Bill Text: NY S07695 | 2023-2024 | General Assembly | Introduced

Bill Title: Establishes the New York child data protection act to protect minors from having their personal data accessed; provides exceptions in certain circumstances.

Spectrum: Moderate Partisan Bill (Democrat 31-9)

Status: (Passed) 2024-06-20 - SIGNED CHAP.121 [S07695 Detail]




                STATE OF NEW YORK
        ________________________________________________________________________

                                          7695

                               2023-2024 Regular Sessions

                    IN SENATE

                                    October 13, 2023
                                       ___________

        Introduced by Sen. GOUNARDES -- read twice and ordered printed, and when
          printed to be committed to the Committee on Rules

        AN  ACT  to  amend the general business law, in relation to establishing
          the New York child data protection act

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section 1. The general business law is amended by adding a new article
     2  39-FF to read as follows:
     3                                ARTICLE 39-FF
     4                     NEW YORK CHILD DATA PROTECTION ACT
     5  Section 899-ee. Definitions.
     6          899-ff. Privacy protection by default.
     7          899-gg. Third parties.
     8          899-hh. Ongoing safeguards.
     9          899-ii. Respecting user-provided age flags.
    10          899-jj. Protections for third-party operators.
    11          899-kk. Rulemaking authority.
    12          899-ll. Scope.
    13          899-mm. Remedies.
    14    §  899-ee.  Definitions.  For  purposes of this article, the following
    15  terms shall have the following meanings:
    16    1. "Covered user" shall mean a user  of  a  website,  online  service,
    17  online  application, mobile application, or connected device, or portion
    18  thereof, in the state of New York who is:
    19    (a) actually known by the operator of such  website,  online  service,
    20  online  application,  mobile  application,  or  connected device to be a
    21  minor; or
    22    (b) a user of a website, online service,  online  application,  mobile
    23  application, or connected device primarily directed to minors.
    24    2. "Minor" shall mean a natural person under the age of eighteen.
    25    3. "Operator" shall mean any person:

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD13150-04-3

        S. 7695                             2

     1    (a)  who  operates  or  provides  a  website  on  the internet, online
     2  service, online application, mobile application,  or  connected  device;
     3  and
     4    (b) who:
     5    (i)  collects or maintains, either directly or through another person,
     6  personal data from or about the users of such website, service, applica-
     7  tion, or connected device;
     8    (ii)  integrates  with  another  website,  service,  application,   or
     9  connected  device  and directly collects personal data from the users of
    10  such website, service, application, or connected device;
    11    (iii) allows another person to collect  personal  data  directly  from
    12  users of such website, service, application, or connected device; or
    13    (iv)  allows users of such website, service, application, or connected
    14  device to publicly disclose personal data.
    15    4. "Personal data" shall  mean  any  data  that  identifies  or  could
    16  reasonably  be  linked,  directly or indirectly, with a specific natural
    17  person or device.
    18    5. "Process" or "processing" shall mean an operation or set  of  oper-
    19  ations  performed  on  personal  data,  including but not limited to the
    20  collection,  use,  access,  sharing,   sale,   monetization,   analysis,
    21  retention,  creation,  generation,  derivation, recording, organization,
    22  structuring, storage,  disclosure,  transmission,  disposal,  licensing,
    23  destruction,  deletion,  modification,  or  deidentification of personal
    24  data.
    25    6. "Primarily  directed  to  minors"  shall  mean  a  website,  online
    26  service, online application, mobile application, or connected device, or
    27  a  portion  thereof,  that  is  targeted  to  minors.  A website, online
    28  service, online application, mobile application, or connected device, or
    29  portion thereof, shall not be deemed directed primarily to minors solely
    30  because such website, online service, online application, mobile  appli-
    31  cation,  or  connected device, or portion thereof refers or links to any
    32  other website, online service, online application,  mobile  application,
    33  or  connected  device  directed  to minors by using information location
    34  tools, including a directory, index, reference,  pointer,  or  hypertext
    35  link. A website, online service, online application, mobile application,
    36  or  connected  device,  or  portion thereof, shall be deemed directed to
    37  minors when it has actual knowledge that it is collecting personal  data
    38  of  users directly from users of another website, online service, online
    39  application, mobile application, or connected device primarily  directed
    40  to minors.
    41    7.  "Sell"  shall  mean  to  share personal data for monetary or other
    42  valuable consideration. "Selling"  shall  not  include  the  sharing  of
    43  personal  data  for  monetary or other valuable consideration to another
    44  person as an asset that is part of a merger, acquisition, bankruptcy, or
    45  other transaction in which that person assumes control of all or part of
    46  the operator's assets.
    47    8. "Third party" shall mean any person who is not any of  the  follow-
    48  ing:
    49    (a)  the  operator  with whom the user intentionally interacts and who
    50  collects personal data from the user  as  part  of  the  user's  current
    51  interaction with the operator;
    52    (b) the user whose personal data the operator processes; or
    53    (c)  the  parent  or legal guardian of a user under thirteen years old
    54  whose personal data the operator processes.
    55    § 899-ff. Privacy protection by default. 1. Except as provided for  in
    56  subdivision six of this section and section eight hundred ninety-nine-jj

        S. 7695                             3

     1  of  this  article, an operator shall not process, or allow a third party
     2  to process, the personal data of a covered user  collected  through  the
     3  use  of  a  website, online service, online application, mobile applica-
     4  tion, or connected device unless and to the extent:
     5    (a)  the covered user is twelve years of age or younger and processing
     6  is permitted under 15 U.S.C. § 6502 and its implementing regulations; or
     7    (b) the covered user is thirteen years of age or older and  processing
     8  is  strictly  necessary  for an activity set forth in subdivision two of
     9  this section, or informed consent has been  obtained  as  set  forth  in
    10  subdivision three of this section.
    11    2.  For  the  purposes  of  paragraph  (b)  of subdivision one of this
    12  section, the processing of personal data of a covered user is  permissi-
    13  ble where it is strictly necessary for the following activities:
    14    (a)  providing  or maintaining a specific product or service requested
    15  by the covered user;
    16    (b)  conducting  the  operator's  internal  business  operations.  For
    17  purposes  of this paragraph, such internal business operations shall not
    18  include any activities related to marketing, advertising,  or  providing
    19  products or services to third parties, or prompting covered users to use
    20  the  website, online service, online application, mobile application, or
    21  connected device when it is not in use;
    22    (c) identifying and repairing technical errors that impair existing or
    23  intended functionality;
    24    (d) protecting against malicious, fraudulent, or illegal activity;
    25    (e) investigating, establishing, exercising, preparing for, or defend-
    26  ing legal claims;
    27    (f) complying with federal, state, or  local  laws,  rules,  or  regu-
    28  lations;
    29    (g)  complying with a civil, criminal, or regulatory inquiry, investi-
    30  gation, subpoena, or summons by federal, state, local, or other  govern-
    31  mental authorities;
    32    (h)  detecting,  responding  to,  or  preventing security incidents or
    33  threats; or
    34    (i) protecting the vital interests of a natural person.
    35    3. (a) For the purposes of paragraph (b) of subdivision  one  of  this
    36  section,  to process personal data of a covered user where such process-
    37  ing is not strictly necessary under subdivision  two  of  this  section,
    38  informed consent must be obtained from the covered user either through a
    39  device communication or signal pursuant to the provisions of subdivision
    40  two of section eight hundred ninety-nine-ii of this article or through a
    41  request. Requests for such informed consent shall:
    42    (i)  be made separately from any other transaction or part of a trans-
    43  action;
    44    (ii) be made in the absence of any mechanism that has the  purpose  or
    45  substantial  effect  of  obscuring,  subverting,  or impairing a covered
    46  user's decision-making regarding authorization for the processing;
    47    (iii) if requesting informed consent for multiple types of processing,
    48  allow the covered user to provide or  withhold  consent  separately  for
    49  each type of processing;
    50    (iv)  clearly and conspicuously state that the processing is optional,
    51  and that the covered user may decline without preventing  continued  use
    52  of  the website, online service, online application, mobile application,
    53  or connected device; and
    54    (v) clearly present an option to refuse to provide consent as the most
    55  prominent option.

        S. 7695                             4

     1    (b) Such informed consent, once given, shall be  freely  revocable  at
     2  any time, and shall be at least as easy to revoke as it was to provide.
     3    (c)  If a covered user declines to provide or revokes informed consent
     4  for processing, another request may not be made for such processing  for
     5  the following calendar year.
     6    (d)  If  a  covered  user's  device  communicates  or signals that the
     7  covered user declines to provide informed consent for processing  pursu-
     8  ant  to the provisions of subdivision two of section eight hundred nine-
     9  ty-nine-ii of this article,  an  operator  shall  not  request  informed
    10  consent for such processing.
    11    4. Except where processing is strictly necessary to provide a product,
    12  service,  or  feature,  an operator may not withhold, degrade, lower the
    13  quality, or increase the price of any product, service, or feature to  a
    14  covered  user  due  to  the  operator  not obtaining verifiable parental
    15  consent under 15 U.S.C. §  6502  and  its  implementing  regulations  or
    16  informed consent under subdivision three of this section.
    17    5.  Except  as provided for in section eight hundred ninety-nine-jj of
    18  this article, an operator shall not purchase or sell, or allow  a  third
    19  party to purchase or sell, the personal data of a covered user.
    20    6.  Within fourteen days of determining that a user is a covered user,
    21  an operator shall:
    22    (a) dispose of, destroy, or delete all personal data of  such  covered
    23  user  that it maintains, unless processing such personal data is permit-
    24  ted under 15 U.S.C. § 6502 and its implementing regulations, is strictly
    25  necessary for an activity listed in subdivision two of this section,  or
    26  informed  consent  is obtained as set forth in subdivision three of this
    27  section; and
    28    (b) notify any third parties to whom it disclosed the  personal  data,
    29  and  any third parties it allowed to process the personal data, that the
    30  user is a covered user.
    31    § 899-gg. Third parties. 1. Except as provided for  in  section  eight
    32  hundred  ninety-nine-jj  of this article, no operator shall disclose the
    33  personal data of a covered user to a third party, or allow the  process-
    34  ing  of  the personal data of a covered user by a third party, without a
    35  written, binding agreement governing such disclosure or processing. Such
    36  agreement shall clearly  set  forth  instructions  for  the  nature  and
    37  purpose   of   the   third-party's  processing  of  the  personal  data,
    38  instructions for using or further disclosing the personal data, and  the
    39  rights and obligations of both parties.
    40    2.  Except  as provided for in section eight hundred ninety-nine-jj of
    41  this article, prior to disclosing personal data to a  third  party,  the
    42  operator  shall inform the third party if such data is the personal data
    43  of a covered user.
    44    3. An agreement pursuant to subdivision  one  of  this  section  shall
    45  require that the third party:
    46    (a)  process  the  personal data of covered users only when and to the
    47  extent strictly necessary for an activity listed pursuant to subdivision
    48  two of section eight hundred ninety-nine-ff of this  article,  or  where
    49  informed  consent  was obtained pursuant to subdivision three of section
    50  eight hundred ninety-nine-ff of this article;
    51    (b) delete or return to the operator  all  personal  data  of  covered
    52  users  at  the end of its provision of services, unless retention of the
    53  personal data is required by law;
    54    (c) upon reasonable request of the operator,  make  available  to  the
    55  operator  all data in its possession necessary to demonstrate the third-
    56  party's compliance with the obligations in this section;

        S. 7695                             5

     1    (d) allow, and cooperate with, reasonable assessments by the  operator
     2  or the operator's designated assessor for purposes of evaluating compli-
     3  ance  with  the  obligations  of  this article. Alternatively, the third
     4  party may arrange for a qualified and independent assessor to conduct an
     5  assessment  of  the  third-party's  policies and technical and organiza-
     6  tional measures in support of the obligations under this  article  using
     7  an appropriate and accepted control standard or framework and assessment
     8  procedure  for  such assessments. The third party shall provide a report
     9  of such assessment to the operator upon request; and
    10    (e) notify the operator a reasonable time in advance before disclosing
    11  or transferring the personal data of covered users to any further  third
    12  parties, which may be in the form of a regularly updated list of further
    13  third parties that may access personal data of covered users.
    14    § 899-hh. Ongoing safeguards. Upon learning that a user is no longer a
    15  covered  user,  an  operator  may  not process the personal data of such
    16  person in a manner not previously permitted unless and until it receives
    17  informed consent pursuant to subdivision three of section eight  hundred
    18  ninety-nine-ff of this article.
    19    §  899-ii.  Respecting user-provided age flags. 1. For the purposes of
    20  this article, an operator shall treat a user as a covered  user  if  the
    21  user's  device  communicates  or  signals  that  the user is or shall be
    22  treated as a minor, including  through  a  browser  plug-in  or  privacy
    23  setting, device setting, or other mechanism.
    24    2.  For  the  purposes  of  subdivision three of section eight hundred
    25  ninety-nine-ff of this article, an operator shall adhere  to  any  clear
    26  and  unambiguous communications or signals from a covered user's device,
    27  including through a browser plug-in or privacy setting, device  setting,
    28  or other mechanism, concerning processing that the covered user consents
    29  to or declines to consent to. An operator shall not adhere to unclear or
    30  ambiguous  communications  or  signals from a covered user's device, and
    31  shall instead request informed consent pursuant  to  the  provisions  of
    32  paragraph a of subdivision three of section eight hundred ninety-nine-ff
    33  of this article.
    34    §  899-jj.  Protections  for  third-party  operators.  Sections  eight
    35  hundred ninety-nine-ff and eight hundred ninety-nine-gg of this  article
    36  shall not apply to an operator processing the personal data of a covered
    37  user  of  another  website,  online  service, online application, mobile
    38  application, or connected device, or portion thereof, where the operator
    39  received  reasonable  written  representations  that  the  covered  user
    40  provided informed consent for such processing, or:
    41    1.  the  operator does not have actual knowledge that the covered user
    42  is a minor; and
    43    2. the operator does not have actual knowledge that the other website,
    44  online service, online application,  mobile  application,  or  connected
    45  device, or portion thereof, is primarily directed to minors.
    46    §  899-kk.  Rulemaking  authority. The attorney general may promulgate
    47  such rules and regulations as are necessary to  effectuate  and  enforce
    48  the provisions of this article.
    49    § 899-ll. Scope. 1. This article shall apply to conduct that occurs in
    50  whole or in part in the state of New York. For purposes of this article,
    51  commercial  conduct  takes place wholly outside of the state of New York
    52  if the business collected such information while the  covered  user  was
    53  outside  of  the  state  of  New York, no part of the use of the covered
    54  user's personal data occurred in the state of New York, and no  personal
    55  data  collected  while  the covered user was in the state of New York is
    56  used.

        S. 7695                             6

     1    2. Nothing in this article shall be construed to prohibit an  operator
     2  from  storing a covered user's personal data that was collected pursuant
     3  to section eight  hundred  ninety-nine-ff  of  this  article  when  such
     4  covered user is in the state.
     5    3.  Nothing in this article shall be construed to impose liability for
     6  commercial activities or actions by operators subject to 15 U.S.C.  6501
     7  that is inconsistent with the treatment of such  activities  or  actions
     8  under 15 U.S.C. 6502.
     9    §  899-mm.  Remedies.  1. Whenever it appears to the attorney general,
    10  either upon complaint or otherwise, that any person, within  or  outside
    11  the  state,  has  engaged in or is about to engage in any of the acts or
    12  practices stated to be unlawful in this article,  the  attorney  general
    13  may  bring  an action or special proceeding in the name and on behalf of
    14  the people of the state of New York to  enjoin  any  violation  of  this
    15  article,  to  obtain  restitution  of  any  moneys  or property obtained
    16  directly or indirectly by any such violation, to obtain disgorgement  of
    17  any  profits  or  gains  obtained  directly  or  indirectly  by any such
    18  violation, including but not limited to the  destruction  of  unlawfully
    19  obtained  data  and  algorithms  trained on such data, to obtain damages
    20  caused directly or indirectly by any such  violation,  to  obtain  civil
    21  penalties  of  up  to five thousand dollars per violation, and to obtain
    22  any such other and further relief as the court may deem proper,  includ-
    23  ing preliminary relief.
    24    2.  Any  covered  user  who has been injured by a violation of section
    25  eight hundred ninety-nine-ff  of this article, or the  parent  or  legal
    26  guardian  of  a  covered  minor  who  has been injured by a violation of
    27  section eight hundred ninety-nine-ff  of  this  article,  may  bring  an
    28  action to obtain:
    29    (a)  Damages of up to five thousand dollars per covered user per inci-
    30  dent or actual damages, whichever is greater;
    31    (b) Injunctive or declaratory relief; and/or
    32    (c) Any other relief the court deems proper.
    33    3. Actions pursuant to this section may be  brought  on  a  class-wide
    34  basis.
    35    4.  The  court  may  award  reasonable attorneys' fees to a prevailing
    36  plaintiff.
    37    5. Prior to bringing any action for violations of this article  pursu-
    38  ant to subdivision two of this section, a covered user shall provide the
    39  operator thirty days' written notice identifying the specific provisions
    40  of  this  article  the  covered  user  alleges  have  been  or are being
    41  violated. In the event a cure is possible, if within the thirty days the
    42  operator actually cures the noticed violation and provides  the  covered
    43  user  an  express  written statement that the violations have been cured
    44  and that no further violations shall occur,  no  action  for  individual
    45  statutory  damages  or  class-wide  statutory  damages  may be initiated
    46  against the operator. No notice shall be required prior to an individual
    47  consumer initiating  an  action  solely  for  actual  pecuniary  damages
    48  suffered as a result of the alleged violations of this title. If a busi-
    49  ness  continues to violate this article in breach of the express written
    50  statement provided to the covered user under this section,  the  covered
    51  user  may initiate an action against the business to enforce the written
    52  statement and may pursue  statutory  damages  for  each  breach  of  the
    53  express written statement, as well as any other violation of the article
    54  that postdates such written statement.
    55    §  2.  Severability.  If any clause, sentence, paragraph, subdivision,
    56  section or part of this act shall be adjudged by any court of  competent

        S. 7695                             7

     1  jurisdiction  to  be invalid, such judgment shall not affect, impair, or
     2  invalidate the remainder thereof, but shall be confined in its operation
     3  to the clause, sentence, paragraph, subdivision, section or part thereof
     4  directly  involved  in the controversy in which such judgment shall have
     5  been rendered. It is hereby declared to be the intent of the legislature
     6  that this act would have been enacted even if  such  invalid  provisions
     7  had not been included herein.
     8    §  3. This act shall take effect one year after it shall have become a
     9  law. Effective immediately, the addition, amendment and/or repeal of any
    10  rule or regulation necessary for the implementation of this act  on  its
    11  effective date are authorized to be made and completed on or before such
    12  effective date.