Prohibits the collection or processing of an individual's location information except for a permissible purpose; requires an entity collecting location information for the provision of multiple permissible purpose to maintain a location privacy policy obtain consent from the individual the information pertains to; prohibits the disclosure or sale of such information except for certain purposes; provides remedies for violations.
STATE OF NEW YORK
________________________________________________________________________
8729
2025-2026 Regular Sessions
IN ASSEMBLY
June 2, 2025
___________
Introduced by M. of A. ROSENTHAL -- read once and referred to the
Committee on Science and Technology
AN ACT to amend the general business law, in relation to protecting
safety and privacy by stopping the sale of location data
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new article
2 39-FFF to read as follows:
3 ARTICLE 39-FFF
4 PROTECTION OF LOCATION DATA
5 Section 899-ss. Definitions.
6 899-tt. Protection of location information.
7 899-uu. Prohibition against retaliation.
8 899-vv. Enforcement.
9 899-ww. Rulemaking authority.
10 899-xx. Application.
11 § 899-ss. Definitions. As used in this article, the following terms
12 shall have the following meanings:
13 1. "Application" means a software program that runs on the operating
14 system of a device.
15 2. "Collect" means to obtain, infer, generate, create, receive, or
16 access an individual's location information.
17 3. "Consent" means freely given, specific, informed, unambiguous,
18 opt-in consent. This term does not include either of the following:
19 (a) agreement secured without first providing to the individual a
20 clear and conspicuous disclosure of all information material to the
21 provision of consent, apart from any privacy policy, terms of service,
22 terms of use, general release, user agreement, or other similar docu-
23 ment; or
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD11915-01-5
A. 8729 2
1 (b) agreement obtained through the use of a user interface designed or
2 manipulated with the substantial effect of subverting or impairing user
3 autonomy, decision making, or choice.
4 4. "Covered entity" means any individual, partnership, corporation,
5 limited liability company, association, or other group, however organ-
6 ized. A covered entity does not include a state or local government
7 agency, or any court of New York, a clerk of the court, or a judge or
8 justice thereof. A covered entity does not include an individual acting
9 in a non-commercial context. A covered entity includes all agents of the
10 entity.
11 5. "Device" means a mobile telephone or any other electronic device
12 that is or may commonly be carried by or on an individual and is capable
13 of connecting to a cellular, bluetooth, or other wireless network.
14 6. "Disclose" means to make location information available to a third
15 party, including but not limited to sharing, publishing, releasing,
16 transferring, disseminating, providing access to, or otherwise communi-
17 cating such location information orally, in writing, electronically, or
18 by any other means.
19 7. "Individual" means a person located in the state of New York.
20 8. "Location information" means information derived from a device or
21 from interactions between devices, with or without the knowledge of the
22 user and regardless of the technological method used, that pertains to
23 or directly or indirectly reveals the present or past geographical
24 location of an individual or device within the state of New York with
25 sufficient precision to identify street-level location information with-
26 in a range of one thousand eight hundred fifty feet or less. Location
27 information includes but is not limited to: (a) an internet protocol
28 address capable of revealing the physical or geographical location of an
29 individual; (b) Global Positioning System (GPS) coordinates; and (c)
30 cell-site location information. This term does not include location
31 information identifiable or derived solely from the visual content of a
32 legally obtained image, including the location of the device that
33 captured such image, or publicly posted words.
34 9. "Location privacy policy" means a description of the policies,
35 practices, and procedures controlling a covered entity's collection,
36 processing, management, storage, retention, and deletion of location
37 information.
38 10. "Monetize" means to collect, process, or disclose an individual's
39 location information for profit or in exchange for monetary or other
40 consideration. This term includes but is not limited to selling, rent-
41 ing, trading, or leasing location information.
42 11. "Person" means any natural person.
43 12. "Permissible purpose" means one of the following purposes:
44 (a) the provision of a product, service, or service feature to the
45 individual to whom the location information pertains when that individ-
46 ual requested the provision of such product, service, or service feature
47 by subscribing to, creating an account, or otherwise contracting with a
48 covered entity;
49 (b) initiation, management, execution, or completion of a financial or
50 commercial transaction or fulfill an order for specific products or
51 services requested by an individual, including any associated routine
52 administrative, operational, and account-servicing activity such as
53 billing, shipping, delivery, storage, and accounting;
54 (c) compliance with an obligation under federal or state law; or
A. 8729 3
1 (d) response to an emergency service agency, an emergency alert, a 911
2 communication, or any other communication reporting an imminent threat
3 to human life.
4 13. "Process" means to perform any action or set of actions on or with
5 location information, including but not limited to collecting, access-
6 ing, using, storing, retaining, analyzing, creating, generating, aggre-
7 gating, altering, correlating, operating on, recording, modifying,
8 organizing, structuring, disposing of, destroying, de-identifying, or
9 otherwise manipulating location information. This term does not include
10 disclosing location information.
11 14. "Reasonably understandable" means of length and complexity such
12 that an individual with an eighth-grade reading level, as established by
13 the department of education, can read and comprehend.
14 15. "Service feature" means a discrete aspect of a service provided by
15 a covered entity, including but not limited to real-time directions,
16 real-time weather, and identity authentication.
17 16. "Service provider" means an individual, partnership, corporation,
18 limited liability company, association, or other group, however organ-
19 ized, that collects, processes, or transfers location information for
20 the sole purpose of, and only to the extent that such service provider
21 is, conducting business activities on behalf of, for the benefit of, at
22 the direction of, and under contractual agreement with a covered entity.
23 17. "Third party" means any covered entity or person other than: (a) a
24 covered entity that collected or processed location information in
25 accordance with this chapter or its service providers; or (b) the indi-
26 vidual to whom the location information pertains. This term does not
27 include government entities.
28 § 899-tt. Protection of location information. 1. It shall be unlawful
29 for a covered entity to collect or process an individual's location
30 information except for a permissible purpose. Prior to collecting or
31 processing an individual's location information for one of those permis-
32 sible purposes, a covered entity shall provide the individual with a
33 copy of the location privacy policy and obtain consent from that indi-
34 vidual; provided, however, that this shall not be required when the
35 collection and processing is done in:
36 (a) compliance with an obligation under federal or state law; or
37 (b) in response to an emergency service agency, an emergency alert, a
38 911 communication, or any other communication reporting an imminent
39 threat to human life.
40 2. If a covered entity collects location information for the provision
41 of multiple permissible purposes, it shall be mentioned in the location
42 privacy policy and individuals shall provide discrete consent for each
43 purpose; provided, however, that this shall not be required for the
44 purpose of collecting and processing location information to comply with
45 an obligation under federal or state law or to respond to an emergency
46 service agency, an emergency alert, a 911 communication, or any other
47 communication reporting an imminent threat to human life.
48 3. A covered entity that directly delivers targeted advertisements as
49 part of its product or services shall provide individuals with a clear,
50 conspicuous, and simple means to opt out of the processing of their
51 location information for purposes of selecting and delivering targeted
52 advertisements.
53 4. Consent provided under this section shall expire:
54 (a) after one year;
55 (b) when the initial purpose for processing the information has been
56 satisfied; or
A. 8729 4
1 (c) when the individual revokes consent, whichever occurs first,
2 provided that consent may be renewed pursuant to the same procedures.
3 Upon expiration of consent, any location information possessed by a
4 covered entity shall be permanently destroyed.
5 5. It shall be unlawful for a covered entity or service provider that
6 lawfully collects and processes location information to:
7 (a) collect more precise location information than necessary to carry
8 out the permissible purpose;
9 (b) retain location information longer than necessary to carry out the
10 permissible purpose;
11 (c) sell, rent, trade, or lease location information to third parties;
12 (d) derive or infer from location information any data that is not
13 necessary to carry out a permissible purpose; or
14 (e) disclose, cause to disclose, or assist with or facilitate the
15 disclosure of an individual's location information to third parties,
16 unless such disclosure is necessary to carry out the permissible purpose
17 for which the information was collected or requested by the individual
18 to whom the location data pertains.
19 6. It shall be unlawful for a covered entity or service providers to
20 disclose location information to any federal, state, or local government
21 agency or official unless:
22 (a) the agency or official serves the covered entity or service
23 provider with a valid warrant or establishes the existence of exigent
24 circumstances that make it impracticable to obtain a warrant;
25 (b) disclosure is mandated under federal or state law, including in
26 response to a court order or lawfully issued and properly served subpoe-
27 na or civil investigative demand under state or federal law; or
28 (c) the data subject requests such disclosure.
29 7. A covered entity shall maintain and make available to the data
30 subject a location privacy policy, which shall include, at a minimum,
31 the following:
32 (a) the permissible purpose for which the covered entity is collect-
33 ing, processing, or disclosing any location information;
34 (b) the type of location information collected, including the preci-
35 sion of the data;
36 (c) the identities of service providers with which the covered entity
37 contracts with respect to location data;
38 (d) any disclosures of location data necessary to carry out a permis-
39 sible purpose and the identities of the third parties to whom the
40 location information could be disclosed;
41 (e) whether the covered entity's practices include the internal use of
42 location information for purposes of targeted advertisement;
43 (f) the data management and data security policies governing location
44 information; and
45 (g) the retention schedule and guidelines for permanently deleting
46 location information.
47 8. A covered entity in lawful possession of location information shall
48 provide notice to individuals to whom that information pertains of any
49 change to its location privacy policy at least twenty business days
50 before the change goes into effect, and shall request and obtain consent
51 before collecting or processing location information in accordance with
52 the new location privacy policy.
53 9. It shall be unlawful for a government entity to monetize location
54 information.
55 § 899-uu. Prohibition against retaliation. A covered entity shall not
56 take adverse action against an individual because the individual exer-
A. 8729 5
1 cised or refused to waive any of such individual's rights under this
2 article, unless location data is essential to the provision of the good,
3 service, or service feature that the individual requests, and then only
4 to the extent that such data is essential. This prohibition includes but
5 is not limited to:
6 1. refusing to provide a good or service to the individual;
7 2. charging different prices or rates for goods or services, including
8 through the use of discounts or other benefits or imposing penalties; or
9 3. providing a different level or quality of goods or services to the
10 individual.
11 § 899-vv. Enforcement. 1. A violation of this chapter or a regulation
12 promulgated under this article regarding an individual's location infor-
13 mation constitutes an injury to that individual and shall be deemed an
14 unfair or deceptive act or practice in the conduct of trade or commerce.
15 2. Any individual alleging a violation of this chapter by a covered
16 entity or service provider may bring a civil action in the supreme court
17 or any court of competent jurisdiction; provided that, venue in the
18 supreme court shall be in the county in which the plaintiff resides or
19 was located at the time of any violation.
20 3. An individual protected by this chapter shall not be required, as a
21 condition of service or otherwise, to file an administrative complaint
22 with the attorney general or to accept mandatory arbitration of a claim
23 arising under this chapter.
24 4. In a civil action in which the plaintiff prevails, the court may
25 award:
26 (a) actual damages, including damages for emotional distress, or five
27 thousand dollars per violation, whichever is greater;
28 (b) punitive damages; and
29 (c) any other relief, including but not limited to an injunction or
30 declaratory judgment, that the court deems to be appropriate. The court
31 shall consider each instance in which a covered entity or service
32 provider collects, processes, or discloses location information in a
33 manner prohibited by this article or a regulation promulgated under this
34 article as constituting a separate violation of this chapter or regu-
35 lation promulgated under this article. In addition to any relief
36 awarded, the court shall award reasonable attorney's fees and costs to
37 any prevailing plaintiff.
38 5. The attorney general may bring an action against a covered entity
39 or service provider to remedy violations of this chapter and for other
40 relief that may be appropriate.
41 6. Any provision of a contract or agreement of any kind, including a
42 covered entity's terms of service or policies, including but not limited
43 to the location privacy policy, that purports to waive or limit in any
44 way an individual's rights under this article, including but not limited
45 to any right to a remedy or means of enforcement, shall be deemed
46 contrary to state law and shall be void and unenforceable.
47 7. No private or government action brought pursuant to this article
48 shall preclude any other action under this article or any other
49 provision of law.
50 § 899-ww. Rulemaking authority. The attorney general may promulgate
51 such rules and regulations as are necessary to effectuate and enforce
52 the provisions of this article.
53 § 899-xx. Application. Location information collected, processed, and
54 stored prior to the effective date of this article shall be subject to
55 the provisions of paragraphs (c) and (e) of subdivision five and of
56 subdivision six of section three hundred ninety-nine-tt of this article.
A. 8729 6
1 § 2. This act shall take effect one year after it shall have become a
2 law. Effective immediately, the addition, amendment and/or repeal of
3 any rule or regulation necessary for the implementation of this act on
4 its effective date are authorized to be made and completed on or before
5 such effective date.
