) Authorization shall be obtained in a manner consistent with guide- 3 lines issued by representatives of the ISP or online industries, or in 4 any other manner reasonably designed to comply with this section. 5 5. The ISP shall take all reasonable and necessary steps to maintain 6 the security and privacy of a consumer's personally identifiable infor- 7 mation. 8 6. A consumer who prevails or substantially prevails in an action 9 brought under this section is entitled to the greater of five hundred 10 dollars or actual damages. Costs, disbursements, and reasonable attorney 11 fees may be awarded to a party awarded damages for a violation of this 12 section. The action available under this section is exempted from any 13 mandatory arbitration clauses that may exist in the contract between the 14 ISP and the consumer. In a civil action under this section, it is an 15 affirmative defense that such information was released or otherwise 16 available in violation of this section notwithstanding reasonable prac- 17 tices established and implemented by the defendant to prevent violations 18 of this section. 19 7. This section does not limit any greater protection of the privacy 20 of information under other law, except that: 21 (a) nothing in this section shall be deemed to limit the authority 22 under other state or federal law of law enforcement to obtain informa- 23 tion; and 24 (b) if federal law is enacted that regulates the release of personally 25 identifiable information by ISPs but does not preempt state law on the 26 subject, state law prevails. 27 § 2. This act shall take effect on the ninetieth day after it shall 28 have become a law.