STATE OF NEW YORK
________________________________________________________________________
6797
2025-2026 Regular Sessions
IN SENATE
March 24, 2025
___________
Introduced by Sen. SKOUFIS -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection
AN ACT to amend the general business law, in relation to prohibiting
data brokers from selling the personal information of current and
former military servicemembers
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The general business law is amended by adding a new section 399-jj to read as follows:
§ 399-jj. Sale of personal information of servicemembers. 1. As used in this section:
(a) "Consent" means a clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of a consumer's agreement to the processing of data relating to the consumer. Consent may be withdrawn at any time, and a controller must provide clear, conspicuous, and consumer-friendly means to withdraw consent. The burden of establishing consent is on the controller. Consent does not include: (i) an agreement of general terms of use or a similar document that references unrelated information in addition to personal data processing; (ii) an agreement obtained through fraud, deceit or deception; (iii) any act that does not constitute a user's intent to interact with another party such as hovering over, pausing or closing any content; or (iv) a pre-checked box or similar default.
(b) "Consumer" means a natural person who is a New York resident acting only in an individual or household context. It does not include a natural person known to be acting in a professional or employment context.
(c) "Data broker" means a person, or unit or units of a legal entity, separately or together, that does business in the state of New York and knowingly collects, and sells to other controllers or third parties, the
personal data of a consumer with whom it does not have a direct relationship. "Data broker" does not include any of the following:
(i) a consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.); or
(ii) a financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(d) "Household" means a group, however identified, of consumers who cohabitate with one another at the same residential address and may share use of common devices or services.
(e) "Military servicemember" means a person who is serving or has served:
(i) on active duty in the army, navy, marine corps, air force, space force, or coast guard of the United States;
(ii) in the army national guard or air national guard;
(iii) as a commissioned officer in the public health service or of the national oceanic and atmospheric administration or environmental sciences services administration; or
(iv) as a cadet at a United States armed forces service academy.
(f) "Military servicemember list" means a list that includes personal information, other than public record information, about one or more individuals or households which is created for the express or implied purpose of compiling information about individuals who are current or former servicemembers or family members of a current or former servicemember.
(g) "Personal data" means any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person, or household. Personal data does not include deidentified data, information that is lawfully made publicly available from federal, state or local government records, or information that a controller has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.
(h) "Sale", "sell", or "sold" means the disclosure, transfer, conveyance, sharing, licensing, making available, processing, granting of permission or authorization to process, or other exchange of personal data, or providing access to personal data for monetary or other valuable consideration by the controller to a third party. "Sale" includes enabling, facilitating or providing access to personal data for targeted advertising. "Sale" does not include the following:
(i) the disclosure of data to a processor who processes the data on behalf of the controller and which is contractually prohibited from using it for any purpose other than as instructed by the controller;
(ii) the disclosure or transfer of data as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which another entity assumes control or ownership of all or a majority of the controller's assets; or
(iii) the disclosure of personal data to a third party necessary for purposes of providing a product, service, or interaction with such third party, when the consumer intentionally and unambiguously requests such disclosure.
(i) "Targeted advertising" means advertising based upon profiling.
2. It shall be unlawful for a data broker knowingly or recklessly to sell a military servicemember list or personal data about any military servicemember without consent from such military servicemembers.
3. It shall be unlawful for a data broker knowingly or recklessly to advertise a military servicemember list or personal data about any military servicemember or member of their family without consent from such military servicemembers.
4. This section applies to legal persons that conduct business in New York or produce products or services that are targeted to residents of New York.
5. This section shall not apply to:
(a) personal data processed by state and local governments, and municipal corporations, for processes other than sale; provided, however, filing and processing fees shall not be considered a sale for the purposes of this paragraph;
(b) a national securities association registered pursuant to section 15A of the Securities Exchange Act of 1934, as amended, or regulations adopted thereunder or a registered futures association so designated pursuant to section 17 of the Commodity Exchange Act, as amended, or any regulations adopted thereunder;
(c) any nonprofit entity identified in section four hundred five of the financial services law to the extent such organization collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting:
(i) law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or
(ii) first responders in connection with catastrophic events;
(d) information that meets the following criteria:
(i) personal data collected, processed, sold, or disclosed pursuant to and in compliance with the federal Gramm-Leach-Bliley act (P.L. 106-102), and implementing regulations;
(ii) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if the collection, processing, sale, or disclosure is in compliance with that law;
(iii) personal data regulated by the federal Family Educational Rights and Privacy Act, U.S.C. Sec. 1232g and its implementing regulations;
(iv) personal data collected, processed, sold, or disclosed pursuant to the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. Sec. 2001-2279cc) and its implementing regulations (12 C.F.R. Part 600 et seq.) if the collection, processing, sale, or disclosure is in compliance with that law;
(v) personal data regulated by section two-d of the education law;
(vi) data maintained as employment records, for purposes other than sale;
(vii) protected health information that is lawfully collected by a covered entity or business associate and is governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5);
(viii) patient identifying information for purposes of 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2, as long as such data is not sold in violation of HIPAA or any state or federal law;
(ix) information and documents lawfully created for purposes of the federal Health Care Quality Improvement Act of 1986, and related regulations;
(x) patient safety work product created for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
(xi) information that is treated in the same manner as information exempt under subparagraph (vii) of this paragraph that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2, as long as such data is not sold in violation of HIPAA or any state or federal law;
(xii) deidentified health information that meets all of the following conditions:
(A) it is deidentified in accordance with the requirements for deidentification set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations;
(B) it is derived from protected health information, individually identifiable health information, or identifiable private information compliant with the Federal Policy for the Protection of Human Subjects, also known as the Common Rule; and
(C) a covered entity or business associate does not attempt to reidentify the information nor do they actually reidentify the information except as otherwise allowed under state or federal law;
(xiii) information maintained by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the covered entity or business associate maintains the information in the same manner as protected health information as described in subparagraph (vii) of this paragraph;
(xiv) data collected as part of human subjects research, including a clinical trial, conducted in accordance with the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration;
(xv) personal data processed only for one or more of the following purposes:
(A) product registration and tracking consistent with applicable United States Food and Drug Administration regulations and guidance;
(B) public health activities and purposes as described in Section 164.512 of Title 45 of the Code of Federal Regulations; and/or
(C) activities related to quality, safety, or effectiveness regulated by the United States Food and Drug Administration; or
(xvi) personal data collected, processed, or disclosed pursuant to and in compliance with any opt-out program authorized by the public service commission or any other opt-out community distributed generation programs authorized in law; or
(e) (i) an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in Title 15 U.S.C. Sec. 1681a(f), by a furnisher of information, as set forth in Title 15 U.S.C. Sec. 1681s-2, who provides information for use in a consumer report, as defined in Title 15 U.S.C. Sec. 1861a(d), and by a user of a consumer report, as set forth in Title 15 U.S.C. Sec. 1681b.; and
(ii) this paragraph shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such data by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Title 15 U.S.C. Sec. 1681 et seq., and the data is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.
6. Wherever there shall be a violation of this section, an application may be made by the attorney general in the name of the people of the state of New York to a court or justice having jurisdiction to issue an injunction, and upon notice to the defendant of not less than five days, to enjoin and restrain the continuance of such violations; and if it shall appear to the satisfaction of the court or justice, that the defendant has, in fact, violated this section an injunction may be issued by such court or justice enjoining and restraining any further violation, without requiring proof that any person has, in fact, been injured or damaged thereby. In any such proceeding, the court may make allowances to the attorney general as provided in paragraph six of subdivision (a) of section eighty-three hundred three of the civil practice law and rules, and direct restitution. Whenever the court shall determine that a violation of this section has occurred, the court may impose a civil penalty of not more than ten thousand dollars. In connection with any such proposed application, the attorney general is authorized to take proof and make a determination of the relevant facts and to issue subpoenas in accordance with the civil practice law and rules.
§ 2. This act shall take effect on the ninetieth day after it shall have become a law.