Bill Text: NY A08526 | 2019-2020 | General Assembly | Introduced


Bill Title: Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared; creates a special account to fund a new office of privacy and data protection.

Spectrum: Partisan Bill (Democrat 4-0)

Status: (Introduced) 2019-08-07 - referred to consumer affairs and protection [A08526 Detail]

Download: New_York-2019-A08526-Introduced.html



                STATE OF NEW YORK
        ________________________________________________________________________

                                          8526

                               2019-2020 Regular Sessions

                   IN ASSEMBLY

                                     August 7, 2019
                                       ___________

        Introduced  by  M.  of  A. L. ROSENTHAL -- read once and referred to the
          Committee on Consumer Affairs and Protection

        AN ACT to amend the general business law, in relation to the  management
          and oversight of personal data

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Short title. This act may be known and cited  as  the  "New
     2  York privacy act".
     3    § 2. The general business law is amended by adding a new article 42 to
     4  read as follows:
     5                                 ARTICLE 42
     6                            NEW YORK PRIVACY ACT
     7  Section 1100. Definitions.
     8          1101. Jurisdictional scope.
     9          1102. Data fiduciary.
    10          1103. Consumer rights.
    11          1104. Transparency.
    12          1105. Responsibility according to role.
    13          1106. De-identified data.
    14          1107. Exemptions.
    15          1108. Liability.
    16          1109. Enforcement.
    17          1110. Preemption.
    18    §  1100. Definitions. The definitions in this article apply unless the
    19  context clearly requires otherwise:
    20    1. "Affiliate" means a legal entity that controls, is  controlled  by,
    21  or  is under common control with, another legal entity, where the entity
    22  holds itself out as affiliated or under common  ownership  such  that  a
    23  consumer  acting  reasonably  under  the  circumstances would anticipate
    24  their personal data being provided to an affiliate.

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD10868-05-9

        A. 8526                             2

     1    2. "Consent" means a  clear  affirmative  act  establishing  a  freely
     2  given,  specific,  informed,  and unambiguous indication of a consumer's
     3  agreement to the processing of personal data relating to  the  consumer,
     4  such as by a written statement or other clear affirmative action.
     5    3.  "Consumer"  means  a natural person who is a New York resident. It
     6  does not include an employee or contractor of a business acting in their
     7  role as an employee or contractor.
     8    4. "Controller" means the natural or legal person who, alone or joint-
     9  ly with others, determines the purposes and means of the  processing  of
    10  personal data.
    11    5.  "Data  broker"  means  a business, or unit or units of a business,
    12  separately or together, that earns its primary  revenue  from  supplying
    13  data  or inferences about people gathered mainly from sources other than
    14  the data sources themselves.
    15    6. "De-identified data" means:
    16    (a) data that cannot be linked to a known natural person without addi-
    17  tional information not available to the controller; or
    18    (b) data (i) that has been modified to a degree that the risk of re-i-
    19  dentification is small as determined by a person with appropriate  know-
    20  ledge  of  and experience with generally accepted statistical and scien-
    21  tific principles and methods  for  de-identifying  data,  (ii)  that  is
    22  subject to a public commitment by the controller not to attempt to re-i-
    23  dentify the data, and (iii) to which one or more enforceable controls to
    24  prevent  re-identification  has  been  applied.  Enforceable controls to
    25  prevent re-identification may include legal, administrative,  technical,
    26  or contractual controls.
    27    7.  "Developer"  means  a  person  who  creates or modifies the set of
    28  instructions or programs instructing a computer  or  device  to  perform
    29  tasks.
    30    8.  "Identified or identifiable natural person" means a person who can
    31  be identified, directly or indirectly, in  particular  by  reference  to
    32  specific information including, but not limited to, a name, an identifi-
    33  cation number, specific geolocation data, or an online identifier.
    34    9. "Minor" means any person under eighteen years of age.
    35    10.  "Personal  data"  means  information relating to an identified or
    36  identifiable natural person.
    37    (a) "Personal data" includes:
    38    (i) an identifier such as a  real  name,  alias,  signature,  date  of
    39  birth,  gender  identity,  sexual  orientation, marital status, physical
    40  characteristic or description, postal address, telephone number,  unique
    41  personal  identifier, military identification number, online identifier,
    42  Internet Protocol address, email address, account name, mother's  maiden
    43  name,  social security number, driver's license number, passport number,
    44  or other similar identifier;
    45    (ii) information such as employment, employment history, bank  account
    46  number,  credit card number, debit card number, insurance policy number,
    47  or any other financial information, medical information,  mental  health
    48  information, or health insurance information;
    49    (iii) commercial information, including a record of personal property,
    50  income,   assets,  leases,  rentals,  products  or  services  purchased,
    51  obtained, or considered, or other purchasing or consuming history;
    52    (iv) biometric information, including a retina or iris  scan,  finger-
    53  print, voiceprint, or scan of hand or face geometry;
    54    (v) internet or other electronic network activity information, includ-
    55  ing  browsing  history,  search history, content, including text, photo-
    56  graphs, audio or video  recordings,  or  other  user  generated-content,

        A. 8526                             3

     1  non-public  communications,  and  information  regarding an individual's
     2  interaction with an internet website, mobile application, or  advertise-
     3  ment;
     4    (vi) historical or real-time geolocation data;
     5    (vii) audio, electronic, visual, thermal, olfactory, or similar infor-
     6  mation;
     7    (viii)  education  records, as defined in section thirty-three hundred
     8  two of the education law;
     9    (ix) political information or information on criminal  convictions  or
    10  arrests;
    11    (x)  any  required  security  code, access code, password, or username
    12  necessary to permit access to the account of an individual;
    13    (xi) characteristics of protected classes under the human rights  law,
    14  including race, color, national origin, religion, sex, age, or disabili-
    15  ty; or
    16    (xii) an inference drawn from any of the information described in this
    17  paragraph  to  create a profile about an individual reflecting the indi-
    18  vidual's preferences,  characteristics,  psychological  trends,  prefer-
    19  ences, predispositions, behavior, attitudes, intelligence, abilities, or
    20  aptitudes.
    21    (b)  The term personal data does not include publicly available infor-
    22  mation. "Publicly available information":
    23    (i) means information that is lawfully made  available  from  federal,
    24  state, or local government records; and
    25    (ii)  does  not  include  biometric information collected by a covered
    26  entity about an individual without the individual's knowledge, or infor-
    27  mation used for a purpose that is not compatible with  the  purpose  for
    28  which  the  information  is  maintained and made available in government
    29  records.
    30    (c) Personal data does not include de-identified data.
    31    11. "Process" or "processing" means any operation or set of operations
    32  that is performed on personal data or on sets of personal data,  whether
    33  or  not by automated means, such as collection, recording, organization,
    34  structuring, storage, adaptation or alteration, retrieval, consultation,
    35  use, disclosure  by  transmission,  dissemination  or  otherwise  making
    36  available,   alignment   or   combination,   restriction,  deletion,  or
    37  destruction.
    38    12. "Processor" means a natural or legal person who processes personal
    39  data on behalf of the controller.
    40    13. "Profiling" means any form of  automated  processing  of  personal
    41  data consisting of the use of personal data to evaluate certain personal
    42  aspects  relating  to  a  natural  person,  in  particular to analyze or
    43  predict aspects concerning that  natural  person's  economic  situation,
    44  health,   personal   preferences,   interests,   reliability,  behavior,
    45  location, or movements.
    46    14. "Restriction of processing" means the marking of  stored  personal
    47  data  with  the  aim of limiting the processing of such personal data in
    48  the future.
    49    15.(a) "Sale", "sell" or "sold" means the exchange  of  personal  data
    50  for consideration by the controller to a third party.
    51    (b)  "Sale"  does  not  include  the  following: (i) the disclosure of
    52  personal data to a processor who processes the personal data  on  behalf
    53  of the controller; (ii) the disclosure of personal data to a third party
    54  with whom the consumer has a direct relationship for purposes of provid-
    55  ing  a  product  or  service requested by the consumer or otherwise in a
    56  manner that is consistent  with  a  consumer's  reasonable  expectations

        A. 8526                             4

     1  considering the context in which the consumer provided the personal data
     2  to  the controller; (iii) the disclosure or transfer of personal data to
     3  an affiliate of the controller; or (iv) the disclosure  or  transfer  of
     4  personal  data  to  a  third party as an asset that is part of a merger,
     5  acquisition, bankruptcy, or other transaction in which the  third  party
     6  assumes  control of all or part of the controller's assets, if consumers
     7  are notified of the transfer of their data and  of  their  rights  under
     8  this article and affirmatively consent to the disclosure and transfer of
     9  data.
    10    16.  "Targeted  advertising"  means  displaying  advertisements  to  a
    11  consumer where the advertisement is  selected  based  on  personal  data
    12  obtained  or  inferred over time from a consumer's activities across web
    13  sites, applications or online services. It does not include  advertising
    14  to  a  consumer  based  upon the consumer's current visit to a web site,
    15  application, or online service, or in response to the consumer's request
    16  for information or feedback.
    17    17. "Opt-in" means affirmative, express consent of an individual for a
    18  covered entity to use, disclose, or permit access  to  the  individual's
    19  personal data after the individual has received explicit notification of
    20  the request of the covered entity with respect to that data.
    21    §  1101.  Jurisdictional scope. 1. This article applies to legal enti-
    22  ties that conduct business in New York  state  or  produce  products  or
    23  services that are intentionally targeted to residents of New York state.
    24    2. This article does not apply to:
    25    (a) state and local governments;
    26    (b)  personal  data  sets to the extent that they are regulated by the
    27  federal health insurance portability and accountability act of 1996, the
    28  federal health information technology for economic and  clinical  health
    29  act, or the Gramm-Leach-Bliley act of 1999; or
    30    (c) data sets maintained for employment records purposes.
    31    §  1102.  Data  fiduciary.  1. Personal data of consumers shall not be
    32  used, processed or transferred to a third  party,  unless  the  consumer
    33  provides  express  and  documented  consent.  Every legal entity, or any
    34  affiliate of such entity, and every controller and  data  broker,  which
    35  collects,  sells  or  licenses  personal information of consumers, shall
    36  exercise the duty of care, loyalty and  confidentiality  expected  of  a
    37  fiduciary  with  respect  to  securing  the  personal data of a consumer
    38  against a privacy risk; and shall act  in  the  best  interests  of  the
    39  consumer,  without  regard to the interests of the entity, controller or
    40  data broker, in a manner expected by a  reasonable  consumer  under  the
    41  circumstances.
    42    (a)  Every  legal  entity,  or  affiliate  of  such  entity, and every
    43  controller and data broker to which this article applies shall:
    44    (i) reasonably secure personal data from unauthorized access; and
    45    (ii) promptly inform a consumer of any breach of the duty described in
    46  this paragraph with respect to personal data of such consumer.
    47    (b) A legal entity, an affiliate of such entity,  controller  or  data
    48  broker may not use personal data, or data derived from personal data, in
    49  any way that:
    50    (i)  will  benefit  the online service provider to the detriment of an
    51  end user; and
    52    (ii) (A) will result in reasonably foreseeable and  material  physical
    53  or financial harm to a consumer; or
    54    (B) would be unexpected and highly offensive to a reasonable consumer.
    55    (c)  A  legal  entity, or affiliate of such entity, controller or data
    56  broker:

        A. 8526                             5

     1    (i) may not disclose or sell personal data to, or share personal  data
     2  with,  any other person except as consistent with the duties of care and
     3  loyalty under paragraphs (a) and (b) of this subdivision;
     4    (ii) may not disclose or sell personal data to, or share personal data
     5  with,  any  other  person unless that person enters into a contract that
     6  imposes the same duties of care, loyalty, and confidentially toward  the
     7  consumer as are imposed under this section; and
     8    (iii)  shall take reasonable steps to ensure that the practices of any
     9  person to whom the entity, or affiliate of such  entity,  controller  or
    10  data broker discloses or sells, or with whom the entity, or affiliate of
    11  such  entity,  controller  or data broker shares. Personal data fulfills
    12  the duties of care, loyalty, and confidentiality assumed by  the  person
    13  under  the  contract  described  in subparagraph (ii) of this paragraph,
    14  including by auditing, on a regular basis, the data  security  and  data
    15  information  practices  of any such entity, or affiliate of such entity,
    16  controller or data broker.
    17    2. For the purposes of this section  the  term  "privacy  risk"  means
    18  potential adverse consequences to consumers and society arising from the
    19  processing of personal data, including, but not limited to:
    20    (a) direct or indirect financial loss or economic harm;
    21    (b) physical harm;
    22    (c)  psychological  harm,  including anxiety, embarrassment, fear, and
    23  other demonstrable mental trauma;
    24    (d) significant inconvenience or expenditure of time;
    25    (e) adverse outcomes or decisions  with  respect  to  an  individual's
    26  eligibility for rights, benefits or privileges in employment (including,
    27  but  not limited to, hiring, firing, promotion, demotion, compensation),
    28  credit and insurance (including, but not limited to, denial of an appli-
    29  cation or obtaining less favorable terms), housing,  education,  profes-
    30  sional  certification,  or  the  provision  of  health  care and related
    31  services;
    32    (f) stigmatization or reputational harm;
    33    (g) disruption and intrusion from unwanted  commercial  communications
    34  or contacts;
    35    (h) price discrimination;
    36    (i)  effects  on  an  individual  that are not reasonably foreseeable,
    37  contemplated by, or expected by the individual to whom the personal data
    38  relates, that are nevertheless reasonably foreseeable, contemplated  by,
    39  or expected by the controller assessing privacy risk, that:
    40    (A) alters that individual's experiences;
    41    (B) limits that individual's choices;
    42    (C) influences that individual's responses; or
    43    (D) predetermines results; or
    44    (j)  other  adverse  consequences  that affect an individual's private
    45  life, including private family matters, actions and communications with-
    46  in  an  individual's  home  or  similar  physical,  online,  or  digital
    47  location, where an individual has a reasonable expectation that personal
    48  data will not be collected or used.
    49    3.  The  fiduciary  duty  owed  to a consumer under this section shall
    50  supersede any duty owed to owners or shareholders of a legal  entity  or
    51  affiliate  thereof,  controller  or  data  broker,  to whom this article
    52  apples.
    53    § 1103. Consumer rights.  Any entity subject to the provisions of this
    54  article shall provide notice to consumers of  their  rights  under  this
    55  article and shall provide consumers the opportunity to opt in or opt out
    56  of  processing  their  personal  data in such a manner that the consumer

        A. 8526                             6

     1  must select and clearly indicate their consent  or  denial  of  consent.
     2  Controllers  shall  facilitate  requests to exercise the consumer rights
     3  set forth in subdivisions one through  six  of  this  section.    1.  On
     4  request  from  a  consumer,  a  controller  shall confirm whether or not
     5  personal data concerning the consumer is being processed by the control-
     6  ler, including whether such personal data is sold to data brokers,  and,
     7  where  personal  data  concerning the consumer is being processed by the
     8  controller, provide access to such personal data concerning the consumer
     9  and the names of  third  parties  to  whom  personal  data  is  sold  or
    10  licensed.  On request from a consumer, a controller shall provide a copy
    11  of  the  personal data undergoing processing free of charge, up to twice
    12  annually. For any further copies requested by the consumer, the control-
    13  ler may charge a reasonable fee based on administrative costs. Where the
    14  consumer makes the request by electronic  means,  and  unless  otherwise
    15  requested  by  the  consumer,  the  information  shall  be provided in a
    16  commonly used electronic form.
    17    2. On request from a consumer, the controller,  without  undue  delay,
    18  shall  correct inaccurate personal data concerning the consumer.  Taking
    19  into account the  purposes  of  the  processing,  the  controller  shall
    20  complete  incomplete  personal  data,  including by means of providing a
    21  supplementary statement.
    22    3. (a) On request from a  consumer,  a  controller  shall  delete  the
    23  consumer's  personal data without undue delay where one of the following
    24  grounds applies:
    25    (i) The personal data is  no  longer  necessary  in  relation  to  the
    26  purposes  for  which  the personal data was collected or otherwise proc-
    27  essed;
    28    (ii) For processing that requires consent under section eleven hundred
    29  five of this article, the consumer withdraws consent to processing;
    30    (iii) The personal data has been unlawfully processed;
    31    (iv) To comply with a legal obligation under federal, state, or  local
    32  law to which the controller is subject; or
    33    (v) The consumer otherwise requests that the data be deleted.
    34    (b) Where the controller is obliged to delete personal data under this
    35  section  that  has  been  disclosed  to third parties by the controller,
    36  including data brokers that  received  the  data  through  a  sale,  the
    37  controller  shall  take  reasonable  steps,  which may include technical
    38  measures, to inform other controllers that are processing  the  personal
    39  data  that the consumer has requested the deletion by the other control-
    40  lers of any links to, or copy or  replication  of,  the  personal  data.
    41  Compliance  with this obligation shall take into account available tech-
    42  nology and cost of implementation.
    43    (c) This subdivision does not apply to the extent processing is neces-
    44  sary:
    45    (i) for exercising the right of free speech;
    46    (ii) for compliance with a legal obligation that  requires  processing
    47  by  federal,  state,  or local law to which the controller is subject or
    48  for the performance of a task carried out in the public interest  or  in
    49  the exercise of official authority vested in the controller;
    50    (iii)  for  reasons  of  public interest in the area of public health,
    51  where the processing (A) is subject to suitable and specific measures to
    52  safeguard the rights of the consumer; and (B) is processed by  or  under
    53  the  responsibility  of  a professional subject to confidentiality obli-
    54  gations under federal, state, or local law;
    55    (iv) for archiving purposes in  the  public  interest,  scientific  or
    56  historical   research  purposes,  or  statistical  purposes,  where  the

        A. 8526                             7

     1  deletion of such personal data is likely to render impossible  or  seri-
     2  ously impair the achievement of the objectives of the processing; or
     3    (v) for the establishment, exercise, or defense of legal claims.
     4    4.  (a)  The controller shall cease processing if one of the following
     5  grounds applies:
     6    (i) The accuracy of the personal data is contested  by  the  consumer,
     7  for  a  period  enabling  the  controller  to verify the accuracy of the
     8  personal data;
     9    (ii) The processing is unlawful and the consumer opposes the  deletion
    10  of the personal data and requests the restriction of processing instead;
    11    (iii)  The  controller  no  longer  needs  the  personal  data for the
    12  purposes of the processing, but such personal data is  required  by  the
    13  consumer for the establishment, exercise, or defense of legal claims; or
    14    (iv)  The  consumer otherwise requests that the controller cease proc-
    15  essing.
    16    (b) Where personal data is subject  to  a  restriction  or  processing
    17  under  this  subdivision, the personal data shall, with the exception of
    18  storage, only be processed (i) with the consumer's consent; (ii) for the
    19  establishment, exercise, or  defense  of  legal  claims;  or  (iii)  for
    20  reasons of important public interest under federal, state, or local law.
    21    (c)  Where  a  consumer  has  taken  steps  by the online selection of
    22  options related to sharing personal data a controller  is  obligated  to
    23  adhere to such selections.
    24    5.  (a)  On  request from a consumer, the controller shall provide the
    25  consumer any personal data concerning such consumer that  such  consumer
    26  has  provided  to  the  controller  in  a structured, commonly used, and
    27  machine-readable format if (i)(A) the processing of such  personal  data
    28  requires  consent under section eleven hundred five of this article, (B)
    29  the processing of such personal data is necessary for the performance of
    30  a contract to which the consumer is a party, or (C)  in  order  to  take
    31  steps  at the request of the consumer prior to entering into a contract;
    32  and (ii) the processing is carried out by automated means.
    33    (b) Controllers shall transmit the personal data requested under  this
    34  subdivision  directly  from one controller to another, where technically
    35  feasible, and transmit the personal data to another  controller  without
    36  hindrance from the controller to which the personal data was provided.
    37    (c)  Requests for personnel data under this subdivision shall be with-
    38  out prejudice to subdivision three of this section.
    39    (d) The rights provided in this subdivision do not apply to processing
    40  necessary for the performance of a task carried out in the public inter-
    41  est and shall not adversely affect the rights of consumers.
    42    6. A consumer shall not be subject  to  a  decision  based  solely  on
    43  profiling which produces legal effects concerning such consumer or simi-
    44  larly significantly affects the consumer. Legal or similarly significant
    45  effects  include,  but  are  not  limited  to,  denial  of consequential
    46  services or support, such as financial and  lending  services,  housing,
    47  insurance,  education  enrollment, criminal justice, employment opportu-
    48  nities, and health care services.
    49    (a) This subdivision does not apply if the decision is  authorized  by
    50  federal or state law to which the controller is subject and which incor-
    51  porates suitable measures to safeguard the consumer's rights and legiti-
    52  mate interests, as indicated by the risk assessments required by section
    53  eleven hundred five of this article.
    54    (b)  Notwithstanding paragraph (a) of this subdivision, the controller
    55  shall implement suitable measures to  safeguard  consumer's  rights  and
    56  legitimate  interests  with respect to decisions based solely on profil-

        A. 8526                             8

     1  ing, including providing human review of the decision,  to  express  the
     2  consumer's  point  of  view with respect to the decision, and to contest
     3  the decision.
     4    7.  A  controller  shall  communicate  any  correction,  deletion,  or
     5  restriction of processing carried out in  accordance  with  subdivisions
     6  two, three or four of this section to each third-party recipient to whom
     7  the  personal  data  has  been  disclosed,  including third parties that
     8  received the data through a sale, unless this proves  impossible.    The
     9  controller  shall inform the consumer about such third-party recipients,
    10  if any, if the consumer requests such information.
    11    8. A controller shall provide information on action taken on a request
    12  under subdivisions one through six of this section without  undue  delay
    13  and  in  any  event  within  thirty days of receipt of the request. That
    14  period may be extended by sixty additional days where necessary,  taking
    15  into  account  the complexity and number of the requests. The controller
    16  shall inform the consumer of any such extension within  thirty  days  of
    17  receipt  of  the request, together with the reasons for the delay. Where
    18  the consumer makes the request  by  electronic  means,  the  information
    19  shall  be  provided by electronic means where possible, unless otherwise
    20  requested by the consumer.
    21    (a) If a controller does not take action on the request of a consumer,
    22  the controller shall inform the consumer without undue delay and at  the
    23  latest  within  thirty days of receipt of the request of the reasons for
    24  not taking action and any possibility for internal review of  the  deci-
    25  sion by the controller.
    26    (b)  Information  provided  under this section must be provided by the
    27  controller free of charge to the consumer. Where requests from a consum-
    28  er are manifestly unfounded or excessive, in particular because of their
    29  repetitive character, the controller may either: (i) charge a reasonable
    30  fee taking into account the administrative costs of providing the infor-
    31  mation or communication or taking the action requested; or  (ii)  refuse
    32  to  act on the request. The controller bears the burden of demonstrating
    33  the manifestly unfounded or excessive character of the request.
    34    (c) Where the controller has reasonable doubts concerning the identity
    35  of the consumer making a request under subdivisions one through  six  of
    36  this  section,  the  controller  may request the provision of additional
    37  information necessary to confirm the identity of the consumer.
    38    (d) A controller shall conduct an internal review on any action  taken
    39  upon  request  of  a consumer under subdivisions one through six of this
    40  section.
    41    § 1104. Transparency. 1. Controllers shall be transparent and account-
    42  able for their processing of personal data, by  making  available  in  a
    43  form  that  is  reasonably  accessible  to consumers a clear, meaningful
    44  privacy notice that is easily understood and which includes:
    45    (a) the categories of personal data collected by the controller;
    46    (b) the purposes for which the categories of personal data is used and
    47  disclosed to third parties, if any;
    48    (c) the rights that consumers may exercise pursuant to section  eleven
    49  hundred three of this article, if any;
    50    (d)  the  categories  of personal data that the controller shares with
    51  third parties, if any; and
    52    (e) the names and categories of third parties, if any, with  whom  the
    53  controller shares personal data.
    54    2.  Controllers that engage in profiling shall disclose such profiling
    55  to the consumer at or before the time personal data is obtained, includ-

        A. 8526                             9

     1  ing meaningful information about the logic involved and the significance
     2  and envisaged consequences of the profiling.
     3    3.  If  a  controller sells personal data to data brokers or processes
     4  personal data for direct marketing purposes, including targeted  market-
     5  ing  and  profiling  to  the  extent  that  it is related to such direct
     6  marketing, it shall disclose such processing, as well as the  manner  in
     7  which a consumer may exercise the right to object to such processing, in
     8  a clear and prominent manner.
     9    §  1105.  Responsibility according to role. 1. Controllers and brokers
    10  shall be responsible for meeting the obligations set  forth  under  this
    11  article.
    12    2.  Processors  and  brokers  are  responsible  under this article for
    13  adhering to  the  instructions  of  the  controller  and  assisting  the
    14  controller to meet its obligations under this article.
    15    3.  Processing  by a processor shall be governed by a contract between
    16  the controller and the processor that is binding on  the  processor  and
    17  that  sets  out  the  processing  instructions to which the processor is
    18  bound.
    19    § 1106. De-identified data. A controller or processor that uses  de-i-
    20  dentified data shall exercise reasonable oversight to monitor compliance
    21  with  any  contractual  commitments  to  which the de-identified data is
    22  subject, and shall take appropriate steps to  address  any  breaches  of
    23  contractual commitments.
    24    §  1107.  Exemptions.  1.  The  obligations  imposed on controllers or
    25  processors under this article do not restrict a controller's or process-
    26  or's ability to:
    27    (a) comply with federal, state, or local laws;
    28    (b) comply with a civil, criminal,  or  regulatory  inquiry,  investi-
    29  gation,  subpoena, or summons by federal, state, local, or other govern-
    30  mental authorities;
    31    (c) disclose personal data to a law enforcement agency if such  infor-
    32  mation:
    33    (i) was inadvertently obtained by the controller or data broker; and
    34    (ii) appears to pertain to the commission of a crime;
    35    (d)  cooperate  with  a  governmental entity if the controller or data
    36  broker, in good faith, believes that an emergency  involving  danger  of
    37  death  or  serious  physical injury to any person requires disclosure of
    38  personal data without delay;
    39    (e) investigate, exercise, or defend legal claims; or
    40    (f) prevent or detect identity theft, fraud, or other criminal  activ-
    41  ity or verify identities.
    42    2.  The  obligations  imposed  on controllers or processors under this
    43  article do not apply where compliance by  the  controller  or  processor
    44  with  this article would violate an evidentiary privilege under New York
    45  law and do not prevent a controller or processor from providing personal
    46  data concerning a consumer to a person covered by an evidentiary  privi-
    47  lege under New York law as part of a privileged communication.
    48    3.  A controller or processor that discloses personal data to a third-
    49  party controller or processor in compliance  with  the  requirements  of
    50  this  article  is  not  in  violation  of  this article, including under
    51  section eleven hundred eight of this article, if the third-party recipi-
    52  ent processes such personal data in violation of this article,  provided
    53  that,  at  the  time  of  disclosing  the  personal data, the disclosing
    54  controller or processor did not have actual knowledge  that  the  third-
    55  party  recipient intended to commit a violation. A third-party recipient
    56  receiving personal data from a controller or processor is  likewise  not

        A. 8526                            10

     1  liable  under this article, including under section eleven hundred eight
     2  of this article, for the obligations of a  controller  or  processor  to
     3  whom it provides services.
     4    4.  This  article does not require a controller or processor to do the
     5  following:
     6    (a) re-identify de-identified data;
     7    (b) retain personal data concerning a consumer that he  or  she  would
     8  not otherwise retain in the ordinary course of business; or
     9    (c) comply with a request to exercise any of the rights under subdivi-
    10  sions one through six of section eleven hundred three of this article if
    11  the  controller  is  unable  to  verify,  using  commercially reasonable
    12  efforts, the identity of the consumer making the request.
    13    5. Obligations imposed on controllers and processors under this  arti-
    14  cle  do not apply to the processing of personal data by a natural person
    15  in the course of a purely personal or household activity.
    16    § 1108. Liability.  Where more than one controller  or  processor,  or
    17  both  a  controller and a processor, involved in the same processing, is
    18  in violation of this article, the liability shall be allocated among the
    19  parties according  to  principles  of  comparative  fault,  unless  such
    20  liability is otherwise allocated by contract among the parties.
    21    §  1109.  Enforcement.  1.  The  legislature  finds that the practices
    22  covered by this article are matters vitally affecting the public  inter-
    23  est for the purpose of providing consumer protection from deceptive acts
    24  and practices under article twenty-two-A of this chapter. A violation of
    25  this  article is not reasonable in relation to the development and pres-
    26  ervation of business and is an unfair  or  deceptive  act  in  trade  or
    27  commerce and an unfair method of competition for the purpose of applying
    28  article twenty-two-A of this chapter.
    29    2.  The attorney general may bring an action in the name of the state,
    30  or as parens patriae on behalf of persons  residing  in  the  state,  to
    31  enforce this article.
    32    3. In addition to any right of action granted to any governmental body
    33  pursuant to this section, any person who has been injured by reason of a
    34  violation  of this article may bring an action in his or her own name to
    35  enjoin such unlawful act, or to recover his or her  actual  damages,  or
    36  both  such  actions. The court may award reasonable attorney's fees to a
    37  prevailing plaintiff.
    38    4. Any controller or processor who violates this article is subject to
    39  an injunction and liable for damages and a civil penalty. When calculat-
    40  ing damages and civil penalties, the court shall consider the number  of
    41  affected  individuals,  the  severity of the violation, and the size and
    42  revenues of the covered entity. Each individual  whose  information  was
    43  unlawfully  processed  counts as a separate violation. Each provision of
    44  this article that was violated counts as a separate violation.
    45    § 1110. Preemption. This article supersedes and preempts laws  adopted
    46  by  any  local  entity  regarding  the  processing  of  personal data by
    47  controllers or processors.
    48    § 3. This act shall take effect on the one hundred eightieth day after
    49  it shall have become a law.
feedback