                               2017-2018 Regular Sessions
                    IN SENATE
                                      April 4, 2017
        Introduced  by  Sen. KENNEDY -- read twice and ordered printed, and when
          printed to be committed to the Committee on Consumer Protection
        AN ACT to amend the general business law, in relation  to  the  sale  of
          personal information by an internet service provider
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. The general business law is amended by adding a new section
     2  349-f to read as follows:
     3    § 349-f. Sale, transfer, or sharing  of  personal  information  by  an
     4  internet service provider. 1. As used in this section:
     5    (a) "Personal information" shall mean any information that, when it is
     6  disclosed,  identifies,  describes,  or is able to be associated with an
     7  individual and includes, but is not limited to, the following:
     8    (i) an individual's name and address;
     9    (ii) information pertaining to  creditworthiness,  assets,  income  or
    10  liabilities;
    11    (iii) age or date of birth;
    12    (iv) names of children;
    13    (v) electronic mail or other addresses of children;
    14    (vi) number of children;
    15    (vii) the age or gender of children;
    16    (viii) height;
    17    (ix) weight;
    18    (x) race;
    19    (xi) religion;
    20    (xii) occupation;
    21    (xiii) telephone number;
    22    (xiv) education;
    23    (xv) political party affiliation;
    24    (xvi) medical condition;
    25    (xvii) drugs, therapies, or medical products or equipment used;
     1    (xviii) the kind of product the customer purchased, leased, or rented;
     2    (xix) real property purchased, leased, or rented;
     3    (xx) the kind of service provided;
     4    (xxi) social security number;
     5    (xxii) bank account number;
     6    (xxiii) credit card number;
     7    (xxiv) debit card number;
     8    (xxv) bank or investment account, debit card, or credit card balance;
     9    (xxvi) payment history;
    10    (xxvii) internet searches; or
    11    (xxviii) browser cache.
    12    (b)  "Provider of internet service" shall mean any person, business or
    13  organization qualified to do business in this state that provides  indi-
    14  viduals,  corporations, or other entities with the ability to connect to
    15  the internet through equipment that is located in this state.
    16    2. A provider of internet service shall keep confidential:
    17    (a) all personal information concerning a subscriber, other  than  the
    18  electronic  mail  address of the subscriber, unless the subscriber gives
    19  permission, in writing or by electronic mail, to the provider of  inter-
    20  net service to disclose the information; and
    21    (b)  the  electronic  mail  address of a subscriber, if the subscriber
    22  requests, in writing or by electronic mail, to have the electronic  mail
    23  address  of  the  subscriber  kept  confidential.  Upon receiving such a
    24  request from a subscriber, a provider of  internet  service  shall  keep
    25  confidential  the  electronic mail address of the subscriber, unless the
    26  subscriber gives permission, in writing or by electronic  mail,  to  the
    27  provider  of internet service to disclose the electronic mail address of
    28  the subscriber.
    29    3. A provider of internet service shall provide notice of the require-
    30  ments of subdivision two of this section to each of its subscribers. The
    31  notice must include, without limitation, a conspicuous statement that  a
    32  subscriber  may  request,  in writing or by electronic mail, to have the
    33  electronic mail address of the subscriber kept confidential.
    34    4. A provider of internet service shall not add a supplemental  charge
    35  or in any way  penalize a subscriber either financially or in quality or
    36  speed  of delivery for choosing not to allow for the sharing of personal
    37  information.
    38    5. A provider of internet service who violates any provision  of  this
    39  section  shall be guilty of a misdemeanor and shall be subject to a fine
    40  of not less than five hundred dollars or more than one thousand  dollars
    41  for each violation.
    42    § 2. This act shall take effect immediately.