Requires internet service providers to provide customers with a copy of their privacy policy and to obtain written and explicit permission from a customer prior to sharing, using, selling or providing to a third party any sensitive information of such customer.
STATE OF NEW YORK
________________________________________________________________________
7236
2017-2018 Regular Sessions
IN ASSEMBLY
April 12, 2017
___________
Introduced by M. of A. ZEBROWSKI, SKOUFIS, BUCHWALD, JAFFEE, MONTESANO
-- Multi-Sponsored by -- M. of A. CROUCH, SIMON -- read once and
referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to requiring
internet service providers to provide customers with a copy of their
privacy policy and to obtain written and explicit permission from a
customer prior to sharing, using, selling or providing to a third
party any sensitive information of such customer
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new section
2 390-bb to read as follows:
3 § 390-bb. Internet service providers; customer data privacy. 1. For
4 the purposes of this section the following terms shall have the follow-
5 ing meanings:
6 (a) "Internet service provider" means any person, business, or organ-
7 ization who is qualified to conduct business in the state that provides
8 individuals, corporations, or other entities with access to the internet
9 as part of a service.
10 (b) "Customer" means any person, corporation or entity which pays a
11 fee to an internet service provider for access to the internet as part
12 of a service.
13 (c) "Sensitive information" means any information that which can iden-
14 tify the customer or any other information that is specifically attrib-
15 utable to such customer including, but not limited to, financial or
16 medical data, biographical information, communication content, browsing
17 or web history, or internet usage.
18 (d) "Non-sensitive information" means information collected on users
19 that is not specific to an individual customer including, but not limit-
20 ed to, aggregated use, subscription data or other macro level informa-
21 tion.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD10887-01-7
A. 7236 2
1 2. Each internet service provider shall provide customers with a copy,
2 either in writing or in electronic form, of their privacy policy that
3 shall include its data collection and use practices, third party
4 relationships, purpose of the data collection and process for customers
5 to exercise control over their information as provided in this section.
6 The privacy policy shall be provided to customers upon entering into a
7 contract with the internet service provider and subsequently upon any
8 significant changes made to such policy.
9 3. An internet service provider shall obtain written and explicit
10 permission from a customer prior to sharing, using, selling or providing
11 to a third party any sensitive information of such customer. The inter-
12 net service provider shall provide to the customer a clear and conspicu-
13 ous description of the intended use of their information, including, but
14 not limited to, type of information that may be disclosed, purpose of
15 such disclosure, and all third party entities that may be receiving or
16 using the information.
17 4. A customer shall have the option to remove their consent for the
18 use or disclosure of non-sensitive information. The internet service
19 provider shall develop a process for a customer to easily remove their
20 consent for the use of any non-sensitive information. The process shall
21 include a detailed description of the intended use of their information,
22 including, but not limited to, type of information that may be
23 disclosed, purpose of such disclosure, and all third party entities that
24 may be receiving or using the information.
25 5. An internet service provider shall not, as a condition of the
26 service, require consent from a customer for use of their sensitive or
27 non-sensitive information.
28 6. An internet service provider may use sensitive or non-sensitive
29 information without consent from the customer if such information is
30 necessary in providing the service to the customer, including, but not
31 limited to, billing, installation, and support.
32 7. Whenever there shall be a violation of this section, an application
33 may be made by the attorney general in the name of the people of the
34 state of New York to a court or justice having jurisdiction by a special
35 proceeding to issue an injunction, and upon notice to the defendant of
36 not less than five days, to enjoin and restrain the continuance of such
37 violation; and if it shall appear to the satisfaction of the court or
38 justice that the defendant has, in fact, violated this section, an
39 injunction may be issued by such court or justice, enjoining and
40 restraining any further violation, without requiring proof that any
41 person has, in fact, been injured or damaged thereby. In any such
42 proceeding, the court may make allowances to the attorney general as
43 provided in paragraph six of subdivision (a) of section eighty-three
44 hundred three of the civil practice law and rules, and direct restitu-
45 tion. Whenever the court shall determine that a violation of this
46 section has occurred, the court may impose a civil penalty of not more
47 than five hundred dollars for a single violation and not more than fifty
48 thousand dollars for multiple violations resulting from a single act or
49 incident. In connection with any such proposed application, the attorney
50 general is authorized to take proof and make a determination of the
51 relevant facts and issue subpoenas in accordance with the civil practice
52 law and rules.
53 § 2. This act shall take effect on the sixtieth day after it shall
54 have become a law.