Bill Text: NY S00365 | 2023-2024 | General Assembly | Amended


Bill Title: Enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Spectrum: Partisan Bill (Democrat 11-0)

Status: (Engrossed) 2024-06-03 - referred to consumer affairs and protection [S00365 Detail]

Download: New_York-2023-S00365-Amended.html



                STATE OF NEW YORK
        ________________________________________________________________________

                                         365--B

                               2023-2024 Regular Sessions

                    IN SENATE

                                       (Prefiled)

                                     January 4, 2023
                                       ___________

        Introduced  by  Sens.  THOMAS,  COMRIE, HOYLMAN-SIGAL, JACKSON, KRUEGER,
          MAY, RAMOS -- read twice and ordered printed, and when printed  to  be
          committed  to the Committee on Consumer Protection -- reported favora-
          bly from said committee and committed to the Committee on Internet and
          Technology -- committee discharged, bill amended, ordered reprinted as
          amended and recommitted to said committee -- reported  favorably  from
          said  committee and committed to the Committee on Finance -- committee
          discharged, bill amended, ordered reprinted as amended and recommitted
          to said committee

        AN ACT to amend the general business law, in relation to the  management
          and oversight of personal data

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Short title. This act shall be known and may  be  cited  as
     2  the "New York privacy act".
     3    §  2.  Legislative  intent.  1.  Privacy is a fundamental right and an
     4  essential element of freedom. Advances in technology have produced ramp-
     5  ant growth in the amount and categories of personal  data  being  gener-
     6  ated,   collected,  stored,  analyzed,  and  potentially  shared,  which
     7  presents both promise and peril. Companies collect, use  and  share  our
     8  personal  data  in  ways that can be difficult for ordinary consumers to
     9  understand. Opaque data processing policies make it impossible to evalu-
    10  ate risks  and  compare  privacy-related  protections  across  services,
    11  stifling  competition.  Algorithms  quietly make decisions with critical
    12  consequences for New York consumers, often with no human accountability.
    13  Behavioral advertising generates profits by turning people into products
    14  and their activity into assets. New York consumers deserve  more  notice
    15  and more control over their data and their digital privacy.
    16    2. This act seeks to help New York consumers regain their privacy.  It
    17  gives New York consumers the ability to exercise more control over their

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD01642-07-3

        S. 365--B                           2

     1  personal data and requires businesses to be responsible, thoughtful, and
     2  accountable  managers  of  that  information.  To achieve this, this act
     3  provides New York consumers a number  of  new  rights,  including  clear
     4  notice of how their data is being used, processed and shared; the abili-
     5  ty  to  access  and obtain a copy of their data in a commonly used elec-
     6  tronic format, with the ability to transfer  it  between  services;  the
     7  ability  to  correct inaccurate data and to delete their data.  This act
     8  also imposes obligations upon businesses  to  maintain  reasonable  data
     9  security  for personal data, to notify New York consumers of foreseeable
    10  harms arising from use of their data and to obtain specific consent  for
    11  that  use, and to conduct regular assessments to ensure that data is not
    12  being used for unacceptable purposes.  These  data  assessments  can  be
    13  obtained  and  evaluated  by the New York State Attorney General, who is
    14  empowered to obtain penalties for violations of  this  act  and  prevent
    15  future violations.
    16    § 3. The general business law is amended by adding a new article 42 to
    17  read as follows:
    18                                 ARTICLE 42
    19                            NEW YORK PRIVACY ACT
    20  Section 1100. Definitions.
    21          1101. Jurisdictional scope.
    22          1102. Consumer rights.
    23          1103. Controller, processor, and third party responsibilities.
    24          1104. Data brokers.
    25          1105. Limitations.
    26          1106. Enforcement.
    27          1107. Miscellaneous.
    28    §  1100. Definitions. The following definitions apply for the purposes
    29  of this article unless the context clearly requires otherwise:
    30    1. "Biometric information" means any personal data generated from  the
    31  measurement  or  specific technological processing of a natural person's
    32  biological, physical, or physiological characteristics  that  allows  or
    33  confirms  the unique identification of a natural person, including fing-
    34  erprints, voice prints, iris or retina scans, facial scans or templates,
    35  and gait.  "Biometric information" does not include a digital  or  phys-
    36  ical photograph, an audio or video recording, or any data generated from
    37  a digital or physical photograph, or an audio or video recording, unless
    38  such data is generated to identify a specific individual.
    39    2.  "Business  associate"  has  the same meaning as in Title 45 of the
    40  C.F.R., established pursuant to the federal Health Insurance Portability
    41  and Accountability Act of 1996.
    42    3. "Consent" means a clear affirmative act signifying a freely  given,
    43  specific, informed, and unambiguous indication of a consumer's agreement
    44  to  the  processing  of  data relating to the consumer.   Consent may be
    45  withdrawn at any time, and a controller must provide clear, conspicuous,
    46  and consumer-friendly means to withdraw consent. The  burden  of  estab-
    47  lishing  consent is on the controller.  Consent does not include: (a) an
    48  agreement of general terms of use or a similar document that  references
    49  unrelated  information  in  addition to personal data processing; (b) an
    50  agreement obtained through fraud, deceit or deception; (c) any act  that
    51  does  not constitute a user's intent to interact with another party such
    52  as hovering over, pausing or closing any content; or (d)  a  pre-checked
    53  box or similar default.
    54    4. "Consumer" means a natural person who is a New York resident acting
    55  only  in  an  individual  or  household  context.  It does not include a

        S. 365--B                           3

     1  natural person known to  be  acting  in  a  professional  or  employment
     2  context.
     3    5.  "Controller"  means  the person who, alone or jointly with others,
     4  determines the purposes and means of the processing of personal data.
     5    6. "Covered entity" has the same meaning as in Title 45 of the C.F.R.,
     6  established pursuant to the federal  Health  Insurance  Portability  and
     7  Accountability Act of 1996.
     8    7.  "Data  broker" means a person, or unit or units of a legal entity,
     9  separately or together, that does business in the state of New York  and
    10  knowingly collects, and sells to other controllers or third parties, the
    11  personal  data  of  a  consumer  with  whom  it  does  not have a direct
    12  relationship. "Data broker" does not include any of the following:
    13    (a) a consumer reporting agency to the extent that it  is  covered  by
    14  the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.); or
    15    (b)  a  financial  institution to the extent that it is covered by the
    16  Gramm-Leach-Bliley Act  (Public  Law  106-102)  and  implementing  regu-
    17  lations.
    18    8.  "Decisions  that  produce  legal or similarly significant effects"
    19  means decisions made by the controller that result in the  provision  or
    20  denial  by  the  controller  of  financial or lending services, housing,
    21  insurance,  education  enrollment  or  opportunity,  criminal   justice,
    22  employment  opportunities,  health  care services or access to essential
    23  goods or services.
    24    9. "Deidentified data" means data that cannot reasonably  be  used  to
    25  infer  information about, or otherwise be linked to a particular consum-
    26  er, household or device, provided that the processor or controller  that
    27  possesses the data:
    28    (a) implements reasonable technical safeguards to ensure that the data
    29  cannot be associated with a consumer, household or device;
    30    (b) publicly commits to process the data only as deidentified data and
    31  not  attempt  to  reidentify  the  data,  except  that the controller or
    32  processor may attempt to  reidentify  the  information  solely  for  the
    33  purpose  of  determining  whether its deidentification processes satisfy
    34  the requirements of this subdivision; and
    35    (c) contractually obligates any recipients of the data to comply  with
    36  all provisions of this article.
    37    10.  "Device"  means any physical object that is capable of connecting
    38  to the internet, directly or indirectly, or to  another  device  and  is
    39  intended  for  use  by a natural person or household or, if used outside
    40  the home, for use by the general public.
    41    11. "Genetic information" means any data, regardless  of  its  format,
    42  that  concerns  a  consumer's  genetic  characteristics.  "Genetic data"
    43  includes but is not limited to (a) raw sequence data  that  result  from
    44  sequencing  of  a  consumer's  complete  extracted  or  a portion of the
    45  extracted deoxyribonucleic acid  (DNA)  information;  (b)  genotype  and
    46  phenotypic  information  that  results  from  analyzing the raw sequence
    47  data; and (c) self-reported health information that a  consumer  submits
    48  to a company regarding the consumer's health conditions and that is used
    49  for   scientific   research  or  product  development  and  analyzed  in
    50  connection with the consumer's raw sequence data.
    51    12. "Household" means a group, however identified,  of  consumers  who
    52  cohabitate  with  one  another  at  the same residential address and may
    53  share use of common devices or services.
    54    13. "Identified or identifiable" means a natural  person  who  can  be
    55  identified, directly or indirectly, such as by reference to an identifi-

        S. 365--B                           4

     1  er such as a name, an identification number, location data, or an online
     2  or device identifier.
     3    14. "Natural person" means a natural person acting only in an individ-
     4  ual  or household context. It does not include a natural person known to
     5  be acting in a professional or employment context.
     6    15. "Person" means a natural person or a legal entity,  including  but
     7  not  limited  to  a  proprietorship,  partnership,  limited partnership,
     8  corporation, company, limited liability company or corporation,  associ-
     9  ation,  or  other  firm  or similar body, or any unit, division, agency,
    10  department, or similar subdivision thereof.
    11    16. "Personal data" means any data that identifies or could reasonably
    12  be linked, directly or indirectly, with a specific  natural  person,  or
    13  household.    Personal data does not include deidentified data, informa-
    14  tion that is lawfully made publicly available  from  federal,  state  or
    15  local government records, or information that a controller has a reason-
    16  able   basis to believe is lawfully made available to the general public
    17  by the  consumer or from widely distributed media.
    18    17. "Precise geolocation data" means information derived from technol-
    19  ogy, including, but not limited to, global position system  level  lati-
    20  tude  and longitude coordinates or other mechanisms, that directly iden-
    21  tifies the  specific  location  of  an  individual  with  precision  and
    22  accuracy  within  a  radius  of  one  thousand seven hundred fifty feet,
    23  except as prescribed by regulations. Precise geolocation data  does  not
    24  include  the  content  of  communications  or  any  data generated by or
    25  connected to advance utility metering infrastructure systems  or  equip-
    26  ment for use by a utility.
    27    18.  "Process",  "processes" or "processing" means an operation or set
    28  of operations which are performed on data or on sets of data,  including
    29  but  not  limited to the collection, use, access, sharing, monetization,
    30  analysis, retention, creation, generation, derivation, recording, organ-
    31  ization,  structuring,  storage,  disclosure,  transmission,   analysis,
    32  disposal, licensing, destruction, deletion, modification, or deidentifi-
    33  cation of data.
    34    19.  "Processor"  means  a person that processes data on behalf of the
    35  controller.
    36    20. "Profiling" means any form of automated  processing  performed  on
    37  personal  data to evaluate, analyze, or predict personal aspects related
    38  to an identified or identifiable natural  person's  economic  situation,
    39  health,   personal   preferences,   interests,   reliability,  behavior,
    40  location, or movements.  Profiling does not include  evaluation,  analy-
    41  sis,  or  prediction based solely upon a natural person's current search
    42  query or activities on, or current visit to, the controller's website or
    43  online application.
    44    21. "Protected health information" has the same meaning as in Title 45
    45  C.F.R., established pursuant to the federal Health Insurance Portability
    46  and Accountability Act of 1996.
    47    22. "Sale", "sell", or "sold" means the disclosure, transfer,  convey-
    48  ance,  sharing,  licensing,  making  available,  processing, granting of
    49  permission or authorization to process, or other  exchange  of  personal
    50  data,  or  providing access to personal data for monetary or other valu-
    51  able consideration by the controller to a third party.  "Sale"  includes
    52  enabling, facilitating or providing access to personal data for targeted
    53  advertising. "Sale" does not include the following:
    54    (a)  the  disclosure  of data to a processor who processes the data on
    55  behalf of the controller and  which  is  contractually  prohibited  from
    56  using it for any purpose other than as instructed by the controller;

        S. 365--B                           5

     1    (b)  the  disclosure or transfer of data as an asset that is part of a
     2  merger, acquisition, bankruptcy, or other transaction in  which  another
     3  entity assumes control or ownership of all or a majority of the control-
     4  ler's assets; or
     5    (c)  the  disclosure  of  personal data to a third party necessary for
     6  purposes of providing a product, service, or interaction with such third
     7  party, when the consumer intentionally and unambiguously  requests  such
     8  disclosure.
     9    23. "Sensitive data" means personal data that reveals:
    10    (a)  racial  or  ethnic  origin, religious beliefs, mental or physical
    11  health condition or diagnosis, sex life, sexual orientation, or citizen-
    12  ship or immigration status;
    13    (b) genetic information or biometric information for  the  purpose  of
    14  uniquely identifying a natural person;
    15    (c) precise geolocation data; or
    16    (d)  social  security, financial account, passport or driver's license
    17  numbers.
    18    24. "Targeted advertising" means advertising based upon profiling.
    19    25. "Third party" means, with respect to a particular  interaction  or
    20  occurrence,  a  person, public authority, agency, or body other than the
    21  consumer, the controller, or processor of the controller.  A third party
    22  may also be a controller if the  third  party,  alone  or  jointly  with
    23  others,  determines the purposes and means of the processing of personal
    24  data.
    25    26. "Verified request" means a request by a consumer or their agent to
    26  exercise a right authorized by this article, the authenticity  of  which
    27  has  been ascertained by the controller in accordance with paragraph (c)
    28  of subdivision eight of section eleven hundred two of this article.
    29    § 1101. Jurisdictional scope. 1. This article applies to legal persons
    30  that conduct business in New York or produce products or  services  that
    31  are  targeted  to residents of New York, and that satisfy one or more of
    32  the following thresholds:
    33    (a) have annual gross revenue of twenty-five million dollars or more;
    34    (b) controls or processes personal data of fifty thousand consumers or
    35  more; or
    36    (c) derives over fifty percent of  gross  revenue  from  the  sale  of
    37  personal data.
    38    2. This article does not apply to:
    39    (a) personal data processed by state and local governments, and munic-
    40  ipal  corporations, for processes other than sale (filing and processing
    41  fees are not sale);
    42    (b) a national securities association registered pursuant  to  section
    43  15A  of  the Securities Exchange Act of 1934, as amended, or regulations
    44  adopted thereunder or a registered  futures  association  so  designated
    45  pursuant to section 17 of the Commodity Exchange Act, as amended, or any
    46  regulations adopted thereunder;
    47    (c)  any  nonprofit  entity identified in section four hundred five of
    48  the financial services law to the  extent  such  organization  collects,
    49  processes,  uses,  or  shares  data  solely  in relation to identifying,
    50  investigating, or assisting (i) law enforcement agencies  in  connection
    51  with  suspected  insurance-related  criminal or fraudulent acts; or (ii)
    52  first responders in connection with catastrophic events;
    53    (d) information that meets the following criteria:
    54    (i) personal data collected, processed, sold, or disclosed pursuant to
    55  and  in  compliance  with  the  federal  Gramm-Leach-Bliley  act   (P.L.
    56  106-102), and implementing regulations;

        S. 365--B                           6

     1    (ii)  personal  data collected, processed, sold, or disclosed pursuant
     2  to the federal Driver's Privacy Protection Act of 1994 (18  U.S.C.  Sec.
     3  2721  et seq.), if the collection, processing, sale, or disclosure is in
     4  compliance with that law;
     5    (iii) personal data regulated by the federal Family Educational Rights
     6  and Privacy Act, U.S.C. Sec. 1232g and its implementing regulations;
     7    (iv)  personal  data collected, processed, sold, or disclosed pursuant
     8  to the federal Farm Credit Act of 1971 (as amended  in  12  U.S.C.  Sec.
     9  2001-2279cc)  and  its  implementing  regulations (12 C.F.R. Part 600 et
    10  seq.) if the collection, processing, sale, or disclosure is  in  compli-
    11  ance with that law;
    12    (v) personal data regulated by section two-d of the education law;
    13    (vi)  data  maintained  as employment records, for purposes other than
    14  sale;
    15    (vii) protected health information that is  lawfully  collected  by  a
    16  covered  entity  or  business  associate and is governed by the privacy,
    17  security, and breach notification rules  issued  by  the  United  States
    18  Department  of  Health and Human Services, Parts 160 and 164 of Title 45
    19  of the Code of Federal Regulations, established pursuant to  the  Health
    20  Insurance  Portability  and  Accountability  Act  of  1996  (Public  Law
    21  104-191) ("HIPAA") and the Health Information  Technology  for  Economic
    22  and Clinical Health Act (Public Law 111-5);
    23    (viii)  patient identifying information for purposes of 42 C.F.R. Part
    24  2, established pursuant to 42 U.S.C. Sec. 290dd-2, as long as such  data
    25  is not sold in violation of HIPAA or any state or federal law;
    26    (ix)  information  and  documents lawfully created for purposes of the
    27  federal Health Care Quality Improvement Act of 1986, and  related  regu-
    28  lations;
    29    (x) patient safety work product created for purposes of 42 C.F.R. Part
    30  3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
    31    (xi)  information  that  is  treated in the same manner as information
    32  exempt under subparagraph (vii) of this paragraph that is maintained  by
    33  a  covered entity or business associate as defined by HIPAA or a program
    34  or a qualified service organization as defined by 42 U.S.C.  §  290dd-2,
    35  as  long  as such data is not sold in violation of HIPAA or any state or
    36  federal law;
    37    (xii) deidentified health information that meets all of the  following
    38  conditions:
    39    (A) it is deidentified in accordance with the requirements for deiden-
    40  tification  set  forth in Section 164.514 of Part 164 of Title 45 of the
    41  Code of Federal Regulations;
    42    (B) it is derived  from  protected  health  information,  individually
    43  identifiable  health  information,  or  identifiable private information
    44  compliant with the Federal Policy for the Protection of Human  Subjects,
    45  also known as the Common Rule; and
    46    (C) a covered entity or business associate does not attempt to reiden-
    47  tify  the  information  nor  do they actually reidentify the information
    48  except as otherwise allowed under state or federal law;
    49    (xiii) information maintained by a covered entity or business  associ-
    50  ate  governed  by  the  privacy, security, and breach notification rules
    51  issued by the United States Department of  Health  and  Human  Services,
    52  Parts 160 and 164 of Title 45 of the Code of Federal Regulations, estab-
    53  lished  pursuant  to the Health Insurance Portability and Accountability
    54  Act of 1996 (Public Law 104-191), to the extent the  covered  entity  or
    55  business  associate  maintains  the  information  in  the same manner as

        S. 365--B                           7

     1  protected health information as described in subparagraph (vii) of  this
     2  paragraph;
     3    (xiv)  data  collected as part of human subjects research, including a
     4  clinical trial, conducted in accordance with the Federal Policy for  the
     5  Protection of Human Subjects, also known as the Common Rule, pursuant to
     6  good  clinical  practice  guidelines issued by the International Council
     7  for Harmonisation or pursuant to human subject  protection  requirements
     8  of the United States Food and Drug Administration;
     9    (xv)  personal  data  processed  only for one or more of the following
    10  purposes:
    11    (A) product  registration  and  tracking  consistent  with  applicable
    12  United States Food and Drug Administration regulations and guidance;
    13    (B)  public  health  activities  and  purposes as described in Section
    14  164.512 of Title 45 of the Code of Federal Regulations; and/or
    15    (C) activities related to quality, safety, or effectiveness  regulated
    16  by the United States Food and Drug Administration; or
    17    (xvi) personal data collected, processed, or disclosed pursuant to and
    18  in  compliance with any opt-out program authorized by the public service
    19  commission  or  any  other  opt-out  community  distributed   generation
    20  programs authorized in law; or
    21    (e) (i) an activity involving the collection, maintenance, disclosure,
    22  sale, communication, or use of any personal data bearing on a consumer's
    23  credit  worthiness, credit standing, credit capacity, character, general
    24  reputation, personal characteristics, or mode of living  by  a  consumer
    25  reporting  agency,  as  defined  in  Title 15 U.S.C. Sec. 1681a(f), by a
    26  furnisher of information, as set forth in Title 15 U.S.C. Sec.  1681s-2,
    27  who provides information for use in a consumer  report,  as  defined  in
    28  Title  15  U.S.C.  Sec. 1861a(d), and by a user of a consumer report, as
    29  set forth in Title 15 U.S.C. Sec. 1681b.; and
    30    (ii) this paragraph shall apply only to the extent that such  activity
    31  involving  the collection, maintenance, disclosure, sale, communication,
    32  or use of such data by that agency, furnisher, or  user  is  subject  to
    33  regulation  under  the  Fair  Credit Reporting Act, Title 15 U.S.C. Sec.
    34  1681 et seq., and the data is not collected, maintained, used,  communi-
    35  cated,  disclosed,  or  sold  except  as  authorized  by the Fair Credit
    36  Reporting Act.
    37    § 1102. Consumer rights. 1. Right to notice. (a) Notice. Each control-
    38  ler that processes a consumer's personal data  must  make  publicly  and
    39  consistently  available, in a conspicuous and readily accessible manner,
    40  a notice containing the following:
    41    (i) a description of the  consumer's  rights  under  subdivisions  two
    42  through  seven  of  this  section  and how a consumer may exercise those
    43  rights, including how to withdraw consent;
    44    (ii) the categories of personal data processed by the  controller  and
    45  by  any  processor who processes personal data on behalf of the control-
    46  ler;
    47    (iii) the sources from which personal data is collected;
    48    (iv) the purposes for processing personal data;
    49    (v) the categories of third parties to whom the controller  disclosed,
    50  shared,  transferred  or  sold  personal  data and, for each category of
    51  third  party,  (A)  the  categories  of  personal  data  being   shared,
    52  disclosed, transferred, or sold to the third party, (B) the purposes for
    53  which  personal data is being shared, disclosed, transferred, or sold to
    54  the third party, (C) any applicable retention periods for each  category
    55  of  personal  data  processed by the third parties or processed on their
    56  behalf, or if that is not possible, the criteria used to  determine  the

        S. 365--B                           8

     1  period,  and (D) whether the third parties may use the personal data for
     2  targeted advertising; and
     3    (vi)  the  controller's retention period for each category of personal
     4  data that they process or is processed on their behalf, or  if  that  is
     5  not possible, the criteria used to determine that period.
     6    (b) Notice requirements.
     7    (i)  The  notice  must  be  written in easy-to-understand language and
     8  format at an eighth grade reading level or below and in at least  twelve
     9  point font.
    10    (ii)  The categories of personal data processed and purposes for which
    11  each category of personal data is processed must be described in a clear
    12  and conspicuous manner, at a level specific enough to enable a  consumer
    13  to  exercise  meaningful  control  over  their  personal data but not so
    14  specific as to render the notice unhelpful to a consumer.
    15    (iii) The notice must be dated with its effective date and updated  at
    16  least  annually.    When  the  information required to be disclosed to a
    17  consumer pursuant to paragraph (a) of this subdivision has  not  changed
    18  since  the  immediately  previous  notice  (whether  initial, annual, or
    19  revised) provided to the consumer, a controller may  issue  a  statement
    20  that no changes have been made.
    21    (iv)  The  notice,  as well as each version of the notice in effect in
    22  the preceding six years,   must be easily accessible  to  consumers  and
    23  capable of being viewed by consumers at any time.
    24    2.  Right to opt out.  (a) A controller must allow consumers the right
    25  to opt out, at any time, of  processing  personal  data  concerning  the
    26  consumer for the purposes of:
    27    (i) targeted advertising;
    28    (ii) the sale of personal data; and
    29    (iii)  profiling  in  furtherance  of  decisions that produce legal or
    30  similarly significant effects concerning a consumer.
    31    (b) A controller must provide clear  and  conspicuous  means  for  the
    32  consumer  or their agent to opt out of processing and clearly present as
    33  the most conspicuous choice an option to simultaneously opt out  of  all
    34  processing purposes set forth in paragraph (a) of this subdivision.
    35    (c)  A  controller must not process personal data for any purpose from
    36  which the consumer has opted out.
    37    (d) A controller must not request that a consumer who has opted out of
    38  certain purposes of processing personal data opt back in,  unless  those
    39  purposes  subsequently become necessary to provide the services or goods
    40  requested by a consumer. Targeted advertising and sale of personal  data
    41  shall  not  be  considered  processing  purposes  that  are necessary to
    42  provide service or goods requested by a consumer.
    43    (e) Controllers must treat user-enabled privacy controls in a browser,
    44  browser  plug-in,  smartphone  application,  operating  system,   device
    45  setting,  or other mechanism that communicates or signals the consumer's
    46  choice not to opt out of the processing of personal data in  furtherance
    47  of  targeted  advertising, the sale of their personal data, or profiling
    48  in furtherance of decisions that produce legal or similarly  significant
    49  effects concerning the consumer as an opt out under this article. To the
    50  extent that the privacy control conflicts with a consumer's consent, the
    51  controller  shall  comply  with  the  privacy control but may notify the
    52  consumer of such conflict and provide to such  consumer  the  choice  to
    53  give controller specific consent to such processing.
    54    3.  Sensitive data. (a) A controller must obtain freely given, specif-
    55  ic, informed, and unambiguous opt-in consent from a consumer to:

        S. 365--B                           9

     1    (i) process the consumer's sensitive data related to that consumer for
     2  any purpose other than  those  in  subdivision  two  of  section  eleven
     3  hundred five of this article; or
     4    (ii)  make  any  changes  to  the  existing  processing  or processing
     5  purpose, including those regarding the method and scope  of  collection,
     6  of  the  consumer's  sensitive  data  that may be less protective of the
     7  consumer's sensitive data than the processing to which the consumer  has
     8  previously given their freely given, specific, informed, and unambiguous
     9  opt-in consent.
    10    (b) Any request for consent to process sensitive data must be provided
    11  to  the  consumer, prior to processing their sensitive data, in a stand-
    12  alone disclosure that is separate and apart from any contract or privacy
    13  policy. The request for consent must:
    14    (i) be written in a twelve point font or greater and include  a  clear
    15  and  conspicuous  description  of  each  category of data and processing
    16  purpose for which consent is sought;
    17    (ii) clearly identify and distinguish between categories of  data  and
    18  processing  purposes that are necessary to provide the services or goods
    19  requested by the consumer and categories of data and processing purposes
    20  that are not necessary to provide the services or goods requested by the
    21  consumer;
    22    (iii) enable a reasonable consumer to easily identify  the  categories
    23  of data and processing purposes for which consent is sought;
    24    (iv)  clearly  present  as  the  most  conspicuous choice an option to
    25  provide only the consent necessary to  provide  the  services  or  goods
    26  requested by the consumer;
    27    (v) clearly present an option to deny consent; and
    28    (vi) where the request seeks consent to sharing, disclosure, transfer,
    29  or  sale  of sensitive data to third parties, identify the categories of
    30  such third parties, the categories of data sold or shared with them, the
    31  processing purposes, the retention period, or if that is  not  possible,
    32  the  criteria  used  to determine the period, and state if such sharing,
    33  disclosure, transfer, or sale enables or involves targeted  advertising.
    34  The  details of the categories of such third parties, and the categories
    35  of data, processing purposes, and the retention period, may be set forth
    36  in a  different  disclosure,  provided  that  the  request  for  consent
    37  contains a conspicuous and directly accessible link to that disclosure.
    38    (c)  Targeted  advertising  and  sale  of  personal  data shall not be
    39  considered processing purposes that are necessary to provide services or
    40  goods requested by a consumer.
    41    (d) Once a consumer has provided freely given, specific, informed, and
    42  unambiguous opt-in consent to process their sensitive data for  a  proc-
    43  essing  purpose, a controller may rely on such consent until it is with-
    44  drawn.
    45    (e) A controller must provide a mechanism for a consumer  to  withdraw
    46  previously  given  consent  at any time. Such mechanism shall make it as
    47  easy for a consumer to withdraw their consent as it is for such consumer
    48  to provide consent.
    49    (f) A controller must not infer that a consumer  has  provided  freely
    50  given,  specific,  informed,  and  unambiguous  opt-in  consent from the
    51  consumer's inaction or the consumer's continued  use  of  a  service  or
    52  product provided by the controller.
    53    (g)  Controllers  must  not  request  consent  from a consumer who has
    54  previously withheld or denied consent to process sensitive  data,  until
    55  at  least  twelve  months after a denial, unless consent is necessary to
    56  provide the services or goods requested by the consumer.

        S. 365--B                          10

     1    (h) Controllers must treat user-enabled privacy controllers in a brow-
     2  ser, browser plug-in, smartphone application, operating  system,  device
     3  setting,  or other mechanism that communicates or signals the consumer's
     4  choices to opt out of the processing of personal data in furtherance  of
     5  targeted  advertising,  the sale of their personal data, or profiling in
     6  furtherance of decisions that produce  legal  or  similarly  significant
     7  effects concerning the consumer as a denial of consent to process sensi-
     8  tive  data  under  this  article. To the extent that the privacy control
     9  conflicts with  a  consumer's  consent,  the  privacy  control  settings
    10  govern,  unless  the consumer provides freely given, specific, informed,
    11  and unambiguous opt-in consent to override the privacy control, however,
    12  the controller may notify such consumer of such conflict and provide  to
    13  the    consumer  the  choice to give controller-specific consent to such
    14  processing.
    15    (i) (i) A controller must not  discriminate  against  a  consumer  for
    16  withholding or denying consent, including, but not limited to, by:
    17    (A)  denying  services  or  goods to the consumer, unless the consumer
    18  does not consent to processing necessary  to  provide  the  services  or
    19  goods requested by the consumer;
    20    (B) charging different prices for goods or services, including through
    21  the use of discounts or other benefits, imposing penalties, or providing
    22  a different level or quality of services or goods to the consumer; or
    23    (C)  suggesting  that  the  consumer will receive a different price or
    24  rate for goods or services or a different level or quality  of  services
    25  or goods.
    26    (ii)  A  controller  shall not be prohibited from offering a different
    27  price, rate, level, quality, or selection of  goods  or  services  to  a
    28  consumer, including offering goods or services for no fee, if the offer-
    29  ing  is  in connection with a consumer's voluntary participation in bona
    30  fide  loyalty,  rewards,  premium  features,  discounts,  or  club  card
    31  program.  If  a consumer exercises their right pursuant to paragraph (a)
    32  of subdivision two of this section, a controller may not  sell  personal
    33  data  to  a third party controller as part of such a program unless: (A)
    34  the sale is reasonably necessary to enable the third party to provide  a
    35  benefit to which the consumer is entitled; (B) the sale of personal data
    36  to  third  parties is clearly disclosed in the terms of the program; and
    37  (C) the third party uses the personal data only for purposes of  facili-
    38  tating  such  a  benefit  to which the consumer is entitled and does not
    39  retain or otherwise use or disclose the  personal  data  for  any  other
    40  purpose.
    41    (j)  A  controller  may,  with  the consumer's freely given, specific,
    42  informed, and unambiguous opt-in consent given pursuant to this section,
    43  operate a program in which information, products, or  services  sold  to
    44  the  consumer  are  discounted  based  solely  on  such consumer's prior
    45  purchases from the controller, provided that any sensitive data used  to
    46  operate  such  program  is processed solely for the purpose of operating
    47  such program.
    48    (k) In the event of a merger, acquisition, bankruptcy, or other trans-
    49  action in which another entity assumes control or ownership  of  all  or
    50  majority  of  the  controller's  assets,  any  consent  provided  to the
    51  controller by a consumer relating to sensitive data prior to such trans-
    52  action other than consent to processing necessary to provide services or
    53  goods requested by the consumer, shall be deemed withdrawn.
    54    4. Right to access.  Upon  the  verified  request  of  a  consumer,  a
    55  controller shall:

        S. 365--B                          11

     1    (a)  confirm  whether or not the controller is processing or has proc-
     2  essed personal data of that consumer, and provide access to  a  copy  of
     3  any  such  personal  data  in  a  manner  understandable to a reasonable
     4  consumer when requested; and
     5    (b)  provide the category of each processor or third party to whom the
     6  controller disclosed, transferred, or sold the consumer's personal  data
     7  and,  for  each category of processor or third party, (i) the categories
     8  of the consumer's personal data disclosed, transferred, or sold to  each
     9  processor  or  third party and (ii) the purposes for which each category
    10  of the consumer's personal data was disclosed, transferred, or  sold  to
    11  each processor or third party.
    12    5. Right to portable data.  Upon a verified request, and to the extent
    13  technically feasible, the controller must: (a) provide to the consumer a
    14  copy  of  all  of, or a portion of, as designated in a verified request,
    15  the  consumer's  personal  data  in  a  structured,  commonly  used  and
    16  machine-readable  format  and (b) transmit the data to another person of
    17  the consumer's or their agent's designation without hindrance.
    18    6. Right to correct. (a) Upon the verified request of  a  consumer  or
    19  their  agent,  a  controller  must conduct a reasonable investigation to
    20  determine whether personal data, the accuracy of which  is  disputed  by
    21  the  consumer,  is  inaccurate,  with such investigation to be concluded
    22  within the time period set forth in paragraph (a) of  subdivision  eight
    23  of this section.
    24    (b)  Notwithstanding  paragraph  (a) of this subdivision, a controller
    25  may terminate an investigation initiated pursuant to such  paragraph  if
    26  the  controller reasonably and in good faith determines that the dispute
    27  by the consumer is wholly without merit, including by reason of a  fail-
    28  ure  by  a consumer to provide sufficient information to investigate the
    29  disputed personal data. Upon making any determination in accordance with
    30  this paragraph that a dispute is  wholly  without  merit,  a  controller
    31  must,  within  the time period set forth in paragraph (a) of subdivision
    32  eight of this section, provide the  affected  consumer  a  statement  in
    33  writing that includes, at a minimum, the specific reasons for the deter-
    34  mination,  and identification of any information required to investigate
    35  the disputed personal data, which may consist  of  a  standardized  form
    36  describing the general nature of such information.
    37    (c)  If,  after any investigation under paragraph (a) of this subdivi-
    38  sion of any personal data  disputed  by  a  consumer,  an  item  of  the
    39  personal  data  is  found  to  be inaccurate or incomplete, or cannot be
    40  verified, the controller must:
    41    (i) correct the inaccurate or incomplete personal data of the  consum-
    42  er; and
    43    (ii)  unless it proves impossible or involves disproportionate effort,
    44  communicate such request to each processor or third party  to  whom  the
    45  controller  disclosed, transferred, or sold the personal data within one
    46  year preceding the consumer's request, and to require  those  processors
    47  or  third  parties  to  do  the same for any further processors or third
    48  parties they disclosed, transferred, or sold the personal data to.
    49    (d) If the investigation does not resolve the  dispute,  the  consumer
    50  may  file with the controller a brief statement setting forth the nature
    51  of the dispute. Whenever a statement of a dispute is filed, unless there
    52  exists reasonable grounds to believe that it is  wholly  without  merit,
    53  the controller must note that it is disputed by the consumer and include
    54  either  the consumer's statement or a clear and accurate codification or
    55  summary  thereof  with  the  disputed  personal  data  whenever  it   is
    56  disclosed, transferred, or sold to any processor or third party.

        S. 365--B                          12

     1    7.  Right  to  delete.  (a) Upon the verified request of a consumer, a
     2  controller must:
     3    (i)  within  forty-five  days  after  receiving  the verified request,
     4  delete any or all of the consumer's personal data, as  directed  by  the
     5  consumer or their agent,  that the controller possesses or controls; and
     6    (ii)  unless  it proves impossible or involves disproportionate effort
     7  that is documented  in  writing  by  the  controller,  communicate  such
     8  request  to  each  processor  or  third  party  to  whom  the controller
     9  disclosed, transferred or sold the personal data within one year preced-
    10  ing the consumer's request and to  require  those  processors  or  third
    11  parties  to do the same for any further processors or third parties they
    12  disclosed, transferred, or sold the personal data to.
    13    (b) For personal data that is not possessed by the controller but by a
    14  processor of the controller, the controller may choose to  (i)  communi-
    15  cate  the  consumer's  request  for  deletion  to the processor, or (ii)
    16  request that the processor return to the controller  the  personal  data
    17  that  is  the subject of the consumer's request and delete such personal
    18  data upon receipt of the request.
    19    (c) A consumer's deletion of their online account must be treated as a
    20  request to the controller to delete all of that consumer's personal data
    21  directly related to that account.
    22    (d) A controller  must  maintain  reasonable  procedures  designed  to
    23  prevent  the  reappearance in its systems, and in any data it discloses,
    24  transfers, or sells to any processor or third party, the  personal  data
    25  that is deleted pursuant to this subdivision.
    26    (e)  A  controller is not required to comply with a consumer's request
    27  to delete personal data if:
    28    (i) complying with the  request  would  prevent  the  controller  from
    29  performing  accounting  functions,  processing  refunds,  effectuating a
    30  product recall pursuant to federal or state law, or fulfilling  warranty
    31  claims,  provided  that  the  personal  data  that is the subject of the
    32  request is not processed for any purpose other than such specific activ-
    33  ities; or
    34    (ii) it is necessary for the controller  to  maintain  the  consumer's
    35  personal  data  to engage in public or peer-reviewed scientific, histor-
    36  ical, or statistical research in the public interest that adheres to all
    37  other applicable ethics and privacy laws, when the controller's deletion
    38  of the information is likely to render impossible  or  seriously  impair
    39  the  achievement  of such research, provided that the consumer has given
    40  informed consent and the personal data is not processed for any  purpose
    41  other than such research.
    42    (f)  Where a consumer's request for deletion is denied, the controller
    43  shall provide the consumer with a written justification for such denial.
    44    8.  Responding to requests. (a) A controller must  take  action  under
    45  subdivisions  four through seven of this section and inform the consumer
    46  of any actions taken without undue delay and in any event within  forty-
    47  five days of receipt of the request. That period may be extended once by
    48  forty-five  additional  days  where  reasonably  necessary,  taking into
    49  account the complexity and number of the requests. The  controller  must
    50  inform  the  consumer  of  any  such extension within forty-five days of
    51  receipt of the request, together with the reasons for the delay. When  a
    52  controller  denies any such request, it must within this period disclose
    53  to the consumer a statement in writing of the specific reasons  for  the
    54  denial and instructions for how to appeal the decision.
    55    (b) A controller shall permit the exercise of rights and carry out its
    56  obligations set forth in subdivisions four through seven of this section

        S. 365--B                          13

     1  free  of charge, at least twice annually to the consumer. Where requests
     2  from a consumer are manifestly unfounded  or  excessive,  in  particular
     3  because  of  their  repetitive  character, the controller may either (i)
     4  charge  a  reasonable fee to cover the administrative costs of complying
     5  with the request or (ii) refuse to act on the  request  and  notify  the
     6  consumer  of  the  reason for refusing the request. The controller bears
     7  the burden of demonstrating the manifestly unfounded or excessive  char-
     8  acter of the request.
     9    (c)  (i)  A  controller  shall  promptly  attempt,  using commercially
    10  reasonable efforts, to verify that all requests to exercise  any  rights
    11  set  forth  in  any section of this article requiring a verified request
    12  were made by the consumer who is the subject of the data, or by a person
    13  lawfully exercising the right on behalf  of  the  consumer  who  is  the
    14  subject of the data. Commercially reasonable efforts shall be determined
    15  based  on the totality of the circumstances, including the nature of the
    16  data implicated by the request.
    17    (ii) A controller may  require  the  consumer  to  provide  additional
    18  information  only  if  the request cannot reasonably be verified without
    19  the provision of such additional  information.  A  controller  must  not
    20  transfer or process any such additional information provided pursuant to
    21  this  section  for any other purpose and must delete any such additional
    22  information without undue delay and in any event within forty-five  days
    23  after  the controller has notified the consumer that it has taken action
    24  on a request under subdivisions four through seven of  this  section  as
    25  described in paragraph (a) of this subdivision.
    26    (iii)  If  a  controller  discloses this additional information to any
    27  processor or third  party  for  the  purpose  of  verifying  a  consumer
    28  request,  it  must  notify the receiving processor or third party at the
    29  time of such disclosure, or as close in time to  the  disclosure  as  is
    30  reasonably  practicable,  that  such  information  was  provided  by the
    31  consumer for the sole purpose of verification and  cannot  be  processed
    32  for any purpose other than verification.
    33    9.  Implementation of rights. Controllers must provide easily accessi-
    34  ble and convenient means for consumers to exercise  their  rights  under
    35  this article.
    36    10.  Non-waiver of rights. Any provision of a contract or agreement of
    37  any kind that purports to waive or limit in any way a consumer's  rights
    38  under  this  article  is contrary to public policy and is void and unen-
    39  forceable.
    40    § 1103.  Controller, processor, and third party  responsibilities.  1.
    41  Controller  responsibilities.  (a)  Data  protection  assessments. (i) A
    42  controller shall  regularly  conduct  and  document  a  data  protection
    43  assessment  for  each  of  the  controller's  processing activities that
    44  presents a heightened risk of harm to a consumer. For  the  purposes  of
    45  this  section,  processing  that presents a heightened risk of harm to a
    46  consumer includes: (A) the processing of personal data for the  purposes
    47  of  targeting  advertising, (B) the sale of personal data, (C) the proc-
    48  essing of personal data  for  the  purposes  of  profiling,  where  such
    49  profiling presents a reasonably foreseeable risk of (I) unfair or decep-
    50  tive  treatment  of,  or  unlawful  disparate  impact on consumers, (II)
    51  financial, physical or reputational injury to consumers, (III)  a  phys-
    52  ical  or  other intrusion upon the solitude or seclusion, or the private
    53  affairs or concerns of consumers where such intrusion would be offensive
    54  to a reasonable person, or (IV) other substantial injury  to  consumers;
    55  and (D) the processing of sensitive data.

        S. 365--B                          14

     1    (ii)  Data  protection  assessments conducted pursuant to subparagraph
     2  (i) of this paragraph shall identify and weigh  the  benefits  that  may
     3  flow,  directly  and  indirectly, from the processing to the controller,
     4  the consumer, other stakeholders and the public  against  the  potential
     5  risks  to the rights of the consumer associated with such processing, as
     6  mitigated by safeguards that can be employed by the controller to reduce
     7  such risks. The controller shall factor into any  such  data  protection
     8  assessment that use of deidentified data and the reasonable expectations
     9  of consumers, as well as the context of the processing and the relation-
    10  ship between the controller and the consumer whose personal data will be
    11  processed.
    12    (iii)  The attorney general may require that a controller disclose any
    13  data  protection  assessment  that  is  relevant  to  an   investigation
    14  conducted  by  the  attorney  general, and the controller shall make the
    15  data protection assessment available to the attorney general. The attor-
    16  ney general may  evaluate  the  data  protection  assessment  to  assess
    17  compliance  with the provisions of this article. Data protection assess-
    18  ments shall be confidential and shall be exempt  from  disclosure  under
    19  the  freedom of information law. To the extent any information contained
    20  in a data protection  assessment  disclosure  to  the  attorney  general
    21  includes  information subject to attorney-client privilege or work prod-
    22  uct protection, such disclosure shall not constitute a  waiver  of  such
    23  privilege or protection.
    24    (iv)  A single data protection assessment may address a comparable set
    25  of processing operations that include similar activities.
    26    (v) If a controller conducts a  data  protection  assessment  for  the
    27  purpose of complying with another applicable law or regulation, the data
    28  protection assessment shall be deemed to satisfy the requirements estab-
    29  lished  in this section if such data protection assessment is reasonably
    30  similar in scope and effect to the data protection assessment that would
    31  otherwise be conducted pursuant to this section.
    32    (vi) Data protection assessment requirements shall apply to processing
    33  activities created or generated after the effective date of  this  arti-
    34  cle.
    35    (b)  Controllers must not engage in unfair, deceptive, or abusive acts
    36  or practices with respect to obtaining consumer consent, the  processing
    37  of  personal  data,  and  a consumer's exercise of any rights under this
    38  article, including without limitation:
    39    (i) designing a user interface with the purpose or substantial  effect
    40  of  deceiving consumers, obscuring consumers' rights under this article,
    41  or subverting or impairing user autonomy, decision-making, or choice; or
    42    (ii) obtaining consent in a manner designed to overpower a  consumer's
    43  resistance; for example, by making excessive requests for consent.
    44    (c) Controllers must develop, implement, and maintain reasonable safe-
    45  guards  to  protect  the  security, confidentiality and integrity of the
    46  personal data of consumers including adopting reasonable administrative,
    47  technical and physical safeguards appropriate to the volume  and  nature
    48  of the personal data at issue.
    49    (d) (i) A controller shall limit the use and retention of a consumer's
    50  personal  data to what is (A) necessary to provide the services or goods
    51  requested by the consumer, (B) necessary for the internal business oper-
    52  ations of the controller and consistent with the disclosures made to the
    53  consumer pursuant to section eleven hundred two of this article, or  (C)
    54  necessary to comply with the legal obligations of the controller.
    55    (ii)  At least annually, a controller shall review its retention prac-
    56  tices for the purpose of ensuring that it  is  maintaining  the  minimum

        S. 365--B                          15

     1  amount  of  personal data as is necessary for the operation of its busi-
     2  ness. A controller must securely dispose of all personal data that is no
     3  longer (A) necessary to provide the services or goods requested  by  the
     4  consumer,  (B)  necessary  for  the  internal business operations of the
     5  controller and consistent with the  disclosures  made  to  the  consumer
     6  pursuant to section eleven hundred two of this article, or (C) necessary
     7  to comply with the legal obligations of the controller.
     8    (e)  Non-discrimination.  (i)  (A)  A controller must not discriminate
     9  against a consumer for exercising rights under this  article,  including
    10  but not limited to, by:
    11    (I) denying services or goods to consumers;
    12    (II)  charging  different  prices  for  services  or  goods, including
    13  through the use of discounts or other benefits; imposing  penalties;  or
    14  providing  a  different  level  or  quality  of services or goods to the
    15  consumer; or
    16    (III) suggesting that the consumer will receive a different  price  or
    17  rate  for  services or goods or a different level or quality of services
    18  or goods.
    19    (B) A controller shall not be prohibited  from  offering  a  different
    20  price,  rate,  level,  quality,  or  selection of goods or services to a
    21  consumer, including offering goods or services for no fee, if the offer-
    22  ing is in connection with a consumer's voluntary participation  in  bona
    23  fide  loyalty,  rewards,  premium  features,  discounts,  or  club  card
    24  program. If a consumer exercises their right pursuant to  paragraph  (a)
    25  of  subdivision  two  of  section  eleven hundred two of this article, a
    26  controller may not sell personal data to a  third  party  controller  as
    27  part  of  such a program unless: (I) the sale is reasonably necessary to
    28  enable the third party to provide a benefit to  which  the  consumer  is
    29  entitled;  (II)  the  sale  of personal data to third parties is clearly
    30  disclosed in the terms of the program; and (III) the  third  party  uses
    31  the  personal  data  only for purposes of facilitating such a benefit to
    32  which the consumer is entitled and does not retain or otherwise  use  or
    33  disclose the personal data for any other purpose.
    34    (ii)  This  paragraph  does  not  apply to a controller's conduct with
    35  respect to opt-in consent, in which case paragraph  (j)  of  subdivision
    36  three of section eleven hundred two of this article governs.
    37    (f)  Agreements  with  processors.  (i)  Before making any disclosure,
    38  transfer, or sale of personal data to any processor, the controller must
    39  enter into a written, signed contract with that processor. Such contract
    40  must be binding and clearly set forth instructions for processing  data,
    41  the  nature and purpose of processing, the type of data subject to proc-
    42  essing, the duration of processing, and the rights  and  obligations  of
    43  both  parties.  The  contract  must  also  include requirements that the
    44  processor must:
    45    (A) ensure that each person processing personal data is subject  to  a
    46  duty of confidentiality with respect to the data;
    47    (B)  protect  the data in a manner consistent with the requirements of
    48  this article and at least equal to  the  security  requirements  of  the
    49  controller  set  forth in their publicly available policies, notices, or
    50  similar statements;
    51    (C) process the data only when and to the extent necessary  to  comply
    52  with its legal obligations to the controller unless otherwise explicitly
    53  authorized by the controller;
    54    (D) not combine the personal data which the processor receives from or
    55  on  behalf  of  the  controller  with  personal data which the processor

        S. 365--B                          16

     1  receives from or on behalf of another person or collects  from  its  own
     2  interaction with consumers;
     3    (E)  comply  with  any  exercises of a consumer's rights under section
     4  eleven hundred two of this article upon the request of  the  controller,
     5  subject  to  the limitations set forth in section eleven hundred five of
     6  this article;
     7    (F) at the controller's direction, delete or return all personal  data
     8  to  the controller as requested at the end of the provision of services,
     9  unless retention of the personal data is required by law;
    10    (G) upon the reasonable request of the controller, make  available  to
    11  the  controller  all data in its possession necessary to demonstrate the
    12  processor's compliance with the obligations in this article;
    13    (H) allow, and cooperate with, reasonable assessments by the  control-
    14  ler or the controller's designated assessor; alternatively, the process-
    15  or  may  arrange  for a qualified and independent assessor to conduct an
    16  assessment of the processor's policies and technical and  organizational
    17  measures  in  support  of  the  obligations  under this article using an
    18  appropriate and accepted control standard or  framework  and  assessment
    19  procedure  for such assessments. The processor shall provide a report of
    20  such assessment to the controller upon request;
    21    (I) a reasonable time in advance before disclosing or transferring the
    22  data to any further processors, notify the controller of such a proposed
    23  disclosure or transfer and provide  the  controller  an  opportunity  to
    24  approve or reject the proposal; and
    25    (J)  engage  any  further  processor  pursuant  to  a  written, signed
    26  contract that includes the contractual  requirements  provided  in  this
    27  paragraph, containing at minimum the same obligations that the processor
    28  has entered into with regard to the data.
    29    (ii)  A  controller  must  not  agree  to indemnify, defend, or hold a
    30  processor harmless, or agree to a  provision  that  has  the  effect  of
    31  indemnifying,  defending, or holding the processor harmless, from claims
    32  or liability  arising  from  the  processor's  breach  of  the  contract
    33  required  by  clause  (A)  of  subparagraph  (i)  of this paragraph or a
    34  violation of this article. Any provision of an agreement  that  violates
    35  this  subparagraph  is  contrary  to public policy and is void and unen-
    36  forceable.
    37    (iii) Nothing in this paragraph relieves a controller or  a  processor
    38  from the liabilities imposed on it by virtue of its role in the process-
    39  ing relationship as defined by this article.
    40    (iv) Determining whether a person is acting as a controller or proces-
    41  sor with respect to a specific processing of data is a fact-based deter-
    42  mination  that  depends upon the context in which personal data is to be
    43  processed. A processor  that  continues  to  adhere  to  a  controller's
    44  instructions  with  respect  to  a  specific processing of personal data
    45  remains a processor.
    46    (g) Third parties. (i) A controller must not share,  disclose,  trans-
    47  fer,  or  sell  personal  data,  or facilitate or enable the processing,
    48  disclosure, transfer, or sale to a third  party  of  personal  data  for
    49  which a consumer has exercised their opt-out rights pursuant to subdivi-
    50  sion  two  of  section  eleven hundred two of this article, or for which
    51  consent of the consumer pursuant to subdivision three of section  eleven
    52  hundred  two  of this article, has not been obtained or is not currently
    53  in effect. Any request for consent to share, disclose, transfer, or sell
    54  personal data, or to facilitate or enable  the  processing,  disclosure,
    55  transfer,  or sale of personal data to a third party of personal data to
    56  a third party must clearly include the category of the third  party  and

        S. 365--B                          17

     1  the  processing  purposes for which the third party may use the personal
     2  data.
     3    (ii) A controller must not share, disclose, transfer, or sell personal
     4  data,  or  facilitate or enable the processing, disclosure, transfer, or
     5  sale to a third party of personal data if it can reasonably  expect  the
     6  personal data of a consumer to be used for purposes for which a consumer
     7  has  exercised  their  opt-out  rights  pursuant  to  subdivision two of
     8  section eleven hundred two of this article, or for  which  the  consumer
     9  has  not  consented  to  pursuant to subdivision three of section eleven
    10  hundred two of this article, or if it can  reasonably  expect  that  any
    11  rights  of the consumer provided in this article would be compromised as
    12  a result of such transaction.
    13    (iii) Before making any disclosure, transfer, or sale of personal data
    14  to any third party, the controller must enter  into  a  written,  signed
    15  contract.  Such  contract  must  be  binding  and the scope, nature, and
    16  purpose of processing, the type of data subject to processing, the dura-
    17  tion of processing, and the rights  and  obligations  of  both  parties.
    18  Such contract must include requirements that the third party:
    19    (A)  Process  that  data only to the extent permitted by the agreement
    20  entered into with the controller; and
    21    (B) Provide a mechanism to comply with any exercises of  a  consumer's
    22  rights under section eleven hundred two of this article upon the request
    23  of  the  controller, subject to any limitations thereon as authorized by
    24  this article; and
    25    (C) To the extent the disclosure, transfer, or sale  of  the  personal
    26  data  causes  the  third  party  to become a controller, comply with all
    27  obligations imposed on controllers under this article.
    28    2. Processor responsibilities. (a)  For  any  personal  data  that  is
    29  obtained,  received,  purchased,  or  otherwise acquired by a processor,
    30  whether directly from a controller or indirectly from another processor,
    31  the processor must comply with the requirements set forth in clauses (A)
    32  through (J) of subparagraph (i) of paragraph (f) of subdivision  one  of
    33  this section.
    34    (b)  A  processor  is  not required to comply with a request submitted
    35  pursuant to this article if (i) the consumer submits the request direct-
    36  ly to the processor; and (ii) the processor has processed the consumer's
    37  personal data solely in its role as a processor for a controller.
    38    (c) Processors shall be under a continuing  obligation  to  engage  in
    39  reasonable  measures  to  review their activities for circumstances that
    40  may have altered their ability to identify a specific natural person and
    41  to update their classifications of data as  identified  or  identifiable
    42  accordingly.
    43    (d)  A  processor  shall not engage in any sale of personal data other
    44  than on behalf of the controller pursuant to any agreement entered  into
    45  with the controller.
    46    3.  Third  party  responsibilities.    For  any  personal data that is
    47  obtained, received, purchased, or otherwise acquired or  accessed  by  a
    48  third party from a controller or processor, the third party must:
    49    (a)  Process  that data only to the extent permitted by any agreements
    50  entered into with the controller;
    51    (b) Comply with any exercises of a  consumer's  rights  under  section
    52  eleven hundred two of this article upon the request of the controller or
    53  processor,  subject  to  any  limitations  thereon as authorized by this
    54  article; and

        S. 365--B                          18

     1    (c) To the extent the third party becomes a  controller  for  personal
     2  data,  comply  with  all  obligations  imposed on controllers under this
     3  article.
     4    4. Exceptions. The requirements of this section shall not apply where:
     5    (a) The processing is required by law;
     6    (b)  The processing is made pursuant to a request by a federal, state,
     7  or local government or government entity; or
     8    (c) The processing significantly advances protection against  criminal
     9  or tortious activity.
    10    § 1104. Data brokers. 1. A data broker, as defined under this article,
    11  must  annually,  on  or  before January thirty-first following a year in
    12  which a person meets the definition of data broker in this article:
    13    (a) Register with the attorney general;
    14    (b) Pay a registration fee of one  hundred  dollars  or  as  otherwise
    15  determined  by the attorney general pursuant to the regulatory authority
    16  granted to the attorney general under this article, not  to  exceed  the
    17  reasonable  cost of establishing and maintaining the database and infor-
    18  mational website described in this section; and
    19    (c) Provide the following information:
    20    (i) the name and primary physical, email, and internet website address
    21  of the data broker;
    22    (ii) the name and business address of an officer or  registered  agent
    23  of  the  data broker authorized to accept legal process on behalf of the
    24  data broker;
    25    (iii) a statement  describing  the  method  for  exercising  consumers
    26  rights under section eleven hundred two of this article;
    27    (iv)  a  statement  whether  the  data  broker  implements a purchaser
    28  credentialing process; and
    29    (v) any additional information or explanation the data broker  chooses
    30  to provide concerning its data collection practices.
    31    2. Notwithstanding any other provision of this article, any controller
    32  that conducts business in the state of New York must:
    33    (a)  annually,  on  or before January thirty-first following a year in
    34  which a person meets the definition of controller in this  act,  provide
    35  to the attorney general a list of all data brokers or persons reasonably
    36  believed  to  be  data brokers to which the controller provided personal
    37  data in the preceding year; and
    38    (b) not sell a  consumer's  personal  data  to  an  entity  reasonably
    39  believed  to  be  a data broker that is not registered with the attorney
    40  general.
    41    3. The attorney general shall establish, manage and maintain a  state-
    42  wide  registry  on its internet website, which shall list all registered
    43  data brokers and make accessible  to  the  public  all  the  information
    44  provided  by  data brokers pursuant to this section. Printed hard copies
    45  of such registry shall be made available upon request and payment  of  a
    46  reasonable fee to be determined by the attorney general.
    47    4. A data broker that fails to register as required by this section or
    48  submits  false  information  in  its registration is, in addition to any
    49  other injunction, penalty, or liability that may be imposed  under  this
    50  article,  liable  for  civil  penalties,  fees,  and  costs in an action
    51  brought by the attorney general as follows: (a) a civil penalty  of  one
    52  thousand  dollars  for  each  day  the  data broker fails to register as
    53  required by this section or fails to correct false information,  (b)  an
    54  amount  equal  to  the fees that were due during the period it failed to
    55  register, and (c) expenses incurred  by  the  attorney  general  in  the

        S. 365--B                          19

     1  investigation and prosecution of the action as the court deems appropri-
     2  ate.
     3    §  1105. Limitations. 1. This article does not require a controller or
     4  processor to do any of the following solely for  purposes  of  complying
     5  with this article:
     6    (a) Reidentify deidentified data;
     7    (b)  Comply  with  a  verified consumer request to access, correct, or
     8  delete personal data pursuant to this article if all  of  the  following
     9  are true:
    10    (i)  The  controller  is  not  reasonably  capable  of associating the
    11  request with the personal data;
    12    (ii) The controller does not associate the personal  data  with  other
    13  personal  data  about  the  same specific consumer as part of its normal
    14  business practice; and
    15    (iii) The controller does not sell the  personal  data  to  any  third
    16  party or otherwise voluntarily disclose or transfer the personal data to
    17  any  processor  or  third  party,  except as otherwise permitted in this
    18  article; or
    19    (c) Maintain personal data in identifiable form, or  collect,  obtain,
    20  retain,  or access any personal data or technology, in order to be capa-
    21  ble of associating a verified consumer request with personal data.
    22    2. The obligations imposed on controllers and  processors  under  this
    23  article  do not restrict a controller's or processor's ability to do any
    24  of the following, to the extent that the use of the consumer's  personal
    25  data is reasonably necessary and proportionate for these purposes:
    26    (a)  Comply with federal, state, or local laws, rules, or regulations,
    27  provided that no law enforcement agency or officer thereof shall  access
    28  personal  data without a subpoena or a lawfully executed search warrant,
    29  except for the attorney general for the    purposes  of  enforcing  this
    30  article, except where otherwise provided specifically in federal law;
    31    (b)  Investigate,  establish,  exercise,  prepare for, or defend legal
    32  claims;
    33    (c) Process personal data necessary to provide the services  or  goods
    34  requested  by  a consumer; perform a contract to which the consumer is a
    35  party; or take steps at the request of the consumer  prior  to  entering
    36  into a contract;
    37    (d) Take immediate steps to protect the life or physical safety of the
    38  consumer  or  of another natural person, and where the processing cannot
    39  be manifestly based on another legal basis;
    40    (e) Prevent, detect, protect against, or  respond  to  security  inci-
    41  dents,  identity theft, fraud, harassment, malicious or deceptive activ-
    42  ities, or any illegal activity; preserve the integrity  or  security  of
    43  systems;  or investigate, report, or prosecute those responsible for any
    44  such action;
    45    (f) Identify and repair  technical  errors  that  impair  existing  or
    46  intended functionality; or
    47    (g) Process business contact information, including a natural person's
    48  name,  position  name  or  title,  business  telephone  number, business
    49  address, business electronic mail address, business fax number, or qual-
    50  ifications and any other similar information about the natural person.
    51    3. The obligations imposed on controllers  or  processors  under  this
    52  article  do  not  apply  where compliance by the controller or processor
    53  with this article would violate an evidentiary privilege under New  York
    54  law and do not prevent a controller or processor from providing personal
    55  data  concerning a consumer to a person covered by an evidentiary privi-
    56  lege under New York law as part of a privileged communication.

        S. 365--B                          20

     1    4. A controller that receives a request pursuant to subdivisions  four
     2  through  seven  of  section  eleven  hundred  two  of this article, or a
     3  processor or third party  to  whom  a  controller  communicates  such  a
     4  request, may decline to fulfill the relevant part of such request if:
     5    (a)  the controller, processor, or third party is unable to verify the
     6  request using commercially reasonable efforts, as described in paragraph
     7  (c) of subdivision eight of section eleven hundred two of this article;
     8    (b) complying with the request would be demonstrably  impossible  (for
     9  purposes  of  this  paragraph, the receipt of a large number of verified
    10  requests, on its own, is not sufficient  to  render  compliance  with  a
    11  request demonstrably impossible);
    12    (c)  complying  with  the  request would impair the privacy of another
    13  individual or the rights of another to exercise free speech; or
    14    (d) the personal data was created by a natural person other  than  the
    15  consumer  making  the  request and is being processed for the purpose of
    16  facilitating interpersonal relationships or public discussion.
    17    § 1106. Enforcement. 1. Whenever it appears to the  attorney  general,
    18  either  upon  complaint  or  otherwise,  that  any person or persons has
    19  engaged in or is about to engage in any of the acts or practices  stated
    20  to  be  unlawful  under  this article, the attorney general may bring an
    21  action or special proceeding in the name and on behalf of the people  of
    22  the state of New York to enjoin any violation of this article, to obtain
    23  restitution of any moneys or property obtained directly or indirectly by
    24  any  such  violation,  to  obtain  disgorgement  of any profits obtained
    25  directly or indirectly by any such violation, to obtain civil  penalties
    26  of  not  more  than twenty thousand dollars per violation, and to obtain
    27  any such other and further relief as the court may deem proper,  includ-
    28  ing preliminary relief.
    29    (a)  Any  action or special proceeding brought by the attorney general
    30  pursuant to this section must be commenced within six years.
    31    (b)  Each  instance  of  unlawful  processing  counts  as  a  separate
    32  violation.  Unlawful  processing  of  the personal data of more than one
    33  consumer counts as a  separate  violation  as  to  each  consumer.  Each
    34  provision  of  this  article  that  is  violated  counts  as  a separate
    35  violation.
    36    (c) In assessing the amount of penalties, the court must consider  any
    37  one  or  more  of  the  relevant  circumstances  presented by any of the
    38  parties, including, but not limited to, the nature  and  seriousness  of
    39  the misconduct, the number of violations, the persistence of the miscon-
    40  duct,  the  length of time over which the misconduct occurred, the will-
    41  fulness of the  violator's  misconduct,  and  the  violator's  financial
    42  condition.
    43    2.  In connection with any proposed action or special proceeding under
    44  this section, the attorney general is authorized to take proof and  make
    45  a determination of the relevant facts, and to issue subpoenas in accord-
    46  ance  with  the  civil practice law and rules.  The attorney general may
    47  also require such other data and information as he or she may deem rele-
    48  vant and may require written responses to questions under  oath.    Such
    49  power of subpoena and examination shall not abate or terminate by reason
    50  of  any  action  or  special  proceeding brought by the attorney general
    51  under this article.
    52    3. Any person, within or outside the state, who the  attorney  general
    53  believes may be in possession, custody, or control of any books, papers,
    54  or  other things, or may have information, relevant to acts or practices
    55  stated to be unlawful in this article is subject to  the  service  of  a
    56  subpoena  issued  by  the  attorney  general  pursuant  to this section.

        S. 365--B                          21

     1  Service may be made in any manner that is authorized for  service  of  a
     2  subpoena or a summons by the state in which service is made.
     3    4.  (a)  Failure  to    comply with a subpoena issued pursuant to this
     4  section without reasonable cause tolls the applicable statutes of  limi-
     5  tations  in  any  action  or  special proceeding brought by the attorney
     6  general against the noncompliant person that arises out of the  attorney
     7  general's investigation.
     8    (b)  If  a  person  fails to comply with a subpoena issued pursuant to
     9  this section, the attorney general may move  in  the  supreme  court  to
    10  compel compliance.  If the court finds that the subpoena was authorized,
    11  it  shall  order  compliance and may impose a civil penalty of up to one
    12  thousand dollars per day of noncompliance.
    13    (c) Such tolling and civil penalty shall be in addition to  any  other
    14  penalties or remedies provided by law for noncompliance with a subpoena.
    15    5.  This section shall apply to all acts declared to be unlawful under
    16  this article, whether or not subject to any other law of this state, and
    17  shall not supersede, amend or repeal any other law of this  state  under
    18  which  the  attorney general is authorized to take any action or conduct
    19  any inquiry.
    20    § 1107. Miscellaneous. 1. Preemption: This  article  does  not  annul,
    21  alter,  or  affect  the laws, ordinances, regulations, or the equivalent
    22  adopted by any local entity regarding the processing, collection, trans-
    23  fer, disclosure, and sale of consumers' personal data by a controller or
    24  processor subject to this article, except  to  the  extent  those  laws,
    25  ordinances,  regulations, or the equivalent create requirements or obli-
    26  gations that conflict with or reduce the protections afforded to consum-
    27  ers under this article.
    28    2. Impact report: The attorney general shall issue a report evaluating
    29  this article, its scope, any complaints from consumers or  persons,  the
    30  liability  and enforcement provisions of this article including, but not
    31  limited to, the effectiveness of its efforts to  enforce  this  article,
    32  and  any  recommendations  for  changes to such provisions. The attorney
    33  general shall submit the report to the governor, the temporary president
    34  of the senate, the speaker of the assembly, and the appropriate  commit-
    35  tees  of  the legislature within two years of the effective date of this
    36  section.
    37    3. Regulatory authority: (a) The attorney general is hereby authorized
    38  and empowered to adopt, promulgate, amend and rescind suitable rules and
    39  regulations to carry out the provisions of this article, including rules
    40  governing the form and content  of  any  disclosures  or  communications
    41  required by this article.
    42    (b)  The  attorney  general  may  request, and shall receive, data and
    43  information from controllers conducting  business  in  New  York  state,
    44  other  New  York  state  government  entities  administering  notice and
    45  consent regimes, consumer protection and privacy advocates and research-
    46  ers, internet standards setting bodies, such as the internet engineering
    47  taskforce and the institute of electrical and electronics engineers, and
    48  other relevant sources, to conduct studies to inform suitable rules  and
    49  regulations.    The  attorney  general shall receive, upon request, data
    50  from other New York state governmental entities.
    51    4.  Exercise of rights: Any consumer right set forth in  this  article
    52  may  be  exercised at any time by the consumer who is the subject of the
    53  data or by a parent or guardian authorized by law  to  take  actions  of
    54  legal  consequence  on  behalf of the consumer who is the subject of the
    55  data. An agent authorized by a consumer may exercise the consumer rights

        S. 365--B                          22

     1  set forth in subdivisions four through seven of section  eleven  hundred
     2  two of this article on the consumers behalf.
     3    § 4. Severability. If any provision of this act, or any application of
     4  any  provision of this act, is held to be invalid, that shall not affect
     5  the  validity or effectiveness of any other provision of this act, or of
     6  any other application of any provision of this act, which can  be  given
     7  effect  without  that  provision  or  application;  and to that end, the
     8  provisions and  applications of this act are severable.
     9    § 5. This act shall take effect immediately; provided,  however,  that
    10  sections  1101,  1102, 1103, 1105, 1106 and 1107 of the general business
    11  law, as added by section three of this act, shall take effect  one  year
    12  after it shall have become a law.
feedback