•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 
  •  
  •  LFIN 
  •  
  •  Chamber Video 

A05220 Summary:

BILL NOA05220
 
SAME ASSAME AS S00072
 
SPONSORDinowitz
 
COSPNSR
 
MLTSPNSR
 
Amd Art 39-F Art Head, add 899-bb, Gen Bus L
 
Restricts the disclosure of personal information by businesses.
Go to top    

A05220 Actions:

BILL NOA05220
 
02/07/2017referred to consumer affairs and protection
02/09/2017enacting clause stricken
Go to top

A05220 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A5220
 
SPONSOR: Dinowitz
  TITLE OF BILL: An act to amend the general business law, in relation to restricting the disclosure of personal information by businesses   SUMMARY OF PROVISIONS: Section One states that this Act shall be known and cited as the "Right to Know Act 2017" Section Two states the legislative intent Section Three changes the article heading of article 39-F of the General Business Law form "Notification of Unauthorized Acquisition of Private Information" to "Acquisition and Use of Private Information." Section Four of the bill amends the General Business Law to add a new section 899-bb which states that a business that retains a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business. A business that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge: *All categories of the customer's personal information that were disclosed; and *The names and contact information of all third parties that received the customer's personal information from the business, including the third party's designated request address or addresses if available. *A business required to comply with this Act shall make the required information available by one or more of the following means: *By providing a designated request address and, upon receipt of a request, providing the customer within thirty days with the required information for all disclosures occurring in the prior twelve months, provided that: >If the business has an online privacy policy, that policy includes a description of a customer's right, accompanied by one or more designated request addresses;-provided that a business with multiple online privacy policies must include this information in the policy of each product or service that collects personal information that may be disclosed to a third party; >The business ensures that all persons responsible for handling customer inquires about the business' privacy practices or the business' compli- ance with this section are informed of all designated request addresses; and >The business provides information pertaining to the specific customer if that information is reasonably available to the business, and provides information in standardized format if information pertaining to the specific customer is not reasonably available. For information required to be provided under this Act, the business must provide the customer with notice including the required information prior to or immediately following a disclosure. A business is not obligated to provide more than one notice to the same customer in a twelve-month period about the disclosure of the same personal information to the same third party and in not obligated to respond to a request by the same customer more than once within a twelve-month period. A business in not obligated to provide information to the customer if the business cannot reasonably verify that the individual making the request is the customer. "Categories of information" is defined as: *Identity information including, but not limited to, real name, alias, including but not limited to, postal address or nickname or user name; *Address information, email; *Telephone number; *Account name; *Social Security number or other government-issues identification number, including but not limited to, social security number, driver's license number, identification card number and passport number; *Birthdate or age; *Physical characteristic information, including but not limited to height and weight; *Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity or expression; *Race or ethnicity; *Religious affiliation or activity; *Political affiliation or activity; *Professional or employment-related information; *Educational information; *Medical information, including but not limited to, medical conditions or drugs, therapies, mental health or medical products or equipment used; *Financial information, including but not limited to, credit, debit, or account numbers account balances, payment history or information related to assets, liabilities or general creditworthiness; *Commercial information, including but not limited to, records of prop- erty, products or services provided, obtained or considered or other purchasing or consuming histories or tendencies; *Location information; *Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service; *Content, including text, photographs, audio or visual recordings or other material generated or provided by the customer. The legislation further provides a definitional section. A violation of the Act constitutes a right to a civil action to recover penalties by the customer, the Attorney General, a District Attorney, a City Attor- ney, or a City Prosecutor in a court of competent jurisdiction.   JUSTIFICATION: The Right to Know Act will modernize current privacy law and give New York consumers an effective tool to monitor how their personal informa- tion, including information about their health, finances, location, politics, religious, sexual orientation, buying habits, and more, is being collected and disclosed in unexpected and possibly harmful ways. Many websites incorporate scores of tracking tools that collect informa- tion about visitors like age, gender, race, income, health concerns and recent purchases for advertising and marketing companies. Many mobile applications (apps) share location, age, gender, phone numbers, and other personal details of both adults and children with third party companies - which can lead to potential danger for the consumer involved in the transaction. And Facebook apps used by a consumer's "friend" can often access sensitive information about that consumer, including religious, political, and sexual preferences. There are numerous examples of companies that collect information about consumer activities inadvertently exposing sensitive personal informa- tion such as pregnancy status or sexual orientation. Data brokers are engaged in the Widespread buying, selling, and trading of personal information obtained from mobile phones, banks, social media sites, and stores creating a secondary market for confidential consumer data. When this information is incorrect, it can impact credit scores, hurting an individual at their place of employment or being denied credit. More- over, scanners are using data broker lists to target vulnerable popu- lations, such as senior citizens   LEGISLATIVE HISTORY: 2015-16 - A.2134A - Referred to Consumer Protection/S.68A - Referred to Consumer Protection   FISCAL IMPLICATIONS: Minimal   EFFECTIVE DATE: This act shall take effect immediately.
Go to top

A05220 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          5220
 
                               2017-2018 Regular Sessions
 
                   IN ASSEMBLY
 
                                    February 7, 2017
                                       ___________
 
        Introduced by M. of A. DINOWITZ -- read once and referred to the Commit-
          tee on Consumer Affairs and Protection
 
        AN ACT to amend the general business law, in relation to restricting the
          disclosure of personal information by businesses
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. This act shall be known and may be cited as the  "right  to
     2  know act of 2017".
     3    §  2.  The  legislature  hereby  finds  and declares that the right to
     4  privacy is a personal and fundamental  right  protected  by  the  United
     5  States Constitution. All individuals have a right of privacy in informa-
     6  tion pertaining to them.
     7    This state recognizes the importance of providing consumers with tran-
     8  sparency  about  how their personal information has been shared by busi-
     9  nesses. For free market forces to have a role  in  shaping  the  privacy
    10  practices  and  for  "opt-in"  and  "opt-out"  remedies to be effective,
    11  consumers must be more than vaguely informed that a business might share
    12  personal information  with  third  parties.  Consumers  must  be  better
    13  informed about what kinds of personal information are purchased by busi-
    14  nesses  for  direct  marketing purposes. With these specifics, consumers
    15  can knowledgeably choose to opt-in or opt-out or choose among businesses
    16  that disclose information to third parties for direct marketing purposes
    17  on the basis of how protective the business is of consumers' privacy.
    18    Businesses are now collecting personal  information  and  sharing  and
    19  selling  it  in ways not contemplated or properly covered by the current
    20  law. Some web sites are installing up to one hundred tracking tools when
    21  consumers visit web pages and sending very personal information such  as
    22  age,  gender,  race,  income,  health  concerns, and recent purchases to
    23  third-party advertising and marketing companies. Third-party data broker
    24  companies are buying, selling, and trading personal information obtained

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD03601-01-7

        A. 5220                             2
 
     1  from mobile phones, financial  institutions,  social  media  sites,  and
     2  other online and brick and mortar companies.
     3    Some  mobile  applications  are  sharing personal information, such as
     4  location information, unique  phone  identification  numbers,  and  age,
     5  gender, and other personal details with third-party companies.
     6    Consumers  need  to  know  the ways that their personal information is
     7  being collected by companies and then shared or sold to third parties in
     8  order to properly protect their privacy, personal safety, and  financial
     9  security.
    10    §  3. The article heading of article 39-F of the general business law,
    11  as added by chapter 442 of the laws of  2005,  is  amended  to  read  as
    12  follows:
    13             [NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND USE
    14                           OF PRIVATE INFORMATION
    15    §  4. The general business law is amended by adding a new section 899-
    16  bb to read as follows:
    17    § 899-bb. Disclosure of a customer's personal information to  a  third
    18  party.  1. (a) A business that retains a customer's personal information
    19  shall make available to the customer free of charge access to, or copies
    20  of, all of the customer's personal information retained by the business.
    21    (b) A business that discloses a customer's personal information  to  a
    22  third  party  shall  make  the  following  information  available to the
    23  customer free of charge:
    24    (1) All categories of the customer's personal  information  that  were
    25  disclosed, including the categories set forth in paragraph (a) of subdi-
    26  vision four of this section.
    27    (2) The names and contact information of all of the third parties that
    28  received  the customer's personal information from the business, includ-
    29  ing the third party's designated request address or addresses if  avail-
    30  able.
    31    2.  A business required to comply with subdivision one of this section
    32  shall make the required information available by  one  or  more  of  the
    33  following means:
    34    (a)  By  providing a designated request address and, upon receipt of a
    35  request under this section to the designated request address,  providing
    36  the  customer  within  thirty days with the required information for all
    37  disclosures occurring in the prior twelve months, provided that:
    38    (1) if the business has an online privacy policy, that policy includes
    39  a description of a customer's rights pursuant to this  section  accompa-
    40  nied  by one or more designated request addresses; provided that a busi-
    41  ness with multiple online privacy policies must include this information
    42  in the policy of each product or service that collects personal informa-
    43  tion that may be disclosed to a third party;
    44    (2) the business ensures that all  persons  responsible  for  handling
    45  customer  inquiries  about  the business' privacy practices or the busi-
    46  ness' compliance with  this  section  are  informed  of  all  designated
    47  request addresses; and
    48    (3)  the  business  provides  information  pertaining  to the specific
    49  customer if that information is reasonably available  to  the  business,
    50  and  provides information in standardized format if information pertain-
    51  ing to the specific customer is not reasonably available.
    52    (b) For information required to be provided by paragraph (b) of subdi-
    53  vision one of this  section,  by  providing  the  customer  with  notice
    54  including  the  required information prior to or immediately following a
    55  disclosure.

        A. 5220                             3
 
     1    (c) By providing the customer the disclosure required by Section  6803
     2  of  Title  15 of the United States Code, but only if the disclosure also
     3  complies with this section.
     4    3.  (a)  A  business  is not obligated to provide more than one notice
     5  under paragraph (b) of subdivision two  of  this  section  to  the  same
     6  customer  in  a  twelve-month  period  about  the disclosure of the same
     7  personal information to the same third party and is not obligated  under
     8  paragraph (a) of subdivision two of this section to respond to a request
     9  by the same customer more than once within a given twelve-month period.
    10    (b) A business is not obligated to provide information to the customer
    11  pursuant  to  subdivision  one  of  this  section if the business cannot
    12  reasonably verify that the individual making the request is the  custom-
    13  er.
    14    4.  For purposes of this section, the following terms have the follow-
    15  ing meanings:
    16    (a) "Categories of personal information" includes, but is not  limited
    17  to, the following:
    18    (1)  Identity  information  including,  but not limited to, real name,
    19  alias, nickname, and user name.
    20    (2) Address information, including, but not limited to, postal address
    21  or e-mail.
    22    (3) Telephone number.
    23    (4) Account name.
    24    (5) Social security number or other  government-issued  identification
    25  number,  including, but not limited to, social security number, driver's
    26  license number, identification card number, and passport number.
    27    (6) Birthdate or age.
    28    (7) Physical characteristic information, including,  but  not  limited
    29  to, height and weight.
    30    (8)  Sexual  information, including, but not limited to, sexual orien-
    31  tation, sex, gender status, gender identity, and gender expression.
    32    (9) Race or ethnicity.
    33    (10) Religious affiliation or activity.
    34    (11) Political affiliation or activity.
    35    (12) Professional or employment-related information.
    36    (13) Educational information.
    37    (14) Medical information,  including,  but  not  limited  to,  medical
    38  conditions  or  drugs,  therapies, mental health, or medical products or
    39  equipment used.
    40    (15) Financial information, including, but  not  limited  to,  credit,
    41  debit,  or account numbers, account balances, payment history, or infor-
    42  mation related to assets, liabilities, or general creditworthiness.
    43    (16) Commercial information, including, but not limited to, records of
    44  property, products or services provided,  obtained,  or  considered,  or
    45  other purchasing or consumer histories or tendencies.
    46    (17) Location information.
    47    (18)  Internet  or  mobile  activity  information,  including, but not
    48  limited to, Internet protocol addresses or  information  concerning  the
    49  access or use of any Internet or mobile-based site or service.
    50    (19)  Content, including text, photographs, audio or video recordings,
    51  or other material generated by or provided by the customer.
    52    (20) Any of the above categories of information as they pertain to the
    53  children of the customer.
    54    (b) (1) "Customer" means an individual who is a resident of  New  York
    55  state  who  provides personal information to a business, with or without
    56  an exchange of consideration, in  the  course  of  purchasing,  viewing,

        A. 5220                             4
 
     1  accessing, renting, leasing, or otherwise using real or personal proper-
     2  ty,  or any interest therein, or obtaining a product or service from the
     3  business including advertising or any other content.
     4    (2)  An individual is also the customer of a business if that business
     5  obtained the personal information of  that  individual  from  any  other
     6  business.
     7    (c)  "Designated  request  address"  means  a  mailing address, e-mail
     8  address, web page,  toll-free  telephone  number,  or  other  applicable
     9  contact  information, whereby customers may request or obtain the infor-
    10  mation required to be provided under subdivision one of this section.
    11    (d) (1)  "Disclose"  means  to  disclose,  release,  share,  transfer,
    12  disseminate,  make  available, or otherwise communicate orally, in writ-
    13  ing, or by electronic or any other means to any third party  as  defined
    14  in this section.
    15    (2) "Disclose" does not include:
    16    (A)  Disclosure of personal information by a business to a third party
    17  pursuant to a written contract authorizing the third  party  to  utilize
    18  the  personal information to perform services on behalf of the business,
    19  including maintaining or servicing accounts, providing customer service,
    20  processing or fulfilling orders  and  transactions,  verifying  customer
    21  information,   processing  payments,  providing  financing,  or  similar
    22  services, but only if (I) the contract prohibits the  third  party  from
    23  using  the personal information for any reason other than performing the
    24  specified service or  services  on  behalf  of  the  business  and  from
    25  disclosing any such personal information to additional third parties and
    26  (II) the business effectively enforces these prohibitions.
    27    (B)  Disclosure of personal information by a business to a third party
    28  based on a good-faith belief that disclosure is required to comply  with
    29  applicable law, regulation, legal process, or court order.
    30    (C)  Disclosure of personal information by a business to a third party
    31  that is reasonably necessary to address fraud,  security,  or  technical
    32  issues;  to  protect  the disclosing business' rights or property; or to
    33  protect customers or the public from illegal activities as  required  or
    34  permitted by law.
    35    (D)  Disclosure of personal information by a business to a third party
    36  that is otherwise lawfully available to  the  general  public,  provided
    37  that  the business did not direct the third party to the personal infor-
    38  mation.
    39    (e) "Personal information" means:
    40    (1) Any information that identifies or references a  particular  indi-
    41  vidual or electronic device, including, but not limited to, a real name,
    42  alias, postal address, telephone number, electronic mail address, Inter-
    43  net  protocol  address,  account  name, social security number, driver's
    44  license number, passport number, or any  other  identifier  intended  or
    45  able to be uniquely associated with a particular individual or device.
    46    (2) Any information that relates to or describes an individual if such
    47  information is disclosed in connection with any identifying or referenc-
    48  ing information as defined in subparagraph one of this paragraph.
    49    (f) (1) "Retains" means to store or otherwise hold information, wheth-
    50  er the information is collected or obtained directly from the subject of
    51  the information or from any third party.
    52    (2) "Retains" does not include information that is stored or otherwise
    53  held  solely  for  one or more of the following purposes, so long as the
    54  information is deleted as soon as it  is  no  longer  needed  for  those
    55  purposes:

        A. 5220                             5

     1    (A)  To perform a service or complete a transaction initiated by or on
     2  behalf of the customer, including  maintaining  or  servicing  accounts,
     3  providing  customer  service, processing or fulfilling orders and trans-
     4  actions, verifying customer information, processing payments,  providing
     5  financing, or similar services.
     6    (B)  To  address  fraud, security, or technical issues; to protect the
     7  disclosing business' rights or property; or to protect customers or  the
     8  public from illegal activities as required or permitted by law.
     9    (C)  To comply with applicable law or regulation or with a court order
    10  or other legal process where the business has a good-faith  belief  that
    11  the law, regulation, court order, or legal process requires the informa-
    12  tion to be stored or held.
    13    (g)  "Third party" or "third parties" means one or more of the follow-
    14  ing:
    15    (1) A business that is a separate legal entity from the business  that
    16  has disclosed personal information.
    17    (2)  A  business that does not share common ownership or common corpo-
    18  rate control with the business that has disclosed personal information.
    19    (3) A business that does not share a brand  name  or  common  branding
    20  with  the business that has disclosed personal information such that the
    21  affiliate relationship is clear to the customer.
    22    5. The provisions of this section are severable. If any  provision  of
    23  this  section  or its application is held invalid, that invalidity shall
    24  not affect other provisions or applications that  can  be  given  effect
    25  without the invalid provision or application.
    26    6. A violation of this section constitutes an injury to a customer.  A
    27  civil  action  to  recover  penalties  may be brought by a customer, the
    28  attorney general, a district attorney, a city attorney, or a city prose-
    29  cutor, in a court of competent jurisdiction.
    30    § 5. This act shall take effect immediately.
Go to top