STATE OF NEW YORK
________________________________________________________________________
10392
IN ASSEMBLY
May 21, 2024
___________
Introduced by COMMITTEE ON RULES -- (at request of M. of A. Rozic,
Jensen) -- read once and referred to the Committee on Governmental
Operations
AN ACT to amend the executive law, in relation to prohibiting sharing or
selling personal data to third parties by government entities and
contractors
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The executive law is amended by adding a new article 5-A to
read as follows:
ARTICLE 5-A
SHARING AND SELLING OF PERSONAL DATA
Section 81. Definitions.
82. Data collection disclosure.
83. Sharing and selling of personal information prohibited.
84. Limitation on restrictions.
§ 81. Definitions. As used in this article, the following terms shall
have the following meanings unless otherwise specified:
1. "Aggregate personal information" shall mean information that
relates to a group or category of individuals, from which individual
identities have been removed, that is not linked or reasonably linkable
to any individual or household, including via a device. "Aggregate
personal information" shall not mean one or more individual's records
that have been deidentified.
2. "Collects", "collected", or "collection" shall mean gathering,
obtaining, receiving, or accessing any personal information pertaining
to an individual by any means. This includes receiving information from
such individual either actively or passively.
3. "Contractor" means a contractor, or subcontractor of a contractor,
that contracts to process information on behalf of a government entity
and to which such government entity discloses an individual's personal
information for a legitimate government purpose pursuant to a written
contract, provided that such contract prohibits such contractor or
subcontractor receiving such personal information from retaining, using,
or disclosing such personal information for any purpose other than for
the specific purpose of performing the services specified in such
contract, or as otherwise permitted by this article, including retaining,
using, or disclosing such personal information for a commercial
purpose other than providing the services specified in the contract.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD15346-01-4
4. "Deidentified" shall mean information that cannot reasonably identify,
relate to, describe, be capable of being associated with, or be
linked to, directly or indirectly, a particular individual, provided
that a government entity that uses such deidentified information:
(a) has implemented technical safeguards and processes that prohibit
reidentification of the individual to whom such information may pertain;
(b) has implemented processes to prevent inadvertent release of
deidentified information; and
(c) makes no attempt to reidentify such information.
5. "Device" shall mean any physical object that is capable of connecting
to the internet, directly or indirectly, or to another device.
6. "Government entity" or "entity" shall mean any state agency or any
part, body, or subdivision thereof.
7. "Individual" shall mean a person who is a resident of New York
state.
8. (a) "Personal information" shall mean information that identifies,
relates to, describes, is capable of being associated with, or could
reasonably be linked to, directly or indirectly, a particular individual
or household. Personal information includes, but is not limited to, the
following:
(i) identifiers such as a real name, alias, postal address, unique
personal identifier, internet protocol address, email address, social
security number, driver's license number, passport number, photograph,
or other similar identifiers;
(ii) characteristics of protected classifications under New York or
federal law;
(iii) commercial information, including records of real or personal
property;
(iv) biometric information;
(v) audio, electronic, visual, or similar information;
(vi) professional or employment-related information;
(vii) education information, defined as information that is not
publicly available personally identifiable information as defined in the
family educational rights and privacy act (20 USC 1232g);
(viii) inferences drawn from any of the information identified in this
paragraph to create a profile about an individual reflecting such
individual's preferences, characteristics, psychological trends,
predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and
(ix) financial or tax information.
(b) "Personal information" shall not include publicly available
information. For these purposes, "publicly available" shall mean information
that is lawfully made available from federal, state, or local government
records, or any conditions associated with such information. "Publicly
available" shall not include an individual's information that is
deidentified or aggregate personal information.
9. "Probabilistic identifier" shall mean the identification of an
individual or a device to a degree of certainty of more probable than
not based on any categories of personal information included in, or
similar to, the categories enumerated in subdivision eight of this
section.
10. "Process" or "processing" shall mean any operation or set of
operations that are performed on personal data or on sets of personal data,
whether or not by automated means.
11. (a) "Sell", "selling", "sale", or "sold" shall mean selling,
renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic
or other means, an individual's personal information by a government
entity or contractor to a third party for monetary or other valuable
consideration.
(b) A government entity or contractor does not sell personal
information within the meaning of this article when:
(i) An individual uses or directs such government entity or contractor
to intentionally disclose personal information to a third party,
provided such third party also does not sell such personal information,
unless such disclosure would be consistent with the provisions of this
article.
(ii) Such government entity or contractor uses or shares with a third
party personal information of an individual that is necessary to perform
a legitimate government purpose if both of the following conditions are
met:
(1) the government entity or contractor has provided notice that
information is being used or shared; and
(2) the third party does not further collect, sell, or use the
personal information of such individual except as necessary to perform
the business purpose for which it received such information.
(iii) A contractor who transfers to a third party an individual's
personal information as an asset that is part of a merger, acquisition,
bankruptcy, or other transaction in which such contractor or third party
assumes control of all or part of such third party provided that such
information is used or shared consistently with this article. If a third
party materially alters how it uses or shares personal information of an
individual in a manner that is materially inconsistent with the promises
made at the time of collection, it shall provide prior notice of the new
or changed practice to such individual. Such notice shall be sufficiently
prominent and robust to ensure that individuals can easily exercise
their choices consistently with section eighty-three of this article.
12. "Service" or "services" shall mean work, labor, and services,
including services furnished in connection with the sale or repair of
goods.
13. "Third party" shall mean a person or business entity who is not
another government entity or contractor thereof.
14. "Unique identifier" or "unique personal identifier" shall mean a
persistent identifier that can be used to recognize an individual, a
family, or a device that is linked to an individual or family, over time
and across different services, including, but not limited to, a device
identifier; an internet protocol address; cookies, beacons, pixel tags,
or similar technology; unique pseudonym, or user alias; telephone
numbers, or other forms of persistent or probabilistic identifiers that
can be used to identify a particular individual or device. For purposes
of this subdivision, "family" means a custodial parent or guardian and
any minor children over which such parent or guardian has custody.
§ 82. Data collection disclosure. 1. A government entity or contractor
that collects an individual's personal information shall, at or before
the point of collection, inform such individual as to the categories of
personal information to be collected and the purposes for which such
categories of personal information shall be used. A government entity or
contractor shall not collect additional categories of personal
information or use personal information collected for additional purposes
without providing such individual with notice consistent with this article.
2. This section shall not require a government entity or contractor
to:
(a) retain any personal information collected for a single, one-time
transaction if such information is not shared or retained by such
government entity or contractor; or
(b) reidentify or otherwise link information that is not maintained in
a manner that would be considered personal information.
§ 83. Sharing and selling of personal information prohibited. 1. No
government entity or contractor shall share any individual's personal
information with a contractor or subcontractor unless such information
is crucial to the purpose for which such government entity or contractor
has contracted such contractor or subcontractor's services.
2. No government entity or contractor shall share any individual's
personal information with another government entity or contractor unless
such information is crucial to the performance of such other government
entity or contractor's duties, and such other government entity or
contractor cannot procure such personal information on its own without
serious hardship.
3. No government entity or contractor shall sell personal information
about an individual.
§ 84. Limitation on restrictions. 1. The obligations imposed on
government entities and contractors by this article shall not restrict
any government entity or contractor's ability to:
(a) otherwise comply with federal, state, or local laws;
(b) comply with a civil, criminal, or regulatory inquiry,
investigation, subpoena, or summons by federal, state, or local authorities;
(c) comply with a request made under the freedom of information law;
or
(d) exercise or defend legal claims.
2. This article shall not apply to the sale of personal information to
or from a consumer reporting agency if such information is to be
reported in, or used to generate, a consumer report as defined by the
federal fair credit reporting act (15 USC 1681), and use of that
information is limited by such act.
3. A government entity that discloses personal information to a
contractor shall not be liable under this article if such contractor
uses such personal information in violation of the restrictions set
forth in this article, provided that, at the time of disclosing such
personal information, such government entity does not have actual
knowledge or reason to believe that such contractor intends to commit such a
violation. No contractor shall be liable under this article for the
obligations of a government entity for which it provides services as set
forth in this article.
4. This article shall not be construed to require a government entity
to reidentify or otherwise link information that is not maintained in a
manner that would be considered personal information.
5. The rights afforded to individuals and the obligations imposed on
government entities and contractors by this article shall not adversely
affect the rights and freedoms of any other person.
§ 2. This act shall take effect one year after it shall have become a
law.