S01854 Summary:

BILL NO: S01854
 
SAME AS: A05152
 
SPONSOR: KLEIN
 
COSPNSR
 
MLTSPNSR
 
Ren Art 40 §§900 & 901 to be Art 41 §§1000 & 1001, add Art 40 §§900 - 907, Gen Bus L
 
Enacts New York State Internet Privacy Law to which operators of websites may voluntarily be subject; limits disclosure of personal information to those submitting to the law by publicizing that they comply with such law; provides for enforcement.

S01854 Actions:

BILL NO: S01854
 
02/09/2009 REFERRED TO CONSUMER PROTECTION
01/06/2010 REFERRED TO CONSUMER PROTECTION
01/11/2010 RECOMMIT, ENACTING CLAUSE STRICKEN

S01854 Floor Votes:

There are no votes for this bill in this legislative session.

S01854 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          1854
 
                               2009-2010 Regular Sessions
 
                    IN SENATE
 
                                    February 9, 2009
                                       ___________
 
        Introduced  by  Sen.  KLEIN  -- read twice and ordered printed, and when
          printed to be committed to the Committee on Consumer Protection
 
        AN ACT to amend the general business law, in relation to protecting  the
          privacy of internet users
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  "New York state internet privacy law".
     3    § 2. Legislative intent. 1. The legislature finds that the internet is
     4  becoming a major part of the personal and commercial lives of Americans.
     5  The  internet brings with it much good, such as increased personal know-
     6  ledge and communications, and increased and  more  efficient  commercial
     7  opportunities.
     8    2. The privacy of personal information flowing over the internet is of
     9  concern.  Vast amounts of personal information about individual internet
    10  users are collected on the internet and sold or otherwise transferred to
    11  third parties. Polls consistently show that  individual  internet  users
    12  are  highly  troubled  over  their  lack  of control over their personal

    13  information. In fact, concern  over  personal  privacy  is  one  of  the
    14  biggest  factors holding back even greater commercial development of the
    15  internet.
    16    3. The right to privacy is a personal and fundamental right worthy  of
    17  protection  through  appropriate  legislation.    Industry has developed
    18  several self-policing schemes, but none of them  are  enforceable  in  a
    19  meaningful  way.    Meaningful, enforceable internet privacy rules would
    20  protect New York citizens and would  foster  the  growth  of  electronic
    21  commerce in New York.
    22    4.  The legislature intends to establish strong privacy rules to which
    23  an operator of a website or online service  may  voluntarily  choose  to
    24  submit.    The  incentive for the operator to submit will be that it may
    25  publicize that it complies with the New York state internet privacy law.
 

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD02645-01-9

        S. 1854                             2
 
     1  Any operator who does so advertise may  be  subject  to  an  enforcement
     2  action.
     3    §  3. Article 40 and sections 900 and 901 of the general business law,
     4  as renumbered by chapter 407 of the laws of 1973, are renumbered article
     5  41 and sections 1000 and 1001 and a new article 40 is added to  read  as
     6  follows:
     7                                  ARTICLE 40
     8                     NEW YORK STATE INTERNET PRIVACY LAW
     9  Section 900. Definitions.
    10          901. Applicability of article.

    11          902. Disclosure of personal information.
    12          903. Third parties.
    13          904. User's right to inspect and correct information.
    14          905. Duration of operator's responsibility.
    15          906. Enforcement.
    16          907. Separability clause.
    17    § 900. Definitions. As used in this article:
    18    1.  The  term "internet" means collectively the myriad of computer and
    19  telecommunications facilities, including equipment and  operating  soft-
    20  ware,  which  comprise the interconnected world-wide network of networks
    21  that employ the Transmission Control Protocol/Internet Protocol, or  any
    22  predecessor  or  successor  protocols  to  such protocol, to communicate
    23  information of all kinds by wire or radio.

    24    2. The term "operator" means any person who operates a website located
    25  on the internet or an online  service  and  who  collects  or  maintains
    26  personal  information  from  or  about  the users of or visitors to such
    27  website or online service,  or  on  whose  behalf  such  information  is
    28  collected  or  maintained, where such website or online service is oper-
    29  ated for commercial purposes, including any person offering products  or
    30  services  for  sale  through  that  website or online service, involving
    31  commerce.
    32    3. The term "user" means a person who uses an online service or visits
    33  a website.
    34    4. The term "personal  information"  means  individually  identifiable

    35  information about an individual collected online, including:
    36    (a) a first and last name;
    37    (b) a home or other physical address including street name and name of
    38  a city or town;
    39    (c) an e-mail address;
    40    (d) a telephone number;
    41    (e) a social security number;
    42    (f)  any other identifier that permits the physical or online contact-
    43  ing of a specific individual; or
    44    (g) information concerning a child or the parents of that  child  that
    45  the  operator  collects  online from the child and combines with another
    46  identifier set forth in this subdivision.
    47    5. The term "disclosure" means, with respect to personal information:

    48    (a) the release of personal information collected in identifiable form
    49  by an operator  for  any  purpose,  except  where  such  information  is
    50  provided  to  a  person other than the operator who provides support for
    51  the internal operations of the website and does not disclose or use that
    52  information for any other purpose; and
    53    (b) making personal information collected from a child by a website or
    54  online service directed to children or with actual knowledge  that  such
    55  information  was collected from a child, publicly available in identifi-

        S. 1854                             3
 
     1  able form, by any means including  by  a  public  posting,  through  the
     2  internet, or through:

     3    (i) a home page of a website;
     4    (ii) a pen pal service;
     5    (iii) an electronic mail service;
     6    (iv) a message board; or
     7    (v) a chat room.
     8    6.  The  term  "third party" means a person other than the user or the
     9  operator, or an employee of the operator.
    10    § 901. Applicability of article. An operator is subject to this  arti-
    11  cle  if it advertises or otherwise publicly states that it complies with
    12  the "New York State Internet Privacy Law".
    13    § 902. Disclosure of personal information. 1. An  operator  shall  not
    14  disclose  to  a  third  party  any  personally  identifiable information
    15  obtained from a user without  the  user's  prior  informed,  affirmative
    16  written consent.

    17    2.  Informed consent requires that the operator notify the user of the
    18  identity of any third party which  will  receive  his  or  her  personal
    19  information, and for what purpose the information will be used.
    20    3. Informed written consent may be obtained only upon notice to a user
    21  of  his  or  her  rights under this law. Such notice must be in writing,
    22  clear and conspicuous, and in plain English.
    23    4. An operator shall permit a person to  revoke  the  consent  granted
    24  under subdivision one of this section at any time, and upon such revoca-
    25  tion,  such  operator shall cease disclosing such information to a third
    26  party.
    27    5. An operator or an employee of such  operator  shall  not  knowingly

    28  disclose  to  a  third  party  any  personally  identifiable information
    29  provided by a subscriber to such service  that  such  service,  or  such
    30  employee, has knowingly falsified.
    31    6.  Notwithstanding the provisions of subdivision one of this section,
    32  neither an operator nor the operator's agent shall be held to be  liable
    33  for  any  disclosure  made in good faith and following reasonable proce-
    34  dures in responding to a request for disclosure of personal  information
    35  under the federal Children's Online Privacy Protection Act to the parent
    36  of a child.
    37    7.  Notwithstanding the provisions of subdivision one of this section,
    38  an operator may disclose personal information,  without  notice  to  the

    39  user,  when  necessary  to  respond to a court order, subpoena, or other
    40  legal process.
    41    § 903. Third parties. 1. Prior to disclosing personal information to a
    42  third party, an operator shall inform the third party of the  provisions
    43  of this article, and obtain from the third party a written certification
    44  that the third party will comply with this article.
    45    2.  A third party which receives personal information pursuant to this
    46  article may use such information only for the purpose of which the  user
    47  has been notified.
    48    §  904.  User's  right  to  inspect  and  correct information. 1. Upon
    49  request an operator shall (a) provide a person with his or her  personal

    50  information  maintained  by  the operator; (b) permit the user to verify
    51  such information maintained by the service; and (c) permit the  user  to
    52  correct any error in such information.
    53    2. Upon request, an operator shall provide to the user the identity of
    54  the third party recipients of his or her personal information.
    55    3.  An  operator  shall not charge a fee for one annual request that a
    56  person makes for the information set forth in subdivision four  or  five

        S. 1854                             4
 
     1  of  section  nine  hundred  of this article. For additional requests, an
     2  operator may charge a fee consisting of the operator's  actual  cost  of
     3  providing  the  information.  An operator shall provide an ability for a

     4  user  to electronically request and receive the information set forth in
     5  this section.
     6    § 905. Duration of operator's responsibility. Any personal information
     7  which an operator obtains within thirty  days  of  the  operator's  last
     8  advertisement  or  public statement pursuant to section nine hundred one
     9  of this article shall be subject to this article.
    10    § 906. Enforcement. 1. Any person found to have violated this article,
    11  knowingly or recklessly, shall be liable to the aggrieved user  for  all
    12  actual  damages  sustained  by  such  user  as  a  direct  result of the
    13  violation, provided that any subscriber who  prevails  or  substantially
    14  prevails in any action brought under this section shall receive not less

    15  than five hundred dollars in damages, regardless of the amount of actual
    16  damage proved, plus costs, disbursements and reasonable attorney's fees.
    17  An  action brought pursuant to this section may be maintained as a class
    18  action.
    19    2. Whenever there shall be a violation of this article, an application
    20  may be made by the attorney general in the name of  the  people  of  the
    21  state of New York to a court or justice having jurisdiction by a special
    22  proceeding  to  issue an injunction, and upon notice to the defendant of
    23  not less than five days, to enjoin and restrain the continuation of such
    24  violation; and if it shall appear to the satisfaction of  the  court  or
    25  justice  that  the  defendant  has,  in  fact, violated this article, an

    26  injunction may be  issued  by  such  court  or  justice,  enjoining  and
    27  restraining  any  further  violation,  without  requiring proof that any
    28  person has, in fact, been  injured  or  damaged  thereby.  In  any  such
    29  proceeding,  the  court  may  make allowances to the attorney general as
    30  provided in paragraph six of subdivision  (a)  of  section  eighty-three
    31  hundred  three  of  the civil practice law and rules and direct restitu-
    32  tion. Whenever the  court  shall  determine  that  a  grossly  negligent
    33  violation  of  this  article  has occurred, the court may impose a civil
    34  penalty of not more than one thousand dollars  for  such  violation.  In
    35  connection  with  any such proposed application, the attorney general is

    36  authorized to take proof and make a determination of the relevant  facts
    37  and  to  issue  subpoenas  in accordance with the civil practice law and
    38  rules.
    39    3. The remedies provided by this article shall be in addition  to  any
    40  other lawful remedy available to a subscriber.
    41    4.  No  action  may  be  brought  under the provisions of this section
    42  unless such action is commenced within the two years from  the  date  of
    43  the act complained of or the date of discovery of such act.
    44    §  907. Separability clause. If any clause, paragraph, section or part
    45  of this article shall be adjudged by any court of competent jurisdiction
    46  to be invalid or  unconstitutional,  such  judgment  shall  not  affect,

    47  impair or invalidate the remainder thereof, but shall be confined in its
    48  operation  to  the  clause, sentence, paragraph, section or part thereof
    49  directly involved in the controversy in which such judgment  shall  have
    50  been rendered.
    51    § 4. This act shall take effect on the one hundred eightieth day after
    52  it shall have become a law.