Requires a business to delete a consumer's financial information after cancellation of an automatic renewal or continuous service, unless such consumer has affirmatively consented to retention of such financial information; requires such business to notify such consumer of such deletion.
STATE OF NEW YORK
________________________________________________________________________
10770
IN ASSEMBLY
April 1, 2026
___________
Introduced by M. of A. ROZIC -- read once and referred to the Committee
on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to deletion of a
consumer's financial information after cancellation of an automatic
renewal or continuous service
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Section 527 of the general business law is amended by
2 adding a new subdivision 5 to read as follows:
3 5. "Financial information" means any information relating to a consum-
4 er's credit card, debit card, or account with a third party held by a
5 business for the purpose of charging such consumer.
6 § 2. Section 527-a of the general business law is amended by adding a
7 new subdivision 2-a to read as follows:
8 2-a. a. Upon receiving a request from a consumer to cancel an automat-
9 ic renewal or continuous service, a business shall delete all records of
10 such consumer's financial information held by such business unless such
11 business has obtained such consumer's affirmative consent to retain such
12 financial information for future purchases. If such business does not
13 obtain such affirmative consent, such business shall:
14 (i) Delete all records of such consumer's financial information within
15 fourteen days of receipt of such request to cancel such automatic
16 renewal or continuous service; and
17 (ii) Notify such consumer by mail or electronic mail of the date such
18 records were deleted pursuant to paragraph (i) of this subdivision, and
19 of each of such consumer's credit cards, debit cards, or accounts with a
20 third party for which such records were deleted, within seven days of
21 such deletion.
22 b. The provisions of this subdivision shall not apply where a business
23 is otherwise required to retain a consumer's financial information
24 pursuant to state or federal law, rule or regulation.
25 § 3. This act shall take effect on the thirtieth day after it shall
26 have become a law. Effective immediately, the addition, amendment and/or
27 repeal of any rule or regulation necessary for the implementation of
28 this act on its effective date are authorized to be made and completed
29 on or before such effective date.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08677-03-6
