Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A2587
SPONSOR: Vanel
 
TITLE OF BILL:
An act to amend the executive law, in relation to enacting the New York
data protection act
 
PURPOSE OR GENERAL IDEA OF BILL:
Creates the New York Data Protection Act, intended to strengthen the
rights of individuals to safeguarding their personal information against
unauthorized collection and usage by government entities and contrac-
tors.
 
SUMMARY OF PROVISIONS:
Section 81 gives applicable definitions.
Section 82 provides an individual the right to request disclosure.
Section 83 provides the individual's right to request deletion of
personal information.
Section 84 defines which personal information may be requested by an
individual.
Section 85 allows individuals to request disclosure of personal informa-
tion shared by government entities or contractors.
Section 86 outlines which personal information may not be shared by
government entities or contractors.
Section 87 ensures that individuals will not be discriminated against
for exercising any of the rights under this article.
Section 88 requires government entities to ensure that the mechanisms
used to request and delete personal information be reasonably accessible
to individuals.
Section 89 places limitations on the obligations imposed on government
entities under this article.
Section 89-a details the recourse available for individuals who have
been subject to unauthorized usage of their personal information.
Section 89-b allows government entities to seek outside counsel to aid
them in compliance With the provisions of this article.
 
JUSTIFICATION:
In an increasing modern and data-driven age, information is among the
most valuable assets to New Yorkers. For decades, the digital and infor-
mation economy has been developing. With no meaningful regulations in
place, major institutions, social media platforms and others have care-
lessly and, at times, willfully placed our vital information, personal
reputations, and political liberties into harm's way. Some governments
have begun to offer their citizens a set of rights regarding the use and
safety of their data. It is long past time for New York to do the same.
On May 25, 2018 the General Data Protection Regulation ("GDPR") took
effect in all European Union member states. The GDPR was the result of a
nearly seven-year process that sought to fundamentally change how organ-
izations and individuals interact with their data.
Through the GDPR, EU residents were granted the right to:
-Access all of the personal information an individual company had
collected on them;
-Learn exactly how the company had collected the information; and
-Request the deletion of that information.
While the GDPR focus primarily on consumers' interactions with private
data compilers and processors, this legislation aims to finally provide
New Yorkers with the rights between their data and the government and
state agencies. By treating New York State and its several agencies as
data compilers, this law will ensure that New Yorkers will have rights
to their personal information with respect to the State.
The NY Data Protection Act would give New Yorkers the following rights
against government entities and government contactors- (1) Right to
Request Disclosure of Personal Information Collected and Use;
(2) Right to request deletion of personal information, and (3) Right not
to be discriminated against.
 
PRIOR LEGISLATIVE HISTORY:
01/28/21 referred to governmental operations
01/05/22 referred to governmental operations
 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
To be determined.
 
EFFECTIVE DATE:
This act shall take effect one year after it shall have become a law.
STATE OF NEW YORK
________________________________________________________________________
2587
2023-2024 Regular Sessions
IN ASSEMBLY
January 26, 2023
___________
Introduced by M. of A. VANEL -- read once and referred to the Committee
on Governmental Operations
AN ACT to amend the executive law, in relation to enacting the New York
data protection act
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "New York data protection act".
3 § 2. The executive law is amended by adding a new article 5-A to read
4 as follows:
5 ARTICLE 5-A
6 NEW YORK DATA PROTECTION ACT
7 Section 81. Definitions.
8 82. Right to request disclosure.
9 83. Right to request deletion of personal information.
10 84. Personal information which may be requested.
11 85. Shared information; government entities or contractors.
12 86. Non-shareable personal information.
13 87. Right not to be discriminated against.
14 88. Accessibility.
15 89. Limitation on restrictions.
16 89-a. Relief.
17 89-b. Compliance guidance.
18 § 81. Definitions. As used in this article, the following terms shall
19 have the following meanings unless otherwise specified:
20 1. "Aggregate personal information" shall mean information that
21 relates to a group or category of individuals, from which individual
22 identities have been removed, that is not linked or reasonably linkable
23 to any individual or household, including via a device. "Aggregate
24 personal information" shall not mean one or more individual's records
25 that have been de-identified.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD06208-01-3
A. 2587 2
1 2. "Collects", "collected", or "collection" shall mean gathering,
2 obtaining, receiving, or accessing any personal information pertaining
3 to an individual by any means. This includes receiving information from
4 such individual either actively or passively.
5 3. "Contractor" means a contractor, or subcontractor of a contractor,
6 that contracts to process information on behalf of a government entity
7 and to which such government entity discloses an individual's personal
8 information for a legitimate government purpose pursuant to a written
9 contract, provided that such contract prohibits such contractor or
10 subcontractor receiving such personal information from retaining, using,
11 or disclosing such personal information for any purpose other than for
12 the specific purpose of performing the services specified in such
13 contract, or as otherwise permitted by this article, including retain-
14 ing, using, or disclosing such personal information for a commercial
15 purpose other than providing the services specified in the contract.
16 4. "Deidentified" shall mean information that cannot reasonably iden-
17 tify, relate to, describe, be capable of being associated with, or be
18 linked, directly or indirectly, to a particular individual, provided
19 that a government entity that uses such deidentified information:
20 (a) has implemented technical safeguards and processes that prohibit
21 reidentification of the individual to whom such information may pertain;
22 (b) has implemented processes to prevent inadvertent release of
23 deidentified information; and
24 (c) makes no attempt to reidentify such information.
25 5. "Designated methods for submitting requests" shall mean a mailing
26 address, email address, internet web page, internet web portal, toll-
27 free telephone number, or other applicable contact information, whereby
28 individuals may submit a request or direction under this article, and
29 any new means of contacting a government entity, as approved by the
30 attorney general.
31 6. "Device" shall mean any physical object that is capable of connect-
32 ing to the internet, directly or indirectly, or to another device.
33 7. "Government entity" or "entity" shall mean any state agency or any
34 part, body, or subdivision thereof.
35 8. "Homepage" shall mean the introductory page of an internet web site
36 and any internet web page where personal information is collected.
37 9. "Individual" shall mean a person who is a resident of New York
38 state.
39 10. (a) "Personal information" shall mean information that identifies,
40 relates to, describes, is capable of being associated with, or could
41 reasonably be linked, directly or indirectly, with a particular individ-
42 ual or household. Personal information includes, but is not limited to,
43 the following:
44 (i) identifiers such as a real name, alias, postal address, unique
45 personal identifier, internet protocol address, email address, social
46 security number, driver's license number, passport number, photograph,
47 or other similar identifiers;
48 (ii) characteristics of protected classifications under New York or
49 federal law;
50 (iii) commercial information, including records of real or personal
51 property;
52 (iv) biometric information;
53 (v) audio, electronic, visual, or similar information;
54 (vi) professional or employment-related information;
A. 2587 3
1 (vii) education information, defined as information that is not
2 publicly available personally identifiable information as defined in the
3 family educational rights and privacy act (20 USC 1232g);
4 (viii) inferences drawn from any of the information identified in this
5 subdivision to create a profile about an individual reflecting such
6 individual's preferences, characteristics, psychological trends, predis-
7 positions, behavior, attitudes, intelligence, abilities, and aptitudes;
8 and
9 (ix) financial or tax information.
10 (b) "Personal information" shall not include publicly available infor-
11 mation. For these purposes, "publicly available" shall mean information
12 that is lawfully made available from federal, state, or local government
13 records, or any conditions associated with such information. "Publicly
14 available" shall not include an individual's information that is deiden-
15 tified or aggregate personal information.
16 11. "Probabilistic identifier" shall mean the identification of an
17 individual or a device to a degree of certainty of more probable than
18 not based on any categories of personal information included in, or
19 similar to, the categories enumerated in subdivision ten of this
20 section.
21 12. "Process" or "processing" shall mean any operation or set of oper-
22 ations that are performed on personal data or on sets of personal data,
23 whether or not by automated means.
24 13. "Pseudonymize" or "pseudonymization" shall mean the processing of
25 personal information in a manner that renders such personal information
26 no longer attributable to a specific individual without the use of addi-
27 tional information, provided that such additional information is kept
28 separately and is subject to technical and organizational measures to
29 ensure that such personal information is not attributed to an identified
30 or identifiable individual.
31 14. (a) "Sell", "selling", "sale", or "sold" shall mean selling, rent-
32 ing, releasing, disclosing, disseminating, making available, trans-
33 ferring, or otherwise communicating orally, in writing, or by electronic
34 or other means, an individual's personal information by a government
35 entity or contractor to a third party for monetary or other valuable
36 consideration.
37 (b) A government entity or contractor does not sell personal informa-
38 tion within the meaning of this article when:
39 (i) An individual uses or directs such government entity or contractor
40 to intentionally disclose personal information to a third party,
41 provided such third party also does not sell such personal information,
42 unless such disclosure would be consistent with the provisions of this
43 article.
44 (ii) Such government entity or contractor uses or shares with a third
45 party personal information of an individual that is necessary to perform
46 a legitimate government purpose if both of the following conditions are
47 met:
48 (1) the government entity or contractor has provided notice that
49 information is being used or shared; and
50 (2) the third party does not further collect, sell, or use the
51 personal information of such individual except as necessary to perform
52 the business purpose for which it received such information.
53 (iii) A contractor who transfers to a third party an individual's
54 personal information as an asset that is part of a merger, acquisition,
55 bankruptcy, or other transaction in which such contractor or third party
56 assumes control of all or part of such third party provided that such
A. 2587 4
1 information is used or shared consistently with this article. If a
2 third party materially alters how it uses or shares personal information
3 of an individual in a manner that is materially inconsistent with the
4 promises made at the time of collection, it shall provide prior notice
5 of the new or changed practice to such individual. Such notice shall be
6 sufficiently prominent and robust to ensure that individuals can easily
7 exercise their choices consistently with section eighty-three of this
8 article.
9 15. "Service" or "services" shall mean work, labor, and services,
10 including services furnished in connection with the sale or repair of
11 goods.
12 16. "Third party" shall mean a person or business entity who is not
13 another government entity or contractor thereof.
14 17. "Unique identifier" or "unique personal identifier" shall mean a
15 persistent identifier that can be used to recognize an individual, a
16 family, or a device that is linked to an individual or family, over time
17 and across different services, including, but not limited to, a device
18 identifier; an internet protocol address; cookies, beacons, pixel tags,
19 or similar technology; unique pseudonym, or user alias; telephone
20 numbers, or other forms of persistent or probabilistic identifiers that
21 can be used to identify a particular individual or device. For purposes
22 of this subdivision, "family" means a custodial parent or guardian and
23 any minor children over which such parent or guardian has custody.
24 18. "Verifiable information request" shall mean a request to a govern-
25 ment entity that is made by an individual, by an individual on behalf of
26 such individual's minor child, or by a natural person or a person regis-
27 tered with the secretary of state, authorized by such individual to act
28 on such individual's behalf, and that such government entity or contrac-
29 tor can reasonably verify, pursuant to regulations adopted by the attor-
30 ney general to be such individual about whom such government entity or
31 contractor has collected personal information. A government entity or
32 contractor shall not be obligated to provide information to such indi-
33 vidual pursuant to sections eighty-two and eighty-three of this article
34 if such government entity or contractor cannot verify that such individ-
35 ual making such request is the same individual about whom such govern-
36 ment entity has collected information, or is a person authorized by such
37 individual to act on such individual's behalf.
38 § 82. Right to request disclosure. 1. Any individual shall have the
39 right to request that a government entity or contractor that collects
40 personal information disclose to such individual the categories and
41 specific pieces of personal information such government entity or
42 contractor has collected.
43 2. A government entity that collects an individual's personal informa-
44 tion shall, at or before the point of collection, inform such individual
45 as to the categories of personal information to be collected and the
46 purposes for which such categories of personal information shall be
47 used. A government entity or contractor shall not collect additional
48 categories of personal information or use personal information collected
49 for additional purposes without providing such individual with notice
50 consistent with this article.
51 3. A government entity or contractor shall provide the information
52 specified in subdivision one of this section to an individual only upon
53 receipt of a verifiable information request.
54 4. A government entity or contractor that receives a verifiable infor-
55 mation request from an individual to access personal information shall
56 promptly take steps to disclose and deliver, free of charge to such
A. 2587 5
1 individual, such personal information required by this section. Such
2 information may be delivered by mail or electronically. A government
3 entity or contractor may provide personal information to an individual
4 at any time, but shall not be required to provide personal information
5 to any individual more than twice in a twelve-month period.
6 5. This section shall not require a government entity or contractor
7 to:
8 (a) retain any personal information collected for a single, one-time
9 transaction if such information is not shared or retained by such
10 government entity or contractor; or
11 (b) re-identify or otherwise link information that is not maintained
12 in a manner that would be considered personal information.
13 § 83. Right to request deletion of personal information. 1. Any indi-
14 vidual shall have the right to request that a government entity or
15 contractor delete any personal information about such individual which
16 such government entity or contractor has collected from such individual.
17 2. A government entity or contractor that collects personal informa-
18 tion about individuals shall notify such individuals of their rights to
19 request the deletion of their personal information.
20 3. A government entity or contractor that receives a verifiable infor-
21 mation request from an individual to delete such individual's personal
22 information shall delete such individual's personal information from its
23 records and direct any contractors to delete such individual's personal
24 information from their records.
25 4. Notwithstanding other provisions under this article, a government
26 entity or contractor shall not be required to comply with an individ-
27 ual's request to delete such individual's personal information if it is
28 necessary for the government entity or contractor to maintain such indi-
29 vidual's personal information in order to:
30 (a) complete the purpose for which the personal information was
31 collected;
32 (b) comply with a legal obligation;
33 (c) otherwise use such individual's personal information, internally,
34 in a lawful manner that is compatible with the scope of such government
35 entity or contractor's duties.
36 § 84. Personal information which may be requested. 1. An individual
37 who requests disclosure of information pursuant to section eighty-two of
38 this article may request the following information:
39 (a) the categories of personal information such government entity or
40 contractor has collected about such individual;
41 (b) the categories of sources from which such personal information has
42 been collected;
43 (c) the purpose for collecting or sharing such personal information;
44 (d) any other government entities, contractors, or third parties with
45 whom such government entity or contractor shares such personal informa-
46 tion; and
47 (e) the specific pieces of personal information such government entity
48 or contractor has collected about such individual.
49 2. A government entity or contractor possessing personal information
50 about an individual shall disclose to such individual such information
51 upon receipt of a verifiable information request submitted by such indi-
52 vidual. Within five days of receipt of such verifiable information
53 request, such government entity or contractor shall send a response to
54 such requestor acknowledging receipt of such request.
A. 2587 6
1 3. (a) A government entity or contractor that collects personal infor-
2 mation about individuals from another government entity or contractor
3 shall disclose to such individuals the following:
4 (i) the categories of personal information it has collected about such
5 individual;
6 (ii) the categories of sources from which such personal information is
7 collected;
8 (iii) the purpose for collecting or sharing such personal information;
9 (iv) any other government entities or contractors with whom such
10 government entity or contractor shares personal information; and
11 (v) the specific pieces of personal information it has collected about
12 such individual.
13 (b) Such government entity or contractor shall disclose the informa-
14 tion required by paragraph (a) of this subdivision to such individuals
15 immediately upon receipt of such information, without the need for a
16 request to first be submitted.
17 4. This section shall not require a government entity or contractor to
18 do the following:
19 (a) retain any personal information about an individual collected for
20 a single one-time transaction if, in the ordinary course of business,
21 such information about such individual is not retained; or
22 (b) re-identify or otherwise link any data that, in the ordinary
23 course of business, is not maintained in a manner that would be consid-
24 ered personal information.
25 § 85. Shared information; government entities or contractors. Any
26 individual shall have the right to request that a government entity that
27 shares such individual's personal information, disclose to such individ-
28 ual:
29 (1) the categories of personal information that such government entity
30 collected about such individual; and
31 (2) the categories of personal information that such government entity
32 or contractor has shared about such individual and the other government
33 entities or contractors with whom such personal information was shared,
34 by category or categories of personal information for each government
35 entity or contractor to whom such personal information was shared.
36 § 86. Non-shareable personal information. 1. No government entity or
37 contractor shall share any individual's personal information with a
38 contractor or subcontractor unless such information is crucial to the
39 purpose for which such government entity or contractor has contracted
40 such contractor or subcontractor's services.
41 2. No government entity or contractor shall share any individual's
42 personal information with another government entity or contractor unless
43 such information is crucial to the performance of such other government
44 entity or contractor's duties, and such other government entity or
45 contractor cannot procure such personal information on its own without
46 serious hardship.
47 3. No government entity or contractor shall sell personal information
48 about an individual that has been shared with such government entity or
49 contractor.
50 § 87. Right not to be discriminated against. No government entity or
51 contractor shall discriminate against any individual in any way in
52 response to such individual exercising any of his or her rights under
53 this article.
54 § 88. Accessibility. 1. In order to comply with the requirements of
55 this article, in a method that is reasonably accessible to individuals,
56 government entities shall:
A. 2587 7
1 (a) Make available to individuals two or more designated methods for
2 submitting verifiable information requests which include, at a minimum,
3 a toll-free telephone number, and if such government entity maintains an
4 internet website, a website address.
5 (b) If such government entity maintains an internet website, provide
6 on such website information instructing individuals of their rights to
7 request disclosure or deletion of personal information under this arti-
8 cle, and all methods available for making such a request. Such informa-
9 tion shall not be required to be on the homepage of such government
10 entity's website.
11 2. In order to comply with the requirements of this article, govern-
12 ment entities and contractors shall:
13 (a) Disclose and deliver any information requested in a verifiable
14 information request free of charge within forty-five days of receiving
15 such request from an individual. The time period to provide the
16 required information may be extended once by an additional forty-five
17 days when reasonably necessary, provided the requesting individual is
18 provided notice of such extension within the first forty-five day peri-
19 od. Such disclosure shall cover the twelve-month period preceding such
20 government entity or contractor's receipt of the verifiable information
21 request, and shall be made in writing and delivered by mail or electron-
22 ically at the requestor's option.
23 (b) Disclose and deliver the information requested in a manner that
24 covers all disclosure requirements under subdivision one of section
25 eighty-four of this article.
26 (c) Disclose and deliver any information shared pursuant to section
27 eighty-six of this article by such government entity or contractor with-
28 in the twelve months preceding such request.
29 (d) Ensure that any employees of such government entity or contractor
30 who are responsible for handling inquiries about disclosure requirements
31 prescribed by this article are informed of all disclosure requirements
32 under this article, and that such employees are informed of how to
33 direct individuals of how to exercise their rights under this article.
34 (e) Use any personal information collected from an individual in a
35 verifiable information request in connection with such government entity
36 or contractor's verification of such request solely for the purposes of
37 such verification.
38 (f) Not be required to respond to more than two verifiable information
39 requests from the same individual within the same twelve-month period.
40 § 89. Limitation on restrictions. 1. The obligations imposed on
41 government entities and contractors by this article shall not restrict
42 any government entity or contractor's ability to:
43 (a) otherwise comply with federal, state, or local laws;
44 (b) comply with a civil, criminal, or regulatory inquiry, investi-
45 gation, subpoena, or summons by federal, state, or local authorities;
46 (c) comply with a request made under the freedom of information law;
47 or
48 (d) exercise or defend legal claims.
49 2. This article shall not apply to the sale of personal information to
50 or from a consumer reporting agency if such information is to be
51 reported in, or used to generate, a consumer report as defined by the
52 federal fair credit reporting act (15 USC 1681), and use of that infor-
53 mation is limited by such act.
54 3. If requests from an individual are manifestly unfounded or exces-
55 sive, in particular because of their repetitive character, a government
56 entity or contractor may either charge a reasonable fee, taking into
A. 2587 8
1 account the administrative costs of providing such information or commu-
2 nication or taking the action requested, or refuse to act on such
3 request and notify such individual of the reason for refusing such
4 request. Such government entity or contractor shall bear the burden of
5 demonstrating that such verified consumer request is manifestly
6 unfounded or excessive.
7 4. A government entity that discloses personal information to a
8 contractor shall not be liable under this article if such contractor
9 uses such personal information in violation of the restrictions set
10 forth in this article, provided that, at the time of disclosing such
11 personal information, such government entity does not have actual know-
12 ledge or reason to believe that such contractor intends to commit such a
13 violation. No contractor shall be liable under this article for the
14 obligations of a government entity for which it provides services as set
15 forth in this article.
16 5. This article shall not be construed to require a government entity
17 to reidentify or otherwise link information that is not maintained in a
18 manner that would be considered personal information.
19 6. The rights afforded to individuals and the obligations imposed on
20 government entities and contractors by this article shall not adversely
21 affect the rights and freedoms of any other person.
22 § 89-a. Relief. 1. Any individual whose personal information is
23 subject to an unauthorized access and exfiltration, theft, or disclosure
24 as a result of a government entity or contractor's violation of the duty
25 to implement and maintain reasonable security procedures and practices
26 appropriate to the nature of the information to protect such personal
27 information request action by the attorney general in response to such
28 violation.
29 2. Nothing in this article shall be interpreted to serve as the basis
30 for a private right of action under any other law. This shall not be
31 construed to relieve any party from any duties or obligations imposed
32 under other law or the United States or New York constitution.
33 § 89-b. Compliance guidance. Any government entity or contractor may
34 seek the opinion of the attorney general for guidance on how to comply
35 with the provisions of this article.
36 § 3. This act shall take effect one year after it shall have become a
37 law.