A08486 Summary:

BILL NO    A08486

SAME AS    No same as

SPONSOR    Millman

COSPNSR

MLTSPNSR
 
Add S4509-a, CPLR, add S399-ff, Gen Bus L
 
Creates the Reader Privacy Act.

A08486 Actions:

BILL NO    A08486

06/17/2011    referred to judiciary
01/04/2012    referred to judiciary

A08486 Floor Votes:

There are no votes for this bill in this legislative session.

A08486 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          8486
 
                               2011-2012 Regular Sessions
 
                   IN ASSEMBLY
 
                                      June 17, 2011
                                       ___________
 
        Introduced  by M. of A. MILLMAN -- read once and referred to the Commit-
          tee on Judiciary
 
        AN ACT to amend the civil practice law and rules and the  general  busi-
          ness law, in relation to enacting "The Reader Privacy Act"
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 

     1    Section 1. This act shall be known and may be  cited  as  "The  Reader
     2  Privacy Act".
     3    §  2.  The  civil  practice  law  and rules is amended by adding a new
     4  section 4509-a to read as follows:
     5    § 4509-a. Book service records. (a) For purposes of this section:
     6    (1) "Book" means paginated or similarly organized content in  printed,
     7  audio,  electronic,  or  other  format,  including  fiction, nonfiction,
     8  academic, or other works of the type normally published in a  volume  or
     9  volumes.
    10    (2)  "Book  service"  means  a  service  that, as its primary purpose,
    11  provides the rental, purchase, borrowing, browsing, or viewing of books.
    12    (3) "Government entity" means any state or  local  agency,  including,

    13  but not limited to, a law enforcement or any other investigative agency,
    14  department,  division,  bureau,  board, or commission, or any individual
    15  acting or purporting to act for or on behalf of a state or local agency.
    16    (4) "Personal information" means all of the following:
    17    (A) Any information that identifies,  relates  to,  describes,  or  is
    18  associated with a particular user, including, but not limited to, his or
    19  her name, signature, social security number, physical characteristics or
    20  description,   address,  telephone  number,  passport  number,  driver's
    21  license or state identification card number,  insurance  policy  number,
    22  education,  employment,  employment history, bank account number, credit

    23  card number, debit card number,  or  any  other  financial  information,
    24  medical information, or health insurance information. "Personal informa-
    25  tion"  does  not include publicly available information that is lawfully
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD13166-01-1

        A. 8486                             2
 
     1  made available to the general  public  from  federal,  state,  or  local
     2  government records.
     3    (B)  A unique identifier or internet protocol address, when that iden-
     4  tifier or address is being used to identify, relate to, describe, or  be

     5  associated with a particular user of a book service or book, in whole or
     6  in partial form.
     7    (C) Any information that relates to, or is capable of being associated
     8  with,  a particular user's access to or use of a book service or a book,
     9  in whole or in partial form.
    10    (5) "Provider" means any commercial entity offering a book service  to
    11  the public.
    12    (6) "User" means any person or entity that uses a book service.
    13    (b)  A provider shall not knowingly disclose to any government entity,
    14  or be compelled to disclose to any person, private entity, or government
    15  entity, any personal information of a user,  except  under  any  of  the
    16  following circumstances:

    17    (1)  A  provider  shall  disclose  personal information of a user to a
    18  government entity only pursuant to  a  court  order  issued  by  a  duly
    19  authorized  court with jurisdiction over an offense that is under inves-
    20  tigation and only if all of the following conditions are met:
    21    (A) The court issuing the order finds that probable  cause  exists  to
    22  believe  the  personal information requested is relevant evidence to the
    23  investigation of an offense and the requirements of article six  hundred
    24  ninety of the criminal procedure law are satisfied.
    25    (B)  The court issuing the order finds that the person or entity seek-
    26  ing disclosure has a  compelling  interest  in  obtaining  the  personal
    27  information sought.

    28    (C)  The  court  issuing the order finds that the personal information
    29  sought cannot be obtained by the person  or  entity  seeking  disclosure
    30  through less intrusive means.
    31    (D) The person or entity seeking disclosure provides the provider with
    32  reasonable notice of the proceeding prior to the issuance of the order.
    33    (E) The opportunity to appear and contest the issuance of the order is
    34  afforded to the provider prior to the issuance of the order.
    35    (F)  Notice  of the order is given to the user by the person or entity
    36  seeking disclosure contemporaneous with execution of the  order,  unless
    37  there  is  a  judicial determination of a strong showing of necessity to
    38  delay that notification for a reasonable period of time, not  to  exceed

    39  seven days.
    40    (2)  A provider shall disclose personal information of a user pursuant
    41  to a court order in a pending civil or administrative action, if all  of
    42  the following conditions are met:
    43    (A)  The court issuing the order finds that the person or entity seek-
    44  ing disclosure has a  compelling  interest  in  obtaining  the  personal
    45  information sought.
    46    (B)  The  court  issuing the order finds that the personal information
    47  sought cannot be obtained by the person  or  entity  seeking  disclosure
    48  through less intrusive means.
    49    (C)  The person or entity seeking disclosure takes reasonable steps to
    50  provide the user and the provider with reasonable notice of the proceed-

    51  ing prior to the issuance of the court order in a timely manner to allow
    52  the user and provider the opportunity to appear and contest the issuance
    53  of the court order.
    54    (D) The provider refrains from  disclosing  any  personal  information
    55  pursuant  to  the court order until it provides notice to the user about
    56  the issuance of the order and the ability to appear and quash the order,

        A. 8486                             3
 
     1  and the user has been given a reasonable opportunity to appear and quash
     2  the order.
     3    (3)  A  provider  shall disclose the personal information of a user to
     4  any person if the user  has  given  his  or  her  informed,  affirmative

     5  consent to the specific disclosure for a particular purpose.
     6    (4)  A provider may disclose to a government entity, if the government
     7  entity asserts, and the provider in good faith believes, that  there  is
     8  an  imminent  danger  of  death or serious physical injury requiring the
     9  immediate disclosure of the requested personal information and there  is
    10  insufficient  time to obtain a court order.  The government entity seek-
    11  ing the disclosure shall provide the provider with a  written  statement
    12  setting  forth the facts giving rise to the emergency upon request or no
    13  later than forty-eight hours after seeking disclosure.
    14    (5) A provider may disclose personal information of a user of  a  book

    15  service  to  a  government entity if the provider in good faith believes
    16  that the personal information is evidence directly related and  relevant
    17  to a crime against the provider or that user of the book service.
    18    (c)  (1)  Any  court  issuing  an  order  requiring  the disclosure of
    19  personal information of a user of a book service shall impose  appropri-
    20  ate  safeguards against the unauthorized disclosure of personal informa-
    21  tion by the provider pursuant to the order.
    22    (2) The court may, in its discretion, quash or modify an order requir-
    23  ing the disclosure of the user's personal information upon a motion made
    24  by the user, provider, or person or entity seeking disclosure.
    25    (d) Except as proof in an action for a violation of this  section,  no

    26  evidence  obtained  in  violation of this section shall be admissible in
    27  any civil, administrative, or other proceeding.
    28    (e) (1) Violations of this section shall be subject to  the  following
    29  penalties:
    30    (A)  Any provider that knowingly provides personal information about a
    31  user to a government entity  in  violation  of  this  section  shall  be
    32  subject  to  a civil penalty not to exceed five hundred dollars for each
    33  violation, which may be recovered in  a  civil  action  brought  by  the
    34  person who is the subject of the records.
    35    (B)  Any  provider  that  knowingly provides personal information to a
    36  government entity in violation of this section shall, in addition to the

    37  penalty prescribed by subparagraph (A) of this paragraph, be subject  to
    38  a  civil  penalty not to exceed five hundred dollars for each violation,
    39  which may be assessed and recovered in a civil  action  brought  by  the
    40  attorney  general,  by  any  district attorney or city attorney, or by a
    41  city prosecutor in any city having a full-time city prosecutor,  in  any
    42  court of competent jurisdiction.
    43    (2)  If  an action is brought by the attorney general, one-half of the
    44  penalty collected shall be paid to the treasurer of the county in  which
    45  the  judgment was entered, and one-half to the general fund described in
    46  section seventy-two of the state finance law. If the action  is  brought

    47  by a district attorney, the penalty collected shall be paid to the trea-
    48  surer  of the county in which the judgment was entered. If the action is
    49  brought by a city attorney or city prosecutor, one-half of  the  penalty
    50  shall  be  paid  to  the treasurer of the city in which the judgment was
    51  entered, and one-half to the treasurer of the county in which the  judg-
    52  ment was entered.
    53    (3) The penalties provided by this section are not the exclusive reme-
    54  dy and do not affect any other relief or remedy provided by law.

        A. 8486                             4
 
     1    (4) A civil action brought pursuant to this section shall be commenced
     2  within two years after the date upon which the claimant first discovered

     3  the violation.
     4    (f)  An  objectively  reasonable  reliance  by the provider on a court
     5  order for the disclosure of personal information of a  user  of  a  book
     6  service,  or  on any of the enumerated exceptions to the confidentiality
     7  of a user's personal  information  set  forth  in  this  section,  is  a
     8  complete defense to any civil, administrative, or criminal action.
     9    (g)  Unless  disclosure  of  information  pertaining  to  a particular
    10  request or set of requests is specifically prohibited by law, a provider
    11  shall prepare a report including all of the  following  information,  to
    12  the extent it can be reasonably determined:
    13    (1)  The  number  of  grand  jury  subpoenas, civil and administrative

    14  subpoenas, federal and  state  civil  and  criminal  court  orders,  and
    15  requests  for  information made with the informed consent of the user as
    16  described in paragraph three of subdivision (b) of this section, seeking
    17  disclosure of any personal information of a user related to  the  access
    18  or  use of a book service or book, received by the provider from January
    19  first to December thirty-first, inclusive, of the previous year.
    20    (2) The number of disclosures made by the provider pursuant  to  para-
    21  graphs  four  and  five  of subdivision (b) of this section from January
    22  first to December thirty-first, inclusive, of the previous year.
    23    (3) For each category of demand  or  disclosure,  the  provider  shall
    24  include all of the following information:

    25    (A)  The  number of times notice of a court order in a criminal, civil
    26  or administrative action has been provided by the provider and the  date
    27  the notice was provided.
    28    (B) The number of times personal information has been disclosed by the
    29  provider.
    30    (C)  The number of times no personal information has been disclosed by
    31  the provider.
    32    (D) The number of times the provider contests the demand.
    33    (E) The number of times the user contests the demand.
    34    (F) The number of users whose personal information  was  disclosed  by
    35  the provider.
    36    (G) The type of personal information that was disclosed and the number
    37  of times that type of personal information was disclosed.

    38    (h) Reports prepared pursuant to subdivision (g) of this section shall
    39  be  made publicly available in an online, searchable format on or before
    40  March first of each year. If the provider does not have an internet  web
    41  site, the provider shall post the reports prominently on its premises or
    42  send  the  reports  to  the  office of the attorney general on or before
    43  March first of each year.
    44    (i) Any provider operating a commercial web  site  or  online  service
    45  that  collects user information through the internet from or about indi-
    46  vidual consumers residing in the state who use or visit  its  commercial
    47  web  site  or  online  service shall create a prominent hyperlink to its
    48  latest report published pursuant to subdivision (h) of this  section  in

    49  the  disclosure  section  of  the  privacy policy applicable to its book
    50  service on or before March first of each year.
    51    (j) Nothing in this section shall otherwise affect the rights  of  any
    52  person under any other law of this state.
    53    §  3. The general business law is amended by adding a new section 399-
    54  ff to read as follows:
    55    § 399-ff. Reader privacy.  1. Any provider operating a commercial  web
    56  site  or  online  service that collects personal information through the

        A. 8486                             5
 
     1  internet from or about individual consumers residing in  the  state  who
     2  use or visit its commercial web site or online service shall:
     3    (a) create a prominent hyperlink to its privacy policy to disclose its

     4  information  gathering and dissemination practices related to the inter-
     5  net; and
     6    (b) require that, prior to being given access to the site or  service,
     7  all  individual consumers desiring to utilize the commercial web site or
     8  online service check a notification  box  located  after  the  following
     9  statement: "I understand that by agreeing to this I am giving up certain
    10  privacy  rights".  Such  statement and box shall be conspicuously posted
    11  directly above the terms  of  services  acceptance  and  acknowledgement
    12  statement and notification box.
    13    2.  The privacy policy required by paragraph (a) of subdivision one of
    14  this section shall describe, at a minimum,  the  provider's  information

    15  practices  with  regard  to  the  following  matters in clear and easily
    16  understandable language:
    17    (a) the types of  personal  information  that  the  provider  collects
    18  through  the web site or online service from or about individual consum-
    19  ers;
    20    (b) the manner in which the provider uses the information;
    21    (c) whether and under what circumstances the  provider  discloses  the
    22  obtained  information  to  other  entities  or  persons,  including  law
    23  enforcement agencies;
    24    (d) whether and under what circumstances other  entities  or  persons,
    25  including  law  enforcement agencies, are collecting information through
    26  the provider web site;

    27    (e) the identities of other entities or persons with whom the provider
    28  may share personal information;
    29    (f) the process for a consumer who uses or visits the  provider's  web
    30  site  or  online  service to review and request changes to any of his or
    31  her personally identifiable information that is  collected  through  the
    32  web site or online service, if such process exists; and
    33    (g)  the  process  by which the provider notifies consumers who use or
    34  visit its commercial web site or online service of material  changes  to
    35  the provider's privacy policy for that web site or online service.
    36    3.  A  provider  shall be in violation of this subdivision only if the
    37  provider fails to post its policy within thirty days after  being  noti-

    38  fied of noncompliance.
    39    4. As used in this section:
    40    (a) "Personal information" means all of the following:
    41    (1)  any  information  that  identifies,  relates to, describes, or is
    42  associated with a particular person, including, but not limited to,  his
    43  or her name, signature, social security number, physical characteristics
    44  or  description,  address,  telephone  number, passport number, driver's
    45  license or state identification card number,  insurance  policy  number,
    46  education,  employment,  employment history, bank account number, credit
    47  card number, debit card number,  or  any  other  financial  information,
    48  medical information, or health insurance information. "Personal informa-

    49  tion"  does  not include publicly available information that is lawfully
    50  made available to the general  public  from  federal,  state,  or  local
    51  government records;
    52    (2)  a unique identifier or internet protocol address, when that iden-
    53  tifier or address is being used to identify, relate to, describe, or  be
    54  associated  with a particular person of a book service or book, in whole
    55  or in partial form; and

        A. 8486                             6
 
     1    (3) any information that relates to, or is capable of being associated
     2  with, a particular person's access to or use of  a  book  service  or  a
     3  book, in whole or in partial form.
     4    (b)  "Provider" means any commercial entity offering a book service to

     5  the public.
     6    (c) "Consumer" means any individual who seeks or acquires, by purchase
     7  or lease, any goods, services, money, or credit for personal, family, or
     8  household purposes.
     9    § 4. This act shall take effect on the sixtieth  day  after  it  shall
    10  become a law.