Relates to data broker regulation; prohibits the acquisition of personally identifiable information through fraudulent means; requires a data broker to develop, implement, and maintain a comprehensive information security program; requires data brokers operating in the state of New York to register with the attorney general.
STATE OF NEW YORK
________________________________________________________________________
9131
IN SENATE
February 5, 2026
___________
Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology
AN ACT to amend the general business law, in relation to data broker
regulation
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new article
2 42-A to read as follows:
3 ARTICLE 42-A
4 DATA BROKER REGULATION
5 Section 1200. Definitions.
6 1201. Acquisition of personally identifiable information; prohi-
7 bition.
8 1202. Data brokers; comprehensive information security program.
9 1203. Data brokers; registration.
10 1204. Enforcement; civil penalties.
11 § 1200. Definitions. As used in this article, unless the context
12 requires a different meaning:
13 1. "Artificial intelligence system" means any machine learning-based
14 system that, for any explicit or implicit objective, infers from the
15 inputs such system receives how to generate outputs, including content,
16 decisions, predictions, and recommendations, that can influence physical
17 or virtual environments. "Artificial intelligence system" does not
18 include any artificial intelligence system or general purpose artificial
19 intelligence model that is used for development, prototyping, and
20 research activities before such artificial intelligence system or gener-
21 al purpose artificial intelligence model is made available to deployers
22 or consumers.
23 2. "Biometric data" means data generated by automatic measurements of
24 an individual's biological characteristics, such as a fingerprint,
25 voiceprint, eye retinas, irises, or other unique biological patterns or
26 characteristics that is used to identify a specific individual. "Biome-
27 tric data" does not include a physical or digital photograph, a video or
28 audio recording or data generated therefrom, or information collected,
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD14643-02-6
S. 9131 2
1 used, or stored for health care treatment, payment, or operations under
2 HIPAA.
3 3. "Business" means a corporation, partnership, sole proprietorship,
4 firm, enterprise, franchise, association, trust or foundation, or any
5 other individual or entity carrying on a business or profession, whether
6 or not for profit. "Business" does not include a state or local agency.
7 4. "Consumer" means a natural person who is a resident of the state of
8 New York acting only in an individual or household context. "Consumer"
9 does not include a natural person acting in a commercial or employment
10 context.
11 5. "Data broker" means a business that knowingly collects and conducts
12 the sale of personally identifiable information to third parties. The
13 following activities conducted by a business, and the collection and
14 sale or licensing of personally identifiable information incidental to
15 conducting these activities, do not qualify the business as a "data
16 broker":
17 (a) providing 411 directory assistance or directory information
18 services, including name, address, and telephone number, on behalf of or
19 as a function of a telecommunications carrier;
20 (b) providing publicly available information related to a consumer's
21 business or profession; or
22 (c) providing publicly available information through real-time or
23 near-real-time alert services for health or safety purposes.
24 6. "Data broker security breach" means an unauthorized acquisition or
25 a reasonable belief of an unauthorized acquisition of more than one
26 element of personally identifiable information maintained by a data
27 broker when the personally identifiable information is not de-identi-
28 fied, redacted, or protected by another method that renders the informa-
29 tion unreadable or unusable by an unauthorized person. "Data broker
30 security breach" does not include good faith but unauthorized acquisi-
31 tion of personally identifiable information by an employee or agent of
32 the data broker for a legitimate purpose of the data broker, provided
33 that the personally identifiable information is not used for a purpose
34 unrelated to the data broker's business or subject to further unauthor-
35 ized disclosure. In determining whether personally identifiable informa-
36 tion has been acquired or is reasonably believed to have been acquired
37 by a person without valid authorization, a data broker may consider:
38 (a) indications that the personally identifiable information is in the
39 physical possession and control of a person without valid authorization,
40 such as a lost or stolen computer or other device containing personally
41 identifiable information;
42 (b) indications that the personally identifiable information has been
43 downloaded or copied;
44 (c) indications that the personally identifiable information was used
45 by an unauthorized person, such as fraudulent accounts opened or
46 instances of identity theft reported; or
47 (d) that the personally identifiable information has been made public.
48 7. (a) "De-identified data" means data that cannot reasonably be
49 linked to an identified or identifiable natural person, or a device
50 linked to such person, provided that a controller that possesses "de-i-
51 dentified data" shall:
52 (i) take reasonable measures to ensure that such information cannot be
53 associated with a consumer or a household;
54 (ii) publicly commit to maintaining and using de-identified data with-
55 out attempting to re-identify the data; and
S. 9131 3
1 (iii) contractually obligate any recipients of the de-identified data
2 to comply with all provisions of this article.
3 (b) Nothing in this article shall be construed to (i) require a
4 controller or processor to re-identify de-identified data or pseudony-
5 mous data or (ii) maintain data in identifiable form, or collect,
6 obtain, retain, or access any data or technology, in order to be capable
7 of associating an authenticated consumer request with personal data.
8 8. "Identified or identifiable natural person" means a person who can
9 be readily identified, directly or indirectly.
10 9. (a) "Personally identifiable information" means information that
11 identifies, relates to, describes, is reasonably capable of being asso-
12 ciated with, or could reasonably be linked, whether directly or indi-
13 rectly, with a particular consumer. "Personally identifiable informa-
14 tion" includes the following:
15 (i) identifiers such as a real name, alias, postal address, unique
16 personal identifier, online identifier, internet protocol address, email
17 address, account name, social security number, driver's license number,
18 passport number, or similar identifier;
19 (ii) characteristics of protected classifications under state or
20 federal law;
21 (iii) commercial information, including records of personal property,
22 product or service purchases, whether obtained or considered, or other
23 purchasing or consuming histories or tendencies;
24 (iv) biometric data;
25 (v) internet or other electronic network activity information, includ-
26 ing browsing history, search history, and information regarding a
27 consumer's interaction with an internet website application or adver-
28 tisement;
29 (vi) precise geolocation data;
30 (vii) audio, electronic, visual, thermal, olfactory, or similar infor-
31 mation;
32 (viii) information related to profession or employment;
33 (ix) education information that is not publicly available personally
34 identifiable information as defined in the family educational rights and
35 privacy act (20 U.S.C. § 1232g);
36 (x) inferences drawn from any of the information identified in this
37 definition to create a profile about a consumer reflecting the consum-
38 er's preferences, characteristics, psychological trends, predisposi-
39 tions, behavior, attitudes, intelligence, abilities, and aptitudes; and
40 (xi) sensitive data.
41 (b) "Personally identifiable information" does not include publicly
42 available information or personally identifiable information that has
43 been de-identified.
44 10. "Precise geolocation data" means information derived from technol-
45 ogy, including but not limited to global positioning system level lati-
46 tude and longitude coordinates or other mechanisms, that directly iden-
47 tifies the specific location of a natural person with precision and
48 accuracy within a radius of one thousand seven hundred fifty feet.
49 "Precise geolocation data" does not include the content of communi-
50 cations or any data generated by or connected to advanced utility meter-
51 ing infrastructure systems or equipment for use by a utility.
52 11. (a) "Publicly available information" means information that has
53 been lawfully made available to the general public from (i) federal,
54 state, or local government records, if the person collects, processes,
55 and transfers such information in accordance with any restrictions or
56 terms of use placed on the information by the relevant government enti-
S. 9131 4
1 ty; (ii) widely distributed media; or (iii) a disclosure to the general
2 public as required by federal, state, or local law.
3 (b) "Publicly available information" does not include (i) any obscene
4 visual depiction; (ii) any inference made exclusively from multiple
5 independent sources of publicly available information that reveals
6 sensitive data with respect to a consumer; (iii) biometric data; (iv)
7 personal data that is created through the combination of personal data
8 with publicly available information; (v) genetic data, unless otherwise
9 made publicly available by the individual to whom the information
10 pertains; or (vi) intimate images, whether authentic or computer-gener-
11 ated, known to be nonconsensual.
12 12. "Sale of personally identifiable information" means the exchange
13 of personally identifiable information for monetary or other valuable
14 consideration by a data broker to a third party. "Sale of personally
15 identifiable information" does not include a one-time or occasional sale
16 of assets of a business as part of a transfer of control of those assets
17 that is not part of the ordinary conduct of the business or a sale of
18 personally identifiable information that is merely incidental to the
19 business.
20 13. "Sensitive data" means a category of personal data that includes:
21 (a) personal data revealing racial or ethnic origin, religious
22 beliefs, mental or physical health diagnosis, sexual orientation, or
23 citizenship or immigration status;
24 (b) the processing of genetic or biometric data for the purpose of
25 uniquely identifying a natural person;
26 (c) the personal data collected from a known child; or
27 (d) precise geolocation data.
28 § 1201. Acquisition of personally identifiable information; prohibi-
29 tion. 1. No person shall acquire personally identifiable information
30 through fraudulent means.
31 2. No person shall acquire or use personally identifiable information
32 for the purpose of:
33 (a) stalking or harassing another person;
34 (b) committing a fraud, including identity theft, financial fraud, or
35 email fraud; or
36 (c) engaging in unlawful discrimination, including employment discrim-
37 ination or housing discrimination.
38 § 1202. Data brokers; comprehensive information security program. 1.
39 (a) A data broker shall develop, implement, and maintain a comprehensive
40 information security program that is written in one or more readily
41 accessible parts and contains administrative, technical, and physical
42 safeguards that are appropriate according to:
43 (i) the size, scope, and type of business of the data broker;
44 (ii) the amount of resources available to the data broker;
45 (iii) the amount of stored data; and
46 (iv) the need for security and confidentiality of personally identifi-
47 able information.
48 (b) A data broker shall adopt safeguards in the comprehensive security
49 program that are consistent with the safeguards for protection of
50 personally identifiable information and information of a similar charac-
51 ter set forth in other state or federal laws or regulations applicable
52 to the data broker.
53 2. A comprehensive information security program required pursuant to
54 subdivision one of this section shall include the following features:
55 (a) designation of one or more employees to maintain the program;
S. 9131 5
1 (b) identification and assessment of reasonably foreseeable internal
2 and external risks to the security, confidentiality, and integrity of
3 any electronic, paper, or other records containing personally identifi-
4 able information;
5 (c) a process for evaluating and improving, where necessary, the
6 effectiveness of the current safeguards for limiting such risks, includ-
7 ing (i) ongoing employee training, including training for temporary and
8 contract employees; (ii) employee compliance with policies and proce-
9 dures; and (iii) means of detecting and preventing security system fail-
10 ures;
11 (d) security policies for employees relating to the storage, access,
12 and transportation of records containing personally identifiable infor-
13 mation outside business premises;
14 (e) disciplinary measures for violations of the comprehensive informa-
15 tion security program rules;
16 (f) measures that prevent terminated employees from accessing records
17 containing personally identifiable information;
18 (g) supervision of third-party service providers by taking reasonable
19 steps to select and retain such providers that are capable of maintain-
20 ing appropriate security measures to protect personally identifiable
21 information consistent with applicable law and by requiring such provid-
22 ers by contract to implement and maintain appropriate security measures
23 for personally identifiable information;
24 (h) reasonable restrictions upon physical access to records containing
25 personally identifiable information and storage of the records and data
26 in locked facilities, storage areas, or containers;
27 (i) regular monitoring to ensure that the comprehensive information
28 security program is operating in a manner reasonably calculated to
29 prevent unauthorized access to or unauthorized use of personally iden-
30 tifiable information and upgrading information safeguards as necessary
31 to limit risks;
32 (j) review of the scope of the security measures (i) at least annual-
33 ly; and (ii) whenever there is a material change in business practices
34 that may reasonably implicate the security or integrity of records
35 containing personally identifiable information; and
36 (k) documentation of responsive actions taken in connection with any
37 incident involving a breach of security and mandatory post-incident
38 review of events and actions taken, if any, to make changes in business
39 practices relating to protection of personally identifiable information.
40 3. (a) A comprehensive information security program required pursuant
41 to subdivision one of this section shall, to the extent technically
42 feasible, include the following technical elements:
43 (i) a secure user authentication protocol that has (A) the control of
44 user identifications and other identifiers; (B) a reasonably secure
45 method of assigning and selecting passwords or use of unique identifier
46 technologies, such as biometrics or token devices; (C) control of data
47 security passwords to ensure that such passwords are kept in a location
48 and format that do not compromise the security of the data they protect;
49 (D) the ability to restrict access to only active users and active user
50 accounts; and (E) the ability to block access to user identification
51 after multiple unsuccessful attempts to gain access;
52 (ii) secure access control measures that restrict access to records
53 and files containing personally identifiable information to those who
54 need such information to perform their job duties and assign to each
55 person with computer access unique identifications plus passwords that
56 are not vendor-supplied default passwords and that are reasonably
S. 9131 6
1 designed to maintain the integrity of the security of the access
2 controls;
3 (iii) a mechanism that ensures that all transmitted records and files
4 containing personally identifiable information that will travel across
5 public networks and all data containing personally identifiable informa-
6 tion to be transmitted wirelessly shall be transformed to de-identified
7 data prior to such travel or transmission;
8 (iv) reasonable monitoring of systems for unauthorized use of or
9 access to personally identifiable information;
10 (v) a mechanism that ensures that all personally identifiable informa-
11 tion stored on laptops or other portable devices is de-identified prior
12 to such storage;
13 (vi) for files containing personally identifiable information on a
14 system that is connected to the internet, reasonably up-to-date firewall
15 protection and operating system security patches that are reasonably
16 designed to maintain the integrity of the personally identifiable infor-
17 mation;
18 (vii) reasonably up-to-date versions of system security agent software
19 that shall include malware protection and reasonably up-to-date patches
20 and virus definitions, or a version of such software that can still be
21 supported with up-to-date patches and virus definitions and is set to
22 receive the most current security updates on a regular basis; and
23 (viii) education and training of employees in the proper use of the
24 computer security system and the importance of personally identifiable
25 information security.
26 (b) Nothing in this subdivision shall prohibit a comprehensive infor-
27 mation security program from providing a higher degree of security than
28 the protocols described in this subdivision.
29 § 1203. Data brokers; registration. 1. Beginning on December first,
30 two thousand twenty-seven, and annually thereafter, a data broker oper-
31 ating in the state of New York shall register with the office of the
32 attorney general by paying a registration fee of one hundred thousand
33 dollars and providing the following information:
34 (a) the name and primary physical, email, and internet addresses of
35 the data broker;
36 (b) if the data broker permits a consumer to opt-out of the data
37 broker's collection of personally identifiable information, opt-out of
38 its databases, or opt-out of certain sales of data, (i) the method for
39 requesting an opt-out; (ii) which activities or sales the opt-out
40 applies to, if the opt-out applies only to certain activities or sales;
41 and (iii) whether the data broker permits a consumer to authorize a
42 third party to perform the opt-out on the consumer's behalf;
43 (c) a statement specifying the data collection, databases, or sales
44 activities from which a consumer may not opt-out;
45 (d) a statement stating whether the data broker implements a purchaser
46 credentialing process;
47 (e) the number of data broker security breaches that the data broker
48 experienced during the prior year, and, if known, the total number of
49 consumers affected by such breaches;
50 (f) where the data broker has actual knowledge that it possesses the
51 personally identifiable information of minors, a separate statement
52 detailing the data collection practices, databases, sales activities,
53 and opt-out policies that are applicable to the personally identifiable
54 information of minors;
55 (g) whether the data broker collects:
56 (i) precise geolocation data;
S. 9131 7
1 (ii) reproductive health care data;
2 (iii) biometric data;
3 (iv) data related to immigration status;
4 (v) data related to sexual orientation;
5 (vi) data related to union membership;
6 (vii) data related to name, date of birth, zip code, email address, or
7 phone number;
8 (viii) account login data in combination with any required security
9 code, access code, or password that would permit access to a consumer's
10 account by a third party;
11 (ix) data related to driver's license number, state identification
12 card number, tax identification number, social security number, passport
13 number, military identification number, or other unique identification
14 number issued on a government document commonly used to verify the iden-
15 tity of an individual; or
16 (x) data related to mobile advertising identification number,
17 connected television identification number, or vehicle identification
18 number;
19 (h) whether the data broker has shared or sold consumer data in the
20 past year with or to:
21 (i) a foreign business or government;
22 (ii) the federal government;
23 (iii) a state government;
24 (iv) any law enforcement agency, unless such data was shared pursuant
25 to a subpoena or court order; or
26 (v) a developer of an artificial intelligence system;
27 (i) between one and three of the most common categories of personally
28 identifiable information that the data broker collects; and
29 (j) any additional information or explanation the data broker chooses
30 to provide concerning its data collection practices.
31 2. The office of the attorney general shall post on its website the
32 registration information provided by data brokers as described in this
33 section.
34 § 1204. Enforcement; civil penalties. Any violation of this article
35 shall constitute a prohibited practice under the provisions of section
36 three hundred forty-nine of this chapter and shall be subject to any and
37 all of the enforcement provisions of article twenty-two-A of this chap-
38 ter.
39 § 2. This act shall take effect January 1, 2027.
