NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A5220
SPONSOR: Dinowitz
 
TITLE OF BILL:
An act to amend the general business law, in relation to restricting the
disclosure of personal information by businesses
 
SUMMARY OF PROVISIONS:
Section One states that this Act shall be known and cited as the "Right to Know Act 2017."
Section Two states the legislative intent.
Section Three changes the article heading of article 39-F of the General Business Law from "Notification of Unauthorized Acquisition of Private Information" to "Acquisition and Use of Private Information."
Section Four of the bill amends the General Business Law to add a new
section 899-bb which states that a business that retains a customer's
personal information shall make available to the customer free of charge
access to, or copies of, all of the customer's personal information
retained by the business.
A business that discloses a customer's personal information to a third
party shall make the following information available to the customer
free of charge:
*All categories of the customer's personal information that were
disclosed; and
*The names and contact information of all third parties that received
the customer's personal information from the business, including the
third party's designated request address or addresses if available.
*A business required to comply with this Act shall make the required
information available by one or more of the following means:
*By providing a designated request address and, upon receipt of a
request, providing the customer within thirty days with the required
information for all disclosures occurring in the prior twelve months,
provided that:
>If the business has an online privacy policy, that policy includes a description of a customer's right, accompanied by one or more designated request addresses; provided that a business with multiple online privacy policies must include this information in the policy of each product or service that collects personal information that may be disclosed to a third party;
>The business ensures that all persons responsible for handling customer inquiries about the business' privacy practices or the business' compliance with this section are informed of all designated request addresses; and
>The business provides information pertaining to the specific customer if that information is reasonably available to the business, and provides information in standardized format if information pertaining to the specific customer is not reasonably available.
For information required to be provided under this Act, the business
must provide the customer with notice including the required information
prior to or immediately following a disclosure.
A business is not obligated to provide more than one notice to the same customer in a twelve-month period about the disclosure of the same personal information to the same third party, and is not obligated to respond to a request by the same customer more than once within a twelve-month period.
A business is not obligated to provide information to the customer if the business cannot reasonably verify that the individual making the request is the customer.
"Categories of information" is defined as:
*Identity information including, but not limited to, real name, alias, nickname or user name;
*Address information, including but not limited to, postal address or email;
*Telephone number;
*Account name;
*Social Security number or other government-issued identification number, including but not limited to, social security number, driver's license number, identification card number and passport number;
*Birthdate or age;
*Physical characteristic information, including but not limited to
height and weight;
*Sexual information, including, but not limited to, sexual orientation,
sex, gender status, gender identity or expression;
*Race or ethnicity;
*Religious affiliation or activity;
*Political affiliation or activity;
*Professional or employment-related information;
*Educational information;
*Medical information, including but not limited to, medical conditions
or drugs, therapies, mental health or medical products or equipment
used;
*Financial information, including but not limited to, credit, debit, or
account numbers account balances, payment history or information related
to assets, liabilities or general creditworthiness;
*Commercial information, including but not limited to, records of property, products or services provided, obtained or considered or other purchasing or consuming histories or tendencies;
*Location information;
*Internet or mobile activity information, including, but not limited to,
Internet protocol addresses or information concerning the access or use
of any Internet or mobile-based site or service;
*Content, including text, photographs, audio or visual recordings or
other material generated or provided by the customer.
The legislation further provides a definitional section. A violation of the Act gives the customer, the Attorney General, a District Attorney, a City Attorney, or a City Prosecutor the right to bring a civil action to recover penalties in a court of competent jurisdiction.
 
JUSTIFICATION:
The Right to Know Act will modernize current privacy law and give New York consumers an effective tool to monitor how their personal information, including information about their health, finances, location, politics, religion, sexual orientation, buying habits, and more, is being collected and disclosed in unexpected and possibly harmful ways.
Many websites incorporate scores of tracking tools that collect information about visitors like age, gender, race, income, health concerns and recent purchases for advertising and marketing companies.
Many mobile applications (apps) share location, age, gender, phone numbers, and other personal details of both adults and children with third party companies - which can lead to potential danger for the consumer involved in the transaction. And Facebook apps used by a consumer's "friend" can often access sensitive information about that consumer, including religious, political, and sexual preferences.
There are numerous examples of companies that collect information about consumer activities inadvertently exposing sensitive personal information such as pregnancy status or sexual orientation. Data brokers are engaged in the widespread buying, selling, and trading of personal information obtained from mobile phones, banks, social media sites, and stores, creating a secondary market for confidential consumer data. When this information is incorrect, it can impact credit scores, harming an individual at their place of employment or causing them to be denied credit. Moreover, scammers are using data broker lists to target vulnerable populations, such as senior citizens.
 
LEGISLATIVE HISTORY:
2015-16 - A.2134A - Referred to Consumer Protection/S.68A - Referred to
Consumer Protection
 
FISCAL IMPLICATIONS:
Minimal
 
EFFECTIVE DATE:
This act shall take effect immediately.
STATE OF NEW YORK
5220
2017-2018 Regular Sessions
IN ASSEMBLY
February 7, 2017
Introduced by M. of A. DINOWITZ -- read once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to restricting the disclosure of personal information by businesses
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
Section 1. This act shall be known and may be cited as the "right to know act of 2017".
§ 2. The legislature hereby finds and declares that the right to privacy is a personal and fundamental right protected by the United States Constitution. All individuals have a right of privacy in information pertaining to them.
This state recognizes the importance of providing consumers with transparency about how their personal information has been shared by businesses. For free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are purchased by businesses for direct marketing purposes. With these specifics, consumers can knowledgeably choose to opt-in or opt-out or choose among businesses that disclose information to third parties for direct marketing purposes on the basis of how protective the business is of consumers' privacy.
Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some web sites are installing up to one hundred tracking tools when consumers visit web pages and sending very personal information such as age, gender, race, income, health concerns, and recent purchases to third-party advertising and marketing companies. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.
Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.
Consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
§ 3. The article heading of article 39-F of the general business law, as added by chapter 442 of the laws of 2005, is amended to read as follows:
[NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND USE OF PRIVATE INFORMATION
§ 4. The general business law is amended by adding a new section 899-bb to read as follows:
§ 899-bb. Disclosure of a customer's personal information to a third party. 1. (a) A business that retains a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business.
(b) A business that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:
(1) All categories of the customer's personal information that were disclosed, including the categories set forth in paragraph (a) of subdivision four of this section.
(2) The names and contact information of all of the third parties that received the customer's personal information from the business, including the third party's designated request address or addresses if available.
2. A business required to comply with subdivision one of this section shall make the required information available by one or more of the following means:
(a) By providing a designated request address and, upon receipt of a request under this section to the designated request address, providing the customer within thirty days with the required information for all disclosures occurring in the prior twelve months, provided that:
(1) if the business has an online privacy policy, that policy includes a description of a customer's rights pursuant to this section accompanied by one or more designated request addresses; provided that a business with multiple online privacy policies must include this information in the policy of each product or service that collects personal information that may be disclosed to a third party;
(2) the business ensures that all persons responsible for handling customer inquiries about the business' privacy practices or the business' compliance with this section are informed of all designated request addresses; and
(3) the business provides information pertaining to the specific customer if that information is reasonably available to the business, and provides information in standardized format if information pertaining to the specific customer is not reasonably available.
(b) For information required to be provided by paragraph (b) of subdivision one of this section, by providing the customer with notice including the required information prior to or immediately following a disclosure.
(c) By providing the customer the disclosure required by Section 6803 of Title 15 of the United States Code, but only if the disclosure also complies with this section.
3. (a) A business is not obligated to provide more than one notice under paragraph (b) of subdivision two of this section to the same customer in a twelve-month period about the disclosure of the same personal information to the same third party and is not obligated under paragraph (a) of subdivision two of this section to respond to a request by the same customer more than once within a given twelve-month period.
(b) A business is not obligated to provide information to the customer pursuant to subdivision one of this section if the business cannot reasonably verify that the individual making the request is the customer.
4. For purposes of this section, the following terms have the following meanings:
(a) "Categories of personal information" includes, but is not limited to, the following:
(1) Identity information including, but not limited to, real name, alias, nickname, and user name.
(2) Address information, including, but not limited to, postal address or e-mail.
(3) Telephone number.
(4) Account name.
(5) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.
(6) Birthdate or age.
(7) Physical characteristic information, including, but not limited to, height and weight.
(8) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.
(9) Race or ethnicity.
(10) Religious affiliation or activity.
(11) Political affiliation or activity.
(12) Professional or employment-related information.
(13) Educational information.
(14) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.
(15) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.
(16) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.
(17) Location information.
(18) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.
(19) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.
(20) Any of the above categories of information as they pertain to the children of the customer.
(b) (1) "Customer" means an individual who is a resident of New York state who provides personal information to a business, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.
(2) An individual is also the customer of a business if that business obtained the personal information of that individual from any other business.
(c) "Designated request address" means a mailing address, e-mail address, web page, toll-free telephone number, or other applicable contact information, whereby customers may request or obtain the information required to be provided under subdivision one of this section.
(d) (1) "Disclose" means to disclose, release, share, transfer, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party as defined in this section.
(2) "Disclose" does not include:
(A) Disclosure of personal information by a business to a third party pursuant to a written contract authorizing the third party to utilize the personal information to perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (I) the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the business and from disclosing any such personal information to additional third parties and (II) the business effectively enforces these prohibitions.
(B) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
(C) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing business' rights or property; or to protect customers or the public from illegal activities as required or permitted by law.
(D) Disclosure of personal information by a business to a third party that is otherwise lawfully available to the general public, provided that the business did not direct the third party to the personal information.
(e) "Personal information" means:
(1) Any information that identifies or references a particular individual or electronic device, including, but not limited to, a real name, alias, postal address, telephone number, electronic mail address, Internet protocol address, account name, social security number, driver's license number, passport number, or any other identifier intended or able to be uniquely associated with a particular individual or device.
(2) Any information that relates to or describes an individual if such information is disclosed in connection with any identifying or referencing information as defined in subparagraph one of this paragraph.
(f) (1) "Retains" means to store or otherwise hold information, whether the information is collected or obtained directly from the subject of the information or from any third party.
(2) "Retains" does not include information that is stored or otherwise held solely for one or more of the following purposes, so long as the information is deleted as soon as it is no longer needed for those purposes:
(A) To perform a service or complete a transaction initiated by or on behalf of the customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services.
(B) To address fraud, security, or technical issues; to protect the disclosing business' rights or property; or to protect customers or the public from illegal activities as required or permitted by law.
(C) To comply with applicable law or regulation or with a court order or other legal process where the business has a good-faith belief that the law, regulation, court order, or legal process requires the information to be stored or held.
(g) "Third party" or "third parties" means one or more of the following:
(1) A business that is a separate legal entity from the business that has disclosed personal information.
(2) A business that does not share common ownership or common corporate control with the business that has disclosed personal information.
(3) A business that does not share a brand name or common branding with the business that has disclosed personal information such that the affiliate relationship is clear to the customer.
5. The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
6. A violation of this section constitutes an injury to a customer. A civil action to recover penalties may be brought by a customer, the attorney general, a district attorney, a city attorney, or a city prosecutor, in a court of competent jurisdiction.
§ 5. This act shall take effect immediately.