Bill Text: NY A04947 | 2025-2026 | General Assembly | Introduced
Bill Title: Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
Spectrum: Partisan Bill (Democrat 5-0)
Status: (Introduced) 2025-02-10 - referred to consumer affairs and protection [A04947 Detail]
Download: New_York-2025-A04947-Introduced.html
STATE OF NEW YORK ________________________________________________________________________ 4947 2025-2026 Regular Sessions IN ASSEMBLY February 10, 2025 ___________ Introduced by M. of A. ROSENTHAL, WEPRIN, SIMON, DINOWITZ, PAULIN -- read once and referred to the Committee on Consumer Affairs and Protection AN ACT to amend the general business law, in relation to the management and oversight of personal data The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. Short title. This act shall be known and may be cited as 2 the "New York privacy act". 3 § 2. Legislative intent. 1. Privacy is a fundamental right and an 4 essential element of freedom. Advances in technology have produced ramp- 5 ant growth in the amount and categories of personal data being gener- 6 ated, collected, stored, analyzed, and potentially shared, which 7 presents both promise and peril. Companies collect, use and share our 8 personal data in ways that can be difficult for ordinary consumers to 9 understand. Opaque data processing policies make it impossible to evalu- 10 ate risks and compare privacy-related protections across services, 11 stifling competition. Algorithms quietly make decisions with critical 12 consequences for New York consumers, often with no human accountability. 13 Behavioral advertising generates profits by turning people into products 14 and their activity into assets. New York consumers deserve more notice 15 and more control over their data and their digital privacy. 16 2. This act seeks to help New York consumers regain their privacy. It 17 gives New York consumers the ability to exercise more control over their 18 personal data and requires businesses to be responsible, thoughtful, and 19 accountable managers of that information. To achieve this, this act 20 provides New York consumers a number of new rights, including clear 21 notice of how their data is being used, processed and shared; the abili- 22 ty to access and obtain a copy of their data in a commonly used elec- 23 tronic format, with the ability to transfer it between services; the 24 ability to correct inaccurate data and to delete their data; and the EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD04423-01-5A. 4947 2 1 ability to challenge certain automated decisions. This act also imposes 2 obligations upon businesses to maintain reasonable data security for 3 personal data, to notify New York consumers of foreseeable harms arising 4 from use of their data and to obtain specific consent for that use, and 5 to conduct regular assessments to ensure that data is not being used for 6 unacceptable purposes. These data assessments can be obtained and evalu- 7 ated by the New York State Attorney General, who is empowered to obtain 8 penalties for violations of this act and prevent future violations. This 9 act also grants New York consumers who have been injured as the result 10 of a violation a private right of action, which includes reasonable 11 attorneys' fees to a prevailing plaintiff. 12 § 3. The general business law is amended by adding a new article 42-A 13 to read as follows: 14 ARTICLE 42-A 15 NEW YORK PRIVACY ACT 16 Section 1200. Definitions. 17 1201. Jurisdictional scope. 18 1202. Consumer rights. 19 1203. Controller, processor, and third party responsibilities. 20 1204. Data brokers. 21 1205. Limitations. 22 1206. Enforcement and private right of action. 23 1207. Miscellaneous. 24 § 1200. Definitions. The following definitions apply throughout this 25 article unless the context clearly requires otherwise: 26 1. "Automated decision-making" or "automated decision" means a compu- 27 tational process, including one derived from machine learning, artifi- 28 cial intelligence, or any other automated process, involving personal 29 data that results in a decision affecting a consumer. 30 2. "Biometric information" means any personal data generated from the 31 measurement or specific technological processing of a natural person's 32 biological, physical, or physiological characteristics, including fing- 33 erprints, voice prints, iris or retina scans, facial scans or templates, 34 deoxyribonucleic acid (DNA) information, and gait. 35 3. "Business associate" has the same meaning as in Title 45 of the 36 C.F.R., established pursuant to the federal Health Insurance Portability 37 and Accountability Act of 1996. 38 4. "Consent" means a clear affirmative act signifying a freely given, 39 specific, informed, and unambiguous indication of a consumer's agreement 40 to the processing of data relating to the consumer. Consent may be 41 withdrawn at any time, and a controller must provide clear, conspicuous, 42 and consumer-friendly means to withdraw consent. The burden of estab- 43 lishing consent is on the controller. Consent does not include: (a) an 44 agreement of general terms of use or a similar document that references 45 unrelated information in addition to personal data processing; (b) an 46 agreement obtained through fraud, deceit or deception; (c) any act that 47 does not constitute a user's intent to interact with another party such 48 as hovering over, pausing or closing any content; or (d) a pre-checked 49 box or similar default. 50 5. "Consumer" means a natural person who is a New York resident acting 51 only in an individual or household context. It does not include a 52 natural person known to be acting in a professional or employment 53 context. 54 6. "Controller" means the person who, alone or jointly with others, 55 determines the purposes and means of the processing of personal data.A. 4947 3 1 7. "Covered entity" has the same meaning as in Title 45 of the C.F.R., 2 established pursuant to the federal Health Insurance Portability and 3 Accountability Act of 1996. 4 8. "Data broker" means a person, or unit or units of a legal entity, 5 separately or together, that does business in the state of New York and 6 knowingly collects, and sells to controllers or third parties, the 7 personal data of a consumer with whom it does not have a direct 8 relationship. "Data broker" does not include any of the following: 9 (a) a consumer reporting agency to the extent that it is covered by 10 the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.); or 11 (b) a financial institution to the extent that it is covered by the 12 Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regu- 13 lations. 14 9. "Deidentified data" means data that cannot reasonably be used to 15 infer information about, or otherwise be linked to a particular consum- 16 er, household or device, provided that the processor or controller that 17 possesses the data: 18 (a) implements reasonable technical safeguards to ensure that the data 19 cannot be associated with a consumer, household or device; 20 (b) publicly commits to process the data only as deidentified data and 21 not attempt to reidentify the data, except that the controller or 22 processor may attempt to reidentify the information solely for the 23 purpose of determining whether its deidentification processes satisfy 24 the requirements of this subdivision; and 25 (c) contractually obligates any recipients of the data to comply with 26 all provisions of this article. 27 10. "Device" means any physical object that is capable of connecting 28 to the internet, directly or indirectly, or to another device and is 29 intended for use by a natural person or household or, if used outside 30 the home, for use by the general public. 31 11. "Meaningful human review" means review or oversight by one or more 32 individuals who (a) are trained in the capabilities and limitations of 33 the algorithm at issue and the procedures to interpret and act on the 34 output of the algorithm, and (b) have the authority to alter the auto- 35 mated decision under review. 36 12. "Natural person" means a natural person acting only in an individ- 37 ual or household context. It does not include a natural person known to 38 be acting in a professional or employment context. 39 13. "Person" means a natural person or a legal entity, including but 40 not limited to a proprietorship, partnership, limited partnership, 41 corporation, company, limited liability company or corporation, associ- 42 ation, or other firm or similar body, or any unit, division, agency, 43 department, or similar subdivision thereof. 44 14. "Personal data" means any data that identifies or could reasonably 45 be linked, directly or indirectly, with a specific natural person, 46 household, or device. Personal data does not include deidentified data. 47 15. "Identified or identifiable" means a natural person who can be 48 identified, directly or indirectly, such as by reference to an identifi- 49 er such as a name, an identification number, location data, or an online 50 or device identifier. 51 16. "Process", "processes" or "processing" means an operation or set 52 of operations which are performed on data or on sets of data, including 53 but not limited to the collection, use, access, sharing, monetization, 54 analysis, retention, creation, generation, derivation, recording, organ- 55 ization, structuring, storage, disclosure, transmission, analysis,A. 4947 4 1 disposal, licensing, destruction, deletion, modification, or deidentifi- 2 cation of data. 3 17. "Processor" means a person that processes data on behalf of the 4 controller. 5 18. "Profiling" means any form of automated processing performed on 6 personal data to evaluate, analyze, or predict personal aspects related 7 to an identified or identifiable natural person's economic situation, 8 health, personal preferences, interests, reliability, behavior, 9 location, or movements. 10 19. "Protected health information" has the same meaning as in Title 45 11 C.F.R., established pursuant to the federal Health Insurance Portability 12 and Accountability Act of 1996. 13 20. "Sale", "sell", or "sold" means the disclosure, transfer, convey- 14 ance, sharing, licensing, making available, processing, granting of 15 permission or authorization to process, or other exchange of personal 16 data, or providing access to personal data for monetary or other valu- 17 able consideration by the controller to a third party. "Sale" includes 18 enabling, facilitating or providing access to a consumer for targeted 19 advertising. "Sale" does not include the following: 20 (a) the disclosure of data to a processor who processes the data on 21 behalf of the controller and which is contractually prohibited from 22 using it for any purpose other than as instructed by the controller; or 23 (b) the disclosure or transfer of data as an asset that is part of a 24 merger, acquisition, bankruptcy, or other transaction in which another 25 entity assumes control or ownership of all or a majority of the control- 26 ler's assets. 27 21. "Targeted advertising" means displaying online advertisements to a 28 consumer where the advertisement is selected based on personal data 29 obtained or inferred from a consumer's activities over time and across 30 one or more distinctly-branded websites, online applications, or 31 services, to predict the consumer's preferences or interests. It does 32 not include advertising (a) based solely on the context of the consum- 33 er's current search query or visit to a website or online application or 34 (b) to a consumer in direct response to the consumer's request for 35 information or feedback. 36 22. "Third party" means, with respect to a particular interaction or 37 occurrence, a person, public authority, agency, or body other than the 38 consumer, the controller, or processor of the controller. A third party 39 may also be a controller if the third party, alone or jointly with 40 others, determines the purposes and means of the processing of personal 41 data. 42 23. "Verified request" means a request by a consumer or their agent to 43 exercise a right authorized by this article, the authenticity of which 44 has been ascertained by the controller in accordance with paragraph (c) 45 of subdivision eight of section twelve hundred two of this article. 46 § 1201. Jurisdictional scope. 1. This article applies to legal persons 47 that conduct business in New York or produce products or services that 48 are targeted to residents of New York, and that satisfy one or more of 49 the following thresholds: 50 (a) have annual gross revenue of twenty-five million dollars or more; 51 (b) controls or processes personal data of one hundred thousand 52 consumers or more; 53 (c) controls or processes personal data of five hundred thousand 54 natural persons or more nationwide, and controls or processes personal 55 data of ten thousand consumers or more; orA. 4947 5 1 (d) derives over fifty percent of gross revenue from the sale of 2 personal data, and controls or processes personal data of twenty-five 3 thousand consumers or more. 4 2. This article does not apply to: 5 (a) personal data processed by state and local governments, and munic- 6 ipal corporations, for processes other than sale (filing and processing 7 fees are not sale); 8 (b) a national securities association registered pursuant to section 9 15A of the Securities Exchange Act of 1934, as amended, or regulations 10 adopted thereunder or a registered futures association so designated 11 pursuant to section 17 of the Commodity Exchange Act, as amended, or any 12 regulations adopted thereunder; 13 (c) information that meets the following criteria: 14 (i) personal data collected, processed, sold, or disclosed pursuant to 15 and in compliance with the federal Gramm-Leach-Bliley Act (P.L. 16 106-102), and implementing regulations; 17 (ii) personal data collected, processed, sold, or disclosed pursuant 18 to the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec. 19 2721 et seq.), if the collection, processing, sale, or disclosure is in 20 compliance with such law; 21 (iii) personal data regulated by the federal Family Educational Rights 22 and Privacy Act, U.S.C. Sec. 1232g and its implementing regulations; 23 (iv) personal data collected, processed, sold, or disclosed pursuant 24 to the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. Sec. 25 2001-2279cc) and its implementing regulations (12 C.F.R. Part 600 et 26 seq.) if the collection, processing, sale, or disclosure is in compli- 27 ance with such law; 28 (v) personal data regulated by section two-d of the education law; 29 (vi) data maintained as employment records, for purposes other than 30 sale; 31 (vii) protected health information that is lawfully collected by a 32 covered entity or business associate and is governed by the privacy, 33 security, and breach notification rules issued by the United States 34 Department of Health and Human Services, Parts 160 and 164 of Title 45 35 of the Code of Federal Regulations, established pursuant to the Health 36 Insurance Portability and Accountability Act of 1996 (Public Law 37 104-191) ("HIPAA") and the Health Information Technology for Economic 38 and Clinical Health Act (Public Law 111-5); 39 (viii) patient identifying information for purposes of 42 C.F.R. Part 40 2, established pursuant to 42 U.S.C. Sec. 290dd-2, as long as such data 41 is not sold in violation of HIPAA or any state or federal law; 42 (ix) information and documents lawfully created for purposes of the 43 federal Health Care Quality Improvement Act of 1986, and related regu- 44 lations; 45 (x) patient safety work product created for purposes of 42 C.F.R. Part 46 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26; 47 (xi) information that is treated in the same manner as information 48 exempt under subparagraph (vii) of this paragraph that is maintained by 49 a covered entity or business associate as defined by HIPAA or a program 50 or a qualified service organization as defined by 42 U.S.C. § 290dd-2, 51 as long as such data is not sold in violation of HIPAA or any state or 52 federal law; 53 (xii) deidentified health information that meets all of the following 54 conditions:A. 4947 6 1 (A) it is deidentified in accordance with the requirements for deiden- 2 tification set forth in Section 164.514 of Part 164 of Title 45 of the 3 Code of Federal Regulations; 4 (B) it is derived from protected health information, individually 5 identifiable health information, or identifiable private information 6 compliant with the Federal Policy for the Protection of Human Subjects, 7 also known as the Common Rule; and 8 (C) a covered entity or business associate does not attempt to reiden- 9 tify the information nor do they actually reidentify the information 10 except as otherwise allowed under state or federal law; 11 (xiii) patient information maintained by a covered entity or business 12 associate governed by the privacy, security, and breach notification 13 rules issued by the United States Department of Health and Human 14 Services, Parts 160 and 164 of Title 45 of the Code of Federal Regu- 15 lations, established pursuant to the Health Insurance Portability and 16 Accountability Act of 1996 (Public Law 104-191), to the extent the 17 covered entity or business associate maintains the patient information 18 in the same manner as protected health information as described in 19 subparagraph (vii) of this paragraph; 20 (xiv) data collected as part of human subjects research, including a 21 clinical trial, conducted in accordance with the Federal Policy for the 22 Protection of Human Subjects, also known as the Common Rule, pursuant to 23 good clinical practice guidelines issued by the International Council 24 for Harmonisation or pursuant to human subject protection requirements 25 of the United States Food and Drug Administration; or 26 (xv) personal data processed only for one or more of the following 27 purposes: 28 (A) product registration and tracking consistent with applicable 29 United States Food and Drug Administration regulations and guidance; 30 (B) public health activities and purposes as described in Section 31 164.512 of Title 45 of the Code of Federal Regulations; and/or 32 (C) activities related to quality, safety, or effectiveness regulated 33 by the United States Food and Drug Administration; 34 (d) (i) an activity involving the collection, maintenance, disclosure, 35 sale, communication, or use of any personal data bearing on a consumer's 36 credit worthiness, credit standing, credit capacity, character, general 37 reputation, personal characteristics, or mode of living by a consumer 38 reporting agency, as defined in Title 15 U.S.C. Sec. 1681a(f), by a 39 furnisher of information, as set forth in Title 15 U.S.C. Sec. 1681s-2, 40 who provides information for use in a consumer report, as defined in 41 Title 15 U.S.C. Sec. 1861a(d), and by a user of a consumer report, as 42 set forth in Title 15 U.S.C. Sec. 1681b.; and 43 (ii) this paragraph shall apply only to the extent that such activity 44 involving the collection, maintenance, disclosure, sale, communication, 45 or use of such data by that agency, furnisher, or user is subject to 46 regulation under the Fair Credit Reporting Act, Title 15 U.S.C. Sec. 47 1681 et seq., and the data is not collected, maintained, used, communi- 48 cated, disclosed, or sold except as authorized by the Fair Credit 49 Reporting Act. 50 § 1202. Consumer rights. 1. Right to notice. (a) Notice. Each control- 51 ler that processes a consumer's personal data must make publicly and 52 persistently available, in a conspicuous and readily accessible manner, 53 a notice containing the following: 54 (i) a description of the consumer's rights under subdivisions two 55 through six of this section and how a consumer may exercise those 56 rights, including how to withdraw consent;A. 4947 7 1 (ii) the categories of personal data processed by the controller and 2 by any processor who processes personal data on behalf of the control- 3 ler; 4 (iii) the sources from which personal data is collected; 5 (iv) the purposes for processing personal data; 6 (v) the identity of each third party to whom the controller disclosed, 7 shared, transferred or sold personal data and, for each identified third 8 party, (A) the categories of personal data being shared, disclosed, 9 transferred, or sold to the third party, (B) the purposes for which 10 personal data is being shared, disclosed, transferred, or sold to the 11 third party, (C) the third party's retention period for each category of 12 personal data processed by the third party or processed on their behalf, 13 or if that is not possible, the criteria used to determine the period, 14 and (D) whether the third party uses the personal data for targeted 15 advertising; 16 (vi) the controller's retention period for each category of personal 17 data that they process or is processed on their behalf, or if that is 18 not possible, the criteria used to determine that period; and 19 (vii) for controllers engaging in targeted advertising, average 20 expected revenue per user (ARPU) or a similar metric for the most recent 21 fiscal year for the region that covers New York. 22 (b) Notice requirements. (i) The notice must be written in easy-to-un- 23 derstand language at an eighth grade reading level or below. 24 (ii) The categories of personal data processed and purposes for which 25 each category of personal data is processed must be described at a level 26 specific enough to enable a consumer to exercise meaningful control over 27 their personal data but not so specific as to render the notice unhelp- 28 ful to a reasonable consumer. 29 (iii) The notice must be dated with its effective date and updated at 30 least annually. When the information required to be disclosed to a 31 consumer pursuant to paragraph (a) of this subdivision has not changed 32 since the immediately previous notice (whether initial, annual, or 33 revised) provided to the consumer, a controller may issue a statement 34 that no changes have been made. 35 (iv) The notice, as well as each version of the notice in effect in 36 the preceding six years, must be easily accessible to consumers and 37 capable of being viewed by consumers at any time. 38 2. Opt-in consent. (a) A controller must obtain freely given, specif- 39 ic, informed, and unambiguous opt-in consent from a consumer to: 40 (i) process the consumer's personal data for any purpose other than 41 those in subdivision two of section twelve hundred five of this article; 42 or 43 (ii) make any changes to the existing processing or processing 44 purpose, including those regarding the method and scope of collection, 45 of the consumer's personal data that may be less protective of the 46 consumer's personal data than the processing to which the consumer has 47 previously given their freely given, specific, informed, and unambiguous 48 opt-in consent. 49 (b) Any request for consent must be provided to the consumer, prior to 50 processing their personal data, in a standalone disclosure that is sepa- 51 rate and apart from any contract or privacy policy. The request for 52 consent must: 53 (i) include a clear and conspicuous description of each category of 54 data and processing purpose for which consent is sought; 55 (ii) clearly identify and distinguish between categories of data and 56 processing purposes that are necessary to provide the services or goodsA. 4947 8 1 requested by the consumer and categories of data and processing purposes 2 that are not necessary to provide the services or goods requested by the 3 consumer; 4 (iii) enable a reasonable consumer to easily identify the categories 5 of data and processing purposes for which consent is sought; 6 (iv) clearly present as the most conspicuous choice an option to 7 provide only the consent necessary to provide the services or goods 8 requested by the consumer; 9 (v) clearly present an option to deny consent; and 10 (vi) where the request seeks consent to sharing, disclosure, transfer, 11 or sale of personal data to third parties, identify each such third 12 party, the categories of data sold or shared with them, the processing 13 purposes, the retention period, or if that is not possible, the criteria 14 used to determine the period, and for each third party state if such 15 sharing, disclosure, transfer, or sale enables or involves targeted 16 advertising. The details of identities of such third parties, and the 17 categories of data, processing purposes, and the retention period, may 18 be set forth in a different disclosure, provided that the request for 19 consent contains a conspicuous and directly accessible link to that 20 disclosure. 21 (c) Targeted advertising and sale of personal data shall not be 22 considered processing purposes that are necessary to provide services or 23 goods requested by a consumer. 24 (d) Once a consumer has provided freely given, specific, informed, and 25 unambiguous opt-in consent to process their personal data for a process- 26 ing purpose, a controller may rely on such consent until it is with- 27 drawn. 28 (e) A controller must provide a mechanism for a consumer to withdraw 29 previously given consent at any time. Such mechanism shall make it as 30 easy for a consumer to withdraw their consent as it is for such consumer 31 to provide consent. 32 (f) A controller must not infer that a consumer has provided freely 33 given, specific, informed, and unambiguous opt-in consent from the 34 consumer's inaction or the consumer's continued use of a service or 35 product provided by the controller. 36 (g) To the extent that a controller must process internet protocol 37 addresses, system configuration information, URLs of referring pages, 38 locale and language preferences, keystrokes, or any other data that 39 individually or collectively may comprise personal data in order to 40 obtain a consumer's freely given, specific, informed, and unambiguous 41 opt-in consent, the controller must: 42 (i) process only the personal data necessary to request freely given, 43 specific, informed, and unambiguous opt-in consent; 44 (ii) process the personal data solely to request freely given, specif- 45 ic, informed, and unambiguous opt-in consent; and 46 (iii) promptly delete the personal data if consent is withheld, 47 denied, or withdrawn. 48 (h) Controllers must not request consent from a consumer who has 49 previously withheld or denied consent, unless consent is necessary to 50 provide the services or goods requested by the consumer. 51 (i) Controllers must treat user-enabled privacy controls in a browser, 52 browser plug-in, smartphone application, operating system, device 53 setting, or other mechanism that communicates or signals the consumer's 54 choice not to be subject to targeted advertising or the sale of their 55 personal data as a denial of consent under this article. To the extent 56 that the privacy control conflicts with a consumer's consent, the priva-A. 4947 9 1 cy control settings govern, unless the consumer provides freely given, 2 specific, informed, and unambiguous opt-in consent to override the 3 privacy control. 4 (j) A controller must not discriminate against a consumer for with- 5 holding or denying consent, including, but not limited to, by: 6 (i) denying services or goods to the consumer, unless the consumer 7 does not consent to processing necessary to provide the services or 8 goods requested by the consumer; 9 (ii) charging different prices for goods or services, including 10 through the use of discounts or other benefits, imposing penalties, or 11 providing a different level or quality of services or goods to the 12 consumer; or 13 (iii) suggesting that the consumer will receive a different price or 14 rate for goods or services or a different level or quality of services 15 or goods. 16 (k) A controller may, with the consumer's freely given, specific, 17 informed, and unambiguous opt-in consent given pursuant to this section, 18 operate a program in which information, products, or services sold to 19 the consumer are discounted based solely on such consumer's prior 20 purchases from the controller, provided that the personal data used to 21 operate such program is processed solely for the purpose of operating 22 such program. 23 (l) In the event of a merger, acquisition, bankruptcy, or other trans- 24 action in which another entity assumes control or ownership of all or 25 majority of the controller's assets, any consent provided to the 26 controller by a consumer prior to such transaction shall be deemed with- 27 drawn. 28 3. Right to access. Upon the verified request of a consumer, a 29 controller shall: 30 (a) confirm whether or not the controller is processing or has proc- 31 essed personal data of that consumer, and provide access to a copy of 32 any such personal data in a manner understandable to a reasonable 33 consumer when requested; and 34 (b) provide the identity of each processor or third party to whom the 35 controller disclosed, transferred, or sold the consumer's personal data 36 and, for each identified processor or third party, (i) the categories of 37 the consumer's personal data disclosed, transferred, or sold to each 38 processor or third party and (ii) the purposes for which each category 39 of the consumer's personal data was disclosed, transferred, or sold to 40 each processor or third party. 41 4. Right to portable data. Upon a verified request, and to the extent 42 technically feasible, the controller must: (a) provide to the consumer a 43 copy of all of, or a portion of, as designated in a verified request, 44 the consumer's personal data in a structured, commonly used and 45 machine-readable format and (b) transmit the data to another person of 46 the consumer's or their agent's designation without hindrance. 47 5. Right to correct. (a) Upon the verified request of a consumer or 48 their agent, a controller must conduct a reasonable investigation to 49 determine whether personal data, the accuracy of which is disputed by 50 the consumer, is inaccurate, with such investigation to be concluded 51 within the time period set forth in paragraph (a) of subdivision eight 52 of this section. 53 (b) Notwithstanding paragraph (a) of this subdivision, a controller 54 may terminate an investigation initiated pursuant to such paragraph if 55 the controller reasonably and in good faith determines that the dispute 56 by the consumer is wholly without merit, including by reason of a fail-A. 4947 10 1 ure by a consumer to provide sufficient information to investigate the 2 disputed personal data. Upon making any determination in accordance with 3 this paragraph that a dispute is wholly without merit, a controller 4 must, within the time period set forth in paragraph (a) of subdivision 5 eight of this section, provide the affected consumer a statement in 6 writing that includes, at a minimum, the specific reasons for the deter- 7 mination, and identification of any information required to investigate 8 the disputed personal data, which may consist of a standardized form 9 describing the general nature of such information. 10 (c) If, after any investigation under paragraph (a) of this subdivi- 11 sion of any personal data disputed by a consumer, an item of the 12 personal data is found to be inaccurate or incomplete, or cannot be 13 verified, the controller must: 14 (i) correct the inaccurate or incomplete personal data of the consum- 15 er; and 16 (ii) unless it proves impossible or involves disproportionate effort, 17 communicate such request to each processor or third party to whom the 18 controller disclosed, transferred, or sold the personal data within one 19 year preceding the consumer's request, and to require those processors 20 or third parties to do the same for any further processors or third 21 parties they disclosed, transferred, or sold the personal data to. 22 (d) If the investigation does not resolve the dispute, the consumer 23 may file with the controller a brief statement setting forth the nature 24 of the dispute. Whenever a statement of a dispute is filed, unless there 25 exists reasonable grounds to believe that it is wholly without merit, 26 the controller must note that it is disputed by the consumer and include 27 either the consumer's statement or a clear and accurate codification or 28 summary thereof with the disputed personal data whenever it is 29 disclosed, transferred, or sold to any processor or third party. 30 6. Right to delete. (a) Upon the verified request of a consumer, a 31 controller must: 32 (i) within forty-five days after receiving the verified request, 33 delete any or all personal data, as directed by the consumer or their 34 agent, that the controller possesses or controls; and 35 (ii) unless it proves impossible or involves disproportionate effort 36 that is documented in writing by the controller, communicate such 37 request to each processor or third party to whom the controller 38 disclosed, transferred or sold the personal data within one year preced- 39 ing the consumer's request and to require those processors or third 40 parties to do the same for any further processors or third parties they 41 disclosed, transferred, or sold the personal data to. 42 (b) For personal data that is not possessed by the controller but by a 43 processor of the controller, the controller may choose to (i) communi- 44 cate the consumer's request for deletion to the processor, or (ii) 45 request that the processor return to the controller the personal data 46 that is the subject of the consumer's request and delete such personal 47 data upon receipt of the request. 48 (c) A consumer's deletion of their online account must be treated as a 49 request to the controller to delete all of that consumer's personal 50 data. 51 (d) A controller must maintain reasonable procedures designed to 52 prevent the reappearance in its systems, and in any data it discloses, 53 transfers, or sells to any processor or third party, the personal data 54 that is deleted pursuant to this subdivision. 55 (e) A controller is not required to comply with a consumer's request 56 to delete personal data if:A. 4947 11 1 (i) complying with the request would prevent the controller from 2 performing accounting functions, processing refunds, effectuating a 3 product recall pursuant to federal or state law, or fulfilling warranty 4 claims, provided that the personal data that is the subject of the 5 request is not processed for any purpose other than such specific activ- 6 ities; or 7 (ii) it is necessary for the controller to maintain the consumer's 8 personal data to engage in public or peer-reviewed scientific, histor- 9 ical, or statistical research in the public interest that adheres to all 10 other applicable ethics and privacy laws, when the controller's deletion 11 of the information is likely to render impossible or seriously impair 12 the achievement of such research, provided that the consumer has given 13 informed consent and the personal data is not processed for any purpose 14 other than such research. 15 7. Automated decision-making. (a) Whenever a controller makes an auto- 16 mated decision involving solely automated processing that materially 17 contributes to a denial of financial or lending services, housing, 18 public accommodation, insurance, health care services, or access to 19 basic necessities, such as food and water, the controller must: 20 (i) disclose in a clear, conspicuous, and consumer-friendly manner 21 that the decision was made by a solely automated process; 22 (ii) provide an avenue for the affected consumer to appeal the deci- 23 sion, which must at minimum allow the affected consumer to (A) formally 24 contest the decision, (B) provide information to support their position, 25 and (C) obtain meaningful human review of the decision; and 26 (iii) explain the process to appeal the decision. 27 (b) A controller must respond to a consumer's appeal within forty-five 28 days of receipt of the appeal. That period may be extended once by 29 forty-five additional days where reasonably necessary, taking into 30 account the complexity and number of appeals. The controller must inform 31 the consumer of any such extension within forty-five days of receipt of 32 the appeal, together with the reasons for the delay. 33 (c) (i) A controller or processor engaged in automated decision-making 34 affecting financial or lending services, housing, public accommodation, 35 insurance, education enrollment, employment, health care services, or 36 access to basic necessities, such as food and water, or engaged in 37 assisting others in automated decision-making in those fields, must 38 annually conduct an impact assessment of such automated decision-making 39 that: 40 (A) describes and evaluates the objectives and development of the 41 automated decision-making processes including the design and training 42 data used to develop the automated decision-making process, how the 43 automated decision-making process was tested for accuracy, fairness, 44 bias and discrimination; and 45 (B) assesses whether the automated decision-making system produces 46 discriminatory results on the basis of a consumer's or class of consum- 47 ers' actual or perceived race, color, ethnicity, religion, national 48 origin, sex, gender, gender identity, sexual orientation, familial 49 status, biometric information, lawful source of income, or disability. 50 (ii) A controller or processor must utilize an external, independent 51 auditor or researcher to conduct such assessments. 52 (iii) A controller or processor must make publicly available in a 53 manner accessible online all impact assessments prepared pursuant to 54 this section, retain all such impact assessments for at least six years, 55 and make any such retained impact assessments available to any state, 56 federal, or local government authority upon request.A. 4947 12 1 (iv) For purposes of this paragraph, the limitations to jurisdictional 2 scope set forth in paragraphs (b) and (c) of subdivision two of section 3 twelve hundred one of this article shall not apply. 4 8. Responding to requests. (a) A controller must take action under 5 subdivisions three through six of this section and inform the consumer 6 of any actions taken without undue delay and in any event within forty- 7 five days of receipt of the request. That period may be extended once by 8 forty-five additional days where reasonably necessary, taking into 9 account the complexity and number of the requests. The controller must 10 inform the consumer of any such extension within forty-five days of 11 receipt of the request, together with the reasons for the delay. When a 12 controller denies any such request, it must within this period disclose 13 to the consumer a statement in writing of the specific reasons for the 14 denial. 15 (b) A controller shall permit the exercise of rights and carry out its 16 obligations set forth in subdivisions three through six of this section 17 free of charge, at least twice annually to the consumer. Where requests 18 from a consumer are manifestly unfounded or excessive, in particular 19 because of their repetitive character, the controller may either (i) 20 charge a reasonable fee to cover the administrative costs of complying 21 with the request or (ii) refuse to act on the request and notify the 22 consumer of the reason for refusing the request. The controller bears 23 the burden of demonstrating the manifestly unfounded or excessive char- 24 acter of the request. 25 (c) (i) A controller shall promptly attempt, using commercially 26 reasonable efforts, to verify that all requests to exercise any rights 27 set forth in any section of this article requiring a verified request 28 were made by the consumer who is the subject of the data, or by a person 29 lawfully exercising the right on behalf of the consumer who is the 30 subject of the data. Commercially reasonable efforts shall be determined 31 based on the totality of the circumstances, including the nature of the 32 data implicated by the request. 33 (ii) A controller may require the consumer to provide additional 34 information only if the request cannot reasonably be verified without 35 the provision of such additional information. A controller must not 36 transfer or process any such additional information provided pursuant to 37 this section for any other purpose and must delete any such additional 38 information without undue delay and in any event within forty-five days 39 after the controller has notified the consumer that it has taken action 40 on a request under subdivisions two through five of this section as 41 described in paragraph (a) of this subdivision. 42 (iii) If a controller discloses this additional information to any 43 processor or third party for the purpose of verifying a consumer 44 request, it must notify the receiving processor or third party at the 45 time of such disclosure, or as close in time to the disclosure as is 46 reasonably practicable, that such information was provided by the 47 consumer for the sole purpose of verification and cannot be processed 48 for any purpose other than verification. 49 9. Implementation of rights. Controllers must provide easily accessi- 50 ble and convenient means for consumers to exercise their rights under 51 this article. 52 10. Non-waiver of rights. Any provision of a contract or agreement of 53 any kind that purports to waive or limit in any way a consumer's rights 54 under this article is contrary to public policy and is void and unen- 55 forceable.A. 4947 13 1 § 1203. Controller, processor, and third party responsibilities. 1. 2 Controller responsibilities. (a) Data protection assessment. A control- 3 ler shall regularly conduct and document a data protection assessment 4 for processing activities that present a heightened risk of harm to the 5 consumer. Such assessment must identify and weigh the benefits that may 6 flow, directly and indirectly, from the processing to the controller, 7 the consumer, other stakeholders, and the public against the potential 8 risks to the rights of the consumer, or class of consumers, associated 9 with the processing, as mitigated by safeguards that the controller can 10 employ to reduce the risks. The controller shall factor into this 11 assessment the use of deidentified data and the reasonable expectations 12 of consumers, as well as the context of the processing and the relation- 13 ship between the controller and the consumer whose personal data will be 14 processed, with the goal of restricting or prohibiting such processing 15 if the risks of harm to the consumer outweigh the benefits resulting 16 from the processing to the consumer. Processing that presents a height- 17 ened risk of harm to the consumer includes the following: 18 (i) processing that may benefit the controller to the detriment of the 19 consumer; 20 (ii) processing that would be unexpected and highly offensive to a 21 reasonable consumer; 22 (iii) processing personal data for purposes of targeted advertising; 23 (iv) sale of personal data; and 24 (v) processing of personal data for purposes of profiling, where such 25 profiling presents a reasonably foreseeable risk of: 26 (A) unfair or deceptive treatment, or unlawful disparate impact on, 27 consumers or a class of consumers; 28 (B) financial, physical, psychological or reputational injury to 29 consumers, or a class of consumers; 30 (C) a physical or otherwise intrusion upon the solitude or seclusion, 31 or the private affairs or concerns, of consumers, where such intrusion 32 would be offensive to a reasonable person; or 33 (D) other substantial injury to consumers. 34 (b) Duty of loyalty. (i) A controller must notify the consumer, or 35 class of consumers, of the interest that may be harmed in advance of 36 requesting consent and as close in time to the processing as practicable 37 where it is reasonably foreseeable to the controller that a process 38 presents a heightened risk of harm to the consumer or class of consum- 39 ers. 40 (ii) Controllers must not engage in unfair, deceptive, or abusive acts 41 or practices with respect to obtaining consumer consent, the processing 42 of personal data, and a consumer's exercise of any rights under this 43 article, including without limitation: 44 (A) designing a user interface with the purpose or substantial effect 45 of deceiving consumers, obscuring consumers' rights under this article, 46 or subverting or impairing user autonomy, decision-making, or choice in 47 order to obtain consent; or 48 (B) obtaining consent in a manner designed to overpower a consumer's 49 resistance; for example, by making excessive requests for consent. 50 (c) Duty of care. (i) (A) Controllers must, on at least an annual 51 basis, conduct and document risk assessments of all current processing 52 of personal data. 53 (B) Risk assessments must assess at a minimum: 54 (I) the nature, sensitivity and context of the personal data that the 55 controller processes; 56 (II) the nature, purpose, and value of the processes;A. 4947 14 1 (III) any risks or harms to consumers actually or potentially arising 2 out of the processes, including physical, financial, psychological, or 3 reputational harms; 4 (IV) the adequacy and effect of safeguards implemented by the control- 5 lers; 6 (V) the sufficiency of the controller's notices to consumers at 7 describing and obtaining consent concerning the processes; and 8 (VI) the adequacy of the safeguards and monitoring practices of 9 processors and third parties to whom the controller has provided 10 personal data. 11 (C) The controller must retain risk assessments for at least six years 12 and make risk assessments available to the attorney general upon 13 request. 14 (ii) Controllers must develop, implement, and maintain reasonable 15 safeguards to protect the security, confidentiality and integrity of the 16 personal data of consumers including adopting reasonable administrative, 17 technical and physical safeguards appropriate to the volume and nature 18 of the personal data at issue. 19 (iii) (A) A controller shall limit the use and retention of a consum- 20 er's personal data to what is necessary to provide a service or good 21 requested by a consumer or for purposes for which the consumer has 22 provided freely given, specific, informed, and unambiguous opt-in 23 consent. 24 (B) At least annually, a controller shall review its retention prac- 25 tices for the purpose of ensuring that it is maintaining the minimum 26 amount of personal data as is necessary for the operation of its busi- 27 ness. A controller must dispose of all personal data that is no longer 28 (I) necessary to provide the services or goods requested by the consum- 29 er, (II) necessary for the internal business operations of the control- 30 ler and consistent with the disclosures made to the consumer pursuant to 31 section twelve hundred two of this article, or (III) necessary to comply 32 with the legal obligations of the controller. 33 (iv) Controllers shall be under a continuing obligation to engage in 34 reasonable measures to review their activities for circumstances that 35 may have altered their ability to identify a specific natural person and 36 to update their classifications of data as identified or identifiable 37 accordingly. 38 (d) Non-discrimination. (i) A controller must not discriminate against 39 a consumer for exercising rights under this article, including but not 40 limited to, by: 41 (A) denying services or goods to consumers; 42 (B) charging different prices for services or goods, including through 43 the use of discounts or other benefits; imposing penalties; or providing 44 a different level or quality of services or goods to the consumer; or 45 (C) suggesting that the consumer will receive a different price or 46 rate for services or goods or a different level or quality of services 47 or goods. 48 (ii) This paragraph does not apply to a controller's conduct with 49 respect to opt-in consent, in which case paragraph (j) of subdivision 50 two of section twelve hundred two of this article governs. 51 (e) Agreements with processors. (i) Before making any disclosure, 52 transfer, or sale of personal data to any processor, the controller must 53 enter into a written, signed contract with that processor. Such contract 54 must be binding and clearly set forth instructions for processing data, 55 the nature and purpose of processing, the type of data subject to proc- 56 essing, the duration of processing, and the rights and obligations ofA. 4947 15 1 both parties. The contract must also include requirements that the 2 processor must: 3 (A) ensure that each person processing personal data is subject to a 4 duty of confidentiality with respect to the data; 5 (B) protect the data in a manner consistent with the requirements of 6 this article and at least equal to the security requirements of the 7 controller set forth in their publicly available policies, notices, or 8 similar statements; 9 (C) process the data only when and to the extent necessary to comply 10 with its legal obligations to the controller unless otherwise explicitly 11 authorized by the controller; 12 (D) not combine the personal data which the processor receives from or 13 on behalf of the controller with personal data which the processor 14 receives from or on behalf of another person or collects from its own 15 interaction with consumers; 16 (E) comply with any exercises of a consumer's rights under section 17 twelve hundred two of this article upon the request of the controller, 18 subject to the limitations set forth in section twelve hundred five of 19 this article; 20 (F) at the controller's direction, delete or return all personal data 21 to the controller as requested at the end of the provision of services, 22 unless retention of the personal data is required by law; 23 (G) upon the reasonable request of the controller, make available to 24 the controller all data in its possession necessary to demonstrate the 25 processor's compliance with the obligations in this article; 26 (H) allow, and cooperate with, reasonable assessments by the control- 27 ler or the controller's designated assessor; alternatively, the process- 28 or may arrange for a qualified and independent assessor to conduct an 29 assessment of the processor's policies and technical and organizational 30 measures in support of the obligations under this article using an 31 appropriate and accepted control standard or framework and assessment 32 procedure for such assessments. The processor shall provide a report of 33 such assessment to the controller upon request; 34 (I) a reasonable time in advance before disclosing or transferring the 35 data to any further processors, notify the controller of such a proposed 36 disclosure or transfer and provide the controller an opportunity to 37 approve or reject the proposal; and 38 (J) engage any further processor pursuant to a written, signed 39 contract that includes the contractual requirements provided in this 40 paragraph, containing at minimum the same obligations that the processor 41 has entered into with regard to the data. 42 (ii) A controller must not agree to indemnify, defend, or hold a 43 processor harmless, or agree to a provision that has the effect of 44 indemnifying, defending, or holding the processor harmless, from claims 45 or liability arising from the processor's breach of the contract 46 required by clause (A) of subparagraph (i) of this paragraph or a 47 violation of this article. Any provision of an agreement that violates 48 this subparagraph is contrary to public policy and is void and unen- 49 forceable. 50 (iii) Nothing in this paragraph relieves a controller or a processor 51 from the liabilities imposed on it by virtue of its role in the process- 52 ing relationship as defined by this article. 53 (iv) Determining whether a person is acting as a controller or proces- 54 sor with respect to a specific processing of data is a fact-based deter- 55 mination that depends upon the context in which personal data is to be 56 processed. A processor that continues to adhere to a controller'sA. 4947 16 1 instructions with respect to a specific processing of personal data 2 remains a processor. 3 (f) Third parties. (i) A controller must not share, disclose, trans- 4 fer, or sell personal data, or facilitate or enable the processing, 5 disclosure, transfer, or sale of personal data to a third party for 6 which consent of the consumer pursuant to subdivision two of section 7 twelve hundred two of this article, has not been obtained or is not 8 currently in effect. Any request for consent to share, disclose, trans- 9 fer, or sell personal data, or to facilitate or enable the processing, 10 disclosure, transfer, or sale of personal data to a third party must 11 clearly include the identity of the third party and the processing 12 purposes for which the third party may use the personal data. 13 (ii) A controller must not share, disclose, transfer, or sell personal 14 data, or facilitate or enable the processing, disclosure, transfer, or 15 sale of personal data if it can reasonably expect the personal data of a 16 consumer to be used for purposes that the consumer has not consented to 17 pursuant to subdivision two of section twelve hundred two of this arti- 18 cle, or if it can reasonably expect that any rights of the consumer 19 provided in this article would be compromised as a result of such trans- 20 action. 21 (iii) Before making any disclosure, transfer, or sale of personal data 22 to any third party, the controller must enter into a written, signed 23 contract. Such contract must be binding and the scope, nature, and 24 purpose of processing, the type of data subject to processing, the dura- 25 tion of processing, and the rights and obligations of both parties. 26 Such contract must include requirements that the third party: 27 (A) Process that data only to the extent permitted by the agreement 28 entered into with the controller; and 29 (B) Provide a mechanism to comply with any exercises of a consumer's 30 rights under section twelve hundred two of this article upon the request 31 of the controller, subject to any limitations thereon as authorized by 32 this article; and 33 (C) To the extent the disclosure, transfer, or sale of the personal 34 data causes the third party to become a controller, comply with all 35 obligations imposed on controllers under this article. 36 2. Processor responsibilities. (a) For any personal data that is 37 obtained, received, purchased, or otherwise acquired by a processor, 38 whether directly from a controller or indirectly from another processor, 39 the processor must comply with the requirements set forth in clauses (A) 40 through (J) of subparagraph (i) of paragraph (e) of subdivision one of 41 this section. 42 (b) A processor is not required to comply with a request by the 43 consumer submitted pursuant to this article by a consumer directly to 44 the processor to the extent that the processor has processed the consum- 45 er's personal data solely in its role as a processor for a controller. 46 (c) Processors shall be under a continuing obligation to engage in 47 reasonable measures to review their activities for circumstances that 48 may have altered their ability to identify a specific natural person and 49 to update their classifications of data as identified or identifiable 50 accordingly. 51 (d) A processor shall not engage in any sale of personal data other 52 than on behalf of the controller pursuant to any agreement entered into 53 with the controller. 54 3. Third party responsibilities. (a) For any personal data that is 55 obtained, received, purchased, or otherwise acquired or accessed by a 56 third party from a controller or processor, the third party must:A. 4947 17 1 (i) Process that data only to the extent permitted by any agreements 2 entered into with the controller; 3 (ii) Process only the personal data necessary for purposes for which 4 freely given, specific, informed, and unambiguous opt-in consent is in 5 effect, as conveyed by the controller, limit the use and retention of 6 that data to what is necessary for such purposes, and shall immediately 7 delete such personal data when notified that the consent is withheld, 8 denied, or withdrawn; 9 (iii) Comply with any exercises of a consumer's rights under section 10 twelve hundred two of this article upon the request of the controller or 11 processor, subject to any limitations thereon as authorized by this 12 article; and 13 (iv) To the extent the third party becomes a controller for personal 14 data, comply with all obligations imposed on controllers under this 15 article. 16 4. Exceptions. The requirements of this section shall not apply where: 17 (a) The processing is required by law; 18 (b) The processing is made pursuant to a request by a federal, state, 19 or local government or government entity; or 20 (c) The processing significantly advances protection against criminal 21 or tortious activity. 22 § 1204. Data brokers. 1. A data broker, as defined under this article, 23 must: 24 (a) Annually, on or before January thirty-first following a year in 25 which a person meets the definition of data broker in this article: 26 (i) Register with the attorney general; 27 (ii) Pay a registration fee of one hundred dollars or as otherwise 28 determined by the attorney general pursuant to the regulatory authority 29 granted to the attorney general under this article, not to exceed the 30 reasonable cost of establishing and maintaining the database and infor- 31 mational website described in this section; and 32 (iii) Provide the following information: 33 (A) the name and primary physical, email, and internet website address 34 of the data broker; 35 (B) the name and business address of an officer or registered agent of 36 the data broker authorized to accept legal process on behalf of the data 37 broker; 38 (C) a statement describing the method for exercising consumers rights 39 under section twelve hundred two of this article; 40 (D) a statement whether the data broker implements a purchaser creden- 41 tialing process; and 42 (E) any additional information or explanation the data broker chooses 43 to provide concerning its data collection practices. 44 2. Notwithstanding any other provision of this article, any controller 45 that conducts business in the state of New York must: 46 (a) annually, on or before January thirty-first following a year in 47 which a person meets the definition of controller in this article, 48 provide to the attorney general a list of all data brokers or persons 49 reasonably believed to be data brokers to which the controller provided 50 personal data in the preceding year; and 51 (b) not sell a consumer's personal data to a data broker that is not 52 registered with the attorney general. 53 3. The attorney general shall establish, manage and maintain a state- 54 wide registry on its internet website, which shall list all registered 55 data brokers and make accessible to the public all the information 56 provided by data brokers pursuant to this section. Printed hard copiesA. 4947 18 1 of such registry shall be made available upon request and payment of a 2 fee to be determined by the attorney general. 3 4. A data broker that fails to register as required by this section or 4 submits false information in its registration is, in addition to any 5 other injunction, penalty, or liability that may be imposed under this 6 article, liable for civil penalties, fees, and costs in an action 7 brought by the attorney general as follows: (a) a civil penalty of one 8 thousand dollars for each day the data broker fails to register as 9 required by this section or fails to correct false information, (b) an 10 amount equal to the fees that were due during the period it failed to 11 register, and (c) expenses incurred by the attorney general in the 12 investigation and prosecution of the action as the court deems appropri- 13 ate. 14 § 1205. Limitations. 1. This article does not require a controller or 15 processor to do any of the following solely for purposes of complying 16 with this article: 17 (a) Reidentify deidentified data; 18 (b) Comply with a verified consumer request to access, correct, or 19 delete personal data pursuant to this article if all of the following 20 are true: 21 (i) The controller is not reasonably capable of associating the 22 request with the personal data; 23 (ii) The controller does not associate the personal data with other 24 personal data about the same specific consumer as part of its normal 25 business practice; and 26 (iii) The controller does not sell the personal data to any third 27 party or otherwise voluntarily disclose or transfer the personal data to 28 any processor or third party, except as otherwise permitted in this 29 article; or 30 (c) Maintain personal data in identifiable form, or collect, obtain, 31 retain, or access any personal data or technology, in order to be capa- 32 ble of associating a verified consumer request with personal data. 33 2. The obligations imposed on controllers and processors under this 34 article do not restrict a controller's or processor's ability to do any 35 of the following, to the extent that the use of the consumer's personal 36 data is reasonably necessary and proportionate for these purposes: 37 (a) Comply with federal, state, or local laws, rules, or regulations; 38 (b) Comply with a civil, criminal, or regulatory inquiry, investi- 39 gation, subpoena, or summons by federal, state, local, or other govern- 40 mental authorities; 41 (c) Cooperate with law enforcement agencies concerning conduct or 42 activity that the controller or processor reasonably and in good faith 43 believes may violate federal, state, or local laws, rules, or regu- 44 lations; 45 (d) Investigate, establish, exercise, prepare for, or defend legal 46 claims; 47 (e) Process personal data necessary to provide the services or goods 48 requested by a consumer; perform a contract to which the consumer is a 49 party; or take steps at the request of the consumer prior to entering 50 into a contract; 51 (f) Take immediate steps to protect the life or physical safety of the 52 consumer or of another natural person, and where the processing cannot 53 be manifestly based on another legal basis; 54 (g) Prevent, detect, protect against, or respond to security inci- 55 dents, identity theft, fraud, harassment, malicious or deceptive activ- 56 ities, or any illegal activity; preserve the integrity or security ofA. 4947 19 1 systems; or investigate, report, or prosecute those responsible for any 2 such action; 3 (h) Identify and repair technical errors that impair existing or 4 intended functionality; or 5 (i) Process business contact information, including a natural person's 6 name, position name or title, business telephone number, business 7 address, business electronic mail address, business fax number, or qual- 8 ifications and any other similar information about the natural person. 9 3. The obligations imposed on controllers or processors under this 10 article do not apply where compliance by the controller or processor 11 with this article would violate an evidentiary privilege under New York 12 law and do not prevent a controller or processor from providing personal 13 data concerning a consumer to a person covered by an evidentiary privi- 14 lege under New York law as part of a privileged communication. 15 4. A controller that receives a request pursuant to subdivisions three 16 through six of section twelve hundred two of this article, or a process- 17 or or third party to whom a controller communicates such a request, may 18 decline to fulfill the relevant part of such request if: 19 (a) the controller, processor, or third party is unable to verify the 20 request using commercially reasonable efforts, as described in paragraph 21 (c) of subdivision eight of section twelve hundred two of this article; 22 (b) complying with the request would be demonstrably impossible (for 23 purposes of this paragraph, the receipt of a large number of verified 24 requests, on its own, is not sufficient to render compliance with a 25 request demonstrably impossible); 26 (c) complying with the request would impair the privacy of another 27 individual or the rights of another to exercise free speech; or 28 (d) the personal data was created by a natural person other than the 29 consumer making the request and is being processed for the purpose of 30 facilitating interpersonal relationships or public discussion. 31 § 1206. Enforcement and private right of action. 1. Whenever it 32 appears to the attorney general, either upon complaint or otherwise, 33 that any person or persons has engaged in or is about to engage in any 34 of the acts or practices stated to be unlawful under this article, the 35 attorney general may bring an action or special proceeding in the name 36 and on behalf of the people of the state of New York to enjoin any 37 violation of this article, to obtain restitution of any moneys or prop- 38 erty obtained directly or indirectly by any such violation, to obtain 39 disgorgement of any profits obtained directly or indirectly by any such 40 violation, to obtain civil penalties of not more than fifteen thousand 41 dollars per violation, and to obtain any such other and further relief 42 as the court may deem proper, including preliminary relief. 43 (a) Any action or special proceeding brought by the attorney general 44 pursuant to this section must be commenced within six years. 45 (b) Each instance of unlawful processing counts as a separate 46 violation. Unlawful processing of the personal data of more than one 47 consumer counts as a separate violation as to each consumer. Each 48 provision of this article that is violated counts as a separate 49 violation. 50 (c) In assessing the amount of penalties, the court must consider any 51 one or more of the relevant circumstances presented by any of the 52 parties, including, but not limited to, the nature and seriousness of 53 the misconduct, the number of violations, the persistence of the miscon- 54 duct, the length of time over which the misconduct occurred, the will- 55 fulness of the violator's misconduct, and the violator's financial 56 condition.A. 4947 20 1 2. In connection with any proposed action or special proceeding under 2 this section, the attorney general is authorized to take proof and make 3 a determination of the relevant facts, and to issue subpoenas in accord- 4 ance with the civil practice law and rules. The attorney general may 5 also require such other data and information as such attorney general 6 may deem relevant and may require written responses to questions under 7 oath. Such power of subpoena and examination shall not abate or termi- 8 nate by reason of any action or special proceeding brought by the attor- 9 ney general under this article. 10 3. Any person, within or outside the state, who the attorney general 11 believes may be in possession, custody, or control of any books, papers, 12 or other things, or may have information, relevant to acts or practices 13 stated to be unlawful in this article is subject to the service of a 14 subpoena issued by the attorney general pursuant to this section. 15 Service may be made in any manner that is authorized for service of a 16 subpoena or a summons by the state in which service is made. 17 4. (a) Failure to comply with a subpoena issued pursuant to this 18 section without reasonable cause tolls the applicable statutes of limi- 19 tations in any action or special proceeding brought by the attorney 20 general against the noncompliant person that arises out of the attorney 21 general's investigation. 22 (b) If a person fails to comply with a subpoena issued pursuant to 23 this section, the attorney general may move in the supreme court to 24 compel compliance. If the court finds that the subpoena was authorized, 25 it shall order compliance and may impose a civil penalty of up to five 26 hundred dollars per day of noncompliance. 27 (c) Such tolling and civil penalty shall be in addition to any other 28 penalties or remedies provided by law for noncompliance with a subpoena. 29 5. This section shall apply to all acts declared to be unlawful under 30 this article, whether or not subject to any other law of this state, and 31 shall not supersede, amend or repeal any other law of this state under 32 which the attorney general is authorized to take any action or conduct 33 any inquiry. 34 6. Any consumer who has been injured by a violation of subdivision 35 two, seven or eight of section twelve hundred two of this article may 36 bring an action in their own name to enjoin such unlawful act or prac- 37 tice and to recover the actual damages or one thousand dollars, whichev- 38 er is greater. The court may also award reasonable attorneys' fees to a 39 prevailing plaintiff. Actions pursuant to this section may be brought 40 on a class-wide basis. 41 § 1207. Miscellaneous. 1. Preemption: This article does not annul, 42 alter, or affect the laws, ordinances, regulations, or the equivalent 43 adopted by any local entity regarding the processing, collection, trans- 44 fer, disclosure, and sale of consumers' personal data by a controller or 45 processor subject to this article, except to the extent those laws, 46 ordinances, regulations, or the equivalent create requirements or obli- 47 gations that conflict with or reduce the protections afforded to consum- 48 ers under this article. 49 2. Impact report: The attorney general shall issue a report evaluating 50 this article, its scope, any complaints from consumers or persons, the 51 liability and enforcement provisions of this article including, but not 52 limited to, the effectiveness of its efforts to enforce this article, 53 and any recommendations for changes to such provisions. The attorney 54 general shall submit the report to the governor, the temporary president 55 of the senate, the speaker of the assembly, and the appropriate commit-A. 4947 21 1 tees of the legislature within two years of the effective date of this 2 section. 3 3. Regulatory authority: (a) The attorney general is hereby authorized 4 and empowered to adopt, promulgate, amend and rescind suitable rules and 5 regulations to carry out the provisions of this article, including rules 6 governing the form and content of any disclosures or communications 7 required by this article. 8 (b) The attorney general may request data and information from 9 controllers conducting business in New York state, other New York state 10 government entities administering notice and consent regimes, consumer 11 protection and privacy advocates and researchers, internet standards 12 setting bodies, such as the internet engineering taskforce and the 13 institute of electrical and electronics engineers, and other relevant 14 sources, to conduct studies to inform suitable rules and regulations. 15 The attorney general shall receive, upon request, data from other New 16 York state governmental entities. 17 4. Exercise of rights: Any consumer right set forth in this article 18 may be exercised at any time by the consumer who is the subject of the 19 data or by a parent or guardian authorized by law to take actions of 20 legal consequence on behalf of the consumer who is the subject of the 21 data. An agent authorized by a consumer may exercise the consumer rights 22 set forth in subdivisions three through six of section twelve hundred 23 two of this article on the consumer's behalf. 24 § 4. This act shall take effect immediately; provided, however, that 25 sections 1201, 1202, 1203, 1205, 1206 and 1207 of the general business 26 law, as added by section three of this act, shall take effect two years 27 after it shall have become a law but the private right of action author- 28 ized by subdivision 6 of section 1206 of the general business law shall 29 take effect three years after such section shall have become a law.
