New York-2021-A00733-Introduced


                STATE OF NEW YORK
        ________________________________________________________________________

                                           733

                               2021-2022 Regular Sessions

                   IN ASSEMBLY

                                       (Prefiled)

                                     January 6, 2021
                                       ___________

        Introduced  by  M.  of  A. L. ROSENTHAL -- read once and referred to the
          Committee on Consumer Affairs and Protection

        AN ACT to amend the general business law,  in  relation  to  collection,
          storage  or  transmission of personal information collected from smart
          home systems

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section 1. The general business law is amended by adding a new section
     2  390-d to read as follows:
     3    §  390-d.  Smart home systems. 1. For the purposes of this section the
     4  following terms shall have the following meanings:
     5    (a) "Smart home system" means any device,  or  other  physical  object
     6  that  is  capable of connecting to the internet, directly or indirectly,
     7  and that is assigned an internet protocol address or bluetooth address.
     8    (b) "End user" means a  person  that  ultimately  uses  a  smart  home
     9  connected  system  regardless  of  whether  such  person  installed such
    10  system.
    11    (c) "Personal information"  includes,  but  is  not  limited  to,  the
    12  following:
    13    (i)  identity  information  including,  but not limited to, real name,
    14  alias, nickname, and user name;
    15    (ii) address  information,  including,  but  not  limited  to,  postal
    16  address or e-mail;
    17    (iii) telephone number;
    18    (iv) account name;
    19    (v)  social  security number or other government-issued identification
    20  number, including, but not limited to, social security number,  driver's
    21  license number, identification card number, and passport number;
    22    (vi) birthdate or age;

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD00550-01-1

        A. 733                              2

     1    (vii)  physical characteristic information, including, but not limited
     2  to, height and weight;
     3    (viii)  sexual  information,  including,  but  not  limited to, sexual
     4  orientation, sex, gender status, gender identity, and gender expression;
     5    (ix) race or ethnicity;
     6    (x) religious affiliation or activity;
     7    (xi) political affiliation or activity;
     8    (xii) professional or employment-related information;
     9    (xiii) educational information;
    10    (xiv) medical information, including,  but  not  limited  to,  medical
    11  conditions  or  drugs,  therapies, mental health, or medical products or
    12  equipment used;
    13    (xv) financial information, including, but  not  limited  to,  credit,
    14  debit,  or account numbers, account balances, payment history, or infor-
    15  mation related to assets, liabilities, or general creditworthiness;
    16    (xvi) commercial information, including, but not limited  to,  records
    17  of  property, products or services provided, obtained, or considered, or
    18  other purchasing or consumer histories or tendencies;
    19    (xvii) location information;
    20    (xviii) internet or mobile activity information,  including,  but  not
    21  limited  to,  internet  protocol addresses or information concerning the
    22  access or use of any internet or mobile-based site or service;
    23    (xix) content, including text, photographs, audio or video recordings,
    24  or other material generated by or provided by an end user; and
    25    (xx) any of the above categories of information as they pertain to any
    26  children of an end user.
    27    2. (a) No business which manufactures or sells a smart home  connected
    28  system  shall  collect,  store  or  transmit  any  personal  information
    29  obtained from the installation or use of a smart home  connected  system
    30  to  a third-party without the express and affirmative consent of the end
    31  user of such system.
    32    (b) No landlord who has installed a smart home connected system on  or
    33  in  rental property shall collect, store or transmit any personal infor-
    34  mation obtained  from  the  installation  or  use  of  such  smart  home
    35  connected  system  without  the  express  and affirmative consent of the
    36  tenant of such rental property.
    37    (c) No employer who has installed a smart home connected system  shall
    38  collect,  store  or  transmit  any  personal information of any employee
    39  obtained from the installation or  use  of  such  smart  home  connected
    40  system without the express and affirmative consent of such employee.
    41    § 2. This act shall take effect immediately.