Enacts the "data economy labor compensation and accountability act"; establishes the office of consumer data protection for the purpose of properly safeguarding personal data; imposes a tax on data controllers and data processors required to register with such office.
STATE OF NEW YORK
5662
2023-2024 Regular Sessions
IN SENATE
March 13, 2023
Introduced by Sens. GOUNARDES, HOYLMAN-SIGAL, JACKSON -- read twice and ordered printed, and when printed to be committed to the Committee on Finance
AN ACT to amend the executive law and the tax law, in relation to establishing the data economy labor compensation and accountability act
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD01552-02-3

Section 1. Short title. This act shall be known and may be cited as the "data economy labor compensation and accountability act".

§ 2. Legislative intent. a. The legislature finds that the commercialization of personal consumer data has wrought wholesale and disruptive transformations in our global markets, politics, psychology, socialization, and the basic functioning of society;

b. The legislature further finds that, according to a 2016 Rockefeller Foundation study Data Financing for the Global Good, the "data economy," in which millions of data points are endlessly gathered, organized, and exchanged by a series of vendors for the purpose of deriving value from accumulated information, has produced enough value in industrialized countries to equal 4% of their gross domestic product;

c. The legislature further finds that the consumers whose emails, texts, Internet searches, purchasing history, profile information, swipes, clicks, and more have produced such tremendous amounts of value do not receive the direct dividends of their labor;

d. The legislature further finds that large swaths of our global and national society have yet to benefit from the revolution wrought by such commercialization of their data and technology at large;

e. The legislature further finds that the proliferation of targeted advertising based on the sale, transfer, or licensing of personal consumer data has led to an exploitation of individual users' attention, leading to reduced productivity, mental acuity, and overall emotional and social well-being as well as overcrowding of digital spaces and depletion of the "common good" of limited user attention;

f. The legislature further finds that the collection and storage of vast amounts of personal consumer data carries an inherent risk of security breach if such data is compromised;

g. The legislature hereby declares that a levy on the gross receipts of commercial interests engaged in such commodification will erode the aforementioned negative externalities by incentivizing companies to collect fewer points of personal consumer data, to provide fair market value dividends directly to consumers in exchange for their productive labor, to proactively mitigate the security risks of data breaches, and to more judiciously preserve the commons of digital space and limited user attention;

h. The legislature further declares that a levy on the gross receipts of such commercial interests will redistribute the wealth created by the value of consumers from the shareholders who exploit this free labor back to the people who generate such labor;

i. The legislature further declares that the creation of a "data tax" will put New York on par with other domestic and foreign states such as Maryland, Vermont, and Austria who have similarly recognized the social, economic, and ethical justification for such tax.
§ 3. The executive law is amended by adding a new article 51 to read as follows:

ARTICLE 51
OFFICE OF CONSUMER DATA PROTECTION
Section 1004. Definitions.
1005. Applicability.
1006. Office of consumer data protection.
1007. Annual report.

§ 1004. Definitions. For the purposes of this article, the following terms shall have the following meanings:

1. "Code of conduct" shall mean a set of written policies adopted by a data controller or processor in order to facilitate compliance with the provisions of this article and any regulations promulgated by the office of consumer data protection, taking into account the specific characteristics of the data controller or processor's data operations. All codes of conduct shall be approved by the office of consumer data protection. Either a code of conduct or the data protection certification described in subdivision eight of this section may be used to demonstrate compliance with the provisions of this article and with data protection regulations promulgated by the office of consumer data protection.

2. "Consumer" shall mean a natural person who is a New York resident.

3. "Data breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4. "Data controller" or "controller" shall mean a natural or legal person which, alone or jointly with others, determines the purposes and means of processing of personal data. This includes but is not limited to any business, website, or platform that collects data while selling electronic advertising space on its platform tailored to any one or any aggregation of the items of personal data defined in this section. No data controller is exempt from the requirements of this article if they are processing pseudonymized data, whereby processing means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means. For purposes of this subdivision "pseudonymized" or "pseudonymization" means the processing of personal data in a manner that renders the personal data no longer attributable to a specific data subject without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable data subject. Any entity participating in real time auctions to facilitate the sale of digital advertising space, any entity collecting anonymized or aggregated data for the purpose of advertising, marketing, or transferring data to any party purchasing digital advertising space, and any company collecting the data of data subjects via an internet or phone-based platform, application or website registry that also markets or advertises products to consumers are considered data controllers under this article.

5. "Data operations" shall mean the collection, storage, transfer, sale, or licensing of personal data by a data controller or data processor.

6. "Data processor" or "processor" shall mean a natural or legal person that processes data on behalf of the controller. Provided, however, that when such natural or legal person is both a data controller and data processor, as defined in this section, such person shall be deemed one entity for the purposes of registration as described in paragraph (b) of subdivision two of section one thousand six of this article and taxation as described in section one hundred eighty-five of the tax law.

7. "Data protection audit" shall mean an audit conducted by the office of consumer data protection in order to assess whether a data controller or processor is in compliance with a data controller or processor's code of conduct, regulations promulgated by the office, and/or any relevant federal, state or local law. The office of consumer data protection shall adopt a rating system of "high assurance," "reasonable assurance," "limited assurance," and "very limited assurance" to measure levels of compliance with such code of conduct, laws and regulations.

8. "Data protection certification" shall refer to a certification, created by the office of consumer data protection, which serves to demonstrate compliance with the provisions of this article and with data protection regulations promulgated by such office. Data protection certification shall be voluntary for all data controllers and processors. The office shall create the criteria for such certification. Successful certification may be demonstrated by a certificate, seal, or mark which data controllers and processors may conspicuously display.

9. "Data protection impact assessment" shall mean an internal evaluation which the office of consumer data protection requires data controllers and processors to carry out in order to evaluate the level of risk associated with such controller or processor's data operations. Such assessment shall examine the origin, nature, particularity, and severity of such risk. Where a data protection impact assessment indicates that a controller or processor's data operations involve a high degree of risk, as determined by the office of consumer data protection, which cannot be mitigated by appropriate measures, such controller or processor shall be obligated to receive express approval from the office of consumer data protection prior to commencing or resuming data operations.

10. "Data subject" or "subject" shall mean a natural person for whom a data controller holds personal data, as defined in subdivision thirteen of this section, and who can be identified, directly or indirectly, by reference to such personal data.
11. "Newly established" shall refer to a limited history of data operations as determined by the office of consumer data protection. Such office may consider factors such as date of incorporation or other form of organization, whether in this state or another state, territory, district, province, nation or other jurisdiction, foreign or domestic, amount of capital raised, the entrepreneurial nature of a data controller or processor's business, or any other factor the office deems relevant in determining limited operating history and an initial date of data operations, provided that such office shall promulgate regulations with the guidelines used for determining such date and that such office shall adhere to such guidelines consistently when determining such date for all data controllers and processors required to register under paragraph (b) of subdivision two of section one thousand six of this article.

12. "Office" shall mean the office of consumer data protection established by section one thousand six of this article.

13. "Personal data" shall mean any computerized information about a data subject as set forth in this subdivision that is not made publicly available through federal, state or local government agencies or any publicly available information as it relates to a data subject's business license, status or profession, regardless of whether it is collected for the purpose of selling or transferring it to another entity. Personal data shall mean information that identifies, relates to, describes or is reasonably linked to a particular data subject or household, including but not limited to:
(a) physical address;
(b) legal name;
(c) alias;
(d) unique personal identifier;
(e) online identifier;
(f) internet protocol address;
(g) email address;
(h) account name;
(i) social security number;
(j) driver's license number;
(k) passport number;
(l) place of birth;
(m) mother's maiden name;
(n) date of birth;
(o) phone number;
(p) audio, visual, thermal or olfactory data;
(q) profession or employment related information;
(r) medical history, records of past medical treatment, or any diagnosis of a physical or mental health condition, including diagnosis, treatment or referral for addiction or substance abuse;
(s) educational information that is not already publicly available through a local, state, or federal agency;
(t) real time geolocation data or stored geolocation history;
(u) any unique biometric data, body measurement, technical analysis or measurements collected for the purpose of allowing a data subject to authenticate the subject on a device, internet application, or web-based platform;
(v) names and identifying information of a subject's immediate family;
(w) internet or any other electronic network activity, including browsing history, search history, and information regarding a subject's activity on a website or interaction with an electronic advertisement;
(x) any other information that alone, or combined with any of the information described in this subdivision, could be reasonably used to identify an individual data subject or household; and
(y) any inferences drawn from any of the combined forms of personal data that are used to create a profile of the data subject reflecting the subject's preferences, choices, characteristics, psychological trends, intelligence, aptitude, physical health or behavior.
"Personal data" shall also include any information which creates probabilistic identifiers that can be used to isolate, individualize, or identify a data subject or device to a degree of certainty more probable than not based on any item of personal information defined in this subdivision.

14. "Sale" or "sold" shall mean the disclosure, dissemination, making available, release, transfer, conveyance, license, rental, or other commercialization of data by a data controller to a third party, whether commercialization occurs via access to raw data or via use of platform interface rather than direct access to raw data. This definition shall include dissemination of data, orally, in writing, or by electronic or other means, for monetary or other valuable consideration, or otherwise for a commercial purpose, by a data controller to a third party.

15. "Third party" shall mean a natural or legal person, public authority, agency, or body other than the data subject, data controller, or data processor of the data controller.

§ 1005. Applicability. 1. The provisions of this article shall not apply to a data controller or data processor who, as determined by the office, collects, processes, or sells personal data in a way that is deemed incidental to such controller or processor's ordinary course of business, taking into account the nature, context, scope, and purposes of such data collection, processing, or sale.

2. The office shall further be empowered to exempt from the provisions of this article any data controller or processor who, as determined by such office, derives no economic benefit from such controller or processor's data operations or whose data operations are required in order to comply with a legal obligation or in the exercise of official authority, or for any other purpose, as determined by the office, which serves to further the public interest.

§ 1006. Office of consumer data protection. 1. (a) There is hereby created an office of consumer data protection, to be governed by a seven-member consumer data protection board. The board shall consist of a chairperson nominated by the governor with the advice and consent of the senate, with one vote, and six other voting board members. The governor shall have two additional appointments to the board with the advice and consent of the senate, and the temporary president of the senate and the speaker of the assembly shall have two appointments each. The members of the consumer data protection board shall engage in no occupation incompatible with their duties prescribed in this section, whether gainful or not, and shall take steps they deem necessary and proper to shield all decision making processes of the board from unwarranted and inappropriate communications and attempts to influence.

(b) The members of the consumer data protection board shall be subject to a duty of professional secrecy both during and after their terms on such board, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall apply to reporting by natural persons of infringements of this article.
(c) A member of the consumer data protection board may be dismissed before the expiration of such member's term by such member's appointing authority only in a case of serious misconduct or if such member violates the terms of paragraph (a) or (b) of this subdivision.

(d) The consumer data protection board shall appoint an executive director of the office who shall supervise all day-to-day operations of such office. The executive director may appoint necessary deputies, counsels, assistants, investigators, and other employees in order to effectuate the provisions of this article.

(e) The consumer data protection board shall ensure that the office is provided with the human, technical, and financial resources, premises, and infrastructure necessary for the effective performance of its tasks and exercise of its powers described in subdivision two of this section.

2. The office shall retain the following administrative powers and responsibilities:

(a) The office shall promulgate any and all rules and regulations it deems necessary to properly safeguard personal data, including whether and how data subjects shall consent to the processing of such data, whether and how data subjects are granted access to personal data, whether and how data subjects can request erasure of personal data, whether and how data subjects can object to the processing of their personal data for commercial purposes, any steps that a data controller or processor must take to safeguard personal data, necessary disclosures that a data controller or processor must make to data subjects when there is a potential or likely data breach, or after a data breach has occurred, and any other policies which further the interest of the protection of personal data.

(b) (i) Each data controller and processor in this state shall be required to register with the office, on an annual basis, with a digital application developed and maintained by such office. Such application shall include the name of such data controller or processor, its physical address, any email address or website associated with such data controller or processor, whether such data controller or processor offers an opt-in or opt-out model for its data operations and the specific details of how a data subject can access either of these options, a statement specifying the methods used for data operations, databases maintained, and amount of data collected, processed, or sold of both all data subjects and data subjects who reside in New York, and annual gross receipts of such controller or processor. When disclosing such annual gross receipts, a data controller or processor shall detail (A) the amount of annual gross receipts from all foreign and domestic sources, (B) annual gross receipts from domestic sources only, and (C) annual gross receipts derived from the collection, processing, and/or sale of data subjects who reside in New York.

(ii) Data controllers and processors shall pay an annual registration fee of two hundred fifty dollars, if such controller or processor has gross receipts of eight hundred sixty million dollars or less, or four hundred fifty dollars, if such controller or processor has gross receipts of over eight hundred sixty million dollars.

(iii) Any data controller or processor which fails to annually register as required by this paragraph shall be subject to a fine of between one thousand dollars and twenty thousand dollars per day. Any controller or processor found to have knowingly submitted false or incomplete information upon registration shall be subject to a fine of between ten thousand dollars and one hundred thousand dollars. All such fines shall be levied by the office, provided that the office shall consider factors such as gross income and assets of a data controller or processor and whether such controller or processor has made reasonable efforts to comply with the provisions of this paragraph when determining the amount of such fines to be levied.
(iv) The office shall determine which data controllers and processors have been newly established within the previous three years for the purposes of compliance with the reporting requirements of section one thousand seven of this article and with the tax imposed in section one hundred eighty-five of the tax law.

(c) The office shall promote public awareness and understanding of risks, rules, safeguards and rights in relation to data processing.

(d) The office shall advise on legislative and administrative measures relating to the protection of data subjects' rights and freedoms with regard to processing.

(e) The office shall provide, upon request, information to any data subject concerning the exercise of their rights under this act as created in the regulations described in paragraph (a) of this subdivision.

(f) The office shall advise data controllers and processors of their obligations under this article.

(g) The office shall encourage the formation of codes of conduct by data controllers and processors and provide an opinion and approve such codes of conduct it deems to provide sufficient safeguards.

(h) The office shall establish a data protection certification mechanism, approving all criteria for such certification and data protection seals and marks to indicate such certification. The office shall conduct a periodic review of certifications issued, where applicable, and shall deny or withdraw certifications if such criteria are not met or no longer met by a data controller or processor.

(i) The office shall establish and maintain a list of data controllers and processors who have completed data protection impact assessments and the results of such assessments.

(j) The office shall monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices.

(k) The office shall process complaints lodged by data subjects about a data controller or processor, investigating the subject matter of such complaints and informing the complainant of the progress and outcome of such investigation within a reasonable time period.

(l) The office shall conduct data protection audits of data controllers or processors upon a request from such controller or processor or from a data subject or as the office deems prudent and necessary.

(m) The office shall have the power to order a data controller or processor to provide any information it requires for the performance of the office's tasks described in this subdivision, including access to such controller or processor's premises and data processing equipment and means if needed.

(n) The office shall notify data controllers and processors when they are likely to infringe or have infringed upon a regulation such office has issued or such controller or processor's code of conduct. The office may order that such data controller or processor bring such controller or processor's data operations into compliance in a specified manner and within a specified time period. The office may further order a temporary or definitive ban on data operations or the rectification or erasure of personal data until such compliance is achieved. The office shall keep internal records of infringements by data controllers and processors of any infringements of its regulations or a controller or processor's code of conduct, and of measures taken in resolution.

(o) The office may order the suspension of data flows to a recipient in a third world country or to an international organization.

(p) The office may impose administrative fines for the purposes of encouraging compliance with any infringement of this article or a regulation such office has issued or such controller or processor's code of conduct in addition to the fine described in subparagraph (iii) of paragraph (b) of this subdivision.

(q) The office may issue opinions to the state or other institutions and bodies as well as to the public on any issue related to the protection of personal data, on its own initiative or upon request.

§ 1007. Annual report. The consumer data protection board shall produce and transmit, in conjunction with the office, an annual report to the temporary president of the senate, the speaker of the assembly, the chair of the senate finance committee, and the chair of the assembly ways and means committee, on or before January thirty-first of each year, pertaining to the data controllers and processors who have registered with the office pursuant to paragraph (b) of subdivision two of section one thousand six of this article. Such report shall contain, but not be limited to, the number of data controllers and processors registered, the number of data subjects residing in this state whose data is being collected, processed, or sold, both in the aggregate and per data controller or processor, and an analysis of the receipts generated from such controller or processor's data operations. Such report shall also be posted for public review in a clear and conspicuous manner on the office of consumer data protection's website.
§ 4. The tax law is amended by adding a new section 185 to read as follows:

§ 185. Additional tax on data controllers and data processors. 1. Notwithstanding any other provision of this chapter, or of any other law, for taxable years beginning on or after January first, two thousand twenty-four, an annual tax is hereby imposed upon every data controller or data processor, as defined in section one thousand four of the executive law, which is required to register with the office of consumer data protection pursuant to paragraph (b) of subdivision two of section one thousand six of the executive law. The office of consumer data protection shall share a complete directory of all data controllers and processors registered with such office with the commissioner for the purposes of assessing the tax imposed by this section.

2. (a) The tax shall be equal to two per centum of the estimated annual gross receipts of a data controller or processor derived from the collection, processing, and/or sale of data subjects who reside in New York. The commissioner shall calculate such estimation by multiplying a data controller or processor's annual gross domestic receipts, as reported in subparagraph (i) of paragraph (b) of subdivision two of section one thousand six of the executive law, by a sum that is equal to the quotient of the gross domestic product of New York divided by the gross domestic product of the United States, and then multiplying such sum by one hundred. If a data controller or processor disagrees with the estimation of annual gross receipts described in this paragraph, such controller or processor shall have the opportunity to present to the commissioner an alternative estimation of such controller or processor's annual gross receipts derived from the collection, processing, and/or sale of data subjects who reside in New York based on such controller or processor's internal records. If the commissioner accepts the alternative estimation so presented by such controller or processor, the commissioner shall impose a tax of two per centum of such alternative estimation on such controller or processor. As used in this subdivision, "gross domestic product" shall mean a monetary measure of the market value of all final goods and services produced and sold in a specific time period by a country or countries.

(b) Provided, however, the commissioner shall exempt the first five million dollars of the estimated gross receipts of a data controller or processor, as described in paragraph (a) of this subdivision, from the tax imposed by this section.

3. Data controllers and processors shall be exempt from such tax on gross receipts if the controller or processor has been newly established within the previous three years, as determined by the office of consumer data protection in subparagraph (iv) of paragraph (b) of subdivision two of section one thousand six of the executive law.

4. (a) All gross receipts of subsidiaries formed by a data controller or processor shall be considered assets of the data controller or processor for the purposes of determining the gross receipts exemption described in paragraph (b) of subdivision two of this section. Gross receipts of subsidiaries shall not be used in any way to offset, reduce, or discount the gross receipts of the underlying data controller or processor for the purposes of calculation of such receipts.

(b) Provided, further, an initial date of registration with the office of consumer data protection by the subsidiary of a data controller or processor which is later than such underlying controller or processor's initial date of registration shall not be used to delay such underlying controller or processor's initial date. A data controller or processor and such controller or processor's subsidiary shall count as one entity for the purposes of determining the period of time after which the tax imposed by this section shall apply.

(c) "Subsidiary" as used in this subdivision shall mean a corporation of which over fifty percent of the number of shares of stock entitling the holders thereof to vote for the election of directors or trustees is owned by the data controller or processor which formed such subsidiary.

§ 5. This act shall take effect on the one hundred eightieth day after it shall have become a law. Effective immediately, the addition, amendment and/or repeal of any rule or regulation necessary for the implementation of this act on its effective date are authorized to be made and completed on or before such effective date.