STATE OF NEW YORK
        ________________________________________________________________________

                                          1570

                               2021-2022 Regular Sessions

                    IN SENATE

                                    January 13, 2021
                                       ___________

        Introduced  by  Sen. SANDERS -- read twice and ordered printed, and when
          printed to be committed to the Committee on Investigations and Govern-
          ment Operations

        AN ACT to amend the executive law, in relation to enacting the New  York
          data protection act

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  the "New York data protection act".
     3    §  2. The executive law is amended by adding a new article 5-A to read
     4  as follows:
     5                                 ARTICLE 5-A
     6                        NEW YORK DATA PROTECTION ACT
     7  Section 81. Definitions.
     8          82.   Right to request disclosure.
     9          83.   Right to request deletion of personal information.
    10          84.   Personal information which may be requested.
    11          85.   Shared information; government entities or contractors.
    12          86.   Non-shareable personal information.
    13          87.   Right not to be discriminated against.
    14          88.   Accessibility.
    15          89.   Limitation on restrictions.
    16          89-a. Relief.
    17          89-b. Compliance guidance.
    18  § 81. Definitions. As used in this article, the  following  terms  shall
    19  have the following meanings unless otherwise specified:
    20    1.  "Aggregate  personal  information"  shall  mean  information  that
    21  relates to a group or category of  individuals,  from  which  individual
    22  identities  have been removed, that is not linked or reasonably linkable
    23  to any individual or household, including  via  a  device.    "Aggregate

                                                                   LBD03167-01-1

        S. 1570                             2

     1  personal  information"  shall  not mean one or more individual's records
     2  that have been de-identified.
     3    2.  "Collects",  "collected",  or  "collection"  shall mean gathering,
     4  obtaining, receiving, or accessing any personal  information  pertaining
     5  to  an individual by any means. This includes receiving information from
     6  such individual either actively or passively.
     7    3. "Contractor" means a contractor, or subcontractor of a  contractor,
     8  that  contracts  to process information on behalf of a government entity
     9  and to which such government entity discloses an  individual's  personal
    10  information  for  a  legitimate government purpose pursuant to a written
    11  contract, provided that  such  contract  prohibits  such  contractor  or
    12  subcontractor receiving such personal information from retaining, using,
    13  or  disclosing  such personal information for any purpose other than for
    14  the specific purpose  of  performing  the  services  specified  in  such
    15  contract,  or  as otherwise permitted by this article, including retain-
    16  ing, using, or disclosing such personal  information  for  a  commercial
    17  purpose other than providing the services specified in the contract.
    18    4.  "Deidentified" shall mean information that cannot reasonably iden-
    19  tify, relate to, describe, be capable of being associated  with,  or  be
    20  linked,  directly  or  indirectly,  to a particular individual, provided
    21  that a government entity that uses such deidentified information:
    22    (a) has implemented technical safeguards and processes  that  prohibit
    23  reidentification of the individual to whom such information may pertain;
    24    (b)  has  implemented  processes  to  prevent  inadvertent  release of
    25  deidentified information; and
    26    (c) makes no attempt to reidentify such information.
    27    5. "Designated methods for submitting requests" shall mean  a  mailing
    28  address,  email  address,  internet web page, internet web portal, toll-
    29  free telephone number, or other applicable contact information,  whereby
    30  individuals  may  submit  a request or direction under this article, and
    31  any new means of contacting a government  entity,  as  approved  by  the
    32  attorney general.
    33    6. "Device" shall mean any physical object that is capable of connect-
    34  ing to the internet, directly or indirectly, or to another device.
    35    7.  "Government entity" or "entity" shall mean any state agency or any
    36  part, body, or subdivision thereof.
    37    8. "Homepage" shall mean the introductory page of an internet web site
    38  and any internet web page where personal information is collected.
    39    9. "Individual" shall mean a person who is  a  resident  of  New  York
    40  state.
    41    10. (a) "Personal information" shall mean information that identifies,
    42  relates  to,  describes,  is  capable of being associated with, or could
    43  reasonably be linked, directly or indirectly, with a particular individ-
    44  ual or household. Personal information includes, but is not limited  to,
    45  the following:
    46    (i)  identifiers  such  as  a real name, alias, postal address, unique
    47  personal identifier, internet protocol address,  email  address,  social
    48  security  number,  driver's license number, passport number, photograph,
    49  or other similar identifiers;
    50    (ii) characteristics of protected classifications under  New  York  or
    51  federal law;
    52    (iii)  commercial  information,  including records of real or personal
    53  property;
    54    (iv) biometric information;
    55    (v) audio, electronic, visual, or similar information;
    56    (vi) professional or employment-related information;

        S. 1570                             3

     1    (vii) education  information,  defined  as  information  that  is  not
     2  publicly available personally identifiable information as defined in the
     3  family educational rights and privacy act (20 USC 1232g);
     4    (viii) inferences drawn from any of the information identified in this
     5  subdivision  to  create  a  profile  about an individual reflecting such
     6  individual's preferences, characteristics, psychological trends, predis-
     7  positions, behavior, attitudes, intelligence, abilities, and  aptitudes;
     8  and
     9    (ix) financial or tax information.
    10    (b) "Personal information" shall not include publicly available infor-
    11  mation.  For these purposes, "publicly available" shall mean information
    12  that is lawfully made available from federal, state, or local government
    13  records, or any conditions associated with such  information.  "Publicly
    14  available" shall not include an individual's information that is deiden-
    15  tified or aggregate personal information.
    16    11.  "Probabilistic  identifier"  shall  mean the identification of an
    17  individual or a device to a degree of certainty of  more  probable  than
    18  not  based  on  any  categories  of personal information included in, or
    19  similar to,  the  categories  enumerated  in  subdivision  ten  of  this
    20  section.
    21    12. "Process" or "processing" shall mean any operation or set of oper-
    22  ations  that are performed on personal data or on sets of personal data,
    23  whether or not by automated means.
    24    13. "Pseudonymize" or "pseudonymization" shall mean the processing  of
    25  personal  information in a manner that renders such personal information
    26  no longer attributable to a specific individual without the use of addi-
    27  tional information, provided that such additional  information  is  kept
    28  separately  and  is  subject to technical and organizational measures to
    29  ensure that such personal information is not attributed to an identified
    30  or identifiable individual.
    31    14. (a) "Sell", "selling", "sale", or "sold" shall mean selling, rent-
    32  ing, releasing,  disclosing,  disseminating,  making  available,  trans-
    33  ferring, or otherwise communicating orally, in writing, or by electronic
    34  or  other  means,  an  individual's personal information by a government
    35  entity or contractor to a third party for  monetary  or  other  valuable
    36  consideration.
    37    (b)  A government entity or contractor does not sell personal informa-
    38  tion within the meaning of this article when:
    39    (i) An individual uses or directs such government entity or contractor
    40  to  intentionally  disclose  personal  information  to  a  third  party,
    41  provided  such third party also does not sell such personal information,
    42  unless such disclosure would be consistent with the provisions  of  this
    43  article.
    44    (ii)  Such government entity or contractor uses or shares with a third
    45  party personal information of an individual that is necessary to perform
    46  a legitimate government purpose if both of the following conditions  are
    47  met:
    48    (1)  the  government  entity  or  contractor  has provided notice that
    49  information is being used or shared; and
    50    (2) the third party  does  not  further  collect,  sell,  or  use  the
    51  personal  information  of such individual except as necessary to perform
    52  the business purpose for which it received such information.
    53    (iii) A contractor who transfers to  a  third  party  an  individual's
    54  personal  information as an asset that is part of a merger, acquisition,
    55  bankruptcy, or other transaction in which such contractor or third party
    56  assumes control of all or part of such third party  provided  that  such

        S. 1570                             4

     1  information  is  used  or  shared consistently with this article.   If a
     2  third party materially alters how it uses or shares personal information
     3  of an individual in a manner that is materially  inconsistent  with  the
     4  promises  made  at the time of collection, it shall provide prior notice
     5  of the new or changed practice to such individual.  Such notice shall be
     6  sufficiently prominent and robust to ensure that individuals can  easily
     7  exercise  their  choices  consistently with section eighty-three of this
     8  article.
     9    15. "Service" or "services" shall  mean  work,  labor,  and  services,
    10  including  services  furnished  in connection with the sale or repair of
    11  goods.
    12    16. "Third party" shall mean a person or business entity  who  is  not
    13  another government entity or contractor thereof.
    14    17.  "Unique  identifier" or "unique personal identifier" shall mean a
    15  persistent identifier that can be used to  recognize  an  individual,  a
    16  family, or a device that is linked to an individual or family, over time
    17  and  across  different services, including, but not limited to, a device
    18  identifier; an internet protocol address; cookies, beacons, pixel  tags,
    19  or  similar  technology;  unique  pseudonym,  or  user  alias; telephone
    20  numbers, or other forms of persistent or probabilistic identifiers  that
    21  can  be used to identify a particular individual or device. For purposes
    22  of this subdivision, "family" means a custodial parent or  guardian  and
    23  any minor children over which such parent or guardian has custody.
    24    18. "Verifiable information request" shall mean a request to a govern-
    25  ment entity that is made by an individual, by an individual on behalf of
    26  such individual's minor child, or by a natural person or a person regis-
    27  tered  with the secretary of state, authorized by such individual to act
    28  on such individual's behalf, and that such government entity or contrac-
    29  tor can reasonably verify, pursuant to regulations adopted by the attor-
    30  ney general to be such individual about whom such government  entity  or
    31  contractor  has  collected  personal information. A government entity or
    32  contractor shall not be obligated to provide information to  such  indi-
    33  vidual  pursuant to sections eighty-two and eighty-three of this article
    34  if such government entity or contractor cannot verify that such individ-
    35  ual making such request is the same individual about whom  such  govern-
    36  ment entity has collected information, or is a person authorized by such
    37  individual to act on such individual's behalf.
    38    §  82.  Right  to request disclosure. 1. Any individual shall have the
    39  right to request that a government entity or  contractor  that  collects
    40  personal  information  disclose  to  such  individual the categories and
    41  specific pieces  of  personal  information  such  government  entity  or
    42  contractor has collected.
    43    2. A government entity that collects an individual's personal informa-
    44  tion shall, at or before the point of collection, inform such individual
    45  as  to  the  categories  of personal information to be collected and the
    46  purposes for which such categories  of  personal  information  shall  be
    47  used.  A  government  entity  or contractor shall not collect additional
    48  categories of personal information or use personal information collected
    49  for additional purposes without providing such  individual  with  notice
    50  consistent with this article.
    51    3.  A  government  entity  or contractor shall provide the information
    52  specified in subdivision one of this section to an individual only  upon
    53  receipt of a verifiable information request.
    54    4. A government entity or contractor that receives a verifiable infor-
    55  mation  request  from an individual to access personal information shall
    56  promptly take steps to disclose and deliver,  free  of  charge  to  such

        S. 1570                             5

     1  individual,  such  personal  information  required by this section. Such
     2  information may be delivered by mail or electronically.    A  government
     3  entity  or  contractor may provide personal information to an individual
     4  at  any  time, but shall not be required to provide personal information
     5  to any individual more than twice in a twelve-month period.
     6    5. This section shall not require a government  entity  or  contractor
     7  to:
     8    (a)  retain  any personal information collected for a single, one-time
     9  transaction if such information  is  not  shared  or  retained  by  such
    10  government entity or contractor; or
    11    (b)  re-identify  or otherwise link information that is not maintained
    12  in a manner that would be considered personal information.
    13    § 83. Right to request deletion of personal information. 1. Any  indi-
    14  vidual  shall  have  the  right  to  request that a government entity or
    15  contractor delete any personal information about such  individual  which
    16  such government entity or contractor has collected from such individual.
    17    2.  A  government entity or contractor that collects personal informa-
    18  tion about individuals shall notify such individuals of their rights  to
    19  request the deletion of their personal information.
    20    3. A government entity or contractor that receives a verifiable infor-
    21  mation  request  from an individual to delete such individual's personal
    22  information shall delete such individual's personal information from its
    23  records and direct any contractors to delete such individual's  personal
    24  information from their records.
    25    4.  Notwithstanding  other provisions under this article, a government
    26  entity or contractor shall not be required to comply  with  an  individ-
    27  ual's  request to delete such individual's personal information if it is
    28  necessary for the government entity or contractor to maintain such indi-
    29  vidual's personal information in order to:
    30    (a) complete the  purpose  for  which  the  personal  information  was
    31  collected;
    32    (b) comply with a legal obligation;
    33    (c)  otherwise use such individual's personal information, internally,
    34  in a lawful manner that is compatible with the scope of such  government
    35  entity or contractor's duties.
    36    §  84.  Personal  information which may be requested. 1. An individual
    37  who requests disclosure of information pursuant to section eighty-two of
    38  this article may request the following information:
    39    (a) the categories of personal information such government  entity  or
    40  contractor has collected about such individual;
    41    (b) the categories of sources from which such personal information has
    42  been collected;
    43    (c) the purpose for collecting or sharing such personal information;
    44    (d)  any other government entities, contractors, or third parties with
    45  whom such government entity or contractor shares such personal  informa-
    46  tion; and
    47    (e) the specific pieces of personal information such government entity
    48  or contractor has collected about such individual.
    49    2.  A  government entity or contractor possessing personal information
    50  about an individual shall disclose to such individual  such  information
    51  upon receipt of a verifiable information request submitted by such indi-
    52  vidual.  Within  five  days  of  receipt  of such verifiable information
    53  request, such government entity or contractor shall send a  response  to
    54  such requestor acknowledging receipt of such request.

        S. 1570                             6

     1    3. (a) A government entity or contractor that collects personal infor-
     2  mation  about  individuals  from another government entity or contractor
     3  shall disclose to such individuals the following:
     4    (i) the categories of personal information it has collected about such
     5  individual;
     6    (ii) the categories of sources from which such personal information is
     7  collected;
     8    (iii) the purpose for collecting or sharing such personal information;
     9    (iv)  any  other  government  entities  or  contractors with whom such
    10  government entity or contractor shares personal information; and
    11    (v) the specific pieces of personal information it has collected about
    12  such individual.
    13    (b) Such government entity or contractor shall disclose  the  informa-
    14  tion  required  by paragraph (a) of this subdivision to such individuals
    15  immediately upon receipt of such information, without  the  need  for  a
    16  request to first be submitted.
    17    4. This section shall not require a government entity or contractor to
    18  do the following:
    19    (a)  retain any personal information about an individual collected for
    20  a single one-time transaction if, in the ordinary  course  of  business,
    21  such information about such individual is not retained; or
    22    (b)  re-identify  or  otherwise  link  any  data that, in the ordinary
    23  course of business, is not maintained in a manner that would be  consid-
    24  ered personal information.
    25    §  85.  Shared  information;  government  entities or contractors. Any
    26  individual shall have the right to request that a government entity that
    27  shares such individual's personal information, disclose to such individ-
    28  ual:
    29    (1) the categories of personal information that such government entity
    30  collected about such individual; and
    31    (2) the categories of personal information that such government entity
    32  or contractor has shared about such individual and the other  government
    33  entities  or contractors with whom such personal information was shared,
    34  by category or categories of personal information  for  each  government
    35  entity or contractor to whom such personal information was shared.
    36    §  86.  Non-shareable personal information. 1. No government entity or
    37  contractor shall share any  individual's  personal  information  with  a
    38  contractor  or  subcontractor  unless such information is crucial to the
    39  purpose for which such government entity or  contractor  has  contracted
    40  such contractor or subcontractor's services.
    41    2.  No  government  entity  or contractor shall share any individual's
    42  personal information with another government entity or contractor unless
    43  such information is crucial to the performance of such other  government
    44  entity  or  contractor's  duties,  and  such  other government entity or
    45  contractor cannot procure such personal information on its  own  without
    46  serious hardship.
    47    3.  No government entity or contractor shall sell personal information
    48  about an individual that has been shared with such government entity  or
    49  contractor.
    50    §  87.  Right not to be discriminated against. No government entity or
    51  contractor shall discriminate against  any  individual  in  any  way  in
    52  response  to  such  individual exercising any of his or her rights under
    53  this article.
    54    § 88. Accessibility. 1. In order to comply with  the  requirements  of
    55  this  article, in a method that is reasonably accessible to individuals,
    56  government entities shall:

        S. 1570                             7

     1    (a) Make available to individuals two or more designated  methods  for
     2  submitting  verifiable information requests which include, at a minimum,
     3  a toll-free telephone number, and if such government entity maintains an
     4  internet website, a website address.
     5    (b)  If  such government entity maintains an internet website, provide
     6  on such website information instructing individuals of their  rights  to
     7  request  disclosure or deletion of personal information under this arti-
     8  cle, and all methods available for making such a request. Such  informa-
     9  tion  shall  not  be  required  to be on the homepage of such government
    10  entity's website.
    11    2. In order to comply with the requirements of this  article,  govern-
    12  ment entities and contractors shall:
    13    (a)  Disclose  and  deliver  any information requested in a verifiable
    14  information request free of charge within forty-five days  of  receiving
    15  such  request  from  an  individual.    The  time  period to provide the
    16  required information may be extended once by  an  additional  forty-five
    17  days  when  reasonably  necessary, provided the requesting individual is
    18  provided notice of such extension within the first forty-five day  peri-
    19  od.  Such  disclosure shall cover the twelve-month period preceding such
    20  government entity or contractor's receipt of the verifiable  information
    21  request, and shall be made in writing and delivered by mail or electron-
    22  ically at the requestor's option.
    23    (b)  Disclose  and  deliver the information requested in a manner that
    24  covers all disclosure requirements  under  subdivision  one  of  section
    25  eighty-four of this article.
    26    (c)  Disclose  and  deliver any information shared pursuant to section
    27  eighty-six of this article by such government entity or contractor with-
    28  in the twelve months preceding such request.
    29    (d) Ensure that any employees of such government entity or  contractor
    30  who are responsible for handling inquiries about disclosure requirements
    31  prescribed  by  this article are informed of all disclosure requirements
    32  under this article, and that such  employees  are  informed  of  how  to
    33  direct individuals of how to exercise their rights under this article.
    34    (e)  Use  any  personal  information collected from an individual in a
    35  verifiable information request in connection with such government entity
    36  or contractor's verification of such request solely for the purposes  of
    37  such verification.
    38    (f) Not be required to respond to more than two verifiable information
    39  requests from the same individual within the same twelve-month period.
    40    §  89.  Limitation  on  restrictions.  1.  The  obligations imposed on
    41  government entities and contractors by this article shall  not  restrict
    42  any government entity or contractor's ability to:
    43    (a) otherwise comply with federal, state, or local laws;
    44    (b)  comply  with  a  civil, criminal, or regulatory inquiry, investi-
    45  gation, subpoena, or summons by federal, state, or local authorities;
    46    (c) comply with a request made under the freedom of  information  law;
    47  or
    48    (d) exercise or defend legal claims.
    49    2. This article shall not apply to the sale of personal information to
    50  or  from  a  consumer  reporting  agency  if  such  information is to be
    51  reported in, or used to generate, a consumer report as  defined  by  the
    52  federal  fair credit reporting act (15 USC 1681), and use of that infor-
    53  mation is limited by such act.
    54    3. If requests from an individual are manifestly unfounded  or  exces-
    55  sive,  in particular because of their repetitive character, a government
    56  entity or contractor may either charge a  reasonable  fee,  taking  into

        S. 1570                             8

     1  account the administrative costs of providing such information or commu-
     2  nication  or  taking  the  action  requested,  or  refuse to act on such
     3  request and notify such individual  of  the  reason  for  refusing  such
     4  request.  Such  government entity or contractor shall bear the burden of
     5  demonstrating  that  such  verified  consumer  request   is   manifestly
     6  unfounded or excessive.
     7    4.  A  government  entity  that  discloses  personal  information to a
     8  contractor shall not be liable under this  article  if  such  contractor
     9  uses  such  personal  information  in  violation of the restrictions set
    10  forth in this article, provided that, at the  time  of  disclosing  such
    11  personal  information, such government entity does not have actual know-
    12  ledge or reason to believe that such contractor intends to commit such a
    13  violation. No contractor shall be liable  under  this  article  for  the
    14  obligations of a government entity for which it provides services as set
    15  forth in this article.
    16    5.  This article shall not be construed to require a government entity
    17  to reidentify or otherwise link information that is not maintained in  a
    18  manner that would be considered personal information.
    19    6.  The  rights afforded to individuals and the obligations imposed on
    20  government entities and contractors by this article shall not  adversely
    21  affect the rights and freedoms of any other person.
    22    §  89-a.  Relief.  1.  Any  individual  whose  personal information is
    23  subject to an unauthorized access and exfiltration, theft, or disclosure
    24  as a result of a government entity or contractor's violation of the duty
    25  to implement and maintain reasonable security procedures  and  practices
    26  appropriate  to  the  nature of the information to protect such personal
    27  information request action by the attorney general in response  to  such
    28  violation.
    29    2.  Nothing in this article shall be interpreted to serve as the basis
    30  for a private right of action under any other law.  This  shall  not  be
    31  construed  to  relieve  any party from any duties or obligations imposed
    32  under other law or the United States or New York constitution.
    33    § 89-b. Compliance guidance. Any government entity or  contractor  may
    34  seek  the  opinion of the attorney general for guidance on how to comply
    35  with the provisions of this article.
    36    § 3. This act shall take effect one year after it shall have become  a
    37  law.