
S04886 Summary:

BILL NO: S04886A

SAME AS: No Same As

SPONSOR: GONZALEZ

COSPNSR: KRUEGER

MLTSPNSR:
 
Amd §§1266 & 1205, add §§1279-j & 1204-g, Pub Auth L
 
Prohibits the disclosure of individualized fare payment data by the metropolitan commuter transportation authority and the New York city transit authority for the purpose of maintaining customer privacy; provides certain exceptions when such data can be disclosed.

S04886 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         4886--A
 
                               2025-2026 Regular Sessions
 
                    IN SENATE
 
                                    February 13, 2025
                                       ___________
 
        Introduced by Sens. GONZALEZ, KRUEGER -- read twice and ordered printed,
          and when printed to be committed to the Committee on Transportation --
          committee  discharged,  bill amended, ordered reprinted as amended and
          recommitted to said committee
 
        AN ACT to amend the public authorities law, in relation  to  prohibiting
          the disclosure of individualized fare payment data by the metropolitan
          commuter  transportation  authority  and  the  New  York  city transit
          authority
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section  1.  Section  1266 of the public authorities law is amended by
     2  adding a new subdivision 20 to read as follows:
     3    20. (a) If a passenger station's entry system requires the  use  of  a
     4  card,  token,  or  other device in order to enter the passenger station,
     5  then (i) such card, token,  or  other  device  shall  be  available  for
     6  purchase,  including  by  cash, throughout all hours of operation of the
     7  passenger station, (ii) such card, token, or other device shall  not  be
     8  registered  to or otherwise associated with the identity of any individ-
     9  ual, and (iii) such card, token, or  other  device  shall  not  cost  in
    10  excess of the present-day value of five dollars as of January first, two
    11  thousand twenty-five.
    12    (b)  If  a passenger station's entry system permits the use of a card,
    13  token, or other device in order to enter  the  passenger  station  at  a
    14  reduced  fare  or free-of-charge, then such card, token, or other device
    15  for reduced fare or  free-of-charge  entry  shall  be  exempt  from  the
    16  requirements of paragraph (a) of this subdivision, except that registra-
    17  tion  or association of such card, token, or other device with the iden-
    18  tity of an individual shall  be  used  only  for  the  purposes  of  (i)
    19  confirming  a  prospective user's request for eligibility for such card,
    20  token, or other device or (ii) deactivating  and  replacing  such  card,
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD09533-03-5

        S. 4886--A                          2
 
     1  token, or other device if lost or stolen, upon request of the person who
     2  requested and obtained such card, token, or other device.
     3    §  2.  The  public  authorities law is amended by adding a new section
     4  1279-j to read as follows:
     5    § 1279-j. Customer privacy. 1. For the purposes of this  section,  the
     6  following terms shall have the following meanings:
     7    (a) "Data subject" shall have the same meaning as such term is defined
     8  pursuant  to subdivision three of section ninety-two of the public offi-
     9  cers law.
    10    (b) "Disclose" shall have the same meaning as  such  term  is  defined
    11  pursuant  to  subdivision four of section ninety-two of the public offi-
    12  cers law.
    13    (c) "Police agency" shall have  the  same  meaning  as  such  term  is
    14  defined  pursuant  to subdivision eight of section eight hundred thirty-
    15  five of the executive law.
    16    (d) "Law enforcement agency" shall mean any agency which is  empowered
    17  by law to conduct an investigation or to make an arrest for a crime, and
    18  any agency which is authorized by law to prosecute or participate in the
    19  prosecution  of  a  crime,  and  shall include any agency that primarily
    20  enforces immigration law.
    21    (e) "Law enforcement officer" shall mean a  police  officer  or  peace
    22  officer,  including  transit police under subdivision sixteen of section
    23  one thousand two hundred four of this article and including  any  person
    24  employed  by  the authority police force established pursuant to section
    25  one thousand two hundred sixty-six of this title as well as  any  person
    26  employed by any agency that primarily enforces immigration law.
    27    (f)  "Police  officer"  shall  have  the  same meaning as such term is
    28  defined pursuant to subdivision thirty-four of section 1.20 of the crim-
    29  inal procedure law.
    30    (g) "Peace officer" shall  mean  any  individual  listed  pursuant  to
    31  section 2.10 of the criminal procedure law.
    32    (h) "Person employed" shall mean any employee, independent contractor,
    33  or volunteer under the statutory and common law of the state of New York
    34  acting in the scope of their duties as an employee, independent contrac-
    35  tor, or volunteer.
    36    (i)  "Individualized  fare  payment data" shall mean personal informa-
    37  tion, as defined in subdivision  seven  of  section  ninety-two  of  the
    38  public officers law, related to payment of fares to the authority or its
    39  subsidiary  corporations  in  order to enter, access, or otherwise use a
    40  transportation system administered by the authority  or  its  subsidiary
    41  corporations.  "Individualized fare payment data" shall include, but not
    42  be limited to, data that correlates a card, token, or device used to pay
    43  a fare and the locations at which such card, token or device was used.
    44    2. (a) The authority, its subsidiary corporations, or any other person
    45  or  entity in possession of a data subject's individualized fare payment
    46  data shall not disclose such  individualized  fare  payment  data  to  a
    47  police  agency,  law  enforcement agency, or law enforcement officer, or
    48  use a data subject's individualized fare payment data for  law  enforce-
    49  ment purposes, unless such a disclosure is:
    50    (i)  reasonably  necessary to prevent a serious and imminent threat to
    51  the life or safety of the data subject or others,  and  notification  of
    52  the  disclosure is transmitted to the data subject within twenty days if
    53  such notice is practicable; or
    54    (ii) pursuant to a search warrant, supported by particularized  proba-
    55  ble  cause  with  respect to each data subject whose individualized fare
    56  payment data is disclosed.

        S. 4886--A                          3
 
     1    (b) The authority, its subsidiary corporations, or any other person or
     2  entity in possession of a data  subject's  individualized  fare  payment
     3  data  shall  not sell such individualized fare payment data to any third
     4  party.
     5    (c)  If  the  authority  enters  into  a partnership or agreement with
     6  another entity to provide services, including but not  limited  to  fare
     7  payment services, and such other entity directly collects individualized
     8  fare payment data pursuant to such a partnership or agreement, the enti-
     9  ty  shall  not disclose such individualized fare payment data other than
    10  pursuant to paragraphs (a) and (b) of this subdivision.
    11    (d) The authority shall not enter into an agreement described in para-
    12  graph (c) of this subdivision with any police agency or law  enforcement
    13  agency.
    14    (e)  The authority shall not transfer individualized fare payment data
    15  except pursuant to paragraphs (a) and (c) of this subdivision.
    16    3. (a) Any data subject or caller whose communication was disclosed in
    17  violation of this section may seek judicial review  and  relief  against
    18  any private person or entity responsible for such disclosure for:
    19    (i)  five  thousand dollars per violation or actual damages, whichever
    20  is greater;
    21    (ii) punitive damages; and
    22    (iii) any other relief the court deems warranted.
    23    (b) In assessing the amount of punitive damages awarded to a plaintiff
    24  in an action brought under paragraph (a) of this subdivision, the  court
    25  shall consider:
    26    (i) the defendant's pattern of violations of this section; and
    27    (ii)  the  impact  of  the violation on the data subject's or caller's
    28  exercise of constitutional and  statutory  rights,  including,  but  not
    29  limited to, religion, political views, and medical care.
    30    (c) In any action brought under paragraph (a) of this subdivision, the
    31  court  shall  award reasonable attorneys' fees, expenses, and costs to a
    32  prevailing plaintiff.
    33    (d) The attorney general may seek an  injunction  from  any  court  of
    34  proper jurisdiction for any violation of this section.
    35    (e)  (i)  The  authority  shall,  quarterly,  provide to the inspector
    36  general a list of each instance in which it shared  individualized  fare
    37  payment  data  with  a  police  agency,  law  enforcement agency, or law
    38  enforcement officer, which shall be kept by the inspector general for  a
    39  period of five years.
    40    (ii)  Such  list provided pursuant to this paragraph shall contain the
    41  date of the disclosure; a  detailed  description  of  the  data  shared,
    42  anonymized  to  prevent  identification  of the individuals to whom such
    43  data relates; the individual, agency, and division of  such  agency,  if
    44  applicable,  to which it was shared; if such data was shared pursuant to
    45  subparagraph (i) of paragraph (a) of subdivision two of this section,  a
    46  detailed description of the exigency and the date of notification of the
    47  data  subject, or, if notice was not practicable, a detailed description
    48  of the efforts made to notify the data subject; if such data was  shared
    49  pursuant  to  subparagraph  (ii)  of paragraph (a) of subdivision two of
    50  this section, a copy of the warrant.
    51    (iii) The inspector general shall review each disclosure, and  if  the
    52  inspector  general  finds an instance of disclosure made in violation of
    53  this section, the inspector general shall refer such improper disclosure
    54  to the attorney general for potential legal action.
    55    4. Nothing in this section shall be construed to:

        S. 4886--A                          4
 
     1    (a) limit or abridge the right of any person to obtain judicial review
     2  or pecuniary or other relief, in any other form or upon any other basis,
     3  otherwise available to a person; or
     4    (b) require the authority or any other entity to collect or retain any
     5  information about a caller or data subject.
     6    § 3. Section 1205 of the public authorities law is amended by adding a
     7  new subdivision 9 to read as follows:
     8    9.  (a)  If  a  passenger station's entry system requires the use of a
     9  card, token, or other device in order to enter  the  passenger  station,
    10  then  (i)  such  card,  token,  or  other  device shall be available for
    11  purchase, including by cash, throughout all hours of  operation  of  the
    12  passenger  station,  (ii) such card, token, or other device shall not be
    13  registered to or otherwise associated with the identity of any  individ-
    14  ual,  and  (iii)  such  card,  token,  or other device shall not cost in
    15  excess of the present-day value of five dollars as of January first, two
    16  thousand twenty-five.
    17    (b) If a passenger station's entry system permits the use of  a  card,
    18  token,  or  other  device  in  order to enter the passenger station at a
    19  reduced fare or free-of-charge, then such card, token, or  other  device
    20  for  reduced  fare  or  free-of-charge  entry  shall  be exempt from the
    21  requirements of paragraph (a) of this subdivision, except that registra-
    22  tion or association of such card, token, or other device with the  iden-
    23  tity  of  an  individual  shall  be  used  only  for the purposes of (i)
    24  confirming a prospective user's request for eligibility for  such  card,
    25  token,  or  other  device  or (ii) deactivating and replacing such card,
    26  token, or other device if lost or stolen, upon request of the person who
    27  requested and obtained such card, token, or other device.
    28    § 4. The public authorities law is amended by  adding  a  new  section
    29  1204-g to read as follows:
    30    §  1204-g.  Customer privacy. 1. For the purposes of this section, the
    31  following terms shall have the following meanings:
    32    (a) "Data subject" shall have the same meaning as such term is defined
    33  pursuant to subdivision three of section ninety-two of the public  offi-
    34  cers law.
    35    (b)  "Disclose"  shall  have  the same meaning as such term is defined
    36  pursuant to subdivision four of section ninety-two of the  public  offi-
    37  cers law.
    38    (c)  "Police  agency"  shall  have  the  same  meaning as such term is
    39  defined pursuant to subdivision eight of section eight  hundred  thirty-
    40  five of the executive law.
    41    (d)  "Law enforcement agency" shall mean any agency which is empowered
    42  by law to conduct an investigation or to make an arrest for a crime, and
    43  any agency which is authorized by law to prosecute or participate in the
    44  prosecution of a crime, and shall  include  any  agency  that  primarily
    45  enforces immigration law.
    46    (e)  "Law  enforcement  officer"  shall mean a police officer or peace
    47  officer, including transit police under subdivision sixteen  of  section
    48  one  thousand  two  hundred  four of this title and including any person
    49  employed by the authority police force established pursuant  to  section
    50  one thousand two hundred sixty-six of this article as well as any person
    51  employed by any agency that primarily enforces immigration law.
    52    (f)  "Police  officer"  shall  have  the  same meaning as such term is
    53  defined pursuant to subdivision thirty-four of section 1.20 of the crim-
    54  inal procedure law.
    55    (g) "Peace officer" shall  mean  any  individual  listed  pursuant  to
    56  section 2.10 of the criminal procedure law.

        S. 4886--A                          5
 
     1    (h) "Person employed" shall mean any employee, independent contractor,
     2  or volunteer under the statutory and common law of the state of New York
     3  acting in the scope of their duties as an employee, independent contrac-
     4  tor, or volunteer.
     5    (i)  "Individualized  fare  payment data" shall mean personal informa-
     6  tion, as defined in subdivision  seven  of  section  ninety-two  of  the
     7  public officers law, related to payment of fares to the authority or its
     8  subsidiary  corporations  in  order to enter, access, or otherwise use a
     9  transportation system administered by the authority  or  its  subsidiary
    10  corporations.  "Individualized fare payment data" shall include, but not
    11  be limited to, data that correlates a card, token, or device used to pay
    12  a fare and the locations at which such card, token or device was used.
    13    2. The authority shall comply with the requirements of subdivision two
    14  of section one thousand two hundred seventy-nine-j of this article.
    15    3. (a) Any data subject or caller whose communication was disclosed in
    16  violation  of  this  section may seek judicial review and relief against
    17  any private person or entity responsible for such disclosure for:
    18    (i) five thousand dollars per violation or actual  damages,  whichever
    19  is greater;
    20    (ii) punitive damages; and
    21    (iii) any other relief the court deems warranted.
    22    (b) In assessing the amount of punitive damages awarded to a plaintiff
    23  in  an action brought under paragraph (a) of this subdivision, the court
    24  shall consider:
    25    (i) the defendant's pattern of violations of this section; and
    26    (ii) the impact of the violation on the  data  subject's  or  caller's
    27  exercise  of  constitutional  and  statutory  rights, including, but not
    28  limited to, religion, political views, and medical care.
    29    (c) In any action brought under paragraph (a) of this subdivision, the
    30  court shall award reasonable attorneys' fees, expenses, and costs  to  a
    31  prevailing plaintiff.
    32    (d)  The  attorney  general  may  seek an injunction from any court of
    33  proper jurisdiction for any violation of this section.
    34    (e) (i) The authority  shall,  quarterly,  provide  to  the  inspector
    35  general  a  list of each instance in which it shared individualized fare
    36  payment data with a  police  agency,  law  enforcement  agency,  or  law
    37  enforcement  officer, which shall be kept by the inspector general for a
    38  period of five years.
    39    (ii) Such list provided pursuant to this paragraph shall  contain  the
    40  date  of  the  disclosure;  a  detailed  description of the data shared,
    41  anonymized to prevent identification of the  individuals  to  whom  such
    42  data  relates;  the  individual, agency, and division of such agency, if
    43  applicable, to which data was shared; if such data was  shared  pursuant
    44  to subparagraph (i) of paragraph (a) of subdivision two of this section,
    45  a  detailed  description of the exigency and the date of notification of
    46  the data  subject,  or,  if  notice  was  not  practicable,  a  detailed
    47  description of the efforts made to notify the data subject; if such data
    48  was shared pursuant to subparagraph (ii) of paragraph (a) of subdivision
    49  two of this section, a copy of the warrant.
    50    (iii)  The  inspector general shall review each disclosure, and if the
    51  inspector general finds an instance of disclosure made in  violation  of
    52  this section, the inspector general shall refer such improper disclosure
    53  to the attorney general for potential legal action.
    54    4. Nothing in this section shall be construed to:

        S. 4886--A                          6
 
     1    (a) limit or abridge the right of any person to obtain judicial review
     2  or pecuniary or other relief, in any other form or upon any other basis,
     3  otherwise available to a person; or
     4    (b) require the authority or any other entity to collect or retain any
     5  information about a caller or data subject.
     6    § 5. This act shall take effect immediately.