Bill Text: NY S06142 | 2023-2024 | General Assembly | Introduced
Bill Title: Prohibits the disclosure of individualized fare payment data by the metropolitan commuter transportation authority and the New York city transit authority for the purpose of maintaining customer privacy; provides certain exceptions when such data can be disclosed.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2024-01-03 - REFERRED TO TRANSPORTATION [S06142 Detail]
Download: New_York-2023-S06142-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 6142 2023-2024 Regular Sessions IN SENATE March 30, 2023 ___________ Introduced by Sen. FERNANDEZ -- read twice and ordered printed, and when printed to be committed to the Committee on Transportation AN ACT to amend the public authorities law, in relation to prohibiting the disclosure of individualized fare payment data by the metropolitan commuter transportation authority and the New York city transit authority The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Section 1266 of the public authorities law is amended by 2 adding a new subdivision 16-a to read as follows: 3 16-a. If an entry system requires the purchase of a card, token, or 4 other device in order to enter the system, then (i) such card, token, or 5 other device shall be available for purchase throughout all hours of 6 operation of the passenger station, (ii) such card, token, or other 7 device shall not be registered to or otherwise associated with the iden- 8 tity of any individual, and (iii) such card, token, or other device 9 shall not cost in excess of the present-day value of five dollars as of 10 January first, two thousand twenty-three. 11 § 2. The public authorities law is amended by adding a new section 12 1279-j to read as follows: 13 § 1279-j. Customer privacy. 1. For the purposes of this section, the 14 following terms shall have the following meanings: 15 (a) "Data subject" shall have the same meaning as such term is defined 16 pursuant to subdivision three of section ninety-two of the public offi- 17 cers law. 18 (b) "Disclose" shall have the same meaning as such term is defined 19 pursuant to subdivision four of section ninety-two of the public offi- 20 cers law. 21 (c) "Police agency" shall have the same meaning as such term is 22 defined pursuant to subdivision eight of section eight hundred thirty- 23 five of the executive law. EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD09852-02-3S. 6142 2 1 (d) "Law enforcement agency" shall have the same meaning as such term 2 is defined pursuant to subdivision four of section 705.00 of the crimi- 3 nal procedure law. 4 (e) "Law enforcement officer" shall mean a police officer or peace 5 officer, including transit police under subdivision sixteen of section 6 one thousand two hundred four of this article and including any person 7 employed by the authority police force established pursuant to section 8 one thousand two hundred sixty-six of this title. 9 (f) "Police officer" shall have the same meaning as such term is 10 defined pursuant to subdivision thirty-four of section 1.20 of the crim- 11 inal procedure law. 12 (g) "Peace officer" shall mean any individual listed pursuant to 13 section 2.10 of the criminal procedure law. 14 (h) "Person employed" shall mean any employee, independent contractor, 15 or volunteer under the statutory and common law of the state of New York 16 acting in the scope of their duties as an employee, independent contrac- 17 tor, or volunteer. 18 (i) "Individualized fare payment data" shall mean personal informa- 19 tion, as defined in subdivision seven of section ninety-two of the 20 public officers law, related to payment of fares to the authority or its 21 subsidiary corporations in order to enter, access, or otherwise use a 22 transportation system administered by the authority or its subsidiary 23 corporations. "Individualized fare payment data" shall include, but not 24 be limited to, data that correlates a card, token, or device used to pay 25 a fare and the locations at which such card, token or device was used. 26 2. (a) The authority and its subsidiary corporations shall not 27 disclose a data subject's individualized fare payment data to a police 28 agency, law enforcement agency, or law enforcement officer, or use a 29 data subject's individualized fare payment data for law enforcement 30 purposes, unless such a disclosure is: 31 (i) reasonably necessary to prevent a serious and imminent threat to 32 the life or safety of the data subject or others, and notification of 33 the disclosure is transmitted to the data subject within twenty days if 34 such notice is practicable; 35 (ii) pursuant to a search warrant, supported by particularized proba- 36 ble cause with respect to each data subject whose individualized fare 37 payment data is disclosed; or 38 (iii) made to a person or entity that agrees in writing not to 39 disclose any individualized fare payment data except pursuant to this 40 subdivision. 41 (b) If the authority enters into a partnership or agreement with 42 another entity to provide services, including but not limited to fare 43 payment services, and such other entity directly collects individualized 44 fare payment data pursuant to such a partnership or agreement, the enti- 45 ty shall not disclose such individualized fare payment data other than 46 pursuant to exceptions specified in paragraph (a) of this subdivision. 47 (c) The authority shall not enter into an agreement described in para- 48 graph (b) of this subdivision with any police agency or law enforcement 49 agency. 50 3. (a) Any data subject or caller whose communication was disclosed in 51 violation of this section may seek judicial review and relief against 52 the authority or private entity responsible for such disclosure for: 53 (i) five thousand dollars per violation or actual damages, whichever 54 is greater; 55 (ii) punitive damages; and 56 (iii) any other relief the court deems warranted.S. 6142 3 1 (b) In assessing the amount of punitive damages awarded to a plaintiff 2 in an action brought under paragraph (a) of this subdivision, the court 3 shall consider: 4 (i) the defendant's pattern of violations of this section; and 5 (ii) the impact of the violation on the data subject's or caller's 6 exercise of constitutional and statutory rights, including, but not 7 limited to, religion, political views, and medical care. 8 (c) In any action brought under paragraph (a) of this subdivision, the 9 court shall award reasonable attorneys' fees, expenses, and costs to a 10 prevailing plaintiff. 11 (d) The attorney general may seek an injunction from any court of 12 proper jurisdiction for any violation of this section. 13 4. Nothing in this section shall be construed to: 14 (a) limit or abridge the right of any person to obtain judicial review 15 or pecuniary or other relief, in any other form or upon any other basis, 16 otherwise available to a person; or 17 (b) require the authority or any other entity to collect or retain any 18 information about a caller or data subject. 19 § 3. Section 1205 of the public authorities law is amended by adding a 20 new subdivision 9 to read as follows: 21 9. If an entry system requires the purchase of a card, token, or 22 other device in order to enter the system, then (i) such card, token, or 23 other device shall be available for purchase throughout all hours of 24 operation of the passenger station, (ii) such card, token, or other 25 device shall not be registered to or otherwise associated with the iden- 26 tity of any individual, and (iii) such card, token, or other device 27 shall not cost in excess of the present-day value of five dollars as of 28 January first, two thousand twenty-three. 29 § 4. The public authorities law is amended by adding a new section 30 1204-g to read as follows: 31 § 1204-g. Customer privacy. 1. For the purposes of this section, the 32 following terms shall have the following meanings: 33 (a) "Data subject" shall have the same meaning as such term is defined 34 pursuant to subdivision three of section ninety-two of the public offi- 35 cers law. 36 (b) "Disclose" shall have the same meaning as such term is defined 37 pursuant to subdivision four of section ninety-two of the public offi- 38 cers law. 39 (c) "Police agency" shall have the same meaning as such term is 40 defined pursuant to subdivision eight of section eight hundred thirty- 41 five of the executive law. 42 (d) "Law enforcement agency" shall have the same meaning as such term 43 is defined pursuant to subdivision four of section 705.00 of the crimi- 44 nal procedure law. 45 (e) "Law enforcement officer" shall mean a police officer or peace 46 officer, including transit police under subdivision sixteen of section 47 one thousand two hundred four of this title and including any person 48 employed by the authority police force established pursuant to section 49 one thousand two hundred sixty-six of this article. 50 (f) "Police officer" shall have the same meaning as such term is 51 defined pursuant to subdivision thirty-four of section 1.20 of the crim- 52 inal procedure law. 53 (g) "Peace officer" shall mean any individual listed pursuant to 54 section 2.10 of the criminal procedure law. 55 (h) "Person employed" shall mean any employee, independent contractor, 56 or volunteer under the statutory and common law of the state of New YorkS. 6142 4 1 acting in the scope of their duties as an employee, independent contrac- 2 tor, or volunteer. 3 (i) "Individualized fare payment data" shall mean personal informa- 4 tion, as defined in subdivision seven of section ninety-two of the 5 public officers law, related to payment of fares to the authority or its 6 subsidiary corporations in order to enter, access, or otherwise use a 7 transportation system administered by the authority or its subsidiary 8 corporations. "Individualized fare payment data" shall include, but not 9 be limited to, data that correlates a card, token, or device used to pay 10 a fare and the locations at which such card, token or device was used. 11 2. The authority shall comply with the requirements of subdivision two 12 of section one thousand two hundred seventy-nine-j of this article. 13 3. (a) Any data subject or caller whose communication was disclosed in 14 violation of this section may seek judicial review and relief against 15 the authority or private entity responsible for such disclosure for: 16 (i) five thousand dollars per violation or actual damages, whichever 17 is greater; 18 (ii) punitive damages; and 19 (iii) any other relief the court deems warranted. 20 (b) In assessing the amount of punitive damages awarded to a plaintiff 21 in an action brought under paragraph (a) of this subdivision, the court 22 shall consider: 23 (i) the defendant's pattern of violations of this section; and 24 (ii) the impact of the violation on the data subject's or caller's 25 exercise of constitutional and statutory rights, including, but not 26 limited to, religion, political views, and medical care. 27 (c) In any action brought under paragraph (a) of this subdivision, the 28 court shall award reasonable attorneys' fees, expenses, and costs to a 29 prevailing plaintiff. 30 (d) The attorney general may seek an injunction from any court of 31 proper jurisdiction for any violation of this section. 32 4. Nothing in this section shall be construed to: 33 (a) limit or abridge the right of any person to obtain judicial review 34 or pecuniary or other relief, in any other form or upon any other basis, 35 otherwise available to a person; or 36 (b) require the authority or any other entity to collect or retain any 37 information about a caller or data subject. 38 § 5. This act shall take effect immediately.
