Ren Art 40 SS900 & 901 to be Art 41 SS1000 & 1001, add Art 40 SS900 - 907, Gen Bus L
Enacts New York State Internet Privacy Law to which operators of websites may voluntarily be subject; limits disclosure of personal information to those submitting to the law by publicizing that they comply with such law; provides for enforcement.
STATE OF NEW YORK
________________________________________________________________________
4985
2011-2012 Regular Sessions
IN ASSEMBLY
February 10, 2011
___________
Introduced by M. of A. BRENNAN, PHEFFER, DINOWITZ, PERRY, JAFFEE,
N. RIVERA, ORTIZ -- Multi-Sponsored by -- M. of A. BOYLAND, CAHILL,
COLTON, COOK, DESTITO, GABRYSZAK, GALEF, GOTTFRIED, HIKIND, JACOBS,
LUPARDO, MARKEY, MAYERSOHN, McENENY, MENG, MILLMAN, REILLY, SCHIMEL,
SWEENEY, TITONE, TOWNS, WRIGHT -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to protecting the
privacy of internet users
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 "New York state internet privacy law".
3 § 2. Legislative intent. 1. The legislature finds that the internet is
4 becoming a major part of the personal and commercial lives of Americans.
5 The internet brings with it much good, such as increased personal know-
6 ledge and communications, and increased and more efficient commercial
7 opportunities.
8 2. The privacy of personal information flowing over the internet is of
9 concern. Vast amounts of personal information about individual internet
10 users are collected on the internet and sold or otherwise transferred to
11 third parties. Polls consistently show that individual internet users
12 are highly troubled over their lack of control over their personal
13 information. In fact, concern over personal privacy is one of the
14 biggest factors holding back even greater commercial development of the
15 internet.
16 3. The right to privacy is a personal and fundamental right worthy of
17 protection through appropriate legislation. Industry has developed
18 several self-policing schemes, but none of them are enforceable in a
19 meaningful way. Meaningful, enforceable internet privacy rules would
20 protect New York citizens and would foster the growth of electronic
21 commerce in New York.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08079-01-1
A. 4985 2
1 4. The legislature intends to establish strong privacy rules to which
2 an operator of a website or online service may voluntarily choose to
3 submit. The incentive for the operator to submit will be that it may
4 publicize that it complies with the New York state internet privacy law.
5 Any operator who does so advertise may be subject to an enforcement
6 action.
7 § 3. Article 40 and sections 900 and 901 of the general business law,
8 as renumbered by chapter 407 of the laws of 1973, are renumbered article
9 41 and sections 1000 and 1001 and a new article 40 is added to read as
10 follows:
11 ARTICLE 40
12 NEW YORK STATE INTERNET PRIVACY LAW
13 Section 900. Definitions.
14 901. Applicability of article.
15 902. Disclosure of personal information.
16 903. Third parties.
17 904. User's right to inspect and correct information.
18 905. Duration of operator's responsibility.
19 906. Enforcement.
20 907. Separability clause.
21 § 900. Definitions. As used in this article:
22 1. The term "internet" means collectively the myriad of computer and
23 telecommunications facilities, including equipment and operating soft-
24 ware, which comprise the interconnected world-wide network of networks
25 that employ the Transmission Control Protocol/Internet Protocol, or any
26 predecessor or successor protocols to such protocol, to communicate
27 information of all kinds by wire or radio.
28 2. The term "operator" means any person who operates a website located
29 on the internet or an online service and who collects or maintains
30 personal information from or about the users of or visitors to such
31 website or online service, or on whose behalf such information is
32 collected or maintained, where such website or online service is oper-
33 ated for commercial purposes, including any person offering products or
34 services for sale through that website or online service, involving
35 commerce.
36 3. The term "user" means a person who uses an online service or visits
37 a website.
38 4. The term "personal information" means individually identifiable
39 information about an individual collected online, including:
40 (a) a first and last name;
41 (b) a home or other physical address including street name and name of
42 a city or town;
43 (c) an e-mail address;
44 (d) a telephone number;
45 (e) a social security number;
46 (f) any other identifier that permits the physical or online contact-
47 ing of a specific individual; or
48 (g) information concerning a child or the parents of that child that
49 the operator collects online from the child and combines with another
50 identifier set forth in this subdivision.
51 5. The term "disclosure" means, with respect to personal information:
52 (a) the release of personal information collected in identifiable form
53 by an operator for any purpose, except where such information is
54 provided to a person other than the operator who provides support for
55 the internal operations of the website and does not disclose or use that
56 information for any other purpose; and
A. 4985 3
1 (b) making personal information collected from a child by a website or
2 online service directed to children or with actual knowledge that such
3 information was collected from a child, publicly available in identifi-
4 able form, by any means including by a public posting, through the
5 internet, or through:
6 (i) a home page of a website;
7 (ii) a pen pal service;
8 (iii) an electronic mail service;
9 (iv) a message board; or
10 (v) a chat room.
11 6. The term "third party" means a person other than the user or the
12 operator, or an employee of the operator.
13 § 901. Applicability of article. An operator is subject to this arti-
14 cle if it advertises or otherwise publicly states that it complies with
15 the "New York State Internet Privacy Law".
16 § 902. Disclosure of personal information. 1. An operator shall not
17 disclose to a third party any personally identifiable information
18 obtained from a user without the user's prior informed, affirmative
19 written consent.
20 2. Informed consent requires that the operator notify the user of the
21 identity of any third party which will receive his or her personal
22 information, and for what purpose the information will be used.
23 3. Informed written consent may be obtained only upon notice to a user
24 of his or her rights under this law. Such notice must be in writing,
25 clear and conspicuous, and in plain English.
26 4. An operator shall permit a person to revoke the consent granted
27 under subdivision one of this section at any time, and upon such revoca-
28 tion, such operator shall cease disclosing such information to a third
29 party.
30 5. An operator or an employee of such operator shall not knowingly
31 disclose to a third party any personally identifiable information
32 provided by a subscriber to such service that such service, or such
33 employee, has knowingly falsified.
34 6. Notwithstanding the provisions of subdivision one of this section,
35 neither an operator nor the operator's agent shall be held to be liable
36 for any disclosure made in good faith and following reasonable proce-
37 dures in responding to a request for disclosure of personal information
38 under the federal Children's Online Privacy Protection Act to the parent
39 of a child.
40 7. Notwithstanding the provisions of subdivision one of this section,
41 an operator may disclose personal information, without notice to the
42 user, when necessary to respond to a court order, subpoena, or other
43 legal process.
44 § 903. Third parties. 1. Prior to disclosing personal information to a
45 third party, an operator shall inform the third party of the provisions
46 of this article, and obtain from the third party a written certification
47 that the third party will comply with this article.
48 2. A third party which receives personal information pursuant to this
49 article may use such information only for the purpose of which the user
50 has been notified.
51 § 904. User's right to inspect and correct information. 1. Upon
52 request an operator shall (a) provide a person with his or her personal
53 information maintained by the operator; (b) permit the user to verify
54 such information maintained by the service; and (c) permit the user to
55 correct any error in such information.
A. 4985 4
1 2. Upon request, an operator shall provide to the user the identity of
2 the third party recipients of his of her personal information.
3 3. An operator shall not charge a fee for one annual request that a
4 person makes for the information set forth in subdivision four or five
5 of section nine hundred of this article. For additional requests, an
6 operator may charge a fee consisting of the operator's actual cost of
7 providing the information. An operator shall provide an ability for a
8 user to electronically request and receive the information set forth in
9 this section.
10 § 905. Duration of operator's responsibility. Any personal information
11 which an operator obtains within thirty days of the operator's last
12 advertisement or public statement pursuant to section nine hundred one
13 of this article shall be subject to this article.
14 § 906. Enforcement. 1. Any person found to have violated this article,
15 knowingly or recklessly, shall be liable to the aggrieved user for all
16 actual damages sustained by such user as a direct result of the
17 violation, provided that any subscriber who prevails or substantially
18 prevails in any action brought under this section shall receive not less
19 than five hundred dollars in damages, regardless of the amount of actual
20 damage proved, plus costs, disbursements and reasonable attorney's fees.
21 An action brought pursuant to this section may be maintained as a class
22 action.
23 2. Whenever there shall be a violation of this article, an application
24 may be made by the attorney general in the name of the people of the
25 state of New York to a court or justice having jurisdiction by a special
26 proceeding to issue an injunction, and upon notice to the defendant of
27 not less than five days, to enjoin and restrain the continuation of such
28 violation; and if it shall appear to the satisfaction of the court or
29 justice that the defendant has, in fact, violated this article, an
30 injunction may be issued by such court or justice, enjoining and
31 restraining any further violation, without requiring proof that any
32 person has, in fact, been injured or damaged thereby. In any such
33 proceeding, the court may make allowances to the attorney general as
34 provided in paragraph six of subdivision (a) of section eighty-three
35 hundred three of the civil practice law and rules and direct restitu-
36 tion. Whenever the court shall determine that a grossly negligent
37 violation of this article has occurred, the court may impose a civil
38 penalty of not more than one thousand dollars for such violation. In
39 connection with any such proposed application, the attorney general is
40 authorized to take proof and make a determination of the relevant facts
41 and to issue subpoenas in accordance with the civil practice law and
42 rules.
43 3. The remedies provided by this article shall be in addition to any
44 other lawful remedy available to a subscriber.
45 4. No action may be brought under the provisions of this section
46 unless such action is commenced within the two years from the date of
47 the act complained of or the date of discovery of such act.
48 § 907. Separability clause. If any clause, paragraph, section or part
49 of this article shall be adjudged by any court of competent jurisdiction
50 to be invalid or unconstitutional, such judgment shall not affect,
51 impair or invalidate the remainder thereof, but shall be confined in its
52 operation to the clause, sentence, paragraph, section or part thereof
53 directly involved in the controversy in which such judgment shall have
54 been rendered.
55 § 4. This act shall take effect on the one hundred eightieth day after
56 it shall have become a law.
