Bill Text: NY S04201 | 2023-2024 | General Assembly | Introduced
Bill Title: Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2024-01-03 - REFERRED TO INVESTIGATIONS AND GOVERNMENT OPERATIONS
STATE OF NEW YORK

4201

2023-2024 Regular Sessions

IN SENATE

February 6, 2023

Introduced by Sen. SANDERS -- read twice and ordered printed, and when printed to be committed to the Committee on Investigations and Government Operations

AN ACT to amend the executive law, in relation to enacting the New York data protection act

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Short title. This act shall be known and may be cited as the "New York data protection act".

§ 2. The executive law is amended by adding a new article 5-A to read as follows:

ARTICLE 5-A
NEW YORK DATA PROTECTION ACT

Section 81. Definitions.
        82. Right to request disclosure.
        83. Right to request deletion of personal information.
        84. Personal information which may be requested.
        85. Shared information; government entities or contractors.
        86. Non-shareable personal information.
        87. Right not to be discriminated against.
        88. Accessibility.
        89. Limitation on restrictions.
        89-a. Relief.
        89-b. Compliance guidance.

§ 81. Definitions. As used in this article, the following terms shall have the following meanings unless otherwise specified:

1. "Aggregate personal information" shall mean information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked or reasonably linkable to any individual or household, including via a device. "Aggregate personal information" shall not mean one or more individual's records that have been de-identified.

2. "Collects", "collected", or "collection" shall mean gathering, obtaining, receiving, or accessing any personal information pertaining to an individual by any means. This includes receiving information from such individual either actively or passively.

3. "Contractor" means a contractor, or subcontractor of a contractor, that contracts to process information on behalf of a government entity and to which such government entity discloses an individual's personal information for a legitimate government purpose pursuant to a written contract, provided that such contract prohibits such contractor or subcontractor receiving such personal information from retaining, using, or disclosing such personal information for any purpose other than for the specific purpose of performing the services specified in such contract, or as otherwise permitted by this article, including retaining, using, or disclosing such personal information for a commercial purpose other than providing the services specified in the contract.

4. "Deidentified" shall mean information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual, provided that a government entity that uses such deidentified information:
(a) has implemented technical safeguards and processes that prohibit reidentification of the individual to whom such information may pertain;
(b) has implemented processes to prevent inadvertent release of deidentified information; and
(c) makes no attempt to reidentify such information.

5. "Designated methods for submitting requests" shall mean a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby individuals may submit a request or direction under this article, and any new means of contacting a government entity, as approved by the attorney general.

6. "Device" shall mean any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.

7. "Government entity" or "entity" shall mean any state agency or any part, body, or subdivision thereof.

8. "Homepage" shall mean the introductory page of an internet web site and any internet web page where personal information is collected.

9. "Individual" shall mean a person who is a resident of New York state.

10. (a) "Personal information" shall mean information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal information includes, but is not limited to, the following:
(i) identifiers such as a real name, alias, postal address, unique personal identifier, internet protocol address, email address, social security number, driver's license number, passport number, photograph, or other similar identifiers;
(ii) characteristics of protected classifications under New York or federal law;
(iii) commercial information, including records of real or personal property;
(iv) biometric information;
(v) audio, electronic, visual, or similar information;
(vi) professional or employment-related information;
(vii) education information, defined as information that is not publicly available personally identifiable information as defined in the family educational rights and privacy act (20 USC 1232g);
(viii) inferences drawn from any of the information identified in this subdivision to create a profile about an individual reflecting such individual's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and
(ix) financial or tax information.
(b) "Personal information" shall not include publicly available information. For these purposes, "publicly available" shall mean information that is lawfully made available from federal, state, or local government records, or any conditions associated with such information. "Publicly available" shall not include an individual's information that is deidentified or aggregate personal information.

11. "Probabilistic identifier" shall mean the identification of an individual or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in subdivision ten of this section.

12. "Process" or "processing" shall mean any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

13. "Pseudonymize" or "pseudonymization" shall mean the processing of personal information in a manner that renders such personal information no longer attributable to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that such personal information is not attributed to an identified or identifiable individual.

14. (a) "Sell", "selling", "sale", or "sold" shall mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individual's personal information by a government entity or contractor to a third party for monetary or other valuable consideration.
(b) A government entity or contractor does not sell personal information within the meaning of this article when:
(i) An individual uses or directs such government entity or contractor to intentionally disclose personal information to a third party, provided such third party also does not sell such personal information, unless such disclosure would be consistent with the provisions of this article.
(ii) Such government entity or contractor uses or shares with a third party personal information of an individual that is necessary to perform a legitimate government purpose if both of the following conditions are met:
(1) the government entity or contractor has provided notice that information is being used or shared; and
(2) the third party does not further collect, sell, or use the personal information of such individual except as necessary to perform the business purpose for which it received such information.
(iii) A contractor who transfers to a third party an individual's personal information as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which such contractor or third party assumes control of all or part of such third party provided that such information is used or shared consistently with this article. If a third party materially alters how it uses or shares personal information of an individual in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to such individual. Such notice shall be sufficiently prominent and robust to ensure that individuals can easily exercise their choices consistently with section eighty-three of this article.

15. "Service" or "services" shall mean work, labor, and services, including services furnished in connection with the sale or repair of goods.

16. "Third party" shall mean a person or business entity who is not another government entity or contractor thereof.

17. "Unique identifier" or "unique personal identifier" shall mean a persistent identifier that can be used to recognize an individual, a family, or a device that is linked to an individual or family, over time and across different services, including, but not limited to, a device identifier; an internet protocol address; cookies, beacons, pixel tags, or similar technology; unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular individual or device. For purposes of this subdivision, "family" means a custodial parent or guardian and any minor children over which such parent or guardian has custody.

18. "Verifiable information request" shall mean a request to a government entity that is made by an individual, by an individual on behalf of such individual's minor child, or by a natural person or a person registered with the secretary of state, authorized by such individual to act on such individual's behalf, and that such government entity or contractor can reasonably verify, pursuant to regulations adopted by the attorney general to be such individual about whom such government entity or contractor has collected personal information. A government entity or contractor shall not be obligated to provide information to such individual pursuant to sections eighty-two and eighty-three of this article if such government entity or contractor cannot verify that such individual making such request is the same individual about whom such government entity has collected information, or is a person authorized by such individual to act on such individual's behalf.

§ 82. Right to request disclosure.

1. Any individual shall have the right to request that a government entity or contractor that collects personal information disclose to such individual the categories and specific pieces of personal information such government entity or contractor has collected.

2. A government entity that collects an individual's personal information shall, at or before the point of collection, inform such individual as to the categories of personal information to be collected and the purposes for which such categories of personal information shall be used. A government entity or contractor shall not collect additional categories of personal information or use personal information collected for additional purposes without providing such individual with notice consistent with this article.

3. A government entity or contractor shall provide the information specified in subdivision one of this section to an individual only upon receipt of a verifiable information request.

4. A government entity or contractor that receives a verifiable information request from an individual to access personal information shall promptly take steps to disclose and deliver, free of charge to such individual, such personal information required by this section. Such information may be delivered by mail or electronically. A government entity or contractor may provide personal information to an individual at any time, but shall not be required to provide personal information to any individual more than twice in a twelve-month period.

5. This section shall not require a government entity or contractor to:
(a) retain any personal information collected for a single, one-time transaction if such information is not shared or retained by such government entity or contractor; or
(b) re-identify or otherwise link information that is not maintained in a manner that would be considered personal information.

§ 83. Right to request deletion of personal information.

1. Any individual shall have the right to request that a government entity or contractor delete any personal information about such individual which such government entity or contractor has collected from such individual.

2. A government entity or contractor that collects personal information about individuals shall notify such individuals of their rights to request the deletion of their personal information.

3. A government entity or contractor that receives a verifiable information request from an individual to delete such individual's personal information shall delete such individual's personal information from its records and direct any contractors to delete such individual's personal information from their records.

4. Notwithstanding other provisions under this article, a government entity or contractor shall not be required to comply with an individual's request to delete such individual's personal information if it is necessary for the government entity or contractor to maintain such individual's personal information in order to:
(a) complete the purpose for which the personal information was collected;
(b) comply with a legal obligation;
(c) otherwise use such individual's personal information, internally, in a lawful manner that is compatible with the scope of such government entity or contractor's duties.

§ 84. Personal information which may be requested.

1. An individual who requests disclosure of information pursuant to section eighty-two of this article may request the following information:
(a) the categories of personal information such government entity or contractor has collected about such individual;
(b) the categories of sources from which such personal information has been collected;
(c) the purpose for collecting or sharing such personal information;
(d) any other government entities, contractors, or third parties with whom such government entity or contractor shares such personal information; and
(e) the specific pieces of personal information such government entity or contractor has collected about such individual.

2. A government entity or contractor possessing personal information about an individual shall disclose to such individual such information upon receipt of a verifiable information request submitted by such individual. Within five days of receipt of such verifiable information request, such government entity or contractor shall send a response to such requestor acknowledging receipt of such request.

3. (a) A government entity or contractor that collects personal information about individuals from another government entity or contractor shall disclose to such individuals the following:
(i) the categories of personal information it has collected about such individual;
(ii) the categories of sources from which such personal information is collected;
(iii) the purpose for collecting or sharing such personal information;
(iv) any other government entities or contractors with whom such government entity or contractor shares personal information; and
(v) the specific pieces of personal information it has collected about such individual.
(b) Such government entity or contractor shall disclose the information required by paragraph (a) of this subdivision to such individuals immediately upon receipt of such information, without the need for a request to first be submitted.

4. This section shall not require a government entity or contractor to do the following:
(a) retain any personal information about an individual collected for a single one-time transaction if, in the ordinary course of business, such information about such individual is not retained; or
(b) re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

§ 85. Shared information; government entities or contractors. Any individual shall have the right to request that a government entity that shares such individual's personal information, disclose to such individual:
(1) the categories of personal information that such government entity collected about such individual; and
(2) the categories of personal information that such government entity or contractor has shared about such individual and the other government entities or contractors with whom such personal information was shared, by category or categories of personal information for each government entity or contractor to whom such personal information was shared.

§ 86. Non-shareable personal information.

1. No government entity or contractor shall share any individual's personal information with a contractor or subcontractor unless such information is crucial to the purpose for which such government entity or contractor has contracted such contractor or subcontractor's services.

2. No government entity or contractor shall share any individual's personal information with another government entity or contractor unless such information is crucial to the performance of such other government entity or contractor's duties, and such other government entity or contractor cannot procure such personal information on its own without serious hardship.

3. No government entity or contractor shall sell personal information about an individual that has been shared with such government entity or contractor.

§ 87. Right not to be discriminated against. No government entity or contractor shall discriminate against any individual in any way in response to such individual exercising any of his or her rights under this article.

§ 88. Accessibility.

1. In order to comply with the requirements of this article, in a method that is reasonably accessible to individuals, government entities shall:
(a) Make available to individuals two or more designated methods for submitting verifiable information requests which include, at a minimum, a toll-free telephone number, and if such government entity maintains an internet website, a website address.
(b) If such government entity maintains an internet website, provide on such website information instructing individuals of their rights to request disclosure or deletion of personal information under this article, and all methods available for making such a request. Such information shall not be required to be on the homepage of such government entity's website.

2. In order to comply with the requirements of this article, government entities and contractors shall:
(a) Disclose and deliver any information requested in a verifiable information request free of charge within forty-five days of receiving such request from an individual. The time period to provide the required information may be extended once by an additional forty-five days when reasonably necessary, provided the requesting individual is provided notice of such extension within the first forty-five day period. Such disclosure shall cover the twelve-month period preceding such government entity or contractor's receipt of the verifiable information request, and shall be made in writing and delivered by mail or electronically at the requestor's option.
(b) Disclose and deliver the information requested in a manner that covers all disclosure requirements under subdivision one of section eighty-four of this article.
(c) Disclose and deliver any information shared pursuant to section eighty-six of this article by such government entity or contractor within the twelve months preceding such request.
(d) Ensure that any employees of such government entity or contractor who are responsible for handling inquiries about disclosure requirements prescribed by this article are informed of all disclosure requirements under this article, and that such employees are informed of how to direct individuals of how to exercise their rights under this article.
(e) Use any personal information collected from an individual in a verifiable information request in connection with such government entity or contractor's verification of such request solely for the purposes of such verification.
(f) Not be required to respond to more than two verifiable information requests from the same individual within the same twelve-month period.

§ 89. Limitation on restrictions.

1. The obligations imposed on government entities and contractors by this article shall not restrict any government entity or contractor's ability to:
(a) otherwise comply with federal, state, or local laws;
(b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
(c) comply with a request made under the freedom of information law; or
(d) exercise or defend legal claims.

2. This article shall not apply to the sale of personal information to or from a consumer reporting agency if such information is to be reported in, or used to generate, a consumer report as defined by the federal fair credit reporting act (15 USC 1681), and use of that information is limited by such act.

3. If requests from an individual are manifestly unfounded or excessive, in particular because of their repetitive character, a government entity or contractor may either charge a reasonable fee, taking into account the administrative costs of providing such information or communication or taking the action requested, or refuse to act on such request and notify such individual of the reason for refusing such request. Such government entity or contractor shall bear the burden of demonstrating that such verified consumer request is manifestly unfounded or excessive.

4. A government entity that discloses personal information to a contractor shall not be liable under this article if such contractor uses such personal information in violation of the restrictions set forth in this article, provided that, at the time of disclosing such personal information, such government entity does not have actual knowledge or reason to believe that such contractor intends to commit such a violation. No contractor shall be liable under this article for the obligations of a government entity for which it provides services as set forth in this article.

5. This article shall not be construed to require a government entity to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

6. The rights afforded to individuals and the obligations imposed on government entities and contractors by this article shall not adversely affect the rights and freedoms of any other person.

§ 89-a. Relief.

1. Any individual whose personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a government entity or contractor's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect such personal information request action by the attorney general in response to such violation.

2. Nothing in this article shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or New York constitution.

§ 89-b. Compliance guidance. Any government entity or contractor may seek the opinion of the attorney general for guidance on how to comply with the provisions of this article.

§ 3. This act shall take effect one year after it shall have become a law.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD06208-01-3