A00680 Summary:

BILL NOA00680A
 
SAME ASSAME AS S06701
 
SPONSORRosenthal L
 
COSPNSRQuart, Weprin, Rosenthal D, Simon, Dinowitz, Paulin
 
MLTSPNSR
 
Add Art 42 §§1100 - 1107, Gen Bus L
 
Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
Go to top    

A00680 Actions:

BILL NOA00680A
 
01/06/2021referred to consumer affairs and protection
05/27/2021amend and recommit to consumer affairs and protection
05/27/2021print number 680a
Go to top

A00680 Committee Votes:

Go to top

A00680 Floor Votes:

There are no votes for this bill in this legislative session.
Go to top

A00680 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         680--A
 
                               2021-2022 Regular Sessions
 
                   IN ASSEMBLY
 
                                       (Prefiled)
 
                                     January 6, 2021
                                       ___________
 
        Introduced  by M. of A. L. ROSENTHAL, QUART, WEPRIN, D. ROSENTHAL, SIMON
          -- read once and referred to the Committee  on  Consumer  Affairs  and
          Protection -- committee discharged, bill amended, ordered reprinted as
          amended and recommitted to said committee

        AN  ACT to amend the general business law, in relation to the management
          and oversight of personal data
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section  1.  Short  title. This act shall be known and may be cited as
     2  the "New York privacy act".
     3    § 2. Legislative intent. 1. Privacy is  a  fundamental  right  and  an
     4  essential element of freedom. Advances in technology have produced ramp-
     5  ant  growth  in  the amount and categories of personal data being gener-
     6  ated,  collected,  stored,  analyzed,  and  potentially  shared,   which
     7  presents  both  promise  and peril. Companies collect, use and share our
     8  personal information in ways that can be difficult for ordinary  consum-
     9  ers to understand. Opaque data processing policies make it impossible to
    10  evaluate  risks and compare privacy-related protections across services,
    11  stifling competition. Algorithms quietly make  decisions  with  critical
    12  consequences for New York consumers, often with no human accountability.
    13  Behavioral advertising generates profits by turning people into products
    14  and  their  activity into assets. New York consumers deserve more notice
    15  and more control over their data and their digital privacy.
    16    2. This act seeks to help New York consumers regain their privacy.  It
    17  gives New York consumers the ability to exercise more control over their
    18  personal data and requires businesses to be responsible, thoughtful, and
    19  accountable managers of that information.  To  achieve  this,  this  act
    20  provides  New  York  consumers  a  number of new rights, including clear
    21  notice of how their data is being used, processed and shared; the abili-
    22  ty to access and obtain a copy of their data in a  commonly  used  elec-
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD00516-02-1

        A. 680--A                           2
 
     1  tronic  format,  with  the  ability to transfer it between services; the
     2  ability to correct inaccurate data and to delete  their  data;  and  the
     3  ability  to challenge certain automated decisions. This act also imposes
     4  obligations  upon  businesses  to  maintain reasonable data security for
     5  personal data, to notify New York consumers of foreseeable harms arising
     6  from use of their data and to obtain specific consent for that use,  and
     7  to conduct regular assessments to ensure that data is not being used for
     8  unacceptable purposes. These data assessments can be obtained and evalu-
     9  ated  by the New York State Attorney General, who is empowered to obtain
    10  penalties for violations of this act and prevent future violations. This
    11  act also grants New York consumers who have been injured as  the  result
    12  of  a  violation  a  private  right of action, which includes reasonable
    13  attorneys' fees to a prevailing plaintiff.
    14    § 3. The general business law is amended by adding a new article 42 to
    15  read as follows:
    16                                 ARTICLE 42
    17                            NEW YORK PRIVACY ACT
    18  Section 1100. Definitions.
    19          1101. Jurisdictional scope.
    20          1102. Consumer rights.
    21          1103. Controller, processor, and third-party responsibilities.
    22          1104. Data brokers.
    23          1105. Limitations.
    24          1106. Enforcement and private right of action.
    25          1107. Miscellaneous.
    26    § 1100. Definitions. The following definitions apply  throughout  this
    27  article unless the context clearly requires otherwise:
    28    1.  "Automated decision-making" or "automated decision" means a compu-
    29  tational process, including one derived from machine  learning,  artifi-
    30  cial  intelligence,  or  any other automated process, involving personal
    31  data that results in a decision affecting a consumer.
    32    2. "Biometric information" means any personal data generated from  the
    33  measurement  or  specific  technological  processing  of an individual's
    34  biological, physical, or physiological characteristics, including  fing-
    35  erprints, voice prints, iris or retina scans, facial scans or templates,
    36  deoxyribonucleic acid (DNA) information, and gait.
    37    3.  "Business  associate"  has  the same meaning as in Title 45 of the
    38  C.F.R., established pursuant to the federal Health Insurance Portability
    39  and Accountability Act of 1996.
    40    4. "Consent" means a clear affirmative act signifying a freely  given,
    41  specific, informed, and unambiguous indication of a consumer's agreement
    42  to the processing of data relating to the consumer made in response to a
    43  dedicated prompt outlining in clear and conspicuous language the materi-
    44  al  nature  of  the  processing  to which the consumer is consenting.  A
    45  pre-checked box or similar default is not affirmative  consent.  Consent
    46  may  be  withdrawn  at  any  time,  and a controller must provide clear,
    47  conspicuous, and consumer-friendly means to withdraw consent. The burden
    48  of establishing consent is on the controller.
    49    5. "Consumer" means a natural person who is a New York resident acting
    50  only in an individual or  household  context.  It  does  not  include  a
    51  natural person known to be acting in a commercial or employment context.
    52    6.  "Controller"  means  the person who, alone or jointly with others,
    53  determines the purposes and means of the processing of personal data.
    54    7. "Covered entity" has the same meaning as in Title 45 of the C.F.R.,
    55  established pursuant to the federal  Health  Insurance  Portability  and
    56  Accountability Act of 1996.

        A. 680--A                           3
 
     1    8.  "Data  broker" means a person, or unit or units of a legal entity,
     2  separately or together, that does business in the state of New York  and
     3  knowingly  collects,  and  sells  to  controllers  or third-parties, the
     4  personal data of a  consumer  with  whom  it  does  not  have  a  direct
     5  relationship. "Data broker" does not include any of the following:
     6    (a)  a  consumer  reporting agency to the extent that it is covered by
     7  the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.); or
     8    (b) a financial institution to the extent that it is  covered  by  the
     9  Gramm-Leach-Bliley  Act  (Public  Law  106-102)  and  implementing regu-
    10  lations.
    11    9. "Deidentified data" means data that cannot reasonably  be  used  to
    12  infer  information about, or otherwise be linked to a particular consum-
    13  er, provided that the processor or controller that possesses the data:
    14    (a) takes reasonable measures to ensure that the data cannot be  asso-
    15  ciated with a consumer or device;
    16    (b) publicly commits to process the data only as deidentified data and
    17  not  attempt  to  reidentify  the  data,  except  that the controller or
    18  processor may attempt to  reidentify  the  information  solely  for  the
    19  purpose  of  determining  whether its deidentification processes satisfy
    20  the requirements of this subdivision; and
    21    (c) contractually obligates any recipients of the data to comply  with
    22  all provisions of this article.
    23    10.  "Device"  means any physical object that is capable of connecting
    24  to the Internet, directly or indirectly, or to  another  device  and  is
    25  intended  for  use  by a natural person or household or, if used outside
    26  the home, for use by the general public.
    27    11. "Meaningful human review" means review or oversight by one or more
    28  individuals who (a) are trained in the capabilities and  limitations  of
    29  the  algorithm  at  issue and the procedures to interpret and act on the
    30  output of the algorithm, and (b) have the authority to alter  the  auto-
    31  mated decision under review.
    32    12. "Natural person" means a natural person acting only in an individ-
    33  ual  or household context. It does not include a natural person known to
    34  be acting in a commercial or employment context.
    35    13. "Person" means a natural person or a legal entity,  including  but
    36  not  limited  to  a  proprietorship,  partnership,  limited partnership,
    37  corporation, company, limited liability company or corporation,  associ-
    38  ation,  or  other  firm  or similar body, or any unit, division, agency,
    39  department, or similar subdivision thereof.
    40    14. "Personal data" means any data that is identified or could reason-
    41  ably be linked, directly or indirectly, with a specific natural  person,
    42  household, or device.  Personal data does not include deidentified data.
    43    15. "Identified or identifiable natural person" means a natural person
    44  who  can  be identified, directly or indirectly, such as by reference to
    45  an identifier such as a name, an identification number,  location  data,
    46  or an online or device identifier.
    47    16.  "Process,"  "processes" or "processing" means an operation or set
    48  of operations which are performed on data or on sets of data,  including
    49  but  not  limited to the collection, use, access, sharing, monetization,
    50  analysis, retention, creation, generation, derivation, recording, organ-
    51  ization,  structuring,  storage,  disclosure,  transmission,   analysis,
    52  disposal, licensing, destruction, deletion, modification, or deidentifi-
    53  cation of data.
    54    17.  "Processor"  means  a person that processes data on behalf of the
    55  controller.

        A. 680--A                           4
 
     1    18. "Protected health information" has the same meaning as in Title 45
     2  C.F.R., established pursuant to the federal Health Insurance Portability
     3  and Accountability Act of 1996.
     4    19.  "Sale," "sell," or "sold" means the disclosure, transfer, convey-
     5  ance, sharing, licensing,  making  available,  processing,  granting  of
     6  permission  or  authorization  to process, or other exchange of personal
     7  data, or providing access to personal data for monetary or  other  valu-
     8  able  consideration by the controller to a third-party.  "Sale" includes
     9  enabling, facilitating or providing access to a  consumer  for  targeted
    10  advertising. "Sale" does not include the following:
    11    (a)  the  disclosure  of data to a processor who processes the data on
    12  behalf of the controller and  which  is  contractually  prohibited  from
    13  using it for any purpose other than as instructed by the controller; or
    14    (b)  the  disclosure or transfer of data as an asset that is part of a
    15  merger, acquisition, bankruptcy, or other transaction in  which  another
    16  entity assumes control or ownership of all or a majority of the control-
    17  ler's assets.
    18    20. "Targeted advertising" means displaying online advertisements to a
    19  consumer  where  the  advertisement  is  selected based on personal data
    20  obtained from a consumer's activities over time and across one  or  more
    21  distinctly-branded   websites,  online  applications,  or  services,  to
    22  predict the consumer's preferences or interests.   It does  not  include
    23  advertising  (a)  based  on the context of the consumer's current search
    24  query or visit to a website or online application, or (b) to a  consumer
    25  in  direct  response  to the consumer's request for information or feed-
    26  back.
    27    21. "Third-party" means, with respect to a particular  interaction  or
    28  occurrence,  a  person, public authority, agency, or body other than the
    29  consumer, the controller, or processor of the controller.  A third party
    30  may also be a controller if the  third  party,  alone  or  jointly  with
    31  others,  determines the purposes and means of the processing of personal
    32  data.
    33    22. "Verified request" means a request by a  consumer  to  exercise  a
    34  right  authorized  by  this  article, the authenticity of which has been
    35  ascertained by the controller in accordance with paragraph (c) of subdi-
    36  vision eight of section eleven hundred two of this article.
    37    § 1101. Jurisdictional scope. 1. This article applies to legal persons
    38  that conduct business in New York or produce products or  services  that
    39  are  targeted  to residents of New York, and that satisfy one or more of
    40  the following thresholds:
    41    (a) have annual gross revenue of twenty-five million dollars or more;
    42    (b) controls or  processes  personal  data  of  one  hundred  thousand
    43  consumers or more;
    44    (c)  controls  or  processes  personal  data  of five hundred thousand
    45  natural persons or more nationwide, and controls or  processes  personal
    46  data of ten thousand consumers; or
    47    (d)  derives  over  fifty  percent  of  gross revenue from the sale of
    48  personal data, and controls or processes personal  data  of  twenty-five
    49  thousand consumers or more.
    50    2. This article does not apply to:
    51    (a) Personal data processed by state and local governments, and munic-
    52  ipal  corporations, for processes other than sale (filing and processing
    53  fees are not sale);
    54    (b) Information that meets the following criteria:
    55    (i) personal data  required  to  be  collected,  processed,  sold,  or
    56  disclosed pursuant to the federal Gramm-Leach-Bliley act (P.L. 106-102),

        A. 680--A                           5
 
     1  and  implementing  regulations,  if the collection, processing, sale, or
     2  disclosure is in compliance with such law;
     3    (ii)  personal  data collected, processed, sold, or disclosed pursuant
     4  to the federal Driver's Privacy Protection Act of 1994 (18  U.S.C.  Sec.
     5  2721  et seq.), if the collection, processing, sale, or disclosure is in
     6  compliance with that law;
     7    (iii) personal data regulated by the federal Family Educational Rights
     8  and Privacy Act, U.S.C. Sec. 1232g and its implementing regulations;
     9    (iv) personal data collected, processed, sold, or  disclosed  pursuant
    10  to  the  federal  Farm  Credit Act of 1971 (as amended in 12 U.S.C. Sec.
    11  2001-2279cc) and its implementing regulations (12  C.F.R.  Part  600  et
    12  seq.)  if  the collection, processing, sale, or disclosure is in compli-
    13  ance with that law;
    14    (v) personal data regulated by section two-d of the education law;
    15    (vi) data maintained for employment  records  purposes,  for  purposes
    16  other than sale;
    17    (vii)  protected  health  information  that  is collected by a covered
    18  entity or business associate governed  by  the  privacy,  security,  and
    19  breach  notification  rules  issued  by  the United States Department of
    20  Health and Human Services, Parts 160 and 164 of Title 45 of the Code  of
    21  Federal Regulations, established pursuant to the Health Insurance Porta-
    22  bility and Accountability Act of 1996 (Public Law 104-191) ("HIPAA") and
    23  the  Health  Information Technology for Economic and Clinical Health Act
    24  (Public Law 111-5);
    25    (viii) patient identifying information for purposes of 42 C.F.R.  Part
    26  2, established pursuant to 42 U.S.C. Sec. 290dd-2;
    27    (ix)  information  and  documents  created for purposes of the federal
    28  Health Care Quality Improvement Act of 1986, and related regulations;
    29    (x) patient safety work product for purposes  of  42  C.F.R.  Part  3,
    30  established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
    31    (xi)  information  originating  from, and intermingled to be indistin-
    32  guishable from, or information treated in the same manner  as,  informa-
    33  tion exempt under this subdivision that is maintained by a covered enti-
    34  ty or business associate as defined by HIPAA or a program or a qualified
    35  service organization as defined by 42 U.S.C. § 290dd-2;
    36    (xii)  deidentified health information that meets all of the following
    37  conditions:
    38    (A) it is deidentified in accordance with the requirements for deiden-
    39  tification set forth in Section 164.514 of Part 164 of Title 45  of  the
    40  Code of Federal Regulations;
    41    (B)  it  is  derived  from  protected health information, individually
    42  identifiable health information,  or  identifiable  private  information
    43  consistent with the Federal Policy for the Protection of Human Subjects,
    44  also known as the Common Rule; and
    45    (C) a covered entity or business associate does not attempt to reiden-
    46  tify  the  information  nor  do they actually reidentify the information
    47  except as otherwise allowed under state or federal law;
    48    (xiii) patient information maintained by a covered entity or  business
    49  associate  governed  by  the  privacy, security, and breach notification
    50  rules issued by  the  United  States  Department  of  Health  and  Human
    51  Services,  Parts  160  and  164 of Title 45 of the Code of Federal Regu-
    52  lations, established pursuant to the Health  Insurance  Portability  and
    53  Accountability  Act  of  1996  (Public  Law  104-191), to the extent the
    54  covered entity or business associate maintains the  patient  information
    55  in  the  same  manner  as  protected  health information as described in
    56  subparagraph (vii) of this paragraph;

        A. 680--A                           6
 
     1    (xiv) data collected as part of human subjects research,  including  a
     2  clinical  trial, conducted in accordance with the Federal Policy for the
     3  Protection of Human Subjects, also known as the Common Rule, pursuant to
     4  good clinical practice guidelines issued by  the  International  Council
     5  for  Harmonisation  or pursuant to human subject protection requirements
     6  of the United States Food and Drug Administration; or
     7    (xv) personal data processed only for one or  more  of  the  following
     8  purposes:
     9    (A)  product  registration  and  tracking  consistent  with applicable
    10  United States Food and Drug Administration regulations and guidance;
    11    (B) public health activities and  purposes  as  described  in  Section
    12  164.512 of Title 45 of the Code of Federal Regulations; and/or
    13    (C)  activities related to quality, safety, or effectiveness regulated
    14  by the United States Food and Drug Administration;
    15    (c) (i) An activity involving the collection, maintenance, disclosure,
    16  sale, communication, or use of any personal data bearing on a consumer's
    17  credit worthiness, credit standing, credit capacity, character,  general
    18  reputation,  personal  characteristics,  or mode of living by a consumer
    19  reporting agency, as defined in Title 15  U.S.C.  Sec.  1681a(f),  by  a
    20  furnisher of information, as set forth in Title 15 U.S.C. Sec.  1681s-2,
    21  who  provides  information  for  use in a consumer report, as defined in
    22  Title 15 U.S.C. Sec. 1861a(d), and by a user of a  consumer  report,  as
    23  set forth in Title 15 U.S.C. Sec. 1681b.; and
    24    (ii)  This paragraph shall apply only to the extent that such activity
    25  involving the collection, maintenance, disclosure, sale,  communication,
    26  or  use  of  such  data by that agency, furnisher, or user is subject to
    27  regulation under the Fair Credit Reporting Act,  Title  15  U.S.C.  Sec.
    28  1681  et seq., and the data is not collected, maintained, used, communi-
    29  cated, disclosed, or sold  except  as  authorized  by  the  Fair  Credit
    30  Reporting Act.
    31    § 1102. Consumer rights. 1. Right to notice. (a) Notice. Each control-
    32  ler  that  processes  a  consumer's personal data must make publicly and
    33  persistently available, in a conspicuous and readily accessible  manner,
    34  a notice containing the following:
    35    (i)  a  description  of  the  consumer's rights under subdivisions two
    36  through six of this section  and  how  a  consumer  may  exercise  those
    37  rights, including how to withdraw consent;
    38    (ii)  the  categories of personal data processed by the controller and
    39  by any processor who processes personal data on behalf of  the  control-
    40  ler;
    41    (iii) the sources from which personal data is collected;
    42    (iv) the purposes for processing personal data;
    43    (v) the identity of each processor or third party to whom the control-
    44  ler  discloses,  shares, transfers, or sells personal data and, for each
    45  identified processor or third party, (A) the categories of personal data
    46  being shared, disclosed, transferred, or sold to the processor or  third
    47  party,  (B)  the  purposes  for  which  personal  data  is being shared,
    48  disclosed, transferred, or sold to the processor or third party, (C) the
    49  third party's retention period for each category of personal data  proc-
    50  essed by the third party or processed on their behalf, or if that is not
    51  possible, the criteria used to determine the period, and (D) whether the
    52  entity uses the personal data for targeted advertising;
    53    (vi)  the  controller's retention period for each category of personal
    54  data that they process or is processed on their behalf, or  if  that  is
    55  not possible, the criteria used to determine that period; and

        A. 680--A                           7
 
     1    (vii)  for  controllers  engaging  in  targeted  advertising,  average
     2  expected revenue per user (ARPU) or a similar metric for the most recent
     3  fiscal year for the region that covers New York.
     4    (b) Notice requirements.
     5    (i)  The  notice  must be written in easy-to-understand language at an
     6  eighth grade reading level or below.
     7    (ii) The categories of personal data processed and purposes for  which
     8  each category of personal data is processed must be described at a level
     9  specific enough to enable a consumer to exercise meaningful control over
    10  their  personal data but not so specific as to render the notice unhelp-
    11  ful to a reasonable consumer.
    12    (iii) The notice must be dated with its effective date and updated  at
    13  least annually.
    14    (iv)  The  notice,  as well as each version of the notice in effect in
    15  the preceding six years,   must be easily accessible  to  consumers  and
    16  capable of being viewed by consumers at any time.
    17    2. Opt-in consent.  (a) A controller must obtain freely given, specif-
    18  ic, informed, and unambiguous opt-in consent from a consumer to:
    19    (i) process the consumer's personal data for any purpose; or
    20    (ii) make any changes in the processing or processing purpose, includ-
    21  ing  the method and scope of collection, of the consumer's personal data
    22  that are less protective of the consumer's personal data than the  proc-
    23  essing  to  which  the consumer has previously given their freely given,
    24  specific, informed, and unambiguous opt-in consent.
    25    (b) Any request for consent  must,  in  a  standalone  disclosure,  be
    26  provided  to the consumer prior to processing their personal data, sepa-
    27  rate and apart from any contract or  privacy  policy.  The  request  for
    28  consent must:
    29    (i)  include  a  clear and conspicuous description of each category of
    30  data and processing purpose for which consent is sought;
    31    (ii) clearly identify and distinguish between categories of  data  and
    32  processing  purposes that are necessary to provide the services or goods
    33  requested by the consumer and categories of data and processing purposes
    34  that are not necessary to provide the services or goods requested by the
    35  consumer;
    36    (iii) enable a reasonable consumer to easily identify  the  categories
    37  of data and processing purposes for which consent is sought;
    38    (iv)  clearly  present  as  the  most  conspicuous choice an option to
    39  provide only the consent necessary to  provide  the  services  or  goods
    40  requested by the consumer;
    41    (v) clearly present an option to deny consent; and
    42    (vi) where the request seeks consent to sharing, disclosure, transfer,
    43  or  sale  of  personal  data  to third parties, identify each such third
    44  party, the categories of data sold or shared with them,  the  processing
    45  purposes, the retention period, or if that is not possible, the criteria
    46  used  to  determine  the  period, and for each third party state if such
    47  sharing, disclosure, transfer, or  sale  enables  or  involves  targeted
    48  advertising.  The  details  of identities of such third parties, and the
    49  categories of data, processing purposes, and the retention  period,  may
    50  be  set  forth  in a different disclosure, provided that the request for
    51  consent contains a conspicuous and  directly  accessible  link  to  that
    52  disclosure.
    53    (c)  Targeted  advertising  and  sale  of  personal  data shall not be
    54  considered processing purposes that are necessary to provide services or
    55  goods requested by a consumer.

        A. 680--A                           8
 
     1    (d) Once a consumer has provided freely given, specific, informed, and
     2  unambiguous opt-in consent to process their personal data for a process-
     3  ing purpose, a controller may rely on such consent  until  it  is  with-
     4  drawn.
     5    (e)  A  controller must provide a mechanism for a consumer to withdraw
     6  previously given consent at any time. Such mechanism shall  make  it  as
     7  easy for a consumer to withdraw their consent as it is for such consumer
     8  to  provide  consent.  The  controller  may style the mechanism allowing
     9  consumers to withdraw previously given consent as an opt-out.
    10    (f) A controller must not infer that a consumer  has  provided  freely
    11  given,  specific,  informed,  and  unambiguous  opt-in  consent from the
    12  consumer's inaction or the consumer's continued  use  of  a  service  or
    13  product provided by the controller.
    14    (g)  To  the  extent  that a controller must process internet protocol
    15  addresses, system configuration information, URLs  of  referring  pages,
    16  locale  and  language  preferences,  keystrokes,  or any other data that
    17  individually or collectively may comprise  personal  data  in  order  to
    18  obtain  a  consumer's  freely given, specific, informed, and unambiguous
    19  opt-in consent, the controller must:
    20    (i) process only the personal data necessary to request freely  given,
    21  specific, informed, and unambiguous opt-in consent;
    22    (ii) process the personal data solely to request freely given, specif-
    23  ic, informed, and unambiguous opt-in consent; and
    24    (iii)  immediately  delete  the  personal data if consent is withheld,
    25  denied, or withdrawn.
    26    (h) Controllers must not request  consent  from  a  consumer  who  has
    27  previously  withheld  or  denied consent, unless consent is necessary to
    28  provide the services or goods requested by the consumer.
    29    (i) Controllers must treat user-enabled privacy controls in a browser,
    30  browser  plug-in,  smartphone  application,  operating  system,   device
    31  setting,  or other mechanism that communicates or signals the consumer's
    32  choice not to be subject to targeted advertising or the  sale  of  their
    33  personal  data as a denial of consent under this act. To the extent that
    34  the privacy control conflicts with a  consumer's  consent,  the  privacy
    35  control  settings  govern,  unless  the  consumer provides freely given,
    36  specific, informed, and  unambiguous  opt-in  consent  to  override  the
    37  privacy control.
    38    (j)  A  controller  must not discriminate against a consumer for with-
    39  holding or denying consent, including, but not limited to, by:
    40    (i) denying services or goods to the  consumer,  unless  the  consumer
    41  does  not  consent  to  processing  necessary to provide the services or
    42  goods requested by the consumer;
    43    (ii) charging  different  prices  for  goods  or  services,  including
    44  through  the  use of discounts or other benefits, imposing penalties, or
    45  providing a different level or quality  of  services  or  goods  to  the
    46  consumer; or
    47    (iii)  suggesting  that the consumer will receive a different price or
    48  rate for goods or services or a different level or quality  of  services
    49  or goods.
    50    (k)  A  controller  may,  with  the consumer's freely given, specific,
    51  informed, and unambiguous opt-in consent given pursuant to this section,
    52  operate a program in which information, products, or  services  sold  to
    53  the  consumer  are  discounted  based on such consumer's prior purchases
    54  from the controller, provided that the personal  data  used  to  operate
    55  such  program  is  processed  solely  for  the purpose of operating such
    56  program.

        A. 680--A                           9
 
     1    (l) In the event of a merger, acquisition, bankruptcy, or other trans-
     2  action in which another entity assumes control or ownership  of  all  or
     3  majority  of  the  controller's  assets,  any  consent  provided  to the
     4  controller by a consumer prior to such transaction shall be deemed with-
     5  drawn.
     6    3.  Right  to  access.  Upon  the  verified  request  of a consumer, a
     7  controller shall:
     8    (a) confirm whether or not the controller is processing or  has  proc-
     9  essed  personal  data  of that consumer, and provide access to a copy of
    10  any such personal data when requested; and
    11    (b) provide the identity of each processor or third-party to whom  the
    12  controller  disclosed, transferred, or sold the consumer's personal data
    13  and, for each identified processor or third-party, (A) the categories of
    14  the consumer's personal data disclosed, transferred,  or  sold  to  each
    15  processor or third-party and (B) the purposes for which each category of
    16  the consumer's personal data was disclosed, transferred, or sold to each
    17  processor or third-party.
    18    4. Right to portable data.  Upon a verified request, and to the extent
    19  technically feasible, the controller must: (a) provide to the consumer a
    20  copy  of  all  of, or a portion of, as designated in a verified request,
    21  the  consumer's  personal  data  in  a  structured,  commonly  used  and
    22  machine-readable  format and (b) at the consumer's request, transmit the
    23  data to another person of the consumer's designation without hindrance.
    24    5. Right to correct. (a) Upon the verified request of  a  consumer,  a
    25  controller  must conduct a reasonable investigation to determine whether
    26  personal data, the accuracy of which is disputed  by  the  consumer,  is
    27  inaccurate,  with  such  investigation  to  be concluded within the time
    28  period set forth in paragraph (a) of subdivision eight of this section.
    29    (b) Notwithstanding paragraph (a) of this  subdivision,  a  controller
    30  may  terminate  an investigation of personal data disputed by a consumer
    31  under such paragraph if the controller reasonably  determines  that  the
    32  dispute  by  the consumer is frivolous, including by reason of a failure
    33  by a consumer to  provide  sufficient  information  to  investigate  the
    34  disputed personal data. Upon making any determination in accordance with
    35  this  paragraph  that  a dispute is frivolous, a controller must, within
    36  the time period set forth in paragraph (a) of subdivision eight of  this
    37  section,  provide  the  affected  consumer  a  statement in writing that
    38  includes, at a minimum, the specific reasons for the determination,  and
    39  identification  of  any information required to investigate the disputed
    40  personal data, which may consist of a standardized form  describing  the
    41  general nature of such information.
    42    (c)  If,  after any investigation under paragraph (a) of this subdivi-
    43  sion of any personal data  disputed  by  a  consumer,  an  item  of  the
    44  personal  data  is  found  to  be inaccurate or incomplete, or cannot be
    45  verified, the controller must:
    46    (i) correct the inaccurate or incomplete personal data of the  consum-
    47  er; and
    48    (ii)  unless it proves impossible or involves disproportionate effort,
    49  communicate such request to each processor or third-party  to  whom  the
    50  controller  disclosed, transferred, or sold the personal data within one
    51  year preceding the consumer's request, and to require  those  processors
    52  or third-parties to do the same for any further processors or third-par-
    53  ties they disclosed, transferred, or sold the personal data to.
    54    (d)  If  the  investigation does not resolve the dispute, the consumer
    55  may file with the controller a brief statement setting forth the  nature
    56  of the dispute. Whenever a statement of a dispute is filed, unless there

        A. 680--A                          10
 
     1  exists  reasonable grounds to believe that it is frivolous, the control-
     2  ler must note that it is disputed by the consumer and include either the
     3  consumer's statement or a clear and  accurate  codification  or  summary
     4  thereof with the disputed personal data whenever it is disclosed, trans-
     5  ferred, or sold to any processor or third-party.
     6    6.  Right  to  delete.  (a) Upon the verified request of a consumer, a
     7  controller must:
     8    (i) within a reasonable amount of time after  receiving  the  verified
     9  request,  delete  any or all personal data, as directed by the consumer,
    10  that the controller possesses or controls; and
    11    (ii) unless it proves impossible or involves disproportionate  effort,
    12  communicate  such  request  to each processor or third-party to whom the
    13  controller disclosed, transferred or sold the personal data  within  one
    14  year preceding the consumer's request and to require those processors or
    15  third-parties to do the same for any further processors or third-parties
    16  they disclosed, transferred, or sold the personal data to.
    17    (b) For personal data that is not possessed by the controller but by a
    18  processor  of  the controller, the controller may choose to (i) communi-
    19  cate the consumer's request for  deletion  to  the  processor,  or  (ii)
    20  request  that  the  processor return to the controller the personal data
    21  that is the subject of the consumer's request and delete  such  personal
    22  data upon receipt of the request.
    23    (c) A consumer's deletion of their online account must be treated as a
    24  request  to  the  controller  to  delete all of that consumer's personal
    25  data.
    26    (d) A controller  must  maintain  reasonable  procedures  designed  to
    27  prevent  the  reappearance in its systems, and in any data it discloses,
    28  transfers, or sells to any processor or third-party, the  personal  data
    29  that is deleted pursuant to this subdivision.
    30    (e)  A  controller is not required to comply with a consumer's request
    31  to delete personal data if:
    32    (i) complying with the  request  would  prevent  the  controller  from
    33  performing  accounting  functions,  processing  refunds,  effectuating a
    34  product recall pursuant to federal or state law, or fulfilling  warranty
    35  claims,  provided  that  the  personal  data  that is the subject of the
    36  request is not processed for any purpose other than such specific activ-
    37  ities; or
    38    (ii) it is necessary for the controller  to  maintain  the  consumer's
    39  personal  data  to engage in public or peer-reviewed scientific, histor-
    40  ical, or statistical research in the public interest that adheres to all
    41  other applicable ethics and privacy laws, when the controller's deletion
    42  of the information is likely to render impossible  or  seriously  impair
    43  the  achievement  of such research, provided that the consumer has given
    44  informed consent and the personal data is not processed for any  purpose
    45  other than such research.
    46    7. Automated decision-making. (a) Whenever a controller makes an auto-
    47  mated  decision  involving solely automated processing that results in a
    48  denial of financial or lending services, housing, public  accommodation,
    49  insurance, health care services, or access to basic necessities, such as
    50  food and water, the controller must:
    51    (i) disclose in a clear conspicuous, and consumer-friendly manner that
    52  the decision was made by a solely automated process;
    53    (ii)  provide  an avenue for the affected consumer to appeal the deci-
    54  sion, which must at minimum allow the affected consumer to  (A)  express
    55  their point of view, (B) contest the decision, and (C) obtain meaningful
    56  human review; and

        A. 680--A                          11
 
     1    (iii) explain how to appeal the decision.
     2    (b) A controller must respond to a consumer's appeal within forty-five
     3  days  of  receipt  of  the  appeal.  That period may be extended once by
     4  forty-five additional  days  where  reasonably  necessary,  taking  into
     5  account the complexity and number of appeals. The controller must inform
     6  the  consumer of any such extension within forty-five days of receipt of
     7  the appeal, together with the reasons for the delay.
     8    (c) (i) A controller or processor engaged in automated decision-making
     9  affecting financial or lending services, housing, public  accommodation,
    10  insurance,  education  enrollment,  employment, health care services, or
    11  access to basic necessities, such as  food  and  water,  or  engaged  in
    12  assisting  others  in  automated  decision-making  in those fields, must
    13  annually conduct an impact assessment of such automated  decision-making
    14  that:
    15    (A)  describes  and  evaluates  the  objectives and development of the
    16  automated decision-making processes including the  design  and  training
    17  data  used  to  develop  the  automated decision-making process, how the
    18  automated decision-making process was  tested  for  accuracy,  fairness,
    19  bias and discrimination; and
    20    (B)  assesses  whether  the  automated decision-making system produces
    21  discriminatory results on the basis of a consumer's or class of  consum-
    22  ers'  actual  or  perceived  race,  color, ethnicity, religion, national
    23  origin, sex,  gender,  gender  identity,  sexual  orientation,  familial
    24  status, biometric information, lawful source of income, or disability.
    25    (ii)  A  controller or processor must utilize an external, independent
    26  auditor or researcher to conduct such assessments.
    27    (iii) A controller or processor must make public  all  impact  assess-
    28  ments  prepared pursuant to this section, retain all such impact assess-
    29  ments for at least six years, and make any such retained impact  assess-
    30  ments  available  to  any  state, federal, or local government authority
    31  upon request.
    32    (iv) For purposes of this paragraph, the limitations to jurisdictional
    33  scope set forth in paragraphs (b) and (c) of subdivision two of  section
    34  eleven hundred one of this article shall not apply.
    35    8.  Responding  to  requests.  (a) A controller must take action under
    36  subdivisions three through six of this section and inform  the  consumer
    37  of  any actions taken without undue delay and in any event within forty-
    38  five days of receipt of the request. That period may be extended once by
    39  forty-five additional  days  where  reasonably  necessary,  taking  into
    40  account  the  complexity and number of the requests. The controller must
    41  inform the consumer of any such  extension  within  forty-five  days  of
    42  receipt  of the request, together with the reasons for the delay. When a
    43  controller denies any such request, it must within this period  disclose
    44  to  the  consumer a statement in writing of the specific reasons for the
    45  denial.
    46    (b) A controller shall permit the exercise of rights and carry out its
    47  obligations set forth in subdivisions three through six of this  section
    48  free  of charge, at least twice annually to the consumer. Where requests
    49  from a consumer are manifestly unfounded  or  excessive,  in  particular
    50  because  of  their  repetitive  character, the controller may either (i)
    51  charge a reasonable fee to cover the administrative costs  of  complying
    52  with  the  request  or  (ii) refuse to act on the request and notify the
    53  consumer of the reason for refusing the request.  The  controller  bears
    54  the  burden of demonstrating the manifestly unfounded or excessive char-
    55  acter of the request.

        A. 680--A                          12

     1    (c) (i)  A  controller  shall  promptly  attempt,  using  commercially
     2  reasonable  efforts,  to verify that all requests to exercise any rights
     3  set forth in any section of this article requiring  a  verified  request
     4  were made by the consumer who is the subject of the data, or by a person
     5  lawfully  exercising  the  right  on  behalf  of the consumer who is the
     6  subject of the data. Commercially reasonable efforts shall be determined
     7  based on the totality of the circumstances, including the nature of  the
     8  data implicated by the request.
     9    (ii)  A  controller  may  require  the  consumer to provide additional
    10  information only if the request cannot reasonably  be  verified  without
    11  the  provision  of  such  additional  information. A controller must not
    12  transfer or process any such additional information provided pursuant to
    13  this section for any other purpose and must delete any  such  additional
    14  information  without undue delay and in any event within forty-five days
    15  after the controller has notified the consumer that it has taken  action
    16  on  a  request  under  subdivisions  two through five of this section as
    17  described in paragraph (a) of this subdivision.
    18    (iii) If a controller discloses this  additional  information  to  any
    19  processor  or  third-party  for  the  purpose  of  verifying  a consumer
    20  request, it must notify the receiving processor or third  party  at  the
    21  time  of  such  disclosure,  or as close in time to the disclosure as is
    22  reasonably practicable,  that  such  information  was  provided  by  the
    23  consumer for the sole purpose of verification.
    24    9.  Implementation of rights. Controllers must provide easily accessi-
    25  ble and convenient means for consumers to exercise  their  rights  under
    26  this article.
    27    10.  Non-waiver of rights. Any provision of a contract or agreement of
    28  any kind that purports to waive or limit in any way a consumer's  rights
    29  under  this  article  is contrary to public policy and is void and unen-
    30  forceable.
    31    § 1103.  Controller, processor, and third-party  responsibilities.  1.
    32  Controller  responsibilities.  (a)  Duty  of  loyalty.   (i) Where it is
    33  reasonably foreseeable to the controller that a process will be  against
    34  a  consumer's physical, financial, psychological, or reputational inter-
    35  ests or against the physical, financial, psychological, or  reputational
    36  interests  of  a class of consumers that the consumer is known to belong
    37  to, the controller must notify that consumer of any interest that may be
    38  harmed in advance of requesting consent and as  close  in  time  to  the
    39  processing  as  practicable. This obligation does not apply with respect
    40  to processing: (A) as required by law; (B) pursuant to a  request  by  a
    41  federal,  state,  or  local government or government entity; or (C) that
    42  significantly advances protection against criminal or tortious activity.
    43    (ii) Controllers must not engage in unfair, deceptive, or abusive acts
    44  or practices with respect to obtaining consumer consent, the  processing
    45  of  personal  data,  and  a consumer's exercise of any rights under this
    46  article, including without limitation:
    47    (A) designing a user interface with the purpose or substantial  effect
    48  of  deceiving consumers, obscuring consumers' rights under this article,
    49  or subverting or impairing user autonomy, decision-making, or choice  in
    50  order to obtain consent; or
    51    (B)  obtaining  consent in a manner designed to overpower a consumer's
    52  resistance; for example, by making excessive requests for consent.
    53    (b) Duty of care. (i) (A) Controllers must,  on  at  least  an  annual
    54  basis, conduct and document risk assessments of all current processes of
    55  personal data.
    56    (B) Risk assessments must assess at a minimum:

        A. 680--A                          13
 
     1    (I)  the nature, sensitivity and context of the personal data that the
     2  controller processes;
     3    (II) the nature, purpose, and value of the processes;
     4    (III)  any risks or harms to consumers actually or potentially arising
     5  out of the processes, including physical, financial,  psychological,  or
     6  reputational harms;
     7    (IV) the adequacy and effect of safeguards implemented by the control-
     8  lers;
     9    (V)  the  sufficiency  of  the  controller's  notices  to consumers at
    10  describing and obtaining consent concerning the processes; and
    11    (VI) the adequacy  of  the  safeguards  and  monitoring  practices  of
    12  processors  and  third  parties  to  whom  the  controller  has provided
    13  personal data.
    14    (C) The controller must retain risk assessments for at least six years
    15  and make  risk  assessments  available  to  the  attorney  general  upon
    16  request.
    17    (ii)  Controllers  must  develop,  implement,  and maintain reasonable
    18  safeguards to protect the security, confidentiality and integrity of the
    19  personal data of consumers including adopting reasonable administrative,
    20  technical and physical safeguards appropriate to the volume  and  nature
    21  of the personal data at issue.
    22    (iii)  (A) A controller that collects a consumer's personal data shall
    23  limit its use and retention of that data to what is necessary to provide
    24  a service or good requested by a consumer or for purposes for which  the
    25  consumer  has provided freely given, specific, informed, and unambiguous
    26  opt-in consent.
    27    (B) At least annually, a controller must dispose of all personal  data
    28  that  is  either  no  longer  necessary to provide the services or goods
    29  requested by the consumer or for the purposes for which  the  consumer's
    30  freely  given,  specific, informed, and unambiguous opt-in consent is in
    31  effect, consistent with the retention period disclosed in notice  pursu-
    32  ant to section eleven hundred two of this article.
    33    (iv)  Controllers  shall be under a continuing obligation to engage in
    34  reasonable measures to review their activities  for  circumstances  that
    35  may have altered their ability to identify a specific natural person and
    36  to  update  their  classifications of data as identified or identifiable
    37  accordingly.
    38    (c) Non-discrimination. (i) A controller must not discriminate against
    39  a consumer for exercising rights  under  this  act,  including  but  not
    40  limited to, by:
    41    (A) denying services or goods to consumers;
    42    (B) charging different prices for services or goods, including through
    43  the use of discounts or other benefits; imposing penalties; or providing
    44  a different level or quality of services or goods to the consumer; or
    45    (C)  suggesting  that  the  consumer will receive a different price or
    46  rate for services or goods or a different level or quality  of  services
    47  or goods.
    48    (ii)  This  paragraph  does  not  apply to a controller's conduct with
    49  respect to opt-in consent, in which case paragraph  (j)  of  subdivision
    50  two of section eleven hundred two of this article governs.
    51    (d)  Agreements  with  processors.  (i)  Before making any disclosure,
    52  transfer, or sale of personal data to any processor, the controller must
    53  enter into a written, signed contract with that processor. Such contract
    54  must be binding and clearly set forth instructions for processing  data,
    55  the  nature and purpose of processing, the type of data subject to proc-
    56  essing, the duration of processing, and the rights  and  obligations  of

        A. 680--A                          14
 
     1  both  parties.  The  contract  must  also  include requirements that the
     2  processor must:
     3    (A)  ensure  that each person processing personal data is subject to a
     4  duty of confidentiality with respect to the data;
     5    (B) protect the data consistent with the requirements of this act  and
     6  any  statements made by the controller in their publicly available poli-
     7  cies, notices, or similar statements;
     8    (C) process the data only when and to the extent necessary  to  comply
     9  with its legal obligations to the controller unless otherwise explicitly
    10  authorized by the controller;
    11    (D)  not combine the personal information which the processor receives
    12  from or on behalf of the controller with personal information which  the
    13  processor  receives from or on behalf of another person or collects from
    14  its own interaction with consumers;
    15    (E) comply with any exercises of a  consumer's  rights  under  section
    16  eleven  hundred  two of this article upon the request of the controller,
    17  subject to the limitations set forth in section eleven hundred  five  of
    18  this article;
    19    (F)  at the controller's direction, delete or return all personal data
    20  to the controller as requested at the end of the provision of  services,
    21  unless retention of the personal data is required by law;
    22    (G)  upon  the reasonable request of the controller, make available to
    23  the controller all information in its  possession  necessary  to  demon-
    24  strate the processor's compliance with the obligations in this act;
    25    (H)  allow, and cooperate with, reasonable assessments by the control-
    26  ler or the controller's designated assessor; alternatively, the process-
    27  or may arrange for a qualified and independent assessor  to  conduct  an
    28  assessment  of the processor's policies and technical and organizational
    29  measures in support of the  obligations  under  this  article  using  an
    30  appropriate  and  accepted  control standard or framework and assessment
    31  procedure for such assessments. The processor shall provide a report  of
    32  such assessment to the controller upon request;
    33    (I) a reasonable time in advance before disclosing or transferring the
    34  data to any further processors, notify the controller of such a proposed
    35  disclosure  or  transfer  and  provide  the controller an opportunity to
    36  approve or reject the proposal; and
    37    (J) engage  any  further  processor  pursuant  to  a  written,  signed
    38  contract  that  includes  the  contractual requirements provided in this
    39  paragraph, containing at minimum the same obligations that the processor
    40  has entered into with regard to the data.
    41    (ii) A controller must not agree  to  indemnify,  defend,  or  hold  a
    42  processor  harmless,  or  agree  to  a  provision that has the effect of
    43  indemnifying, defending, or holding the processor harmless, from  claims
    44  or  liability  arising  from  the  processor's  breach  of  the contract
    45  required by clause (A) of  subparagraph  (i)  of  this  paragraph  or  a
    46  violation  of this act. Any provision of an agreement that violates this
    47  subparagraph is contrary to public policy and is void and unenforceable.
    48    (iii) Nothing in this paragraph relieves a controller or  a  processor
    49  from the liabilities imposed on it by virtue of its role in the process-
    50  ing relationship as defined by this article.
    51    (iv) Determining whether a person is acting as a controller or proces-
    52  sor with respect to a specific processing of data is a fact-based deter-
    53  mination  that  depends upon the context in which personal data is to be
    54  processed. A processor  that  continues  to  adhere  to  a  controller's
    55  instructions  with  respect  to  a  specific processing of personal data
    56  remains a processor.

        A. 680--A                          15
 
     1    (e) Third parties. (i) A controller must not share,  disclose,  trans-
     2  fer,  or  sell  personal  data,  or facilitate or enable the processing,
     3  disclosure, transfer, or sale of personal data  to  a  third  party  for
     4  which  consent  of  the  consumer pursuant to subdivision two of section
     5  eleven  hundred  two  of  this  article, has not been obtained or is not
     6  currently in effect. Any request for consent to share, disclose,  trans-
     7  fer,  or  sell personal data, or to facilitate or enable the processing,
     8  disclosure, transfer, or sale of personal data to  a  third  party  must
     9  clearly  include  the  identity  of  the  third party and the processing
    10  purposes for which the third-party may use the personal data.
    11    (ii) A controller must not share, disclose, transfer, or sell personal
    12  data, or facilitate or enable the processing, disclosure,  transfer,  or
    13  sale of personal data if it can reasonably expect the personal data of a
    14  consumer  to be used for purposes that the consumer has not consented to
    15  pursuant to subdivision two of section eleven hundred two of this  arti-
    16  cle,  or  if  it  can  reasonably expect that any rights of the consumer
    17  provided in this article would be compromised as a result of such trans-
    18  action.
    19    (iii) Before making any disclosure, transfer, or sale of personal data
    20  to any third party, the controller must enter  into  a  written,  signed
    21  contract.  Such  contract  must  be  binding  and the scope, nature, and
    22  purpose of processing, the type of data subject to processing, the dura-
    23  tion of processing, and the rights  and  obligations  of  both  parties.
    24  Such contract must include requirements that the third party:
    25    (A)  Process  that  data only to the extent permitted by the agreement
    26  entered into with the controller; and
    27    (B) Provide a mechanism to comply with any exercises of  a  consumer's
    28  rights under section eleven hundred two of this article upon the request
    29  of  the  controller, subject to any limitations thereon as authorized by
    30  this article; and
    31    (C) To the extent the disclosure, transfer, or sale  of  the  personal
    32  data  causes  the  third  party  to become a controller, comply with all
    33  obligations imposed on controllers under this article.
    34    2. Processor responsibilities. (a)  For  any  personal  data  that  is
    35  obtained,  received,  purchased,  or  otherwise acquired by a processor,
    36  whether directly from a controller or indirectly from another processor,
    37  the processor must comply with the requirements set forth in clauses (A)
    38  through (J) of subparagraph (i) of paragraph (d) of subdivision  one  of
    39  this section.
    40    (b)  A  processor  is  not  required  to  comply with a request by the
    41  consumer submitted pursuant to this article by a  consumer  directly  to
    42  the processor to the extent that the processor has processed the consum-
    43  er's personal data solely in its role as a processor for a controller.
    44    (c)  Processors  shall  be  under a continuing obligation to engage in
    45  reasonable measures to review their activities  for  circumstances  that
    46  may have altered their ability to identify a specific natural person and
    47  to  update  their  classifications of data as identified or identifiable
    48  accordingly.
    49    (d) A processor shall not engage in any sale of  personal  data  other
    50  than  on behalf of the controller pursuant to any agreement entered into
    51  with the controller.
    52    3. Third-party responsibilities. (a) For any  personal  data  that  is
    53  obtained,  received,  purchased,  or otherwise acquired or accessed by a
    54  third-party from a controller or processor, the third-party must:
    55    (i) Process that data only to the extent permitted by  any  agreements
    56  entered into with the controller;

        A. 680--A                          16
 
     1    (ii)  Process  only the personal data necessary for purposes for which
     2  freely given, specific, informed, and unambiguous opt-in consent  is  in
     3  effect,  as  conveyed  by the controller, limit the use and retention of
     4  that data to what is necessary for such purposes, and shall  immediately
     5  delete  such  personal  data when notified that the consent is withheld,
     6  denied, or withdrawn;
     7    (iii) Comply with any exercises of a consumer's rights  under  section
     8  eleven hundred two of this article upon the request of the controller or
     9  processor,  subject  to  any  limitations  thereon as authorized by this
    10  article; and
    11    (iv) To the extent the third party becomes a controller  for  personal
    12  data,  comply  with  all  obligations  imposed on controllers under this
    13  article.
    14    4. Exceptions. The requirements of this section shall not apply where:
    15    (a) The processing is required by law;
    16    (b) The processing is made pursuant to a request by a federal,  state,
    17  or local government or government entity; or
    18    (c)  The processing significantly advances protection against criminal
    19  or tortious activity.
    20    § 1104. Data brokers. 1. A data broker, as defined under this article,
    21  must:
    22    (a) Annually, on or before January thirty-first following  a  year  in
    23  which a person meets the definition of data broker in this article:
    24    (i) Register with the attorney general;
    25    (ii)  Pay  a  registration  fee of one hundred dollars or as otherwise
    26  determined by the attorney general pursuant to the regulatory  authority
    27  granted  to  the  attorney general under this article, not to exceed the
    28  reasonable cost of establishing and maintaining the database and  infor-
    29  mational website described in this section; and
    30    (iii) Provide the following information:
    31    (A) the name and primary physical, email, and internet website address
    32  of the data broker;
    33    (B) the name and business address of an officer or registered agent of
    34  the data broker authorized to accept legal process on behalf of the data
    35  broker;
    36    (C)  a statement describing the method for exercising consumers rights
    37  under section eleven hundred two of this article;
    38    (D) a statement whether the data broker implements a purchaser creden-
    39  tialing process; and
    40    (E) any additional information or explanation the data broker  chooses
    41  to provide concerning its data collection practices.
    42    2. Notwithstanding any other provision of this article, any controller
    43  that conducts business in the state of New York must:
    44    (a)  annually,  on  or before January thirty-first following a year in
    45  which a person meets the definition of controller in this  act,  provide
    46  to the attorney general a list of all data brokers or persons reasonably
    47  believed  to  be  data brokers to which the controller provided personal
    48  data in the preceding year; and
    49    (b) not sell a consumer's personal data to a data broker that  is  not
    50  registered with the attorney general.
    51    3.  The attorney general shall establish, manage and maintain a state-
    52  wide registry on its internet website, which shall list  all  registered
    53  data  brokers  and  make  accessible  to  the public all the information
    54  provided by data brokers pursuant to this section. Printed  hard  copies
    55  of  such  registry shall be made available upon request and payment of a
    56  fee to be determined by the attorney general.

        A. 680--A                          17
 
     1    4. A data broker that fails to register as required by this section or
     2  submits false information in its registration is,  in  addition  to  any
     3  other  injunction,  penalty, or liability that may be imposed under this
     4  article, liable for civil  penalties,  fees,  and  costs  in  an  action
     5  brought  by  the attorney general as follows: (a) a civil penalty of one
     6  thousand dollars for each day the  data  broker  fails  to  register  as
     7  required  by  this section or fails to correct false information, (b) an
     8  amount equal to the fees that were due during the period  it  failed  to
     9  register,  and  (c)  expenses  incurred  by  the attorney general in the
    10  investigation and prosecution of the action as the court deems appropri-
    11  ate.
    12    § 1105. Limitations. 1. This article does not require a controller  or
    13  processor  to  do  any of the following solely for purposes of complying
    14  with this article:
    15    (a) Reidentify deidentified data;
    16    (b) Comply with a verified consumer request  to  access,  correct,  or
    17  delete  personal  data  pursuant to this article if all of the following
    18  are true:
    19    (i) The controller  is  not  reasonably  capable  of  associating  the
    20  request with the personal data;
    21    (ii)  The  controller  does not associate the personal data with other
    22  personal data about the same specific consumer as  part  of  its  normal
    23  business practice; and
    24    (iii)  The  controller  does  not  sell the personal data to any third
    25  party or otherwise voluntarily disclose or transfer the personal data to
    26  any processor or third party, except  as  otherwise  permitted  in  this
    27  article; or
    28    (c)  Maintain  personal data in identifiable form, or collect, obtain,
    29  retain, or access any personal data or technology, in order to be  capa-
    30  ble of associating a verified consumer request with personal data.
    31    2.  The  obligations  imposed on controllers and processors under this
    32  article do not restrict a controller's or processor's ability to do  any
    33  of  the following, to the extent that the use of the consumer's personal
    34  data is reasonably necessary and proportionate for these purposes:
    35    (a) Comply with federal, state, or local laws, rules, or regulations;
    36    (b) Comply with a civil, criminal,  or  regulatory  inquiry,  investi-
    37  gation,  subpoena, or summons by federal, state, local, or other govern-
    38  mental authorities;
    39    (c) Cooperate with law  enforcement  agencies  concerning  conduct  or
    40  activity  that  the controller or processor reasonably and in good faith
    41  believes may violate federal, state, or  local  laws,  rules,  or  regu-
    42  lations;
    43    (d)  Investigate,  establish,  exercise,  prepare for, or defend legal
    44  claims;
    45    (e) Process personal data necessary to provide the services  or  goods
    46  requested by a consumer, unless the consumer withholds, denies, or with-
    47  draws  consent;  perform a contract to which the consumer is a party; or
    48  take steps at the request of the  consumer  prior  to  entering  into  a
    49  contract;
    50    (f) Take immediate steps to protect the life or physical safety of the
    51  consumer  or  of another natural person, and where the processing cannot
    52  be manifestly based on another legal basis;
    53    (g) Prevent, detect, protect against, or  respond  to  security  inci-
    54  dents,  identity theft, fraud, harassment, malicious or deceptive activ-
    55  ities, or any illegal activity; preserve the integrity  or  security  of

        A. 680--A                          18
 
     1  systems;  or investigate, report, or prosecute those responsible for any
     2  such action; or
     3    (h)  Identify  and  repair  technical  errors  that impair existing or
     4  intended functionality.
     5    3. The obligations imposed on controllers  or  processors  under  this
     6  article  do  not  apply  where compliance by the controller or processor
     7  with this article would violate an evidentiary privilege under New  York
     8  law and do not prevent a controller or processor from providing personal
     9  data  concerning a consumer to a person covered by an evidentiary privi-
    10  lege under New York law as part of a privileged communication.
    11    4. The obligations imposed on controllers  or  processors  under  this
    12  article  do  not  apply  to the publication of newsworthy information of
    13  legitimate public concern to the public, or the processing  or  transfer
    14  of information by a controller for such purpose.
    15    5. A controller that receives a request pursuant to subdivisions three
    16  through six of section eleven hundred two of this article, or a process-
    17  or  or third party to whom a controller communicates such a request, may
    18  decline to fulfill the relevant part of such request if:
    19    (a) the controller, processor, or third party is unable to verify  the
    20  request using commercially reasonable efforts, as described in paragraph
    21  (c) of subdivision eight of section eleven hundred two of this article;
    22    (b)  complying  with the request would be demonstrably impossible (for
    23  purposes of this paragraph, the receipt of a large  number  of  verified
    24  requests,  on  its  own,  is  not sufficient to render compliance with a
    25  request demonstrably impossible);
    26    (c) complying with the request would impair  the  privacy  of  another
    27  individual or the rights of another to exercise free speech; or
    28    (d)  the  personal data was created by a natural person other than the
    29  consumer making the request and is being processed for  the  purpose  of
    30  facilitating interpersonal relationships or public discussion.
    31    §  1106.  Enforcement  and  private  right  of  action. 1. Whenever it
    32  appears to the attorney general, either  upon  complaint  or  otherwise,
    33  that  any  person or persons has engaged in or is about to engage in any
    34  of the acts or practices stated to be unlawful under this  article,  the
    35  attorney  general  may bring an action or special proceeding in the name
    36  and on behalf of the people of the state  of  New  York  to  enjoin  any
    37  violation  of this article, to obtain restitution of any moneys or prop-
    38  erty obtained directly or indirectly by any such  violation,  to  obtain
    39  disgorgement  of any profits obtained directly or indirectly by any such
    40  violation, to obtain civil penalties of not more than  fifteen  thousand
    41  dollars  per  violation, and to obtain any such other and further relief
    42  as the court may deem proper, including preliminary relief.
    43    (a) Any action or special proceeding brought by the  attorney  general
    44  pursuant to this section must be commenced within six years.
    45    (b)  Each  instance  of  unlawful  processing  counts  as  a  separate
    46  violation. Unlawful processing of the personal data  of  more  than  one
    47  consumer  counts  as  a  separate  violation  as  to each consumer. Each
    48  provision of  this  article  that  is  violated  counts  as  a  separate
    49  violation.
    50    (c)  In assessing the amount of penalties, the court must consider any
    51  one or more of the  relevant  circumstances  presented  by  any  of  the
    52  parties,  including,  but  not limited to, the nature and seriousness of
    53  the misconduct, the number of violations, the persistence of the miscon-
    54  duct, the length of time over which the misconduct occurred,  the  will-
    55  fulness  of  the  violator's  misconduct,  and  the violator's financial
    56  condition.

        A. 680--A                          19
 
     1    2. In connection with any proposed action or special proceeding  under
     2  this  section, the attorney general is authorized to take proof and make
     3  a determination of the relevant facts, and to issue subpoenas in accord-
     4  ance with the civil practice law and rules.   The attorney  general  may
     5  also require such other data and information as he or she may deem rele-
     6  vant  and  may  require written responses to questions under oath.  Such
     7  power of subpoena and examination shall not abate or terminate by reason
     8  of any action or special proceeding  brought  by  the  attorney  general
     9  under this article.
    10    3.  Any  person, within or outside the state, who the attorney general
    11  believes may be in possession, custody, or control of any books, papers,
    12  or other things, or may have information, relevant to acts or  practices
    13  stated  to  be  unlawful  in this article is subject to the service of a
    14  subpoena issued by  the  attorney  general  pursuant  to  this  section.
    15  Service  may  be  made in any manner that is authorized for service of a
    16  subpoena or a summons by the state in which service is made.
    17    4. (a) Failure to   comply with a subpoena  issued  pursuant  to  this
    18  section  without reasonable cause tolls the applicable statutes of limi-
    19  tations in any action or special  proceeding  brought  by  the  attorney
    20  general  against the noncompliant person that arises out of the attorney
    21  general's investigation.
    22    (b) If a person fails to comply with a  subpoena  issued  pursuant  to
    23  this  section,  the  attorney  general  may move in the supreme court to
    24  compel compliance.  If the court finds that the subpoena was authorized,
    25  it shall order compliance and may impose a civil penalty of up  to  five
    26  hundred dollars per day of noncompliance.
    27    (c)  Such  tolling and civil penalty shall be in addition to any other
    28  penalties or remedies provided by law for noncompliance with a subpoena.
    29    5. This section shall apply to all acts declared to be unlawful  under
    30  this article, whether or not subject to any other law of this state, and
    31  shall  not  supersede, amend or repeal any other law of this state under
    32  which the attorney general is authorized to take any action  or  conduct
    33  any inquiry.
    34    6.  Any consumer who has been injured by a violation of section eleven
    35  hundred two of this article may bring an action in his or her  own  name
    36  to enjoin such unlawful act or practice and to recover his or her actual
    37  damages  or  one  thousand  dollars, whichever is greater. The court may
    38  also  award  reasonable  attorneys'  fees  to  a  prevailing  plaintiff.
    39  Actions pursuant to this section may be brought on a class-wide basis.
    40    §  1107.  Miscellaneous.  1.  Preemption: This article does not annul,
    41  alter, or affect the laws, ordinances, regulations,  or  the  equivalent
    42  adopted by any local entity regarding the processing, collection, trans-
    43  fer, disclosure, and sale of consumers' personal data by a controller or
    44  processor  subject  to this act, except to the extents those laws, ordi-
    45  nances,  regulations,  or  the  equivalent  are  inconsistent  with  the
    46  provisions  of this act, and then only to the extent of the inconsisten-
    47  cy.
    48    2. Impact report: The attorney general shall issue a report evaluating
    49  this article, its scope, any complaints from consumers or  persons,  the
    50  liability  and enforcement provisions of this article including, but not
    51  limited to, the effectiveness of its efforts to  enforce  this  article,
    52  and  any  recommendations  for  changes to such provisions. The attorney
    53  general shall submit the report to the governor, the temporary president
    54  of the senate, the speaker of the assembly, and the appropriate  commit-
    55  tees  of  the legislature within two years of the effective date of this
    56  section.

        A. 680--A                          20
 
     1    3. Regulatory authority: (a) The attorney general is hereby authorized
     2  and empowered to adopt, promulgate, amend and rescind suitable rules and
     3  regulations to carry out the provisions of this article, including rules
     4  governing the form and content  of  any  disclosures  or  communications
     5  required by this article.
     6    (b)  The  attorney  general  may  request  data  and  information from
     7  controllers conducting business in New York state, other New York  state
     8  government  entities  administering notice and consent regimes, consumer
     9  protection and privacy advocates  and  researchers,  internet  standards
    10  setting  bodies,  such  as  the  internet  engineering taskforce and the
    11  institute of electrical and electronics engineers,  and  other  relevant
    12  sources,  to  conduct  studies to inform suitable rules and regulations.
    13  The attorney general shall receive, upon request, data  from  other  New
    14  York state governmental entities.
    15    4.  Exercise  of  rights: Any consumer right set forth in this article
    16  may be exercised at any time by the consumer who is the subject  of  the
    17  data,  by  an  agent authorized by a consumer to exercise the rights set
    18  forth in this act on their behalf, or by a parent or guardian authorized
    19  by law to take actions of legal consequence on behalf  of  the  consumer
    20  who is the subject of the data.
    21    §  4.  This act shall take effect immediately; provided, however, that
    22  sections 1101, 1102, 1103, 1105, 1106 and 1107 of the  general  business
    23  law, as added by section three of this act, shall take effect January 1,
    24  2022.
Go to top