•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 
  •  
  •  LFIN 
  •  
  •  Chamber Video/Transcript 

S05662 Summary:

BILL NOS05662
 
SAME ASNo Same As
 
SPONSORGOUNARDES
 
COSPNSRHOYLMAN-SIGAL, JACKSON
 
MLTSPNSR
 
Add Art 51 §§1004 - 1007, Exec L; add §185, Tax L
 
Enacts the "data economy labor compensation and accountability act"; establishes the office of consumer data protection for the purpose of properly safeguarding personal data; imposes a tax on data controllers and data processors required to register with such office.
Go to top

S05662 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          5662
 
                               2023-2024 Regular Sessions
 
                    IN SENATE
 
                                     March 13, 2023
                                       ___________
 
        Introduced  by Sens. GOUNARDES, HOYLMAN-SIGAL, JACKSON -- read twice and
          ordered printed, and when printed to be committed to the Committee  on
          Finance
 
        AN ACT to amend the executive law and the tax law, in relation to estab-
          lishing the data economy labor compensation and accountability act

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  the "data economy labor compensation and accountability act".
     3    § 2. Legislative intent. a. The legislature finds that the commercial-
     4  ization  of  personal consumer data has wrought wholesale and disruptive
     5  transformations in our global markets, politics, psychology,  socializa-
     6  tion, and the basic functioning of society;
     7    b. The legislature further finds that, according to a 2016 Rockefeller
     8  Foundation study Data Financing for the Global Good, the "data economy,"
     9  in  which millions of data points are endlessly gathered, organized, and
    10  exchanged by a series of vendors for the purpose of deriving value  from
    11  accumulated  information,  has  produced  enough value in industrialized
    12  countries to equal 4% of their gross domestic product;
    13    c. The legislature further finds  that  the  consumers  whose  emails,
    14  texts,  Internet  searches,  purchasing  history,  profile  information,
    15  swipes, clicks, and more have produced such tremendous amounts of  value
    16  do not receive the direct dividends of their labor;
    17    d.  The  legislature further finds that large swaths of our global and
    18  national society have yet to benefit from the revolution wrought by such
    19  commercialization of their data and technology at large;
    20    e. The legislature further finds that the  proliferation  of  targeted
    21  advertising  based  on  the  sale,  transfer,  or  licensing of personal
    22  consumer data has led to an exploitation of individual users' attention,
    23  leading to reduced productivity, mental acuity,  and  overall  emotional

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD01552-02-3

        S. 5662                             2
 
     1  and  social  well-being  as  well  as overcrowding of digital spaces and
     2  depletion of the "common good" of limited user attention;
     3    f.  The  legislature  further finds that the collection and storage of
     4  vast amounts of personal consumer data carries an inherent risk of secu-
     5  rity breach if such data is compromised;
     6    g. The legislature hereby declares that a levy on the  gross  receipts
     7  of  commercial  interests engaged in such commodification will erode the
     8  aforementioned negative  externalities  by  incentivizing  companies  to
     9  collect  fewer  points of personal consumer data, to provide fair market
    10  value dividends directly to consumers in exchange for  their  productive
    11  labor,  to proactively mitigate the security risks of data breaches, and
    12  to more judiciously preserve the commons of digital  space  and  limited
    13  user attention;
    14    h.  The legislature further declares that a levy on the gross receipts
    15  of such commercial interests will redistribute the wealth created by the
    16  value of consumers from the shareholders who  exploit  this  free  labor
    17  back to the people who generate such labor;
    18    i.  The legislature further declares that the creation of a "data tax"
    19  will put New York on par with other domestic and foreign states such  as
    20  Maryland, Vermont, and Austria who have similarly recognized the social,
    21  economic, and ethical justification for such tax.
    22    §  3.  The executive law is amended by adding a new article 51 to read
    23  as follows:
    24                                 ARTICLE 51
    25                     OFFICE OF CONSUMER DATA PROTECTION
    26  Section 1004. Definitions.
    27          1005. Applicability.
    28          1006. Office of consumer data protection.
    29          1007. Annual report.
    30    § 1004. Definitions. For the purposes of this article,  the  following
    31  terms shall have the following meanings:
    32    1. "Code of conduct" shall mean a set of written policies adopted by a
    33  data  controller or processor in order to facilitate compliance with the
    34  provisions of this article and any regulations promulgated by the office
    35  of consumer data protection, taking into account the specific character-
    36  istics of the data controller or processor's data operations.  All codes
    37  of conduct shall be approved by the office  data  protection.  Either  a
    38  code of conduct or the data protection certification described in subdi-
    39  vision  eight of this section may be used to demonstrate compliance with
    40  the provisions of this article  and  with  data  protection  regulations
    41  promulgated by the office of consumer data protection.
    42    2. "Consumer" shall mean a natural person who is a New York resident.
    43    3.  "Data breach" shall mean a breach of security leading to the acci-
    44  dental or unlawful destruction, loss, alteration,  unauthorized  disclo-
    45  sure  of,  or  access to, personal data transmitted, stored or otherwise
    46  processed.
    47    4. "Data controller" or "controller" shall mean  a  natural  or  legal
    48  person  which, alone or jointly with others, determines the purposes and
    49  means of processing of personal data. This includes but is  not  limited
    50  to  any  business, website, or platform that collects data while selling
    51  electronic advertising space on its platform tailored to any one or  any
    52  aggregation  of  the  items of personal data defined in this section. No
    53  data controller is exempt from the requirements of this article if  they
    54  are  processing  pseudonymized data, whereby processing means any opera-
    55  tion or set of operations that are performed on personal data or on sets
    56  of personal data, whether or not by automated  means.  For  purposes  of

        S. 5662                             3
 
     1  this  subdivision  "pseudonymized" or "pseudonymization" means the proc-
     2  essing of personal data in a manner that renders the  personal  data  no
     3  longer  attributable to a specific data subject without the use of addi-
     4  tional  information,  provided  that  the additional information is kept
     5  separately and is subject to technical and  organizational  measures  to
     6  ensure  that  the  personal  data  is not attributed to an identified or
     7  identifiable  data  subject.  Any  entity  participating  in  real  time
     8  auctions to facilitate the sale of digital advertising space, any entity
     9  collecting anonymized or aggregated data for the purpose of advertising,
    10  marketing,  or  transferring data to any party purchasing digital adver-
    11  tising space, and any company collecting the data of data  subjects  via
    12  an  internet  or  phone-based  platform, application or website registry
    13  that also markets or advertises products  to  consumers  are  considered
    14  data controllers under this article.
    15    5.  "Data  operations"  shall  mean the collection, storage, transfer,
    16  sale, or licensing of personal data by a data controller or data proces-
    17  sor.
    18    6. "Data processor" or "processor"  shall  mean  a  natural  or  legal
    19  person that processes data on behalf of the controller. Provided, howev-
    20  er, that when such natural or legal person is both a data controller and
    21  data  processor, as defined in this section, such person shall be deemed
    22  one entity for the purposes of registration as  described  in  paragraph
    23  (b)  of  subdivision two of section one thousand six of this article and
    24  taxation as described in section one hundred eighty-five of the tax law.
    25    7. "Data protection audit" shall mean an audit conducted by the office
    26  or consumer data protection in order to assess whether a data controller
    27  or processor is in compliance with a data controller or processor's code
    28  of conduct, regulations promulgated by the office, and/or  any  relevant
    29  federal,  state  or  local  law.  The office of consumer data protection
    30  shall adopt a rating system of "high assurance," "reasonable assurance,"
    31  "limited assurance," and "very limited assurance" to measure  levels  of
    32  compliance with such code of conduct, laws and regulations.
    33    8.  "Data  protection  certification"  shall refer to a certification,
    34  created by the office of  consumer  data  protection,  which  serves  to
    35  demonstrate compliance with the provisions of this article and with data
    36  protection  regulations  promulgated  by  such  office.  Data protection
    37  certification shall be voluntary for all data controllers  and  process-
    38  ors.  The  office  shall  create  the  criteria  for such certification.
    39  Successful certification may be demonstrated by a certificate, seal,  or
    40  mark which data controllers and processors may conspicuously display.
    41    9.  "Data  protection impact assessment" shall mean an internal evalu-
    42  ation which  the  office  of  consumer  data  protection  requires  data
    43  controllers  and  processors to carry out in order to evaluate the level
    44  of risk associated with such controller or processor's data  operations.
    45  Such  assessment  shall  examine  the origin, nature, particularity, and
    46  severity of such risk. Where a data protection impact  assessment  indi-
    47  cates  that  a  controller or processor's data operations involve a high
    48  degree of risk, as determined by the office of consumer data protection,
    49  which cannot be mitigated by appropriate measures,  such  controller  or
    50  processor shall be obligated to receive express approval from the office
    51  of  consumer  data protection prior to commencing or resuming data oper-
    52  ations.
    53    10. "Data subject" or "subject" shall mean a natural person for whom a
    54  data controller holds personal data, as defined in subdivision  thirteen
    55  of  this  section, and who can be identified, directly or indirectly, by
    56  reference to such personal data.

        S. 5662                             4
 
     1    11. "Newly established" shall refer to a limited history of data oper-
     2  ations as determined by the office of  consumer  data  protection.  Such
     3  office  may consider factors such as date of incorporation or other form
     4  of organization, whether in this  state  or  another  state,  territory,
     5  district,  province,  nation or other jurisdiction, foreign or domestic,
     6  amount of capital raised, the entrepreneurial nature of a data  control-
     7  ler  or processor's business, or any other factor the office deems rele-
     8  vant in determining limited operating history and  an  initial  date  of
     9  data  operations, provided that such office shall promulgate regulations
    10  with the guidelines used for determining such date and that such  office
    11  shall  adhere to such guidelines consistently when determining such date
    12  for all data controllers and processors required to register under para-
    13  graph (b) of subdivision two of section one thousand six of  this  arti-
    14  cle.
    15    12.  "Office" shall mean the office of consumer data protection estab-
    16  lished by section one thousand six of this article.
    17    13. "Personal data" shall mean any computerized  information  about  a
    18  data  subject as set forth in this subdivision that is not made publicly
    19  available through federal, state or local  government  agencies  or  any
    20  publicly  available  information as it relates to a data subject's busi-
    21  ness  license,  status  or  profession,  regardless  of  whether  it  is
    22  collected for the purpose of selling or transferring it to another enti-
    23  ty.  Personal  data  shall mean information that identifies, relates to,
    24  describes or is reasonably linked to a particular data subject or house-
    25  hold, including but not limited to:
    26    (a) physical address;
    27    (b) legal name;
    28    (c) alias;
    29    (d) unique personal identifier;
    30    (e) online identifier;
    31    (f) internet protocol address;
    32    (g) email address;
    33    (h) account name;
    34    (i) social security number;
    35    (j) driver's license number;
    36    (k) passport number;
    37    (l) place of birth;
    38    (m) mother's maiden name;
    39    (n) date of birth;
    40    (o) phone number;
    41    (p) audio, visual, thermal or olfactory data;
    42    (q) profession or employment related information;
    43    (r) medical history, records of past medical treatment, or any diagno-
    44  sis of a physical  or  mental  health  condition,  including  diagnosis,
    45  treatment or referral for addiction or substance abuse;
    46    (s)  educational  information  that  is not already publicly available
    47  through a local, state, or federal agency;
    48    (t) real time geolocation data or stored geolocation history;
    49    (u) any unique biometric data, body measurement, technical analysis or
    50  measurements collected for the purpose of allowing  a  data  subject  to
    51  authenticate the subject on a device, internet application, or web-based
    52  platform;
    53    (v) names and identifying information of a subject's immediate family;
    54    (w)  internet  or  any  other  electronic  network activity, including
    55  browsing history, search history, and information regarding a  subject's
    56  activity on a website or interaction with an electronic advertisement;

        S. 5662                             5
 
     1    (x)  any  other  information  that  alone, or combined with any of the
     2  information described in this subdivision, could be reasonably  used  to
     3  identify an individual data subject or household; and
     4    (y)  any  inferences  drawn from any of the combined forms of personal
     5  data that are used to create a profile of the  data  subject  reflecting
     6  the   subject's  preferences,  choices,  characteristics,  psychological
     7  trends, intelligence, aptitude, physical health or behavior.
     8    "Personal data" shall also include any information which creates prob-
     9  abilistic identifiers that can be used  to  isolate,  individualize,  or
    10  identify a data subject or device to a degree of certainty more probable
    11  than  not  based  on  any  item  of personal information defined in this
    12  subdivision.
    13    14. "Sale" or "sold" shall mean the disclosure, dissemination,  making
    14  available,  release,  transfer,  conveyance,  license,  rental, or other
    15  commercialization of data by a data controller to a third party, whether
    16  commercialization occurs via access to raw data or via use  of  platform
    17  interface  rather  than direct access to raw data. This definition shall
    18  include dissemination of data, orally, in writing, or by  electronic  or
    19  other  means, for monetary or other valuable consideration, or otherwise
    20  for a commercial purpose, by a data controller to a third party.
    21    15. "Third party" shall mean a natural or legal person, public author-
    22  ity, agency, or body other than the data subject,  data  controller,  or
    23  data processor of the data controller.
    24    §  1005.  Applicability.  1.  The provisions of this article shall not
    25  apply to a data controller or data processor who, as determined  by  the
    26  office,  collects,  processes,  or  sells personal data in a way that is
    27  deemed incidental to such controller or processor's ordinary  course  of
    28  business,  taking  into account the nature, context, scope, and purposes
    29  of such data collection, processing, or sale.
    30    2. The office shall further be empowered to exempt from the provisions
    31  of this article any data controller or processor who, as  determined  by
    32  such  office,  derives  no  economic  benefit  from  such  controller or
    33  processor's data operations or whose data  operations  are  required  in
    34  order  to  comply with a legal obligation or in the exercise of official
    35  authority, or for any other purpose, as determined by the office,  which
    36  serves to further the public interest.
    37    §  1006.  Office  of  consumer data protection. 1. (a) There is hereby
    38  created an office of consumer data  protection,  to  be  governed  by  a
    39  seven-member consumer data protection board.  The board shall consist of
    40  a  chairperson  nominated by the governor with the advice and consent of
    41  the senate, with one vote, and  six  other  voting  board  members.  The
    42  governor  shall  have  two additional appointments to the board with the
    43  advice and consent of the senate, and the  temporary  president  of  the
    44  senate and the speaker of the assembly shall have two appointments each.
    45  The  members  of  the  consumer data protection board shall engage in no
    46  occupation incompatible with their duties prescribed  in  this  section,
    47  whether  gainful  or  not,  and shall take steps they deem necessary and
    48  proper to shield all decision making processes of the board from  unwar-
    49  ranted and inappropriate communications and attempts to influence.
    50    (b) The members of the consumer data protection board shall be subject
    51  to  a  duty of professional secrecy both during and after their terms on
    52  such board, with regard to any confidential information which  has  come
    53  to  their  knowledge  in the course of the performance of their tasks or
    54  exercise of their powers. During their term  of  office,  that  duty  of
    55  professional  secrecy  shall  apply  to  reporting by natural persons of
    56  infringements of this article.

        S. 5662                             6
 
     1    (c) A member of the consumer data protection board  may  be  dismissed
     2  before  the expiration of such member's term by such member's appointing
     3  authority only in a  case  of  serious  misconduct  or  if  such  member
     4  violates the terms of paragraph (a) or (b) of this subdivision.
     5    (d)  The  consumer  data  protection  board shall appoint an executive
     6  director of the office who shall supervise all day-to-day operations  of
     7  such  office.  The  executive  director  may appoint necessary deputies,
     8  counsels, assistants, investigators, and other  employees  in  order  to
     9  effectuate the provisions of this article.
    10    (e) The consumer data protection board shall ensure that the office is
    11  provided  with  the human, technical, and financial resources, premises,
    12  and infrastructure necessary for the effective performance of its  tasks
    13  and exercise of its powers described in subdivision two of this section.
    14    2.  The  office  shall  retain the following administrative powers and
    15  responsibilities:
    16    (a) The office shall promulgate any and all rules and  regulations  it
    17  deems  necessary  to properly safeguard personal data, including whether
    18  and how data subjects shall consent to  the  processing  of  such  data,
    19  whether  and  how  data  subjects  are  granted access to personal data,
    20  whether and how data subjects can  request  erasure  of  personal  data,
    21  whether  and  how  data  subjects  can object to the processing of their
    22  personal data for commercial purposes, any steps that a data  controller
    23  or processor must take to safeguard personal data, necessary disclosures
    24  that  a  data  controller  or  processor must make to data subjects when
    25  there is a potential or likely data breach, or after a data  breach  has
    26  occurred,  and  any  other  policies  which  further the interest of the
    27  protection of personal data.
    28    (b) (i) Each data controller and processor  in  this  state  shall  be
    29  required to register with the office, on an annual basis, with a digital
    30  application  developed  and  maintained by such office. Such application
    31  shall include the name of such data controller or processor,  its  phys-
    32  ical  address,  any  email  address or website associated with such data
    33  controller or processor,  whether  such  data  controller  or  processor
    34  offers  an  opt-in  or  opt-out  model  for  its data operations and the
    35  specific details of how a  data  subject  can  access  either  of  these
    36  options,  a  statement  specifying the methods used for data operations,
    37  databases maintained, and amount of data collected, processed,  or  sold
    38  of  both all data subjects and data subjects who reside in New York, and
    39  annual gross receipts of such controller or processor.  When  disclosing
    40  such  annual gross receipts, a data controller or processor shall detail
    41  (A) the amount of annual gross receipts from all  foreign  and  domestic
    42  sources,  (B)  annual gross receipts from domestic sources only, and (C)
    43  annual gross receipts derived from the  collection,  processing,  and/or
    44  sale of data subjects who reside in New York.
    45    (ii)  Data controllers and processors shall pay an annual registration
    46  fee of two hundred fifty dollars, if such controller  or  processor  has
    47  gross  receipts  of eight hundred sixty million dollars or less, or four
    48  hundred fifty  dollars,  if  such  controller  or  processor  has  gross
    49  receipts of over eight hundred sixty million dollars.
    50    (iii)  Any data controller or processor which fails to annually regis-
    51  ter as required by this paragraph shall be subject to a fine of  between
    52  one thousand dollars and twenty thousand dollars per day. Any controller
    53  or  processor  found  to  have  knowingly  submitted false or incomplete
    54  information upon registration shall be subject to a fine of between  ten
    55  thousand  dollars and one hundred thousand dollars. All such fines shall
    56  be levied by the office, provided that the office shall consider factors

        S. 5662                             7
 
     1  such as gross income and assets of a data controller  or  processor  and
     2  whether  such  controller  or  processor  has made reasonable efforts to
     3  comply with the provisions of this paragraph when determining the amount
     4  of such fines to be levied.
     5    (iv)  The office shall determine which data controllers and processors
     6  have been newly established within the  previous  three  years  for  the
     7  purposes  of  compliance  with the reporting requirements of section one
     8  thousand seven of this article and with the tax imposed in  section  one
     9  hundred eighty-five of the tax law.
    10    (c)  The  office  shall  promote public awareness and understanding of
    11  risks, rules, safeguards and rights in relation to data processing.
    12    (d) The office shall advise on legislative and administrative measures
    13  relating to the protection of data subjects' rights  and  freedoms  with
    14  regard to processing.
    15    (e)  The  office  shall provide, upon request, information to any data
    16  subject concerning the exercise  of  their  rights  under  this  act  as
    17  created  in  the regulations described in paragraph (a) of this subdivi-
    18  sion.
    19    (f) The office shall advise data controllers and processors  of  their
    20  obligations under this article.
    21    (g)  The  office  shall encourage the formation of codes of conduct by
    22  data controllers and processors and provide an opinion and approve  such
    23  codes of conduct it deems to provide sufficient safeguards.
    24    (h)  The  office shall establish a data protection certification mech-
    25  anism, approving all criteria for such certification and data protection
    26  seals and marks to  indicate  such  certification.    The  office  shall
    27  conduct  a  periodic  review of certifications issued, where applicable,
    28  and shall deny or withdraw certifications if such criteria are  not  met
    29  or no longer met by a data controller or processor.
    30    (i) The office shall establish and maintain a list of data controllers
    31  and processors who have completed data protection impact assessments and
    32  the results of such assessments.
    33    (j)  The  office  shall monitor relevant developments, insofar as they
    34  have an impact on the protection of personal  data,  in  particular  the
    35  development of information and communication technologies and commercial
    36  practices.
    37    (k)  The office shall process complaints lodged by data subjects about
    38  a data controller or processor, investigating the subject matter of such
    39  complaints and informing the complainant of the progress and outcome  of
    40  such investigation within a reasonable time period.
    41    (l)  The  office shall conduct data protection audits of data control-
    42  lers or processors upon a request from such controller or  processor  or
    43  from a data subject or as the office deems prudent and necessary.
    44    (m)  The  office  shall  have  the power to order a data controller or
    45  processor to provide any information it requires for the performance  of
    46  the  office's  tasks  described in this subdivision, including access to
    47  such controller or processor's premises and  data  processing  equipment
    48  and means if needed.
    49    (n)  The office shall notify data controllers and processors when they
    50  are likely to infringe or have infringed upon a regulation  such  office
    51  has issued or such controller or processor's code of conduct. The office
    52  may  order  that such data controller or processor bring such controller
    53  or processor's data operations into compliance in a specified manner and
    54  within a specified time period. The office may further order a temporary
    55  or definitive ban on data operations or the rectification or erasure  of
    56  personal  data  until such compliance is achieved. The office shall keep

        S. 5662                             8
 
     1  internal records of infringements by data controllers and processors  of
     2  any infringements of its regulations or a controller or processor's code
     3  of conduct, and of measures taken in resolution.
     4    (o)  The  office may order the suspension of data flows to a recipient
     5  in a third world country or to an international organization.
     6    (p) The office may impose administrative fines  for  the  purposes  of
     7  encouraging  compliance with any infringement of this article or a regu-
     8  lation such office has issued or such controller or processor's code  of
     9  conduct in addition to the fine described in subparagraph (iii) of para-
    10  graph (b) of this subdivision.
    11    (q)  The  office may issue opinions to the state or other institutions
    12  and bodies as well as  to  the  public  on  any  issue  related  to  the
    13  protection of personal data, on its own initiative or upon request.
    14    §  1007.  Annual  report.  The  consumer  data  protection board shall
    15  produce and transmit, in conjunction with the office, an  annual  report
    16  to  the  temporary president of the senate, the speaker of the assembly,
    17  the chair of the senate finance committee, and the chair of the assembly
    18  ways and means committee, on or  before  January  thirty-first  of  each
    19  year,  pertaining to the data controllers and processors who have regis-
    20  tered with the office pursuant to paragraph (b) of  subdivision  two  of
    21  section one thousand six of this article. Such report shall contain, but
    22  not  be limited to, the number of data controllers and processors regis-
    23  tered, the number of data subjects residing in this state whose data  is
    24  being  collected, processed, or sold, both in the aggregate and per data
    25  controller or processor, and an analysis of the receipts generated  from
    26  such  controller  or processor's data operations. Such report shall also
    27  be posted for public review in a clear and  conspicuous  manner  on  the
    28  office of consumer data protection's website.
    29    §  4.  The  tax  law is amended by adding a new section 185 to read as
    30  follows:
    31    § 185. Additional tax on data controllers and  data  processors.    1.
    32  Notwithstanding  any  other  provision  of this chapter, or of any other
    33  law, for taxable years beginning on or after January first, two thousand
    34  twenty-four, an annual tax is hereby imposed upon every data  controller
    35  or data processor, as defined in section one thousand four of the execu-
    36  tive law, which is required to register with the office of consumer data
    37  protection  pursuant  to paragraph (b) of subdivision two of section one
    38  thousand  six  of  the  executive  law.  The  office  of  consumer  data
    39  protection  shall share a complete directory of all data controllers and
    40  processors registered with such office with  the  commissioner  for  the
    41  purposes of assessing the tax imposed by this section.
    42    2. (a) The tax shall be equal to two per centum of the estimated annu-
    43  al  gross  receipts  of  a data controller or processor derived from the
    44  collection, processing, and/or sale of data subjects who reside  in  New
    45  York.  The commissioner shall calculate such estimation by multiplying a
    46  data controller  or  processor's  annual  gross  domestic  receipts,  as
    47  reported  in  subparagraph  (i)  of  paragraph (b) of subdivision two of
    48  section one thousand six of the executive law, by a sum that is equal to
    49  the quotient of the gross domestic product of New York  divided  by  the
    50  gross  domestic  product of the United States, and then multiplying such
    51  sum by one hundred. If a data controller or processor disagrees with the
    52  estimation of annual gross receipts described in  this  paragraph,  such
    53  controller  or  processor  shall  have the opportunity to present to the
    54  commissioner an alternative estimation of such controller or processor's
    55  annual gross receipts derived from the  collection,  processing,  and/or
    56  sale of data subjects who reside in New York based on such controller or

        S. 5662                             9
 
     1  processor's  internal  records. If the commissioner accepts the alterna-
     2  tive estimation so  presented  by  such  controller  or  processor,  the
     3  commissioner  shall  impose  a tax of two per centum of such alternative
     4  estimation on such controller or processor. As used in this subdivision,
     5  "gross  domestic  product"  shall  mean a monetary measure of the market
     6  value of all final goods and services produced and sold  in  a  specific
     7  time period by a country or countries.
     8    (b)  Provided,  however,  the commissioner shall exempt the first five
     9  million dollars of the estimated gross receipts of a data controller  or
    10  processor,  as  described in paragraph (a) of this subdivision, from the
    11  tax imposed by this section.
    12    3. Data controllers and processors shall be exempt from  such  tax  on
    13  gross receipts if the controller or processor has been newly established
    14  within the previous three years, as determined by the office of consumer
    15  data protection in subparagraph (iv) of paragraph (b) of subdivision two
    16  of section one thousand six of the executive law.
    17    4.  (a) All gross receipts of subsidiaries formed by a data controller
    18  or processor shall be  considered  assets  of  the  data  controller  or
    19  processor  for  the purposes of determining the gross receipts exemption
    20  described in paragraph (b) of subdivision two of this  section.    Gross
    21  receipts of subsidiaries shall not be used in any way to offset, reduce,
    22  or  discount  the  gross  receipts  of the underlying data controller or
    23  processor for the purposes of calculation of such receipts.
    24    (b) Provided, further, an initial date of registration with the office
    25  of consumer data protection by the subsidiary of a  data  controller  or
    26  processor  which is later than such underlying controller or processor's
    27  initial date of registration shall not be used to delay such  underlying
    28  controller  or  processor's initial date. A data controller or processor
    29  and such controller or processor's subsidiary shall count as one  entity
    30  for  the  purposes of determining the period of time after which the tax
    31  imposed by this section shall apply.
    32    (c) "Subsidiary" as used in this subdivision shall mean a  corporation
    33  of  which  over fifty percent of the number of shares of stock entitling
    34  the holders thereof to vote for the election of directors or trustees is
    35  owned by the data controller or processor which formed such subsidiary.
    36    § 5. This act shall take effect on the one hundred eightieth day after
    37  it shall have become a law. Effective immediately, the addition,  amend-
    38  ment and/or repeal of any rule or regulation necessary for the implemen-
    39  tation  of  this act on its effective date are authorized to be made and
    40  completed on or before such effective date.
Go to top