Enacts the "connected consumer product end of life disclosure act", relating to requiring manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software, hardware, or firmware necessary for the product to securely function.
STATE OF NEW YORK
8507--B
2025-2026 Regular Sessions
IN SENATE
September 12, 2025
Introduced by Sen. FAHY -- read twice and ordered printed, and when
printed to be committed to the Committee on Rules -- recommitted to
the Committee on Internet and Technology in accordance with Senate
Rule 6, sec. 8 -- committee discharged, bill amended, ordered
reprinted as amended and recommitted to said committee -- committee
discharged, bill amended, ordered reprinted as amended and recommitted
to said committee
AN ACT to amend the general business law, in relation to enacting the
"connected consumer product end of life disclosure act"
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. Short title. This act shall be known and may be cited as the "connected consumer product end of life disclosure act".
§ 2. The general business law is amended by adding a new section 399-mm to read as follows:
§ 399-mm. Connected consumer product end of life disclosure. 1. Definitions. As used in this section, the following terms shall have the following meanings:
(a) "Connected consumer product" means any physical product, including any mobile application or cloud infrastructure related to the functioning of such product, that is intended for consumer use and depends for its functioning, in whole or in part, on connection to the internet.
(b) "End of life" means the point at which the manufacturer ceases providing a necessary update or support for a connected consumer product, even if such product is still in use.
(c) "Firmware" means low-level software that is embedded into hardware devices, where such software provides the essential instructions needed for hardware to operate properly, acting as a middle layer between the hardware and higher-level software such as device operating systems or applications.
(d) "Minimum guaranteed support time frame" means the minimum amount of time for which a company has publicly committed to providing all necessary updates and support for a connected consumer product, expressed as a specific date for the end of the time frame.
(e) "Product update" means an update, other than a security update, released for a connected consumer product to address effectively a flaw in the software, hardware, or firmware running on such product that interferes with the full functioning of such product.
(f) "Product web page" means a web page specific to the particular connected consumer product that contains information about such product and its features.
(g) "Security update" means an update released for a connected consumer product to address effectively a vulnerability in the software, hardware, or firmware running on such product.
(h) "Support" means service to ensure that a connected consumer product continues to fully function and to provide information and guidance to consumers regarding proper use of such product.
(i) "Update" means a product update or a security update.
(j) "Vulnerability" means a flaw in the software, hardware, or firmware running on a connected consumer product that lessens the security or integrity of such product.
2. Requirements. The following requirements shall apply to any connected consumer product manufactured or sold after January first, two thousand twenty-seven:
(a) The manufacturer shall clearly and prominently disclose a minimum guaranteed support time frame to prospective buyers, in all of the following ways:
(i) disclosing on the product web page;
(ii) disclosing at the point of sale, in a manner reasonably designed to reach the attention of the prospective buyer, if the manufacturer has the ability to make the disclosure directly to prospective buyers at the point of sale; and
(iii) if the manufacturer does not have the ability to make the disclosure directly to prospective buyers at the point of sale, disclosing to the retailer with instructions to disclose to prospective buyers at the point of sale.
(b) The minimum guaranteed support time frame shall not be inconsistent with reasonable consumer expectations about how long a connected consumer product's features that depend upon internet connectivity will continue to function safely and effectively.
(c) The minimum guaranteed support time frame for a connected consumer product shall not be reduced after it is first disclosed pursuant to paragraph (a) of this subdivision. A manufacturer may extend the minimum guaranteed support time frame at any time in the manner described under paragraph (a) of this subdivision.
(d) The disclosures described in paragraph (a) of this subdivision shall also include a detailed account of the features and functionality that will be lost or compromised when the connected consumer product reaches its end of life.
(e) The manufacturer shall provide advance notification of the connected consumer product's end of life, as described in paragraph (f) of this subdivision, to the public and owners of such product:
(i) six months before such product reaches end of life; and
(ii) on the date on which such product reaches end of life.
(f) A manufacturer shall provide the notification described in paragraph (e) of this subdivision in each of the following ways:
(i) through an interface on the connected consumer product or an associated application, if practicable;
(ii) through email to owners of the connected consumer product for whom the manufacturer possesses an email address; and
(iii) on the connected consumer product's web page.
(g) Notification about the connected consumer product's end of life shall include clear information about actions consumers can take if they want to continue using the connected consumer product in a secure and effective manner, disconnecting such product from the internet and shall provide a list of features lost in, and vulnerabilities and security risks that are likely to result from such product's end of life.
(h) The manufacturer shall not sell, lease, or otherwise distribute the connected consumer product after the date that is one year before the minimum guaranteed support time frame end date for such product.
(i) A business that owns or controls a connected consumer product that it leases or otherwise provides to its customers as part of a service shall:
(i) ensure that updates provided by the manufacturer for such product are promptly received and applied; and
(ii) when the product has reached end of life:
(A) promptly so notify customers; and
(B) replace such product, at no additional cost to customers, with a comparable product capable of receiving necessary updates and support, when such comparable product is reasonably available to the business, and so notify customers.
3. Exemption. Nothing in this section shall apply to a medical device, as defined by paragraph (g) of subdivision one of section three hundred ninety-nine-nn of this article.
4. Enforcement. Any violation of the provisions of this section shall constitute an unlawful practice under section three hundred forty-nine of this chapter. All remedies, penalties, and authority granted to the attorney general therein shall be available for the enforcement of this section.
§ 3. This act shall take effect immediately.