
S08507 Summary:

BILL NO: S08507

SAME AS: No Same As

SPONSOR: FAHY

COSPNSR:

MLTSPNSR:

Add §399-mm, Gen Bus L
 
Enacts the "connected consumer product end of life disclosure act", relating to requiring manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software, hardware, or firmware necessary for the product to securely function.

S08507 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          8507
 
                               2025-2026 Regular Sessions
 
                    IN SENATE
 
                                   September 12, 2025
                                       ___________
 
        Introduced  by  Sen.  FAHY  --  read twice and ordered printed, and when
          printed to be committed to the Committee on Rules
 
        AN ACT to amend the general business law, in relation  to  enacting  the
          "connected consumer product end of life disclosure act"
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  the "connected consumer product end of life disclosure act".
     3    §  2. The general business law is amended by adding a new section 399-
     4  mm to read as follows:
     5    § 399-mm. Connected consumer product end of life disclosure. 1.  Defi-
     6  nitions. As used in this section, the following  terms  shall  have  the
     7  following meanings:
     8    (a)  "Connected  consumer product" means any device, or other physical
     9  object, that is intended for consumer use and is capable  of  connecting
    10  to the internet, either directly or indirectly.  Such term shall include
    11  the  physical device, the mobile application and necessary cloud infras-
    12  tructure.
    13    (b) "End of life" means the point at  which  the  manufacturer  ceases
    14  providing  technical  support,  security  updates,  or bug fixes for the
    15  software, hardware, or firmware necessary  for  the  connected  consumer
    16  product to securely function, even if the product is still in use.
    17    (c) "Firmware" means low-level software that is embedded into hardware
    18  devices,  where such software provides the essential instructions needed
    19  for hardware to operate properly, acting as a middle layer  between  the
    20  hardware  and  higher-level software such as device operating systems or
    21  applications.
    22    (d) "Internet service provider" means a company or  organization  that
    23  provides  individuals  and  businesses  with  access to the internet via
    24  infrastructure and networking technologies that connect  to  the  global
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD13518-01-5

        S. 8507                             2
 
     1  internet,  and  that  offer  services such as broadband, fiber, DSL, and
     2  mobile data, often including email, and web hosting.
     3    (e)  "Minimum  guaranteed support time frame" means the minimum amount
     4  of time for which a company has publicly committed to providing  techni-
     5  cal  support, security updates, or bug fixes for the software, hardware,
     6  or firmware, expressed as continuing until a specific date.
     7    (f) "Product web page" means a web page  specific  to  the  particular
     8  connected  consumer product that contains features and information about
     9  such product.
    10    (g) "Security updates" means updates released to address  vulnerabili-
    11  ties in the software, hardware, or firmware used by a connected consumer
    12  product.
    13    (h)  "Vulnerability"  means a flaw in the software, hardware, or firm-
    14  ware running on a connected consumer product that lessens  the  security
    15  and  integrity  of  the software, hardware or firmware needed to operate
    16  such product.
    17    2. Requirements.  The  following  requirements  shall  apply  for  any
    18  connected  consumer  product manufactured after January first, two thou-
    19  sand twenty-four:
    20    (a) The manufacturer  shall  clearly  disclose  a  minimum  guaranteed
    21  support  time  frame to prospective buyers at the point of sale where it
    22  has the ability to make disclosures to the consumer.
    23    (i) The minimum guaranteed support time frame shall not be  inconsist-
    24  ent  with  reasonable  consumer  expectations about how long a connected
    25  consumer product's  features  that  depend  upon  internet  connectivity
    26  should last.
    27    (ii) The minimum guaranteed support time frame for a connected consum-
    28  er  product  shall not be reduced after it is disclosed pursuant to this
    29  paragraph. A manufacturer may extend the minimum guaranteed support time
    30  frame at any time by making a new disclosure pursuant to this paragraph.
    31    (b) The manufacturer shall provide clear, prominent language about the
    32  minimum guaranteed support time frame for the connected consumer product
    33  on such product's web page.
    34    (c) The manufacturer shall provide a detailed account of the  features
    35  and  functionality  lost when the connected consumer product reaches its
    36  end of life on such product's web page.
    37    (d) The manufacturer shall provide advance notification of  the  deci-
    38  sion  to  cease  providing  technical  support, security updates, or bug
    39  fixes for the software, hardware, or  firmware  to  the  owners  of  the
    40  connected consumer product:
    41    (i) six months before the product reaches end of life; and
    42    (ii) on the date on which the product reaches end of life.
    43    (e)  The  manufacturer may communicate with connected consumer product
    44  owners through any or all of the following: an interface on  the  device
    45  or  an  associated application, if practicable, on the product web page,
    46  and otherwise through email when  manufacturers  possess  such  customer
    47  data.
    48    (f)  Notifications  about the end of life shall include clear informa-
    49  tion about actions the user can take if they want to continue using  the
    50  connected  consumer  product in a secure manner, including disconnecting
    51  such product from the internet, and shall provide  a  list  of  features
    52  lost,  and  vulnerabilities and security risks that are likely to result
    53  from the end of life.
    54    (g)  Internet  service  providers  that  lease  or  otherwise  provide
    55  connected consumer products to their customers shall be responsible for:

        S. 8507                             3
 
     1    (i)  ensuring  that  such products connected to their networks receive
     2  and apply security patches; and
     3    (ii)  removing  such  products that have been declared end of life and
     4  replacing them with comparable products capable  of  receiving  software
     5  updates and security patches at no cost to the customer.
     6    3.  Enforcement  by  attorney  general.  A  violation  of  any  of the
     7  provisions of this section shall be deemed a deceptive act  or  practice
     8  within  the  meaning of section three hundred forty-nine of this chapter
     9  and any remedy provided therein shall be available for  the  enforcement
    10  of this section.
    11    4.  Enforcement  by  individuals.  Any  person who suffers damage as a
    12  result of a violation of any of the provisions of this section may bring
    13  an action to recover:
    14    (a) actual damages, which include:
    15    (i) direct costs of connected consumer product repair or replacement;
    16    (ii) costs of alternative connected consumer products during repair;
    17    (iii) transportation and shipping costs;
    18    (iv) consequential damages from connected consumer product failure;
    19    (v) lost wages from time taken for repairs; and
    20    (vi) other documented monetary losses;
    21    (b) reasonable attorney's fees and costs; and/or
    22    (c) injunctive relief.
    23    § 3. This act shall take effect immediately.