NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A1484
SPONSOR: Wallace (MS)
 
TITLE OF BILL:
An act to amend the general business law, in relation to prohibiting the
disclosure of personally identifiable information by an internet service
provider without the express written approval of the consumer
 
PURPOSE OR GENERAL IDEA OF BILL:
The bill provides protections to New Yorkers by requiring that internet
service providers ("ISPs") not sell consumer information, unless author-
ization is conspicuously requested and expressly given; nor may an ISP
refuse to provide service for failure to give consent.
 
SUMMARY OF PROVISIONS:
Section 1. Amends the General Business Law as follows:
Add 399-k (1): defines the terms consumer, internet service provider
(ISP), and personally identifiable information.
Add 399-k (2): prohibits ISPs from disclosing a consumer's personal
information without express written consent.
Add 399-k (3): provides exceptions to the requirements of subsection 2
for the purpose of cooperating with law enforcement.
Add 399-k (4): requires ISPs to obtain consumer authorization for
disclosure and requires the authorization request to be conspicuous.
Add 399-k (5): requires the ISP to take reasonable steps to protect a
consumer's personal information.
Add 399-k (6): grants a right of action against an ISP where this
section is violated and excluding the right of action from any mandatory
arbitration clause that may exist in the contract between the ISP and
the consumer.
Add 399-k (7): to address other laws that may impact this section.
 
JUSTIFICATION:
This legislation is introduced in response to Congress's decision to
repeal internet privacy regulations set to take effect at the end of
2017. This legislation requires ISPs to obtain the consent of their
customers before disclosing any personally identifiable information of
the customer and prohibits an ISP from refusing service if a customer
does not want to give consent to disclosure.
This legislation gives customers control over whether their personal
data may be disclosed and shared. ISP providers have access to "an
unprecedented breath" of electronic personal information, including a
customer's name, address, financial information, every website visited,
the links clicked on in those websites, geo-location information, and
the content of our electronic communications. ISPs should not be permit-
ted to disclose such deeply personal information for commercial gain
without customer consent. This legislation places control over disclo-
sure in the hands of the customer, where it belongs, and prohibits an
ISP from refusing to provide service unless consent is given.
 
PRIOR LEGISLATIVE HISTORY:
2021-2022: A.674 - Referred to Consumer Affairs and Protection
2019-2020: A.2420 - Ordered to third reading
2017-2018: A.7191B - Passed Assembly
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.
 
EFFECTIVE DATE:
This act shall take effect on the ninetieth day after it shall become a
law.
STATE OF NEW YORK
________________________________________________________________________
1484
2023-2024 Regular Sessions
IN ASSEMBLY
January 17, 2023
___________
Introduced by M. of A. WALLACE, SIMON, PHEFFER AMATO, FAHY, BRONSON,
ZEBROWSKI, WEPRIN, LUPARDO, COLTON, JONES, STECK, HYNDMAN, L. ROSEN-
THAL, STIRPE, McDONOUGH, MORINELLO, ROZIC, OTIS, DICKENS -- Multi-
Sponsored by -- M. of A. COOK -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to prohibiting the
disclosure of personally identifiable information by an internet
service provider without the express written approval of the consumer
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new section
2 399-k to read as follows:
3 § 399-k. Disclosure of personally identifiable information by an
4 internet service provider; prohibited. 1. For the purposes of this
5 section the following terms shall have the following meanings:
6 (a) "Consumer" means a person who agrees to pay a fee to an internet
7 service provider for access to the internet for personal, family, or
8 household purposes, and who does not resell access.
9 (b) "Internet service provider" (ISP) means a business entity or indi-
10 vidual who provides consumers authenticated access to, or presence on,
11 the internet by means of a switched or dedicated telecommunications
12 channel upon which the provider provides transit routing of internet
13 protocol packets for and on behalf of the consumer. Internet service
14 provider does not include the offering, on a common carrier basis, of
15 telecommunications facilities or of telecommunications by means of these
16 facilities.
17 (c) "Personally identifiable information" means information that iden-
18 tifies:
19 (i) a consumer by physical or electronic address or telephone number;
20 (ii) a consumer's internet search history or internet usage history;
21 or
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD00871-01-3
A. 1484 2
1 (iii) any of the contents of a consumer's data-storage devices.
2 2. Except as provided in subdivisions three and four of this section,
3 an ISP shall not knowingly disclose personally identifiable information
4 resulting from the consumer's use of the telecommunications or ISP with-
5 out express written approval from the consumer.
6 (a) A telecommunications or ISP that has entered into a franchise
7 agreement, right-of-way agreement, or other contract with the state of
8 New York or any political subdivision thereof, or that uses facilities
9 that are subject to such agreements, even if it is not a party to the
10 agreement, shall not collect nor disclose personal information from a
11 consumer resulting from the consumer's use of the telecommunications or
12 ISP without express written approval from the consumer; and
13 (b) No such telecommunication or ISP shall refuse to provide its
14 services to a consumer on the grounds that the consumer has not approved
15 the collection or disclosure of the consumer's personal information.
16 3. An ISP may disclose personally identifiable information concerning
17 a consumer:
18 (a) pursuant to a grand jury subpoena, in accordance with subdivision
19 eight of section 190.30 of the criminal procedure law;
20 (b) pursuant to a warrant issued in accordance with article six
21 hundred ninety or article seven hundred of the criminal procedure law;
22 (c) pursuant to a court order in a pending criminal proceeding upon a
23 showing that such personally identifiable information is relevant and
24 material to such criminal action or proceeding;
25 (d) pursuant to a court order in a pending civil proceeding upon a
26 showing of compelling need for such information that cannot be accommo-
27 dated by other means;
28 (e) to a court in a civil action for conversion commenced by the ISP
29 or in a civil action to enforce collection of unpaid subscription fees
30 or purchase amounts, and then only to the extent necessary to establish
31 the fact of the subscription delinquency or purchase agreement, and with
32 appropriate safeguards against unauthorized disclosure;
33 (f) to the consumer who is the subject of the information, upon writ-
34 ten or electronic request and upon payment of any fee not to exceed the
35 actual cost of retrieving the information;
36 (g) to another ISP for purposes of reporting or preventing violations
37 of the published acceptable use policy or consumer service agreement of
38 the ISP; except that the recipient may further disclose the personally
39 identifiable information only as provided by this chapter; or
40 (h) to any person with the authorization of the consumer.
41 4. (a) The ISP shall obtain the consumer's authorization for the
42 disclosure of personally identifiable information in writing or by elec-
43 tronic means.
44 (b) The request for authorization must reasonably describe the types
45 of persons to whom personally identifiable information may be disclosed
46 and the anticipated uses of the information.
47 (c) In order for an authorization to be effective, a contract between
48 an ISP and the consumer must state that the authorization will be
49 obtained by an affirmative act of the consumer.
50 (d) The provision in the contract must be conspicuous.
51 (e) Authorization shall be obtained in a manner consistent with guide-
52 lines issued by representatives of the ISP or online industries, or in
53 any other manner reasonably designed to comply with this section.
54 5. The ISP shall take all reasonable and necessary steps to maintain
55 the security and privacy of a consumer's personally identifiable infor-
56 mation.
A. 1484 3
1 6. A consumer who prevails or substantially prevails in an action
2 brought under this section is entitled to the greater of five hundred
3 dollars or actual damages. Costs, disbursements, and reasonable attorney
4 fees may be awarded to a party awarded damages for a violation of this
5 section. The action available under this section is exempted from any
6 mandatory arbitration clauses that may exist in the contract between the
7 ISP and the consumer. In a civil action under this section, it is an
8 affirmative defense that such information was released or otherwise
9 available in violation of this section notwithstanding reasonable prac-
10 tices established and implemented by the defendant to prevent violations
11 of this section.
12 7. This section does not limit any greater protection of the privacy
13 of information under other law, except that:
14 (a) nothing in this section shall be deemed to limit the authority
15 under other state or federal law of law enforcement to obtain informa-
16 tion; and
17 (b) if federal law is enacted that regulates the release of personally
18 identifiable information by ISPs but does not preempt state law on the
19 subject, state law prevails.
20 § 2. This act shall take effect on the ninetieth day after it shall
21 have become a law.