Bill Text: NY A07191 | 2017-2018 | General Assembly | Amended


Bill Title: Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.

Spectrum: Moderate Partisan Bill (Democrat 36-5)

Status: (Engrossed - Dead) 2018-06-19 - REFERRED TO RULES [A07191 Detail]

Download: New_York-2017-A07191-Amended.html


                STATE OF NEW YORK
        ________________________________________________________________________
                                         7191--B
                               2017-2018 Regular Sessions
                   IN ASSEMBLY
                                     April 12, 2017
                                       ___________
        Introduced  by  M.  of  A.  WALLACE,  ZEBROWSKI,  ROZIC,  JOHNS,  STECK,
          PHEFFER AMATO, MORINELLO, McDONOUGH,  OTIS,  BRINDISI,  GALEF,  LOPEZ,
          SKOUFIS,  JAFFEE, BUCHWALD, DICKENS, SIMOTAS, ROSENTHAL, LIFTON, SIMA-
          NOWITZ, COLTON,  HYNDMAN,  GOTTFRIED,  SIMON,  RAIA,  PICHARDO,  RYAN,
          JONES,  D'URSO,  LUPARDO,  BRONSON, WRIGHT, STIRPE, SKARTADOS, CAHILL,
          SOLAGES -- Multi-Sponsored by -- M. of A. COOK, CROUCH  --  read  once
          and  referred  to  the Committee on Consumer Affairs and Protection --
          committee discharged, bill amended, ordered reprinted as  amended  and
          recommitted  to said committee -- reported and referred to the Commit-
          tee on Codes -- committee discharged, bill amended, ordered  reprinted
          as amended and recommitted to said committee
        AN ACT to amend the general business law, in relation to prohibiting the
          disclosure  of  personally  identifiable  information  by  an internet
          service provider without the express written approval of the consumer
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section 1. The general business law is amended by adding a new section
     2  399-k to read as follows:
     3    §  399-k.  Disclosure  of  personally  identifiable  information by an
     4  internet service provider; prohibited.  1.  For  the  purposes  of  this
     5  section the following terms shall have the following meanings:
     6    (a)  "Consumer"  means a person who agrees to pay a fee to an internet
     7  service provider for access to the internet  for  personal,  family,  or
     8  household purposes, and who does not resell access.
     9    (b) "Internet service provider" (ISP) means a business entity or indi-
    10  vidual  who  provides consumers authenticated access to, or presence on,
    11  the internet by means of  a  switched  or  dedicated  telecommunications
    12  channel  upon  which  the  provider provides transit routing of internet
    13  protocol packets for and on behalf of  the  consumer.  Internet  service
    14  provider  does  not  include the offering, on a common carrier basis, of
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD10928-07-7

        A. 7191--B                          2
     1  telecommunications facilities or of telecommunications by means of these
     2  facilities.
     3    (c) "Personally identifiable information" means information that iden-
     4  tifies:
     5    (i) a consumer by physical or electronic address or telephone number;
     6    (ii)  a  consumer's internet search history or internet usage history;
     7  or
     8    (iii) any of the contents of a consumer's data-storage devices.
     9    2. Except as provided in subdivisions three and four of this  section,
    10  an  ISP shall not knowingly disclose personally identifiable information
    11  resulting from the consumer's use of the telecommunications or ISP with-
    12  out express written approval from the consumer.
    13    (a) A telecommunications or ISP that  has  entered  into  a  franchise
    14  agreement,  right-of-way  agreement, or other contract with the state of
    15  New York or any political subdivision thereof, or that  uses  facilities
    16  that  are  subject  to such agreements, even if it is not a party to the
    17  agreement, shall not collect nor disclose personal  information  from  a
    18  consumer  resulting from the consumer's use of the telecommunications or
    19  ISP without express written approval from the consumer; and
    20    (b) No such telecommunication or  ISP  shall  refuse  to  provide  its
    21  services to a consumer on the grounds that the consumer has not approved
    22  the collection or disclosure of the consumer's personal information.
    23    3.  An ISP may disclose personally identifiable information concerning
    24  a consumer:
    25    (a) pursuant to a grand jury subpoena, in accordance with  subdivision
    26  eight of section 190.30 of the criminal procedure law;
    27    (b)  pursuant  to  a  warrant  issued  in  accordance with article six
    28  hundred ninety or article seven hundred of the criminal procedure law;
    29    (c) pursuant to a court order in a pending criminal proceeding upon  a
    30  showing  that  such  personally identifiable information is relevant and
    31  material to such criminal action or proceeding;
    32    (d) pursuant to a court order in a pending  civil  proceeding  upon  a
    33  showing  of compelling need for such information that cannot be accommo-
    34  dated by other means;
    35    (e) to a court in a civil action for conversion commenced by  the  ISP
    36  or  in  a civil action to enforce collection of unpaid subscription fees
    37  or purchase amounts, and then only to the extent necessary to  establish
    38  the fact of the subscription delinquency or purchase agreement, and with
    39  appropriate safeguards against unauthorized disclosure;
    40    (f)  to the consumer who is the subject of the information, upon writ-
    41  ten or electronic request and upon payment of any fee not to exceed  the
    42  actual cost of retrieving the information;
    43    (g)  to another ISP for purposes of reporting or preventing violations
    44  of the published acceptable use policy or consumer service agreement  of
    45  the  ISP;  except that the recipient may further disclose the personally
    46  identifiable information only as provided by this chapter; or
    47    (h) to any person with the authorization of the consumer.
    48    4. (a) The ISP shall  obtain  the  consumer's  authorization  for  the
    49  disclosure of personally identifiable information in writing or by elec-
    50  tronic means.
    51    (b)  The  request for authorization must reasonably describe the types
    52  of persons to whom personally identifiable information may be  disclosed
    53  and the anticipated uses of the information.
    54    (c)  In order for an authorization to be effective, a contract between
    55  an ISP and the consumer  must  state  that  the  authorization  will  be
    56  obtained by an affirmative act of the consumer.

        A. 7191--B                          3
     1    (d) The provision in the contract must be conspicuous.
     2    (e) Authorization shall be obtained in a manner consistent with guide-
     3  lines  issued  by representatives of the ISP or online industries, or in
     4  any other manner reasonably designed to comply with this section.
     5    5. The ISP shall take all reasonable and necessary steps  to  maintain
     6  the  security and privacy of a consumer's personally identifiable infor-
     7  mation.
     8    6. A consumer who prevails or  substantially  prevails  in  an  action
     9  brought  under  this  section is entitled to the greater of five hundred
    10  dollars or actual damages. Costs, disbursements, and reasonable attorney
    11  fees may be awarded to a party awarded damages for a violation  of  this
    12  section.  The  action  available under this section is exempted from any
    13  mandatory arbitration clauses that may exist in the contract between the
    14  ISP and the consumer. In a civil action under this  section,  it  is  an
    15  affirmative  defense  that  such  information  was released or otherwise
    16  available in violation of this section notwithstanding reasonable  prac-
    17  tices established and implemented by the defendant to prevent violations
    18  of this section.
    19    7.  This  section does not limit any greater protection of the privacy
    20  of information under other law, except that:
    21    (a) nothing in this section shall be deemed  to  limit  the  authority
    22  under  other  state or federal law of law enforcement to obtain informa-
    23  tion; and
    24    (b) if federal law is enacted that regulates the release of personally
    25  identifiable information by ISPs but does not preempt state law  on  the
    26  subject, state law prevails.
    27    §  2.  This  act shall take effect on the ninetieth day after it shall
    28  have become a law.
feedback