Bill Text: NY S00567 | 2021-2022 | General Assembly | Introduced


Bill Title: Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced) 2021-01-06 - REFERRED TO CONSUMER PROTECTION




                STATE OF NEW YORK
        ________________________________________________________________________

                                           567

                               2021-2022 Regular Sessions

                    IN SENATE

                                       (Prefiled)

                                     January 6, 2021
                                       ___________

        Introduced  by  Sen. HOYLMAN -- read twice and ordered printed, and when
          printed to be committed to the Committee on Consumer Protection

        AN ACT to amend the general business law and the state finance  law,  in
          relation  to  allowing  consumers the right to request from businesses
          the categories of  personal  information  the  business  has  sold  or
          disclosed to third parties

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. The article heading of article 39-F of the general business
     2  law, as amended by chapter 117 of the laws of 2019, is amended  to  read
     3  as follows:

     4           [NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND CONTROL
     5             OF PRIVATE AND PERSONAL INFORMATION; DATA SECURITY
     6                                 PROTECTIONS

     7    §  2. The general business law is amended by adding a new section 899-
     8  cc to read as follows:
     9    § 899-cc. Consumer control of personal information. 1. For purposes of
    10  this section, the following definitions shall apply:
    11    (a) "Biometric data" means an individual's  physiological,  biological
    12  or  behavioral  characteristics,  including an individual's deoxyribonu-
    13  cleic acid that can be used, singly or in combination with each other or
    14  with other identifying data to establish individual identity.  Biometric
    15  data includes but is not limited to imagery of the iris, retina, finger-
    16  print, face, hand, palm, vein patterns, and voice recordings, from which
    17  an  identifier  template, such as a faceprint, a minutiae template, or a
    18  voiceprint, can be extracted, and keystroke patterns  or  rhythms,  gait
    19  patterns  or  rhythms,  and sleep, health, or exercise data that contain
    20  identifying information.

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD02716-01-1

        S. 567                              2

     1    (b) "Business" means:
     2    (1)  a  sole-proprietorship,  partnership,  limited-liability company,
     3  corporation, association, or other legal entity  that  is  organized  or
     4  operated  for  the  profit  or  financial benefit of its shareholders or
     5  other owners, that collects consumers' personal information,  that  does
     6  business  in  the state, and that satisfies one or more of the following
     7  thresholds: (A) has annual gross revenues in  excess  of  fifty  million
     8  dollars,  as  adjusted pursuant to subparagraph five of paragraph (a) of
     9  subdivision fifteen of this section; or (B) annually sells, alone or  in
    10  combination,  the  personal  information of one hundred thousand or more
    11  consumers or devices; or (C) derives fifty percent or more of its annual
    12  revenues from selling consumers' personal information; and
    13    (2) any entity that controls  or  is  controlled  by  a  business,  as
    14  defined  in  paragraph  one  of this subdivision, and that shares common
    15  branding with the business.  "Control" or "controlled"  means  ownership
    16  of,  or  the  power  to vote, more than fifty percent of the outstanding
    17  shares of any class of voting security of a  business;  control  in  any
    18  manner  over the election of a majority of the directors, or of individ-
    19  uals exercising similar functions; or the power to exercise, directly or
    20  indirectly, a controlling influence over the management or policies of a
    21  company.  "Common branding" means a shared name, servicemark, or  trade-
    22  mark.
    23    (c)  "Business  purpose" means the use of personal information for the
    24  business's operational purposes,  provided  that  the  use  of  personal
    25  information  shall  be reasonably necessary and proportionate to achieve
    26  the operational purpose for which it is specifically  permitted.  Unrea-
    27  sonable  or  disproportionate  use  shall  not be considered a "business
    28  purpose".  Business purposes are:
    29    (1) Auditing related to a current interaction with  the  consumer  and
    30  concurrent  transactions,  including  but  not  limited  to, counting ad
    31  impressions to unique visitors, verifying positioning and quality of  ad
    32  impressions  and  auditing  compliance with this specification and other
    33  standards;
    34    (2) Detecting security incidents, protecting against malicious, decep-
    35  tive, fraudulent, or illegal activity, and prosecuting those responsible
    36  for such activity;
    37    (3) Debugging to identify  and  repair  errors  that  impair  existing
    38  intended functionality;
    39    (4)  Short-term,  transient  use, provided the personal information is
    40  not disclosed to another person and is not used to build a profile about
    41  a consumer  or  otherwise  alter  an  individual  consumer's  experience
    42  outside  the  current  interaction,  including  but  not limited to, the
    43  contextual customization of ads shown as part of the  same  interaction;
    44  and
    45    (5) Performing services on behalf of the business, including maintain-
    46  ing  or  servicing  accounts,  providing customer service, processing or
    47  fulfilling orders  and  transactions,  verifying  customer  information,
    48  processing  payments,  providing  financing,  providing  advertising  or
    49  marketing services, providing analytical services, or providing  similar
    50  services on behalf of the business.
    51    (d)  "Clear  and conspicuous" means (1) in a color that contrasts with
    52  the background color or is otherwise  distinguishable;  (2)  written  in
    53  larger type than the surrounding text and in a fashion that calls atten-
    54  tion to the language; and (3) prominently displayed so that a reasonable
    55  viewer would be able to notice, read, and understand it.


     1    (e)  "Commercial  purposes"  means to advance a person's commercial or
     2  economic interests, such as by inducing another  person  to  buy,  rent,
     3  lease, join, subscribe to, provide, or exchange products, goods, proper-
     4  ty,  information,  or  services,  or  enabling or effecting, directly or
     5  indirectly,  a  commercial  transaction.  "Commercial purposes" does not
     6  include for the purpose of engaging in  speech  that  state  or  federal
     7  courts  have  recognized  as  non-commercial speech, including political
     8  speech and journalism.
     9    (f) "Collects", "collected" or  "collection"  means  buying,  renting,
    10  gathering,  obtaining,  storing, using, monitoring, accessing, or making
    11  inferences based upon, any personal information pertaining to a consumer
    12  by any means.
    13    (g) "Consumer" means a natural person who is a resident of the state.
    14    (h) "De-identified" means information that cannot reasonably identify,
    15  relate to, describe, reference, be capable of being associated with,  or
    16  be  linked,  directly or indirectly, to a particular consumer or device,
    17  provided that a business that uses de-identified  information:  (1)  has
    18  implemented  technical safeguards that prohibit re-identification of the
    19  consumer or consumers to whom  the  information  may  pertain;  (2)  has
    20  implemented business processes that specifically prohibit re-identifica-
    21  tion  of  the  information;  (3)  has  implemented business processes to
    22  prevent inadvertent release of de-identified information; and (4)  makes
    23  no attempt to re-identify the information.
    24    (i)  "Designated  methods  for  submitting  requests"  means a mailing
    25  address, e-mail address,  web  page,  web  portal,  toll-free  telephone
    26  number,  or  other applicable contact information, whereby consumers may
    27  submit a request or direction under this section. If the  consumer  does
    28  not maintain an account with the business, the business shall provide an
    29  opportunity for the consumer to designate whether the consumer wishes to
    30  receive  the  information  required to be disclosed pursuant to subdivi-
    31  sions two and three of this section by mail or  electronically,  at  the
    32  consumer's option.
    33    (j)  "Homepage"  means  the  introductory  page  of  a website and any
    34  webpage where personal information is  collected.  In  the  case  of  an
    35  online  service, such as a mobile application, homepage means the appli-
    36  cation's platform page, a link within the application, such as from  the
    37  application configuration, "about", "information", or settings page, and
    38  any  other  location that allows consumers to review the notice required
    39  by paragraph (a) of subdivision seven of this section, including but not
    40  limited to, before downloading the application.
    41    (k) "Infer" or "inference" means the derivation of information,  data,
    42  assumptions,  or  conclusions from facts, evidence, or another source of
    43  information or data.
    44    (l) "Person" means an individual, proprietorship,  firm,  partnership,
    45  joint  venture, syndicate, business trust, company, corporation, limited
    46  liability company, association, committee, and any other organization or
    47  group of persons acting in concert.
    48    (m) (1) "Personal  information"  means  information  that  identifies,
    49  relates  to, describes, references, is capable of being associated with,
    50  or could reasonably be linked, directly or indirectly, with a particular
    51  consumer or device, including, but not limited to:
    52    (A) any information that identifies,  relates  to,  describes,  or  is
    53  capable  of  being  associated with, a particular individual, including,
    54  but not limited to, his or her name, alias, signature,  social  security
    55  number,  physical  characteristics  or  description, address, electronic
    56  mail address, internet  protocol  address,  unique  identifier,  account


     1  name, telephone number, passport number, driver's license or state iden-
     2  tification  card number, insurance policy number, education, employment,
     3  employment history, bank account number, credit card number, debit  card
     4  number,  or  any  other  financial  information, medical information, or
     5  health insurance information;
     6    (B) characteristics of protected classifications under state or feder-
     7  al law;
     8    (C) commercial information, including records of property, products or
     9  services provided, obtained,  or  considered,  or  other  purchasing  or
    10  consuming histories or tendencies;
    11    (D) biometric data;
    12    (E) internet or other electronic network activity information, includ-
    13  ing  but  not limited to, browsing history, search history, and informa-
    14  tion regarding a consumer's interaction with a website, application,  or
    15  advertisement;
    16    (F) geolocation data;
    17    (G) audio, electronic, visual, thermal, olfactory, or similar informa-
    18  tion;
    19    (H) psychometric information;
    20    (I) professional or employment-related information;
    21    (J) inferences drawn from any of the information identified above; and
    22    (K) any of the categories of information set forth in this subdivision
    23  as they pertain to the minor children of the consumer.
    24    (2)  "Personal  information"  does  not  include  information  that is
    25  publicly available or that is de-identified.
    26    (n) "Probabilistic identifier" means the identification of a  consumer
    27  or  a device to a degree of certainty of more probable than not based on
    28  any categories of personal information included in, or similar  to,  the
    29  categories  enumerated  in  subparagraph  one  of  paragraph (m) of this
    30  subdivision.
    31    (o) "Psychometric information" means information  derived  or  created
    32  from  the  use  or  application of psychometric theory or psychometrics,
    33  whereby through the use of any method, model, tool, or formula, observa-
    34  ble phenomena, such as  actions  or  events,  are  connected,  measured,
    35  assessed,  or  related  to  a  consumer's attributes, including, but not
    36  limited to, psychological trends, preferences,  predispositions,  behav-
    37  ior, attitudes, intelligence, abilities, and aptitudes.
    38    (p)  "Publicly  available"  means  information  that  is lawfully made
    39  available from federal, state, or local government records.    "Publicly
    40  available"  does  not mean biometric information collected by a business
    41  about a consumer without the consumer's knowledge.
    42    (q)(1) "Sell", "selling", "sale" or "sold" means: (A)  selling,  rent-
    43  ing,  releasing,  disclosing,  disseminating,  making  available, trans-
    44  ferring, or otherwise communicating orally, in writing, or by electronic
    45  or other means, a consumer's personal information by the business  to  a
    46  third  party for valuable consideration; or (B) sharing orally, in writ-
    47  ing, or by electronic or other means, a consumer's personal  information
    48  with a third party, whether for valuable consideration or for no consid-
    49  eration, for the third party's commercial purposes.
    50    (2)  For  purposes  of this section, a business does not sell personal
    51  information when:
    52    (A) A consumer  uses  the  business:  (i)  to  intentionally  disclose
    53  personal  information,  or  (ii)  to intentionally interact with a third
    54  party. An intentional interaction occurs when the  consumer  intends  to
    55  interact  with  the third party via one or more deliberate interactions.


     1  Hovering over, muting, pausing, or closing a given piece of content does
     2  not constitute a consumer's intent to interact with a third party; or
     3    (B)  The  business uses an identifier for a consumer who has opted out
     4  of the sale of the consumer's personal information for the  purposes  of
     5  alerting  third  parties  that the consumer has opted out of the sale of
     6  the consumer's personal information.
     7    (r) "Service" or "services" means work, labor, and services, including
     8  services furnished in connection with the sale or repair of goods.
     9    (s) "Third party" means any person who is not:
    10    (1) The business that collects  personal  information  from  consumers
    11  under this section; or
    12    (2)  A  person  to  whom  the business discloses a consumer's personal
    13  information for a business  purpose  pursuant  to  a  written  contract,
    14  provided that the contract:
    15    (A)  Prohibits the person receiving the personal information from: (i)
    16  selling the personal information; (ii) retaining, using,  or  disclosing
    17  the  personal  information  for  any purpose other than for the specific
    18  purpose of performing the services specified in the contract,  including
    19  retaining,  using,  or disclosing the personal information for a commer-
    20  cial  purpose  other  than  providing  the  services  specified  in  the
    21  contract;  and  (iii)  retaining,  using,  or disclosing the information
    22  outside of the direct business relationship between the person  and  the
    23  business; and
    24    (B) Includes a certification made by the person receiving the personal
    25  information  that  the person understands the restrictions in clause (A)
    26  of this subparagraph and will comply with them. A person covered by this
    27  subparagraph that violates any of the restrictions  set  forth  in  this
    28  section  shall be liable for such violations under this section. A busi-
    29  ness that discloses personal information to a  person  covered  by  this
    30  subparagraph  in  compliance  with such subparagraph shall not be liable
    31  under this section if the person receiving the personal information uses
    32  it in violation of the restrictions set forth in this section,  provided
    33  that,  at  the time of disclosing the personal information, the business
    34  does not have actual knowledge, or reason to believe,  that  the  person
    35  intends to commit such a violation.
    36    (t) "Unique identifier" means a persistent identifier that can be used
    37  to  recognize  a  consumer  or  a  device over time and across different
    38  services, including but not limited to, a  device  identifier;  internet
    39  protocol  address;  cookies, beacons, pixel tags, mobile ad identifiers,
    40  or similar technology; customer number, unique pseudonym, or user alias;
    41  and telephone numbers, or other forms  of  persistent  or  probabilistic
    42  identifiers  that  can  be  used  to  identify  a particular consumer or
    43  device.
    44    (u) "Verifiable request" means a  request  that:  (1)  is  made  by  a
    45  consumer, by a consumer on behalf of the consumer's minor child, or by a
    46  person  authorized  by the consumer to act on the consumer's behalf; and
    47  (2) the business has verified, pursuant to regulations  adopted  by  the
    48  attorney  general  pursuant  to  subparagraph  seven of paragraph (a) of
    49  subdivision fifteen of this section, to be the consumer about  whom  the
    50  business has collected personal information. A business is not obligated
    51  to  provide information to the consumer pursuant to subdivisions two and
    52  three of this section if the business cannot verify,  pursuant  to  this
    53  subdivision  and regulations adopted by the attorney general pursuant to
    54  subparagraph seven of paragraph  (a)  of  subdivision  fifteen  of  this
    55  section, that the consumer making the request is the consumer about whom
    56  the business has collected information.


     1    2. (a) A consumer shall have the right to request that a business that
     2  collects personal information about the consumer disclose to the consum-
     3  er  the  categories  of personal information it has collected about that
     4  consumer.
     5    (b)  A  business  that  collects personal information about a consumer
     6  shall disclose to the consumer, pursuant to subparagraph three of  para-
     7  graph  (a) of subdivision six of this section, the information specified
     8  in paragraph (a) of subdivision one of this section upon  receipt  of  a
     9  verifiable request from the consumer.
    10    (c)  A  business  that  collects  personal information about consumers
    11  shall disclose, pursuant to clause (B) of subparagraph five of paragraph
    12  (a) of subdivision six of  this  section,  the  categories  of  personal
    13  information it has collected about consumers.
    14    3. (a) A consumer shall have the right to request that a business that
    15  sells  the  consumer's  personal information, or that discloses it for a
    16  business purpose, disclose to  that  consumer:  (1)  the  categories  of
    17  personal  information  that the business sold about the consumer and the
    18  identity of the third parties to  whom  such  personal  information  was
    19  sold,  by  category or categories of personal information for each third
    20  party to whom such personal information was sold; and (2) the categories
    21  of personal information that the business disclosed about  the  consumer
    22  for  a  business  purpose  and  the identity of the persons to whom such
    23  personal information was disclosed for a business purpose,  by  category
    24  or  categories  of  personal  information  for  each person to whom such
    25  personal information was disclosed for a business purpose.
    26    (b) A business that sells personal information about  a  consumer,  or
    27  that discloses a consumer's personal information for a business purpose,
    28  shall disclose, pursuant to subparagraph four of paragraph (a) of subdi-
    29  vision  six  of this section, the information specified in paragraph (a)
    30  of this subdivision to the consumer upon receipt of a verifiable request
    31  from the consumer.
    32    (c) A business that sells consumers'  personal  information,  or  that
    33  discloses  consumers' personal information for a business purpose, shall
    34  disclose, pursuant to clause (C) of subparagraph five of  paragraph  (a)
    35  of  subdivision  six  of this section: (1) the category or categories of
    36  consumers' personal information it has sold; or if the business has  not
    37  sold  consumers'  personal information, it shall disclose that fact; and
    38  (2) the category or categories of consumers' personal information it has
    39  disclosed for a business purpose; or if the business has  not  disclosed
    40  consumers'  personal  information  for  a  business  purpose,  it  shall
    41  disclose that fact.
    42    4. (a) A consumer shall have the right, at any time, to direct a busi-
    43  ness that sells personal information about the consumer not to sell  the
    44  consumer's  personal  information.  This right may be referred to as the
    45  right to opt out.
    46    (b) Notwithstanding paragraph (a)  of  this  subdivision,  a  business
    47  shall not sell the personal information of consumers if the business has
    48  actual  knowledge,  or  willfully  disregards, that the consumer is less
    49  than sixteen years of age, unless the consumer, in the case of consumers
    50  thirteen, fourteen and fifteen years of age, or the consumer's parent or
    51  guardian, in the case of consumers who are less than thirteen  years  of
    52  age,  has  affirmatively  authorized the sale of the consumer's personal
    53  information. This right may be referred to as the right to opt in.
    54    (c) A  business  that  sells  consumers'  personal  information  shall
    55  provide  notice  to  consumers, pursuant to paragraph (a) of subdivision
    56  seven of this section, that  such  information  may  be  sold  and  that


     1  consumers have the right to opt out of the sale of their personal infor-
     2  mation.
     3    (d) A business that has received direction from a consumer not to sell
     4  the  consumer's personal information, or, in the case of a minor consum-
     5  er's personal information, has not received consent to  sell  the  minor
     6  consumer's  personal  information,  shall  be  prohibited,  pursuant  to
     7  subparagraph four of paragraph (a) of subdivision seven of this section,
     8  from selling the consumer's personal information after  its  receipt  of
     9  the  consumer's  direction,  unless  the  consumer subsequently provides
    10  express authorization for the sale of the consumer's  personal  informa-
    11  tion.
    12    5.  A  business  shall  be  prohibited  from  discriminating against a
    13  consumer because the consumer requested information pursuant to subdivi-
    14  sions two and three of this section, or because  the  consumer  directed
    15  the business not to sell the consumer's personal information pursuant to
    16  subdivision  four  of  this  section,  or because the consumer otherwise
    17  exercised rights under this title, or exercised the consumer's rights to
    18  enforce this section, including but not  limited  to,  by:  (a)  denying
    19  goods  or  services  to  the  consumer; (b) charging different prices or
    20  rates for goods or services, including through the use of  discounts  or
    21  other benefits or imposing penalties; (c) providing a different level or
    22  quality of goods or services to the consumer; or (d) suggesting that the
    23  consumer  will  receive a different price or rate for goods or services,
    24  or a different level or quality of goods or services,  if  the  consumer
    25  exercises the consumer's rights under this section.
    26    6.  (a)  In  order  to comply with subdivisions two, three and five of
    27  this section, a business shall:
    28    (1) Make available to consumers two or  more  designated  methods  for
    29  submitting requests for information required to be disclosed pursuant to
    30  subdivisions  two  and three of this section, including, at a minimum, a
    31  toll-free telephone number, and if the business maintains a  website,  a
    32  website address.
    33    (2)  Disclose  and deliver the required information to a consumer free
    34  of charge within forty-five days of receiving a verifiable request  from
    35  the consumer. The business shall promptly take steps to determine wheth-
    36  er  the  request  is a verifiable request, but this shall not extend the
    37  business's duty to disclose and deliver the  information  within  forty-
    38  five  days  of  receipt  of the consumer's request. The disclosure shall
    39  cover the twelve-month period preceding the business's  receipt  of  the
    40  verifiable  request  and  shall be made in writing and delivered through
    41  the consumer's account with the business, if the consumer  maintains  an
    42  account  with  the business, or by mail or electronically at the consum-
    43  er's option if the consumer does not maintain an account with the  busi-
    44  ness.  The  business shall not require the consumer to create an account
    45  with the business in order to make a verifiable request.
    46    (3) For purposes of paragraph (b) of subdivision two of this  section:
    47  (A)  identify  the  consumer,  associate the information provided by the
    48  consumer in the verifiable request to any personal information previous-
    49  ly collected by the business about the consumer;  and  (B)  identify  by
    50  category  or  categories  the  personal  information collected about the
    51  consumer in the preceding twelve months by reference to  the  enumerated
    52  category  or  categories  in paragraph (c) of this subdivision that most
    53  closely describes the personal information collected.
    54    (4) For purposes  of  paragraph  (b)  of  subdivision  three  of  this
    55  section:  (A)  identify the consumer, associate the information provided
    56  by the consumer in the verifiable request to  any  personal  information


     1  previously collected by the business about the consumer; (B) identify by
     2  category or categories the personal information of the consumer that the
     3  business sold in the preceding twelve months by reference to the enumer-
     4  ated  category  or  categories in paragraph (c) of this subdivision that
     5  most closely describes the personal information,  and  provide  accurate
     6  names  and contact information for the third parties to whom the consum-
     7  er's personal information was sold in the  preceding  twelve  months  by
     8  reference  to  the enumerated category or categories in paragraph (c) of
     9  this subdivision that most closely describes  the  personal  information
    10  sold  for  each  third party; and (C) identify by category or categories
    11  the personal information of the consumer that the business disclosed for
    12  a business purpose in the preceding twelve months by  reference  to  the
    13  enumerated  category  or categories in paragraph (c) of this subdivision
    14  that most closely describes the personal information, and provide  accu-
    15  rate  names  and contact information for the persons to whom the consum-
    16  er's personal information was disclosed for a business  purpose  in  the
    17  preceding twelve months by reference to the enumerated category or cate-
    18  gories  in  paragraph  (c) of this subdivision of this section that most
    19  closely describes the personal information disclosed  for  each  person.
    20  The  business shall disclose the information required by clauses (B) and
    21  (C) of this subparagraph in two separate lists.
    22    (5) Disclose the following information in its online privacy policy or
    23  policies if the business has an online privacy policy or policies and in
    24  any New York-specific description of consumers' privacy  rights,  or  if
    25  the business does not maintain such policies, on its website, and update
    26  such information at least once every twelve months:
    27    (A) A description of a consumer's rights pursuant to subdivisions two,
    28  three  and  five of this section, and one or more designated methods for
    29  submitting requests;
    30    (B) For purposes of paragraph (c) of subdivision two of this  section,
    31  a  list of the categories of personal information it has collected about
    32  consumers in the preceding twelve months by reference to the  enumerated
    33  category  or  categories  in paragraph (c) of this subdivision that most
    34  closely describes the personal information collected; and
    35    (C) For purposes of subparagraphs one and  two  of  paragraph  (c)  of
    36  subdivision three of this section, two separate lists: (i) a list of the
    37  categories  of  personal  information it has sold about consumers in the
    38  preceding twelve months by reference to the enumerated category or cate-
    39  gories in paragraph (c) of this subdivision that most closely  describes
    40  the  personal  information sold, or if the business has not sold consum-
    41  ers' personal information in the preceding twelve months,  the  business
    42  shall  disclose that fact; and (ii) a list of the categories of personal
    43  information it has disclosed about consumers for a business  purpose  in
    44  the  preceding  twelve months by reference to the enumerated category or
    45  categories in paragraph  (c)  of  this  subdivision  that  most  closely
    46  describes the personal information disclosed, or if the business has not
    47  disclosed  consumers' personal information for a business purpose in the
    48  preceding twelve months, the business shall disclose that fact.
    49    (6) Ensure that all  individuals  responsible  for  handling  consumer
    50  inquiries  about  the  business's  privacy  practices  or the business's
    51  compliance with this section are informed of all  requirements  in  this
    52  subdivision,  as  well  as  in  subdivisions two, three and five of this
    53  section, and how to direct consumers  to  exercise  their  rights  under
    54  those sections; and

        S. 567                              9

     1    (7)  Use  any  personal  information  collected  from  the consumer in
     2  connection with the business's verification of  the  consumer's  request
     3  solely for the purposes of verification.
     4    (b) A business is not obligated to provide the information required by
     5  subdivisions  two  and  three  of this section to the same consumer more
     6  than once in a twelve-month period.
     7    (c) The categories of personal information required  to  be  disclosed
     8  pursuant  to  subdivisions  two and three of this section are all of the
     9  following:
    10    (1) Identifiers such as a real name,  alias,  postal  address,  unique
    11  identifier,  internet protocol address, electronic mail address, account
    12  name, social security number, driver's license number, passport  number,
    13  or other similar identifiers;
    14    (2) All categories of personal information enumerated in paragraph (a)
    15  of subdivision one of this section;
    16    (3) All categories of personal information relating to characteristics
    17  of  protected  classifications under state or federal law, with specific
    18  reference to the category of information that has been  collected,  such
    19  as race, ethnicity, or gender;
    20    (4) Commercial information, including records of property, products or
    21  services  provided,  obtained,  or  considered,  or  other purchasing or
    22  consuming histories or tendencies;
    23    (5) Biometric data;
    24    (6) Internet or other electronic network activity information, includ-
    25  ing but not limited to, browsing history, search history,  and  informa-
    26  tion  regarding a consumer's interaction with a website, application, or
    27  advertisement;
    28    (7) Geolocation data;
    29    (8) Audio, electronic, visual, thermal, olfactory, or similar informa-
    30  tion;
    31    (9) Psychometric information;
    32    (10) Professional or employment-related information;
    33    (11) Inferences drawn from any of the  information  identified  above;
    34  and
    35    (12)  Any of the categories of information set forth in this paragraph
    36  as they pertain to the minor children of the consumer.
    37    7. (a) A business that is required to comply with subdivision four  of
    38  this section shall:
    39    (1)  Provide  a clear and conspicuous link on the business's homepage,
    40  titled "Do Not Sell My Personal Information", to a webpage that  enables
    41  a  consumer,  or  a person authorized by the consumer, to opt out of the
    42  sale of the  consumer's  personal  information.  A  business  shall  not
    43  require  a consumer to create an account in order to direct the business
    44  not to sell the consumer's personal information;
    45    (2) Include a description of a consumer's rights pursuant to  subdivi-
    46  sion  four  of  this  section, along with a separate link to the "Do Not
    47  Sell My Personal Information" webpage in: (A) its online privacy  policy
    48  or  policies  if  the business has an online privacy policy or policies,
    49  and (B) any state specific description of consumers' privacy rights;
    50    (3) Ensure that all  individuals  responsible  for  handling  consumer
    51  inquiries  about  the  business's  privacy  practices  or the business's
    52  compliance with this section are informed of all  requirements  in  this
    53  subdivision  as  well  as  subdivision  four of this section, and how to
    54  direct consumers to exercise their rights under those sections;
     1    (4) For consumers who exercise their right to opt out of the  sale  of
     2  their  personal  information,  refrain from selling personal information
     3  collected by the business about the consumer;
     4    (5)  For  a  consumer  who has opted out of the sale of the consumer's
     5  personal information, respect the consumer's decision to opt out for  at
     6  least  twelve  months  before requesting that the consumer authorize the
     7  sale of the consumer's personal information; and
     8    (6) Use any  personal  information  collected  from  the  consumer  in
     9  connection  with the submission of the consumer's opt out request solely
    10  for the purposes of complying with the opt out request.
    11    (b) A consumer may authorize another person to opt out on the  consum-
    12  er's  behalf,  and  a  business  shall  comply  with  an opt out request
    13  received from a person authorized by the consumer to act on the  consum-
    14  er's behalf.
    15    8.  (a)  The obligations imposed on businesses by subdivisions two and
    16  seven of this section shall not restrict a business's ability to:
    17    (1) comply with federal, state, or local laws;
    18    (2) comply with a civil,  criminal,  or  regulatory  investigation  or
    19  subpoena or summons by federal, state, or local authorities;
    20    (3)  cooperate  with  law  enforcement  agencies concerning conduct or
    21  activity that the business reasonably and in  good  faith  believes  may
    22  violate federal, state, or local law; or
    23    (4) collect and sell a consumer's personal information if every aspect
    24  of  such commercial conduct takes place wholly outside of the state. For
    25  purposes of this section, commercial conduct takes place wholly  outside
    26  of  the  state  if  the  business  collected  such information while the
    27  consumer was outside of the state, no part of the sale of the consumer's
    28  personal information occurred in the state, and no personal  information
    29  collected while the consumer was in the state is sold.
    30    (b)  The  obligations  imposed  on  businesses by subdivisions two and
    31  seven of this section shall not apply where compliance by  the  business
    32  with this section would violate an evidentiary privilege under state law
    33  and shall not prevent a business from providing the personal information
    34  of  a  consumer  to  a  person covered by an evidentiary privilege under
    35  state law as part of a privileged communication.
    36    (c) This section shall not apply to protected health information  that
    37  is  collected  by  a  covered entity governed by the medical privacy and
    38  security rules issued by the Federal  Department  of  Health  and  Human
    39  Services,  Parts  160  and  164 of Title 45 of the Code of Federal Regu-
    40  lations, established pursuant to the Health Insurance Portability  and
    41  Accountability Act of 1996 (HIPAA). For purposes of this subdivision, the
    42  definitions of "protected health information" and "covered entity"  from
    43  the federal privacy rule shall apply.
    44    (d)  This  section shall not apply to the sale of personal information
    45  to or from a consumer reporting agency if  that  information  is  to  be
    46  reported in, or used to generate, a consumer report as defined by subdivision
    47  (d) of section 1681a of Title 15 of the United States Code, and
    48  use  of that information is limited by the federal Fair Credit Reporting
    49  Act, 15 U.S.C. § 1681, et seq.
    50    9. (a) A consumer who has suffered a violation  of  this  section  may
    51  bring an action for statutory damages. A violation of this section shall
    52  be  deemed  to  constitute  an  injury  in  fact to the consumer who has
    53  suffered the violation, and the consumer need not suffer a loss of money
    54  or property as a result of the violation in order to bring an action for
    55  a violation of this section.
     1    (b)(1) Any consumer who suffers an injury in  fact,  as  described  in
     2  paragraph  (a)  of  this subdivision, shall recover statutory damages in
     3  the amount of one thousand  dollars  or  actual  damages,  whichever  is
     4  greater,  for each violation from the business or person responsible for
     5  the  violation,  except  that  in  the  case  of  a  knowing and willful
     6  violation by a business or person, an individual shall recover statutory
     7  damages of not less than one thousand dollars and not  more  than  three
     8  thousand  dollars,  or  actual  damages,  whichever is greater, for each
     9  violation from the business or person responsible for the violation.
    10    (2) In assessing the amount of  statutory  damages,  the  court  shall
    11  consider  any one or more of the relevant circumstances presented by any
    12  of the parties to the case, including, but not limited to,  the  follow-
    13  ing:  the  nature  and  seriousness  of  the  misconduct,  the number of
    14  violations, the persistence of the misconduct, the length of  time  over
    15  which  the  misconduct  occurred,  the  willfulness  of  the defendant's
    16  misconduct, and the defendant's assets, liabilities, and net worth.
    17    (c) Notwithstanding any other law, whenever a judgment, including  any
    18  consent  judgment,  decree,  or settlement agreement, is approved by the
    19  court in a class action based on a violation of  this  section,  any  cy
    20  pres  award, unpaid cash residue, or unclaimed or abandoned class member
    21  funds attributable to a violation of this section shall  be  distributed
    22  exclusively  to  one or more nonprofit organizations to support projects
    23  that will benefit the class or similarly situated persons,  further  the
    24  objectives  and  purposes  of  the  underlying  class action or cause of
    25  action, or promote the law consistent with the objectives  and  purposes
    26  of the underlying class action or cause of action, unless for good cause
    27  shown  the  court  makes a specific finding that an alternative distrib-
    28  ution would better serve the public interest or  the  interests  of  the
    29  class. If not specified in the judgment, the court shall set a date when
    30  the  parties shall submit a report to the court regarding a plan for the
    31  distribution of any moneys pursuant to this subdivision.
    32    (d) The remedies provided by this subdivision are cumulative  to  each
    33  other and to the remedies or penalties available under all other laws of
    34  the state.
    35    10.  (a)  Any  business  or person that violates this section shall be
    36  liable for a civil penalty in a civil action brought in the name of  the
    37  people of the state of New York by the attorney general.
    38    (b) Notwithstanding any other law to the contrary, any person or busi-
    39  ness  that intentionally violates this section may be liable for a civil
    40  penalty of up to seven thousand five hundred dollars for each violation.
    41    (c) Notwithstanding any other law to the contrary, any  civil  penalty
    42  assessed  for  a  violation  of  this  section,  and the proceeds of any
    43  settlement of an action brought pursuant to paragraph (a) of this subdi-
    44  vision, shall be allocated as follows:
    45    (1) twenty percent to the consumer privacy fund, created  pursuant  to
    46  section  ninety-nine-ii  of  the  state  finance law, with the intent to
    47  fully offset any costs incurred by the state  courts  and  the  attorney
    48  general in connection with this section; and
    49    (2)  eighty  percent  to  the  jurisdiction on whose behalf the action
    50  leading to the civil penalty was brought.
    51    (d) The legislature shall adjust the percentages  specified  in  para-
    52  graph (c) of this subdivision and in subdivision eleven of this section,
    53  as necessary to ensure that any civil penalties assessed for a violation
    54  of  this section fully offset any costs incurred by the state courts and
    55  the attorney general in connection with this section, including a suffi-
    56  cient amount to cover any deficit from a prior fiscal year. The legisla-
     1  ture shall not direct a greater percentage of assessed  civil  penalties
     2  to  the  consumer privacy fund than reasonably necessary to fully offset
     3  any costs incurred by the state  courts  and  the  attorney  general  in
     4  connection with this section.
     5    11. (a) Any person who becomes aware, based on non-public information,
     6  that  a  person  or  business has violated this section may file a civil
     7  action for civil penalties pursuant to subdivision ten of this  section,
     8  if  prior  to  filing  such  action,  the person files with the attorney
     9  general a written request for  the  attorney  general  to  commence  the
    10  action.  The  request shall include a clear and concise statement of the
    11  grounds for believing a cause of action exists. The  person  shall  make
    12  the  non-public  information  available  to  the  attorney  general upon
    13  request.
    14    (1) If the attorney general files suit within ninety days from receipt
    15  of the written request to commence the action, no other  action  may  be
    16  brought  unless  the action brought by the attorney general is dismissed
    17  without prejudice.
    18    (2) If the attorney general does not file suit within ninety days from
    19  receipt of the written  request  to  commence  the  action,  the  person
    20  requesting the action may proceed to file a civil action.
    21    (3)  The  time  period  within which a civil action shall be commenced
    22  shall be tolled from the date of receipt by the attorney general of  the
    23  written  request  to  either the date that the civil action is dismissed
    24  without prejudice, or for one hundred fifty days,  whichever  is  later,
    25  but  only  for  a  civil  action brought by the person who requested the
    26  attorney general to commence the action.
    27    (b) Notwithstanding paragraph (c) of subdivision ten of this  section,
    28  if  a  judgment  is  entered  against  the defendant or defendants in an
    29  action brought pursuant to this subdivision, or the matter  is  settled,
    30  amounts  received  as civil penalties or pursuant to a settlement of the
    31  action shall be allocated as follows:
    32    (1) If the action was brought by the attorney general upon  a  request
    33  made  by  a  person  pursuant  to paragraph (a) of this subdivision, the
    34  person who made the request shall be entitled to fifteen percent of  the
    35  civil  penalties,  and  the remaining proceeds shall be deposited in the
    36  consumer privacy fund pursuant to section ninety-nine-ii  of  the  state
    37  finance law.
    38    (2)  If  the  action  was  brought  by the person who made the request
    39  pursuant to paragraph (a) of this subdivision, that person shall receive
    40  an amount the court determines is reasonable for  collecting  the  civil
    41  penalties on behalf of the government. The amount shall be not less than
    42  twenty-five  percent  and not more than fifty percent of the proceeds of
    43  the action and shall be paid out of the proceeds. The remaining proceeds
    44  shall be deposited in the consumer  privacy  fund  pursuant  to  section
    45  ninety-nine-ii of the state finance law.
    46    (c)  For  purposes  of  this  section,  "non-public information" means
    47  information that has not been disclosed in a criminal, civil, or  admin-
    48  istrative  proceeding,  in a government investigation, report, or audit,
    49  or by the news media or other public source of information, and that was
    50  not obtained in violation of the law.
    51    12. A business that suffers a breach of the  security  of  the  system
    52  involving  consumers'  personal  information  shall  be  deemed  to have
    53  violated this section and may be  held  liable  for  such  violation  or
    54  violations  under  subdivisions nine, ten and eleven of this section, if
    55  the business has failed to implement and  maintain  reasonable  security
     1  procedures  and practices, appropriate to the nature of the information,
     2  to protect the personal information from unauthorized disclosure.
     3    13.  This  section  is intended to further the constitutional right of
     4  privacy and to supplement existing laws relating to consumers'  personal
     5  information.  The provisions of this section are not limited to informa-
     6  tion collected electronically or over the internet,  but  apply  to  the
     7  collection  and sale of all personal information collected by a business
     8  from consumers. Wherever possible, existing law relating  to  consumers'
     9  personal   information   should  be  construed  to  harmonize  with  the
    10  provisions of this section, but in the event of conflict between  exist-
    11  ing  law  and  the provisions of this section, the provisions of the law
    12  that afford the greatest protection for the right of privacy for consum-
    13  ers shall control.
    14    14. Nothing in this section shall prevent a  city,  county,  city  and
    15  county,  municipality,  or  local agency from safeguarding the constitu-
    16  tional right of privacy by imposing  additional  requirements  on  busi-
    17  nesses regarding the collection and sale of consumers' personal informa-
    18  tion  by  businesses  provided  that  the requirement does not prevent a
    19  person or business from complying with this section.
    20    15. (a) The attorney general shall adopt regulations in the  following
    21  areas to further the purposes of this section:
    22    (1)  Adding additional categories to those enumerated in paragraph (c)
    23  of subdivision six and paragraph (m) of subdivision one of this  section
    24  in  order  to  address changes in technology, data collection practices,
    25  obstacles to implementation, and privacy  concerns.  In  addition,  upon
    26  receipt of a request made by a city attorney or district attorney to add
    27  a  new  category  or categories, the attorney general shall promulgate a
    28  regulation to add such category or categories unless the attorney gener-
    29  al concludes, based on factual  or  legal  findings,  that  there  is  a
    30  compelling  reason  not  to add the category or categories. The attorney
    31  general may also add additional categories to those enumerated in  para-
    32  graph  (c)  of  subdivision  six and paragraph (m) of subdivision one of
    33  this section in response to a petition filed;
    34    (2) Adding additional items to the definition of "unique  identifiers"
    35  to  address  changes in technology, data collection, obstacles to imple-
    36  mentation, and privacy concerns, and additional categories to the  defi-
    37  nition  of  "designated methods for submitting requests" to facilitate a
    38  consumer's ability to obtain information from  a  business  pursuant  to
    39  subdivision six of this section;
    40    (3)  Establishing  any  exceptions  necessary  to comply with state or
    41  federal law;
    42    (4) Establishing rules and procedures: (A) to  facilitate  and  govern
    43  the submission of a request by a consumer, and by an authorized agent of
    44  the consumer, to opt out of the sale of personal information pursuant to
    45  subparagraph  one of paragraph (a) of subdivision seven of this section;
    46  (B) to govern a business's compliance with a consumer's opt out request;
    47  and (C) for the development and use of a recognizable  and  uniform  opt
    48  out  logo  or  button by all businesses to promote consumer awareness of
    49  the opportunity to opt out of the sale of personal information;
    50    (5) Adjusting the monetary threshold in clause (A) of subparagraph one
    51  of paragraph (b) of subdivision one of this section in January of  every
    52  odd-numbered year to reflect any increase in the Consumer Price Index;
    53    (6)  Establishing  rules,  procedures, and any exceptions necessary to
    54  ensure that the notices and information that businesses are required  to
    55  provide  pursuant  to  this section are provided in a manner so as to be
    56  easily understood by the average consumer, are accessible  to  consumers
     1  with  disabilities,  and are available in the language primarily used to
     2  interact with the consumer;
     3    (7)  Establishing  rules  and  procedures  to  further the purposes of
     4  subdivisions two and three of this section and to facilitate  a  consum-
     5  er's  or the consumer's authorized agent's ability to obtain information
     6  pursuant to subdivision six of this section, with the goal of minimizing
     7  the administrative burden on consumers, taking  into  account  available
     8  technology, security concerns, and the burden on the business, to govern
     9  a business's determination that a request for information received  from
    10  a consumer is a verifiable request, including treating a request submitted
    11  through a password protected account maintained by the consumer with the
    12  business while the consumer is logged into the account as  a  verifiable
    13  request  and  providing a mechanism for a consumer who does not maintain
    14  an account with the business to request information  through  the  busi-
    15  ness's authentication of the consumer's identity;
    16    (8) Defining the term "valuable consideration" as used in subparagraph
    17  one of paragraph (q) of subdivision one of this section to ensure that a
    18  business  that discloses, except as permitted by this section, a consum-
    19  er's personal information to a third party, including through  a  series
    20  of  transactions  involving  multiple third parties, in exchange for any
    21  economic benefit is subject to this section,  and  to  include  business
    22  practices  involving  the disclosure of personal information in exchange
    23  for something of value. Valuable  consideration  does  not  include  the
    24  exchange of value in a transaction involving non-commercial speech, such
    25  as journalism and political speech; and
    26    (9)  Further  interpret  the  terms  "de-identified",  "sell",  "third
    27  party", and "business purpose" as set forth in subdivision one  of  this
    28  section, to address changes in technology, data collection, obstacles to
    29  implementation,  and  privacy concerns and to ensure compliance with the
    30  purposes of this section, provided that such regulations do  not  reduce
    31  consumer  privacy  or the ability of consumers to stop the sale of their
    32  personal information.
    33    (b) The attorney general shall be precluded from adopting  regulations
    34  that  limit  or  reduce  the  number  or scope of categories of personal
    35  information enumerated in paragraph (c) of subdivision six and paragraph
    36  (m) of subdivision one of this section, or  that  limit  or  reduce  the
    37  number  or  scope  of  categories  added pursuant to subparagraph one of
    38  paragraph (a) of this subdivision, except as necessary  to  comply  with
    39  subparagraph  three  of  paragraph (a) of this subdivision. The attorney
    40  general shall also be precluded from reducing the  scope  of  the  defi-
    41  nition  of  "unique  identifiers",  except  as  necessary to comply with
    42  subparagraph three of paragraph (a) of this subdivision.
    43    (c) To the extent the attorney general determines that it is necessary
    44  to adopt certain regulations in order to  implement  this  section,  the
    45  attorney  general  shall adopt any such regulations within six months of
    46  the date this section is adopted.
    47    (d) The attorney general may adopt additional regulations as necessary
    48  to further the purposes of this section.
    49    16. If a series of steps or transactions were  component  parts  of  a
    50  single  transaction  intended  from  the  beginning to be taken with the
    51  intention of avoiding the reach of this section, including  the  disclo-
    52  sure of information by a business to a third party in order to avoid the
    53  definition  of "sell", a court shall disregard the intermediate steps or
    54  transactions for purposes of effectuating the purposes of this section.
    55    17. Any provision of a contract or agreement of any kind that purports
    56  to waive or limit in any way a consumer's  rights  under  this  section,
     1  including  but not limited to any right to a remedy or means of enforce-
     2  ment, shall be deemed contrary to public policy and shall  be  void  and
     3  unenforceable.  This section shall not prevent a consumer from:  declin-
     4  ing  to  request  information from a business; declining to opt out of a
     5  business's sale of the consumer's personal information; or authorizing a
     6  business to sell the consumer's personal  information  after  previously
     7  opting out.
     8    18. If any provision of this section shall be adjudged by any court of
     9  competent  jurisdiction  to  be invalid, such judgment shall not affect,
    10  impair or invalidate the remainder thereof, but shall be confined in its
    11  operation to the provision directly involved in the controversy in which
    12  such judgment shall have been rendered.
    13    § 3. The state finance law is amended by adding a new section 99-ii to
    14  read as follows:
    15    § 99-ii. Consumer privacy fund. 1. There is hereby established in  the
    16  joint  custody of the state comptroller and the commissioner of taxation
    17  and finance an account within the  general  fund  to  be  known  as  the
    18  "consumer privacy fund".
    19    2. Such account shall consist of all penalties received by the depart-
    20  ment  of  state  pursuant to section eight hundred ninety-nine-cc of the
    21  general business law and any additional monies appropriated, credited or
    22  transferred to such account by the legislature. Any interest  earned  by
    23  the investment of monies in such account shall be added to such account,
    24  become  part  of  such  account,  and  be  used for the purposes of such
    25  account.
    26    3. Monies in the account shall be available to  the  office  of  court
    27  administration  and the attorney general to offset any costs incurred by
    28  the state courts in connection with actions brought to  enforce  section
    29  eight  hundred  ninety-nine-cc of the general business law and any costs
    30  incurred by the attorney general in carrying out his or her duties under
    31  such section of law.
    32    4. Monies in the account shall be paid out of the account on the audit
    33  and warrant of the state comptroller on vouchers certified  or  approved
    34  by the office of court administration and/or the attorney general.
    35    § 4. This act shall take effect on the one hundred eightieth day after
    36  it  shall have become a law. Effective immediately, the addition, amend-
    37  ment and/or repeal of any rule or regulation necessary for the implemen-
    38  tation of this act on its effective date are authorized to be made on or
    39  before such effective date.