STATE OF NEW YORK
________________________________________________________________________
10911
IN ASSEMBLY
April 8, 2026
___________
Introduced by M. of A. STERN -- read once and referred to the Committee
on Science and Technology
AN ACT to amend the general business law, in relation to prohibiting
data brokers from selling the personal information of current and
former military servicemembers
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. The general business law is amended by adding a new section
2 399-jj to read as follows:
3 § 399-jj. Sale of personal information of servicemembers. 1. As used
4 in this section:
5 (a) "Consent" means a clear affirmative act signifying a freely given,
6 specific, informed, and unambiguous indication of a consumer's agreement
7 to the processing of data relating to the consumer. Consent may be with-
8 drawn at any time, and a controller must provide clear, conspicuous, and
9 consumer-friendly means to withdraw consent. The burden of establishing
10 consent is on the controller. Consent does not include: (i) an agreement
11 of general terms of use or a similar document that references unrelated
12 information in addition to personal data processing; (ii) an agreement
13 obtained through fraud, deceit or deception; (iii) any act that does not
14 constitute a user's intent to interact with another party such as hover-
15 ing over, pausing or closing any content; or (iv) a pre-checked box or
16 similar default.
17 (b) "Consumer" means a natural person who is a New York resident
18 acting only in an individual or household context. It does not include a
19 natural person known to be acting in a professional or employment
20 context.
21 (c) "Data broker" means a person, or unit or units of a legal entity,
22 separately or together, that does business in the state of New York and
23 knowingly collects, and sells to other controllers or third parties, the
24 personal data of a consumer with whom it does not have a direct
25 relationship. "Data broker" does not include any of the following:
26 (i) a consumer reporting agency to the extent that it is covered by
27 the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.); or
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD03293-01-5
A. 10911 2
1 (ii) a financial institution to the extent that it is covered by the
2 Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regu-
3 lations.
4 (d) "Household" means a group, however identified, of consumers who
5 cohabitate with one another at the same residential address and may
6 share use of common devices or services.
7 (e) "Military servicemember" means a person who is serving or has
8 served:
9 (i) on active duty in the army, navy, marine corps, air force, space
10 force, or coast guard of the United States;
11 (ii) in the army national guard or air national guard;
12 (iii) as a commissioned officer in the public health service or of the
13 national oceanic and atmospheric administration or environmental
14 sciences services administration; or
15 (iv) as a cadet at a United States armed forces service academy.
16 (f) "Military servicemember list" means a list that includes personal
17 information, other than public record information, about one or more
18 individuals or households which is created for the express or implied
19 purpose of compiling information about individuals who are current or
20 former servicemembers or family members of a current or former servicem-
21 ember.
22 (g) "Personal data" means any data that identifies or could reasonably
23 be linked, directly or indirectly, with a specific natural person, or
24 household. Personal data does not include deidentified data, information
25 that is lawfully made publicly available from federal, state or local
26 government records, or information that a controller has a reasonable
27 basis to believe is lawfully made available to the general public by the
28 consumer or from widely distributed media.
29 (h) "Sale", "sell", or "sold" means the disclosure, transfer, convey-
30 ance, sharing, licensing, making available, processing, granting of
31 permission or authorization to process, or other exchange of personal
32 data, or providing access to personal data for monetary or other valu-
33 able consideration by the controller to a third party. "Sale" includes
34 enabling, facilitating or providing access to personal data for targeted
35 advertising. "Sale" does not include the following:
36 (i) the disclosure of data to a processor who processes the data on
37 behalf of the controller and which is contractually prohibited from
38 using it for any purpose other than as instructed by the controller;
39 (ii) the disclosure or transfer of data as an asset that is part of a
40 merger, acquisition, bankruptcy, or other transaction in which another
41 entity assumes control or ownership of all or a majority of the control-
42 ler's assets; or
43 (iii) the disclosure of personal data to a third party necessary for
44 purposes of providing a product, service, or interaction with such third
45 party, when the consumer intentionally and unambiguously requests such
46 disclosure.
47 (i) "Targeted advertising" means advertising based upon profiling.
48 2. It shall be unlawful for a data broker knowingly or recklessly to
49 sell a military servicemember list or personal data about any military
50 servicemember without consent from such military servicemembers.
51 3. It shall be unlawful for a data broker knowingly or recklessly to
52 advertise a military servicemember list or personal data about any mili-
53 tary servicemember or member of their family without consent from such
54 military servicemembers.
1 4. This section applies to legal persons that conduct business in New
2 York or produce products or services that are targeted to residents of
3 New York.
4 5. This section shall not apply to:
5 (a) personal data processed by state and local governments, and munic-
6 ipal corporations, for processes other than sale; provided, however,
7 filing and processing fees shall not be considered a sale for the
8 purposes of this paragraph;
9 (b) a national securities association registered pursuant to section
10 15A of the Securities Exchange Act of 1934, as amended, or regulations
11 adopted thereunder or a registered futures association so designated
12 pursuant to section 17 of the Commodity Exchange Act, as amended, or any
13 regulations adopted thereunder;
14 (c) any nonprofit entity identified in section four hundred five of
15 the financial services law to the extent such organization collects,
16 processes, uses, or shares data solely in relation to identifying,
17 investigating, or assisting:
18 (i) law enforcement agencies in connection with suspected insurance-
19 related criminal or fraudulent acts; or
20 (ii) first responders in connection with catastrophic events;
21 (d) information that meets the following criteria:
22 (i) personal data collected, processed, sold, or disclosed pursuant to
23 and in compliance with the federal Gramm-Leach-Bliley act (P.L.
24 106-102), and implementing regulations;
25 (ii) personal data collected, processed, sold, or disclosed pursuant
26 to the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec.
27 2721 et seq.), if the collection, processing, sale, or disclosure is in
28 compliance with that law;
29 (iii) personal data regulated by the federal Family Educational Rights
30 and Privacy Act, U.S.C. Sec. 1232g and its implementing regulations;
31 (iv) personal data collected, processed, sold, or disclosed pursuant
32 to the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. Sec.
33 2001-2279cc) and its implementing regulations (12 C.F.R. Part 600 et
34 seq.) if the collection, processing, sale, or disclosure is in compli-
35 ance with that law;
36 (v) personal data regulated by section two-d of the education law;
37 (vi) data maintained as employment records, for purposes other than
38 sale;
39 (vii) protected health information that is lawfully collected by a
40 covered entity or business associate and is governed by the privacy,
41 security, and breach notification rules issued by the United States
42 Department of Health and Human Services, Parts 160 and 164 of Title 45
43 of the Code of Federal Regulations, established pursuant to the Health
44 Insurance Portability and Accountability Act of 1996 (Public Law
45 104-191) ("HIPAA") and the Health Information Technology for Economic
46 and Clinical Health Act (Public Law 111-5);
47 (viii) patient identifying information for purposes of 42 C.F.R. Part
48 2, established pursuant to 42 U.S.C. Sec. 290dd-2, as long as such data
49 is not sold in violation of HIPAA or any state or federal law;
50 (ix) information and documents lawfully created for purposes of the
51 federal Health Care Quality Improvement Act of 1986, and related regu-
52 lations;
53 (x) patient safety work product created for purposes of 42 C.F.R.
54 Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
55 (xi) information that is treated in the same manner as information
56 exempt under subparagraph (vii) of this paragraph that is maintained by
1 a covered entity or business associate as defined by HIPAA or a program
2 or a qualified service organization as defined by 42 U.S.C. § 290dd-2,
3 as long as such data is not sold in violation of HIPAA or any state or
4 federal law;
5 (xii) deidentified health information that meets all of the following
6 conditions:
7 (A) it is deidentified in accordance with the requirements for deiden-
8 tification set forth in Section 164.514 of Part 164 of Title 45 of the
9 Code of Federal Regulations;
10 (B) it is derived from protected health information, individually
11 identifiable health information, or identifiable private information
12 compliant with the Federal Policy for the Protection of Human Subjects,
13 also known as the Common Rule; and
14 (C) a covered entity or business associate does not attempt to reiden-
15 tify the information nor do they actually reidentify the information
16 except as otherwise allowed under state or federal law;
17 (xiii) information maintained by a covered entity or business associ-
18 ate governed by the privacy, security, and breach notification rules
19 issued by the United States Department of Health and Human Services,
20 Parts 160 and 164 of Title 45 of the Code of Federal Regulations, estab-
21 lished pursuant to the Health Insurance Portability and Accountability
22 Act of 1996 (Public Law 104-191), to the extent the covered entity or
23 business associate maintains the information in the same manner as
24 protected health information as described in subparagraph (vii) of this
25 paragraph;
26 (xiv) data collected as part of human subjects research, including a
27 clinical trial, conducted in accordance with the Federal Policy for the
28 Protection of Human Subjects, also known as the Common Rule, pursuant to
29 good clinical practice guidelines issued by the International Council
30 for Harmonisation or pursuant to human subject protection requirements
31 of the United States Food and Drug Administration;
32 (xv) personal data processed only for one or more of the following
33 purposes:
34 (A) product registration and tracking consistent with applicable
35 United States Food and Drug Administration regulations and guidance;
36 (B) public health activities and purposes as described in Section
37 164.512 of Title 45 of the Code of Federal Regulations; and/or
38 (C) activities related to quality, safety, or effectiveness regulated
39 by the United States Food and Drug Administration; or
40 (xvi) personal data collected, processed, or disclosed pursuant to and
41 in compliance with any opt-out program authorized by the public service
42 commission or any other opt-out community distributed generation
43 programs authorized in law; or
44 (e) (i) an activity involving the collection, maintenance, disclosure,
45 sale, communication, or use of any personal data bearing on a consumer's
46 credit worthiness, credit standing, credit capacity, character, general
47 reputation, personal characteristics, or mode of living by a consumer
48 reporting agency, as defined in Title 15 U.S.C. Sec. 1681a(f), by a
49 furnisher of information, as set forth in Title 15 U.S.C. Sec. 1681s-2,
50 who provides information for use in a consumer report, as defined in
51 Title 15 U.S.C. Sec. 1861a(d), and by a user of a consumer report, as
52 set forth in Title 15 U.S.C. Sec. 1681b.; and
53 (ii) this paragraph shall apply only to the extent that such activity
54 involving the collection, maintenance, disclosure, sale, communication,
55 or use of such data by that agency, furnisher, or user is subject to
56 regulation under the Fair Credit Reporting Act, Title 15 U.S.C. Sec.
1 1681 et seq., and the data is not collected, maintained, used, communi-
2 cated, disclosed, or sold except as authorized by the Fair Credit
3 Reporting Act.
4 6. Wherever there shall be a violation of this section, an application
5 may be made by the attorney general in the name of the people of the
6 state of New York to a court or justice having jurisdiction to issue an
7 injunction, and upon notice to the defendant of not less than five days,
8 to enjoin and restrain the continuance of such violations; and if it
9 shall appear to the satisfaction of the court or justice, that the
10 defendant has, in fact, violated this section an injunction may be
11 issued by such court or justice enjoining and restraining any further
12 violation, without requiring proof that any person has, in fact, been
13 injured or damaged thereby. In any such proceeding, the court may make
14 allowances to the attorney general as provided in paragraph six of
15 subdivision (a) of section eighty-three hundred three of the civil prac-
16 tice law and rules, and direct restitution. Whenever the court shall
17 determine that a violation of this section has occurred, the court may
18 impose a civil penalty of not more than ten thousand dollars. In
19 connection with any such proposed application, the attorney general is
20 authorized to take proof and make a determination of the relevant facts
21 and to issue subpoenas in accordance with the civil practice law and
22 rules.
23 § 2. This act shall take effect on the ninetieth day after it shall
24 have become a law.