S07724 Summary:

BILL NO: S07724
 
SAME AS: A07613
 
SPONSOR: SANDERS
 
COSPNSR
 
MLTSPNSR
 
Add Art 5-A §§81 - 89-b, Exec L
 
Relates to establishing the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.

S07724 Actions:

BILL NO: S07724
 
02/11/2020 REFERRED TO INVESTIGATIONS AND GOVERNMENT OPERATIONS

S07724 Committee Votes:


S07724 Floor Votes:

There are no votes for this bill in this legislative session.

S07724 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          7724
 
                    IN SENATE
 
                                    February 11, 2020
                                       ___________
 
        Introduced  by  Sen. SANDERS -- read twice and ordered printed, and when
          printed to be committed to the Committee on Investigations and Govern-
          ment Operations
 
        AN ACT to amend the executive law, in relation to enacting the New  York
          data protection act
 
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  the "New York data protection act".
     3    §  2. The executive law is amended by adding a new article 5-A to read
     4  as follows:
     5                                 ARTICLE 5-A
     6                        NEW YORK DATA PROTECTION ACT
     7  Section 81. Definitions.
     8          82.   Right to request disclosure.
     9          83.   Right to request deletion of personal information.
    10          84.   Personal information which may be requested.
    11          85.   Shared information; government entities or contractors.
    12          86.   Non-shareable personal information.
    13          87.   Right not to be discriminated against.
    14          88.   Accessibility.
    15          89.   Limitation on restrictions.
    16          89-a. Relief.
    17          89-b. Compliance guidance.
    18  § 81. Definitions. As used in this article, the  following  terms  shall
    19  have the following meanings unless otherwise specified:
    20    1.  "Aggregate  personal  information"  shall  mean  information  that
    21  relates to a group or category of  individuals,  from  which  individual
    22  identities  have been removed, that is not linked or reasonably linkable
    23  to any individual or household, including  via  a  device.    "Aggregate
    24  personal  information"  shall  not mean one or more individual's records
    25  that have been de-identified.
    26    2. "Collects", "collected",  or  "collection"  shall  mean  gathering,
    27  obtaining,  receiving,  or accessing any personal information pertaining
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD11525-01-9

        S. 7724                             2
 
     1  to an individual by any means. This includes receiving information  from
     2  such individual either actively or passively.
     3    3.  "Contractor" means a contractor, or subcontractor of a contractor,
     4  that contracts to process information on behalf of a  government  entity
     5  and  to  which such government entity discloses an individual's personal
     6  information for a legitimate government purpose pursuant  to  a  written
     7  contract,  provided  that  such  contract  prohibits  such contractor or
     8  subcontractor receiving such personal information from retaining, using,
     9  or disclosing such personal information for any purpose other  than  for
    10  the  specific  purpose  of  performing  the  services  specified in such
    11  contract, or as otherwise permitted by this article,  including  retain-
    12  ing,  using,  or  disclosing  such personal information for a commercial
    13  purpose other than providing the services specified in the contract.
    14    4. "Deidentified" shall mean information that cannot reasonably  iden-
    15  tify,  relate  to,  describe, be capable of being associated with, or be
    16  linked, directly or indirectly, to  a  particular  individual,  provided
    17  that a government entity that uses such deidentified information:
    18    (a)  has  implemented technical safeguards and processes that prohibit
    19  reidentification of the individual to whom such information may pertain;
    20    (b) has  implemented  processes  to  prevent  inadvertent  release  of
    21  deidentified information; and
    22    (c) makes no attempt to reidentify such information.
    23    5.  "Designated  methods for submitting requests" shall mean a mailing
    24  address, email address, internet web page, internet  web  portal,  toll-
    25  free  telephone number, or other applicable contact information, whereby
    26  individuals may submit a request or direction under  this  article,  and
    27  any  new  means  of  contacting  a government entity, as approved by the
    28  attorney general.
    29    6. "Device" shall mean any physical object that is capable of connect-
    30  ing to the internet, directly or indirectly, or to another device.
    31    7. "Government entity" or "entity" shall mean any state agency or  any
    32  part, body, or subdivision thereof.
    33    8. "Homepage" shall mean the introductory page of an internet web site
    34  and any internet web page where personal information is collected.
    35    9.  "Individual"  shall  mean  a  person who is a resident of New York
    36  state.
    37    10. (a) "Personal information" shall mean information that identifies,
    38  relates to, describes, is capable of being  associated  with,  or  could
    39  reasonably be linked, directly or indirectly, with a particular individ-
    40  ual  or household. Personal information includes, but is not limited to,
    41  the following:
    42    (i) identifiers such as a real name,  alias,  postal  address,  unique
    43  personal  identifier,  internet  protocol address, email address, social
    44  security number, driver's license number, passport  number,  photograph,
    45  or other similar identifiers;
    46    (ii)  characteristics  of  protected classifications under New York or
    47  federal law;
    48    (iii) commercial information, including records of  real  or  personal
    49  property;
    50    (iv) biometric information;
    51    (v) audio, electronic, visual, or similar information;
    52    (vi) professional or employment-related information;
    53    (vii)  education  information,  defined  as  information  that  is not
    54  publicly available personally identifiable information as defined in the
    55  family educational rights and privacy act (20 USC 1232g);

        S. 7724                             3
 
     1    (viii) inferences drawn from any of the information identified in this
     2  subdivision to create a profile  about  an  individual  reflecting  such
     3  individual's preferences, characteristics, psychological trends, predis-
     4  positions,  behavior, attitudes, intelligence, abilities, and aptitudes;
     5  and
     6    (ix) financial or tax information.
     7    (b) "Personal information" shall not include publicly available infor-
     8  mation.  For these purposes, "publicly available" shall mean information
     9  that is lawfully made available from federal, state, or local government
    10  records, or any conditions associated with such  information.  "Publicly
    11  available" shall not include an individual's information that is deiden-
    12  tified or aggregate personal information.
    13    11.  "Probabilistic  identifier"  shall  mean the identification of an
    14  individual or a device to a degree of certainty of  more  probable  than
    15  not  based  on  any  categories  of personal information included in, or
    16  similar to,  the  categories  enumerated  in  subdivision  ten  of  this
    17  section.
    18    12. "Process" or "processing" shall mean any operation or set of oper-
    19  ations  that are performed on personal data or on sets of personal data,
    20  whether or not by automated means.
    21    13. "Pseudonymize" or "pseudonymization" shall mean the processing  of
    22  personal  information in a manner that renders such personal information
    23  no longer attributable to a specific individual without the use of addi-
    24  tional information, provided that such additional  information  is  kept
    25  separately  and  is  subject to technical and organizational measures to
    26  ensure that such personal information is not attributed to an identified
    27  or identifiable individual.
    28    14. (a) "Sell", "selling", "sale", or "sold" shall mean selling, rent-
    29  ing, releasing,  disclosing,  disseminating,  making  available,  trans-
    30  ferring, or otherwise communicating orally, in writing, or by electronic
    31  or  other  means,  an  individual's personal information by a government
    32  entity or contractor to a third party for  monetary  or  other  valuable
    33  consideration.
    34    (b)  A government entity or contractor does not sell personal informa-
    35  tion within the meaning of this article when:
    36    (i) An individual uses or directs such government entity or contractor
    37  to  intentionally  disclose  personal  information  to  a  third  party,
    38  provided  such third party also does not sell such personal information,
    39  unless such disclosure would be consistent with the provisions  of  this
    40  article.
    41    (ii)  Such government entity or contractor uses or shares with a third
    42  party personal information of an individual that is necessary to perform
    43  a legitimate government purpose if both of the following conditions  are
    44  met:
    45    (1)  the  government  entity  or  contractor  has provided notice that
    46  information is being used or shared; and
    47    (2) the third party  does  not  further  collect,  sell,  or  use  the
    48  personal  information  of such individual except as necessary to perform
    49  the business purpose for which it received such information.
    50    (iii) A contractor who transfers to  a  third  party  an  individual's
    51  personal  information as an asset that is part of a merger, acquisition,
    52  bankruptcy, or other transaction in which such contractor or third party
    53  assumes control of all or part of such third party  provided  that  such
    54  information  is  used  or  shared consistently with this article.   If a
    55  third party materially alters how it uses or shares personal information
    56  of an individual in a manner that is materially  inconsistent  with  the

        S. 7724                             4
 
     1  promises  made  at the time of collection, it shall provide prior notice
     2  of the new or changed practice to such individual.  Such notice shall be
     3  sufficiently prominent and robust to ensure that individuals can  easily
     4  exercise  their  choices  consistently with section eighty-three of this
     5  article.
     6    15. "Service" or "services" shall  mean  work,  labor,  and  services,
     7  including  services  furnished  in connection with the sale or repair of
     8  goods.
     9    16. "Third party" shall mean a person or business entity  who  is  not
    10  another government entity or contractor thereof.
    11    17.  "Unique  identifier" or "unique personal identifier" shall mean a
    12  persistent identifier that can be used to  recognize  an  individual,  a
    13  family, or a device that is linked to an individual or family, over time
    14  and  across  different services, including, but not limited to, a device
    15  identifier; an internet protocol address; cookies, beacons, pixel  tags,
    16  or  similar  technology;  unique  pseudonym,  or  user  alias; telephone
    17  numbers, or other forms of persistent or probabilistic identifiers  that
    18  can  be used to identify a particular individual or device. For purposes
    19  of this subdivision, "family" means a custodial parent or  guardian  and
    20  any minor children over which such parent or guardian has custody.
    21    18. "Verifiable information request" shall mean a request to a govern-
    22  ment entity that is made by an individual, by an individual on behalf of
    23  such individual's minor child, or by a natural person or a person regis-
    24  tered  with the secretary of state, authorized by such individual to act
    25  on such individual's behalf, and that such government entity or contrac-
    26  tor can reasonably verify, pursuant to regulations adopted by the attor-
    27  ney general to be such individual about whom such government  entity  or
    28  contractor  has  collected  personal information. A government entity or
    29  contractor shall not be obligated to provide information to  such  indi-
    30  vidual  pursuant to sections eighty-two and eighty-three of this article
    31  if such government entity or contractor cannot verify that such individ-
    32  ual making such request is the same individual about whom  such  govern-
    33  ment entity has collected information, or is a person authorized by such
    34  individual to act on such individual's behalf.
    35    §  82.  Right  to request disclosure. 1. Any individual shall have the
    36  right to request that a government entity or  contractor  that  collects
    37  personal  information  disclose  to  such  individual the categories and
    38  specific pieces  of  personal  information  such  government  entity  or
    39  contractor has collected.
    40    2. A government entity that collects an individual's personal informa-
    41  tion shall, at or before the point of collection, inform such individual
    42  as  to  the  categories  of personal information to be collected and the
    43  purposes for which such categories  of  personal  information  shall  be
    44  used.  A  government  entity  or contractor shall not collect additional
    45  categories of personal information or use personal information collected
    46  for additional purposes without providing such  individual  with  notice
    47  consistent with this article.
    48    3.  A  government  entity  or contractor shall provide the information
    49  specified in subdivision one of this section to an individual only  upon
    50  receipt of a verifiable information request.
    51    4. A government entity or contractor that receives a verifiable infor-
    52  mation  request  from an individual to access personal information shall
    53  promptly take steps to disclose and deliver,  free  of  charge  to  such
    54  individual,  such  personal  information  required by this section. Such
    55  information may be delivered by mail or electronically.    A  government
    56  entity  or  contractor may provide personal information to an individual

        S. 7724                             5
 
     1  at any time, but shall not be required to provide  personal  information
     2  to any individual more than twice in a twelve-month period.
     3    5.  This  section  shall not require a government entity or contractor
     4  to:
     5    (a) retain any personal information collected for a  single,  one-time
     6  transaction  if  such  information  is  not  shared  or retained by such
     7  government entity or contractor; or
     8    (b) re-identify or otherwise link information that is  not  maintained
     9  in a manner that would be considered personal information.
    10    §  83. Right to request deletion of personal information. 1. Any indi-
    11  vidual shall have the right to  request  that  a  government  entity  or
    12  contractor  delete  any personal information about such individual which
    13  such government entity or contractor has collected from such individual.
    14    2. A government entity or contractor that collects  personal  informa-
    15  tion  about individuals shall notify such individuals of their rights to
    16  request the deletion of their personal information.
    17    3. A government entity or contractor that receives a verifiable infor-
    18  mation request from an individual to delete such  individual's  personal
    19  information shall delete such individual's personal information from its
    20  records  and direct any contractors to delete such individual's personal
    21  information from their records.
    22    4. Notwithstanding other provisions under this article,  a  government
    23  entity  or  contractor  shall not be required to comply with an individ-
    24  ual's request to delete such individual's personal information if it  is
    25  necessary for the government entity or contractor to maintain such indi-
    26  vidual's personal information in order to:
    27    (a)  complete  the  purpose  for  which  the  personal information was
    28  collected;
    29    (b) comply with a legal obligation;
    30    (c) otherwise use such individual's personal information,  internally,
    31  in  a lawful manner that is compatible with the scope of such government
    32  entity or contractor's duties.
    33    § 84. Personal information which may be requested.  1.  An  individual
    34  who requests disclosure of information pursuant to section eighty-two of
    35  this article may request the following information:
    36    (a)  the  categories of personal information such government entity or
    37  contractor has collected about such individual;
    38    (b) the categories of sources from which such personal information has
    39  been collected;
    40    (c) the purpose for collecting or sharing such personal information;
    41    (d) any other government entities, contractors, or third parties  with
    42  whom  such government entity or contractor shares such personal informa-
    43  tion; and
    44    (e) the specific pieces of personal information such government entity
    45  or contractor has collected about such individual.
    46    2. A government entity or contractor possessing  personal  information
    47  about  an  individual shall disclose to such individual such information
    48  upon receipt of a verifiable information request submitted by such indi-
    49  vidual. Within five days  of  receipt  of  such  verifiable  information
    50  request,  such  government entity or contractor shall send a response to
    51  such requestor acknowledging receipt of such request.
    52    3. (a) A government entity or contractor that collects personal infor-
    53  mation about individuals from another government  entity  or  contractor
    54  shall disclose to such individuals the following:
    55    (i) the categories of personal information it has collected about such
    56  individual;

        S. 7724                             6
 
     1    (ii) the categories of sources from which such personal information is
     2  collected;
     3    (iii) the purpose for collecting or sharing such personal information;
     4    (iv)  any  other  government  entities  or  contractors with whom such
     5  government entity or contractor shares personal information; and
     6    (v) the specific pieces of personal information it has collected about
     7  such individual.
     8    (b) Such government entity or contractor shall disclose  the  informa-
     9  tion  required  by paragraph (a) of this subdivision to such individuals
    10  immediately upon receipt of such information, without  the  need  for  a
    11  request to first be submitted.
    12    4. This section shall not require a government entity or contractor to
    13  do the following:
    14    (a)  retain any personal information about an individual collected for
    15  a single one-time transaction if, in the ordinary  course  of  business,
    16  such information about such individual is not retained; or
    17    (b)  re-identify  or  otherwise  link  any  data that, in the ordinary
    18  course of business, is not maintained in a manner that would be  consid-
    19  ered personal information.
    20    §  85.  Shared  information;  government  entities or contractors. Any
    21  individual shall have the right to request that a government entity that
    22  shares such individual's personal information, disclose to such individ-
    23  ual:
    24    (1) the categories of personal information that such government entity
    25  collected about such individual; and
    26    (2) the categories of personal information that such government entity
    27  or contractor has shared about such individual and the other  government
    28  entities  or contractors with whom such personal information was shared,
    29  by category or categories of personal information  for  each  government
    30  entity or contractor to whom such personal information was shared.
    31    §  86.  Non-shareable personal information. 1. No government entity or
    32  contractor shall share any  individual's  personal  information  with  a
    33  contractor  or  subcontractor  unless such information is crucial to the
    34  purpose for which such government entity or  contractor  has  contracted
    35  such contractor or subcontractor's services.
    36    2.  No  government  entity  or contractor shall share any individual's
    37  personal information with another government entity or contractor unless
    38  such information is crucial to the performance of such other  government
    39  entity  or  contractor's  duties,  and  such  other government entity or
    40  contractor cannot procure such personal information on its  own  without
    41  serious hardship.
    42    3.  No government entity or contractor shall sell personal information
    43  about an individual that has been shared with such government entity  or
    44  contractor.
    45    §  87.  Right not to be discriminated against. No government entity or
    46  contractor shall discriminate against  any  individual  in  any  way  in
    47  response  to  such  individual exercising any of his or her rights under
    48  this article.
    49    § 88. Accessibility. 1. In order to comply with  the  requirements  of
    50  this  article, in a method that is reasonably accessible to individuals,
    51  government entities shall:
    52    (a) Make available to individuals two or more designated  methods  for
    53  submitting  verifiable information requests which include, at a minimum,
    54  a toll-free telephone number, and if such government entity maintains an
    55  internet website, a website address.

        S. 7724                             7
 
     1    (b) If such government entity maintains an internet  website,  provide
     2  on  such  website information instructing individuals of their rights to
     3  request disclosure or deletion of personal information under this  arti-
     4  cle,  and all methods available for making such a request. Such informa-
     5  tion  shall  not  be  required  to be on the homepage of such government
     6  entity's website.
     7    2. In order to comply with the requirements of this  article,  govern-
     8  ment entities and contractors shall:
     9    (a)  Disclose  and  deliver  any information requested in a verifiable
    10  information request free of charge within forty-five days  of  receiving
    11  such  request  from  an  individual.    The  time  period to provide the
    12  required information may be extended once by  an  additional  forty-five
    13  days  when  reasonably  necessary, provided the requesting individual is
    14  provided notice of such extension within the first forty-five day  peri-
    15  od.  Such  disclosure shall cover the twelve-month period preceding such
    16  government entity or contractor's receipt of the verifiable  information
    17  request, and shall be made in writing and delivered by mail or electron-
    18  ically at the requestor's option.
    19    (b)  Disclose  and  deliver the information requested in a manner that
    20  covers all disclosure requirements  under  subdivision  one  of  section
    21  eighty-four of this article.
    22    (c)  Disclose  and  deliver any information shared pursuant to section
    23  eighty-six of this article by such government entity or contractor with-
    24  in the twelve months preceding such request.
    25    (d) Ensure that any employees of such government entity or  contractor
    26  who are responsible for handling inquiries about disclosure requirements
    27  prescribed  by  this article are informed of all disclosure requirements
    28  under this article, and that such  employees  are  informed  of  how  to
    29  direct individuals of how to exercise their rights under this article.
    30    (e)  Use  any  personal  information collected from an individual in a
    31  verifiable information request in connection with such government entity
    32  or contractor's verification of such request solely for the purposes  of
    33  such verification.
    34    (f) Not be required to respond to more than two verifiable information
    35  requests from the same individual within the same twelve-month period.
    36    §  89.  Limitation  on  restrictions.  1.  The  obligations imposed on
    37  government entities and contractors by this article shall  not  restrict
    38  any government entity or contractor's ability to:
    39    (a) otherwise comply with federal, state, or local laws;
    40    (b)  comply  with  a  civil, criminal, or regulatory inquiry, investi-
    41  gation, subpoena, or summons by federal, state, or local authorities;
    42    (c) comply with a request made under the freedom of  information  law;
    43  or
    44    (d) exercise or defend legal claims.
    45    2. This article shall not apply to the sale of personal information to
    46  or  from  a  consumer  reporting  agency  if  such  information is to be
    47  reported in, or used to generate, a consumer report as  defined  by  the
    48  federal  fair credit reporting act (15 USC 1681), and use of that infor-
    49  mation is limited by such act.
    50    3. If requests from an individual are manifestly unfounded  or  exces-
    51  sive,  in particular because of their repetitive character, a government
    52  entity or contractor may either charge a  reasonable  fee,  taking  into
    53  account the administrative costs of providing such information or commu-
    54  nication  or  taking  the  action  requested,  or  refuse to act on such
    55  request and notify such individual  of  the  reason  for  refusing  such
    56  request.  Such  government entity or contractor shall bear the burden of

        S. 7724                             8
 
     1  demonstrating  that  such  verified  consumer  request   is   manifestly
     2  unfounded or excessive.
     3    4.  A  government  entity  that  discloses  personal  information to a
     4  contractor shall not be liable under this  article  if  such  contractor
     5  uses  such  personal  information  in  violation of the restrictions set
     6  forth in this article, provided that, at the  time  of  disclosing  such
     7  personal  information, such government entity does not have actual know-
     8  ledge or reason to believe that such contractor intends to commit such a
     9  violation. No contractor shall be liable  under  this  article  for  the
    10  obligations of a government entity for which it provides services as set
    11  forth in this article.
    12    5.  This article shall not be construed to require a government entity
    13  to reidentify or otherwise link information that is not maintained in  a
    14  manner that would be considered personal information.
    15    6.  The  rights afforded to individuals and the obligations imposed on
    16  government entities and contractors by this article shall not  adversely
    17  affect the rights and freedoms of any other person.
    18    §  89-a.  Relief.  1.  Any  individual  whose  personal information is
    19  subject to an unauthorized access and exfiltration, theft, or disclosure
    20  as a result of a government entity or contractor's violation of the duty
    21  to implement and maintain reasonable security procedures  and  practices
    22  appropriate  to  the  nature of the information to protect such personal
    23  information request action by the attorney general in response  to  such
    24  violation.
    25    2.  Nothing in this article shall be interpreted to serve as the basis
    26  for a private right of action under any other law.  This  shall  not  be
    27  construed  to  relieve  any party from any duties or obligations imposed
    28  under other law or the United States or New York constitution.
    29    § 89-b. Compliance guidance. Any government entity or  contractor  may
    30  seek  the  opinion of the attorney general for guidance on how to comply
    31  with the provisions of this article.
    32    § 3. This act shall take effect one year after it shall have become  a
    33  law.