Assembly Bill A5703

                            
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                  5703

                       2009-2010 Regular Sessions

                          I N  A S S E M B L Y

                            February 17, 2009
                               ___________

Introduced  by  M.  of A. PHEFFER, MILLMAN, SWEENEY, BRODSKY, EDDINGTON,
  LUPARDO, GIANARIS, JAFFEE, GREENE, GALEF,  CLARK,  LAVINE,  FIELDS  --
  Multi-Sponsored  by -- M. of A.  BENJAMIN, BING, BROOK-KRASNY, COLTON,
  DESTITO, DINOWITZ, GLICK, GOTTFRIED, GUNTHER, HEASTIE,  HOOPER,  JOHN,
  KOON,  LATIMER, MAGEE, MAGNARELLI, MAISEL, MAYERSOHN, PERRY, ROBINSON,
  ROSENTHAL, WEISENBERG -- read once and referred to  the  Committee  on
  Consumer Affairs and Protection

AN  ACT  to  amend  the  general  business law and the executive law, in
  relation to protecting personal information collected and  distributed
  by information brokers

  THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. Legislative findings and declaration. The legislature here-
by finds that individuals in today's society must engage in a wide vari-
ety of commercial, financial  and  other  transactions  with  local  and
national  businesses,  educational institutions and other organizations.
These transactions frequently involve the transfer of  information  that
is  inherently private, which the individual would prefer not to reveal.
The legislature further finds that, when engaging in these transactions,
many  individuals  appropriately  assume  that  the  information   being
provided will be treated as confidential and will not be disseminated to
others.  The  information  generally is necessary solely to complete the
transaction and to deliver the necessary goods or services, and  further
sale or dissemination of that personal, private information to others is
not  a  consequence anticipated or desired by the consumer. The legisla-
ture further finds that, despite the strong  interest  that  individuals
have  in preserving confidentiality of this private information, details
about their finances, habits, purchasing preferences and backgrounds are
routinely sold or otherwise released for commercial or  other  purposes.
The  rapid  evolution of information technology enables many individuals
and entities to gain access to private, identifiable information without

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD08611-01-9
              

A. 5703                             2

the knowledge and consent of the person to whom the information relates.
As a result, there has been a dramatic proliferation of large electronic
databases containing an array of sensitive details about New York  resi-
dents.  The existence of these databases and the disclosure of confiden-
tial  personal  information  have  led  to numerous adverse consequences
including: (1) the rapid increase in  identity  fraud  crimes;  (2)  the
proliferation  of  fraudulent, misleading, intrusive and deceptive tele-
phone, direct mail and internet solicitations; (3)  undue  embarrassment
for  individuals who have had private information revealed without their
consent; and (4) the dissemination of incorrect  information  which  has
led to the denial or refusal of housing, employment, insurance and other
services and opportunities.
  The  legislature  therefore finds and declares that there are insuffi-
cient controls on the entities that compile and disseminate this  infor-
mation  and that it is in the public's and state's interest to establish
protections limiting the collection and distribution of personal  infor-
mation.  Although  this could be accomplished by prohibiting all sale or
disclosure of personal information by  third  parties,  the  legislature
recognizes  that  such  a  broad  prohibition would unduly restrict some
legitimate uses of the information. The legislature finds that organiza-
tions that collect and sell personal information and lists  for  profit,
present  a significant threat to the protection of personal privacy, and
that the restrictions imposed by this legislation on the  activities  of
such information brokers will meaningfully and substantially advance the
state's  interest  in  protecting  personal  privacy in a manner that is
narrowly tailored to avoid undue impact on other rights.
  S 2. The general business law is amended by adding a new article  32-A
to read as follows:
                              ARTICLE 32-A
             PROTECTION OF CONFIDENTIAL PERSONAL INFORMATION
SECTION 676.   DEFINITIONS.
        676-A. COLLECTION  AND  DISTRIBUTION  OF PERSONAL INFORMATION BY
                 INDIVIDUAL REFERENCE SERVICES PROVIDERS.
        676-B. COLLECTION AND DISTRIBUTION OF  PERSONAL  INFORMATION  BY
                 MARKETING LIST BROKERS.
        676-C. EXCLUSION LISTS.
        676-D. PENALTIES.
        676-E. CIVIL LIABILITY.
  S  676.  DEFINITIONS. FOR PURPOSES OF THIS ARTICLE THE FOLLOWING TERMS
SHALL HAVE THE FOLLOWING MEANINGS:
  1. "AFFILIATE" SHALL HAVE THE SAME MEANING AS PROVIDED IN SECTION NINE
HUNDRED TWELVE OF THE BUSINESS CORPORATION LAW.
  2. "BOARD" SHALL MEAN THE CONSUMER PROTECTION BOARD.
  3. "CONFIDENTIAL PERSONAL INFORMATION" MEANS THE FOLLOWING INFORMATION
RELATING TO AN IDENTIFIABLE DATA SUBJECT: (A) SOCIAL  SECURITY  INFORMA-
TION INCLUDING, BUT NOT LIMITED TO, SOCIAL SECURITY NUMBER; (B) MOTHER'S
FORMER  AND  CURRENT  NAMES; (C) BIRTH DATE; (D) NON-PUBLISHED TELEPHONE
NUMBERS; (E) RECORDS OF TELEPHONE CALLS MADE AND RECEIVED;  (F)  INCOME;
(G)  BANK  ACCOUNT  AND INVESTMENT INFORMATION; (H) TAX INFORMATION; (I)
ORGANIZATION MEMBERSHIPS AND DONATIONS; (J)  PURCHASING  INFORMATION  OR
PREFERENCES;  (K)  MEDICAL  INFORMATION  INCLUDING,  BUT NOT LIMITED TO,
MEDICAL HISTORY; (L) DRIVING RECORD; (M) CRIMINAL RECORD; OR (N) HISTORY
OF CIVIL ACTIONS.
  4. "CONSUMER REPORTING AGENCY" SHALL HAVE THE SAME MEANING AS PROVIDED
IN SUBDIVISION (E) OF SECTION THREE HUNDRED EIGHTY-A OF THIS CHAPTER.

A. 5703                             3

  5. "DATA SUBJECT" MEANS ANY NATURAL  PERSON  ABOUT  WHOM  CONFIDENTIAL
PERSONAL INFORMATION HAS BEEN COLLECTED OR IS MAINTAINED.
  6. "EXCLUSION LISTS" MEANS THE LISTS ESTABLISHED AND MAINTAINED BY THE
BOARD  OF  DATA  SUBJECTS RESIDING IN THIS STATE WHO HAVE REQUESTED THAT
THEIR CONFIDENTIAL PERSONAL INFORMATION NOT BE DISCLOSED BY AN  INFORMA-
TION BROKER.
  7.  (A)  "INFORMATION  BROKER" MEANS ANY INDIVIDUAL REFERENCE SERVICES
PROVIDER OR A MARKETING LIST BROKER.
  (B) "INDIVIDUAL REFERENCE SERVICES  PROVIDER"  MEANS  ANY  PERSON  WHO
PRIMARILY ENGAGES IN THE BUSINESS OF COLLECTING, ASSEMBLING OR MAINTAIN-
ING  CONFIDENTIAL  PERSONAL  INFORMATION  FOR  THE PURPOSE OF PROVIDING,
DIRECTLY OR INDIRECTLY, REPORTS CONTAINING SUCH INFORMATION ABOUT  INDI-
VIDUAL DATA SUBJECTS TO THIRD PARTIES FOR MONETARY COMPENSATION OR OTHER
CONSIDERATION.  A  PERSON OR ENTITY THAT ENGAGES IN INDIVIDUAL REFERENCE
SERVICES PROVIDER ACTIVITIES SHALL BE PRESUMED TO BE  PRIMARILY  ENGAGED
IN  SUCH PRACTICE IF THE REVENUE SUCH PERSON OR ENTITY DERIVES FROM SUCH
PRACTICE REPRESENTS MORE THAN TWENTY PERCENT OF SUCH PERSON'S  OR  ENTI-
TY'S PROFESSIONAL SERVICE-RELATED REVENUE.
  (C) "MARKETING LIST BROKER" MEANS ANY PERSON WHO, FOR MONETARY COMPEN-
SATION  OR  OTHER  CONSIDERATION,  PRIMARILY  ENGAGES IN THE BUSINESS OF
CREATING, ASSEMBLING, EVALUATING OR PROVIDING, DIRECTLY  OR  INDIRECTLY,
MARKETING  REPORTS.  A  PERSON  OR ENTITY THAT ENGAGES IN MARKETING LIST
BROKER ACTIVITIES SHALL BE PRESUMED TO  BE  PRIMARILY  ENGAGED  IN  SUCH
PRACTICE IF THE REVENUE SUCH PERSON OR ENTITY DERIVES FROM SUCH PRACTICE
REPRESENTS MORE THAN TWENTY PERCENT OF SUCH PERSON'S OR ENTITY'S PROFES-
SIONAL  SERVICE-RELATED REVENUE.   FOR THE PURPOSES OF THIS ARTICLE, THE
TERMS "INFORMATION BROKER", "INDIVIDUAL REFERENCE SERVICES PROVIDER" AND
"MARKETING LIST BROKER" SHALL NOT INCLUDE THE FOLLOWING:
  (I) THE FEDERAL OR STATE GOVERNMENT OR ANY POLITICAL SUBDIVISION THER-
EOF;
  (II) ANY PERSON, WHEN FURNISHING INFORMATION TO THE FEDERAL  OR  STATE
GOVERNMENT, OR ANY POLITICAL SUBDIVISION THEREOF;
  (III)  A  CONSUMER  REPORTING  AGENCY, WHEN ENGAGED IN THE PRACTICE OF
CREATING, ASSEMBLING, EVALUATING, OR  PROVIDING  A  CONSUMER  REPORT  OR
INVESTIGATIVE  CONSUMER  REPORT  PURSUANT TO ARTICLE TWENTY-FIVE OF THIS
CHAPTER;
  (IV) ANY PERSON, WHEN FURNISHING INFORMATION TO A  CONSUMER  REPORTING
AGENCY  TO BE INCLUDED IN A CONSUMER REPORT OR AN INVESTIGATIVE CONSUMER
REPORT PURSUANT TO ARTICLE TWENTY-FIVE OF THIS CHAPTER;
  (V) ANY PERSON, OTHER THAN A NATURAL PERSON, WHEN COMMUNICATING INFOR-
MATION SOLELY AMONG AFFILIATES;
  (VI) ANY PERSON WITH AN ESTABLISHED  BUSINESS  RELATIONSHIP  WITH  THE
DATA SUBJECT;
  (VII) NEWS MEDIA ORGANIZATIONS;
  (VIII)  LICENSED PRIVATE INVESTIGATORS WHEN ENGAGED IN THE BUSINESS OF
PRIVATE INVESTIGATOR AS DEFINED IN SECTION SEVENTY-ONE OF THIS  CHAPTER,
EXCEPT  WHEN PROVIDING INFORMATION SET FORTH IN PARAGRAPH (A), (D), (E),
(G), (H) OR (K) OF SUBDIVISION THREE OF THIS SECTION; OR
  (IX) ANY LABOR UNION ENGAGED IN A PRACTICE OR PURSUANT  TO  A  PURPOSE
AUTHORIZED BY THE FEDERAL NATIONAL LABOR RELATIONS ACT.
  8.  "INDIVIDUAL REFERENCE SERVICES REPORT" MEANS A REPORT OR PRESENTA-
TION CONTAINING CONFIDENTIAL PERSONAL INFORMATION PROVIDED BY  AN  INDI-
VIDUAL  REFERENCE  SERVICES  PROVIDER  TO  ANOTHER  PERSON  FOR MONETARY
COMPENSATION OR OTHER CONSIDERATION.
  9. "MARKETING LIST INFORMATION" MEANS THE NAMES, MAILING ADDRESSES  OR
ELECTRONIC MAIL ADDRESSES OF DATA SUBJECTS.

A. 5703                             4

  10.  "MARKETING  REPORT"  MEANS  A REPORT OR LIST CONTAINING MARKETING
LIST INFORMATION REGARDING DATA SUBJECTS CATEGORIZED OR GROUPED BY CHAR-
ACTERISTICS, CONDITIONS, CIRCUMSTANCES, TRAITS, PREFERENCES OR  MODE  OF
LIVING.
  11.  "PERSON"  MEANS  ANY  NATURAL  PERSON AND ANY FIRM, ORGANIZATION,
PARTNERSHIP,  ASSOCIATION,  CORPORATION  OR  OTHER  ENTITY,   EXCEPT   A
NOT-FOR-PROFIT ORGANIZATION.
  S  676-A. COLLECTION AND DISTRIBUTION OF PERSONAL INFORMATION BY INDI-
VIDUAL REFERENCE SERVICES PROVIDERS.  1. RIGHT OF INDIVIDUALS TO PROTECT
CONFIDENTIAL PERSONAL INFORMATION.  EVERY DATA SUBJECT  SHALL  HAVE  THE
RIGHT  TO REQUIRE THAT CONFIDENTIAL PERSONAL INFORMATION ABOUT SUCH DATA
SUBJECT IS EXCLUDED FROM ANY INDIVIDUAL  REFERENCE  SERVICES  REPORT  BY
PROVIDING NOTICE EITHER THROUGH A NOTIFICATION SYSTEM ESTABLISHED BY THE
INDIVIDUAL  REFERENCE SERVICES PROVIDER PURSUANT TO SUBDIVISION THREE OF
THIS SECTION, OR THROUGH THE NOTIFICATION SYSTEM MAINTAINED BY THE BOARD
PURSUANT TO SECTION SIX HUNDRED SEVENTY-SIX-C OF THIS ARTICLE.
  2. WITHHOLDING CONFIDENTIAL  PERSONAL  INFORMATION.  UPON  RECEIPT  OF
NOTICE  THAT A DATA SUBJECT DOES NOT WANT CONFIDENTIAL PERSONAL INFORMA-
TION REVEALED, WHETHER  NOTIFICATION  IS  PROVIDED  THROUGH  THE  SYSTEM
ESTABLISHED PURSUANT TO SUBDIVISION THREE OF THIS SECTION OR THROUGH THE
SYSTEM  MAINTAINED PURSUANT TO SECTION SIX HUNDRED SEVENTY-SIX-C OF THIS
ARTICLE, EVERY INDIVIDUAL REFERENCE SERVICES PROVIDER SHALL BE PROHIBIT-
ED FROM DISCLOSING CONFIDENTIAL PERSONAL  INFORMATION  ABOUT  THAT  DATA
SUBJECT, UNLESS THE DATA SUBJECT PROVIDES WRITTEN CONSENT TO THE DISCLO-
SURE.  AN  ELECTION BY A DATA SUBJECT UNDER THIS SECTION SHALL BE EFFEC-
TIVE WITH RESPECT TO THE  INDIVIDUAL  REFERENCE  SERVICES  PROVIDER  AND
EVERY AFFILIATE, AGENT AND EMPLOYEE OF THE INDIVIDUAL REFERENCE SERVICES
PROVIDER,  ON THE DATE ON WHICH THE DATA SUBJECT NOTIFIES THE INDIVIDUAL
REFERENCE SERVICES PROVIDER. NOTIFICATION FROM A DATA SUBJECT  THAT  ALL
CONFIDENTIAL  PERSONAL  INFORMATION  MUST  BE  WITHHELD  SHALL REMAIN IN
EFFECT FOR A PERIOD OF FIVE YEARS.
  3. NOTIFICATION OF ELECTION TO HAVE CONFIDENTIAL PERSONAL  INFORMATION
WITHHELD.  EVERY  INDIVIDUAL REFERENCE SERVICES PROVIDER SHALL ESTABLISH
AND MAINTAIN A NOTIFICATION SYSTEM THROUGH  WHICH  A  DATA  SUBJECT  MAY
ELECT TO HAVE ALL CONFIDENTIAL PERSONAL INFORMATION ON SUCH DATA SUBJECT
EXCLUDED  FROM  ANY INDIVIDUAL REFERENCE SERVICES REPORT PROVIDED BY THE
INDIVIDUAL  REFERENCE  SERVICES  PROVIDER.  THE   INDIVIDUAL   REFERENCE
SERVICES  PROVIDER  SHALL ACCEPT REQUESTS IN WRITING OR BY TELEPHONE AND
SHALL ESTABLISH A TOLL-FREE TELEPHONE  NUMBER  FOR  THIS  PURPOSE.  EACH
INDIVIDUAL  REFERENCE  SERVICES  PROVIDER  THAT  MAINTAINS FILES ON DATA
SUBJECTS ON A NATIONWIDE BASIS SHALL ESTABLISH AND MAINTAIN SUCH NOTIFI-
CATION SYSTEM JOINTLY  WITH  AFFILIATED  INDIVIDUAL  REFERENCE  SERVICES
PROVIDERS.  UNDER NO CIRCUMSTANCES MAY ANY INFORMATION ABOUT AN INDIVID-
UAL ACQUIRED THROUGH THE NOTIFICATION SYSTEM BE DISCLOSED IN  ANY  INDI-
VIDUAL  REFERENCE  SERVICES  REPORT OR OTHERWISE, EXCEPT TO A GOVERNMENT
AGENCY OR PURSUANT TO A COURT ORDER.
  4. NOTICE OF REQUEST  FOR  AND  DISCLOSURE  OF  CONFIDENTIAL  PERSONAL
INFORMATION. (A) EVERY INDIVIDUAL REFERENCE SERVICES PROVIDER SHALL SEND
A  WRITTEN  NOTICE  TO  A DATA SUBJECT WHENEVER THE INDIVIDUAL REFERENCE
SERVICES PROVIDER HAS PROVIDED AN INDIVIDUAL REFERENCE  SERVICES  REPORT
CONCERNING  THE  DATA SUBJECT; EXCEPT THAT NO SUCH NOTICE SHALL BE GIVEN
WHEN A REPORT IS PROVIDED TO A GOVERNMENTAL  AGENCY  OR  PURSUANT  TO  A
COURT  ORDER.  THE  NOTICE  SHALL CLEARLY AND CONSPICUOUSLY DESCRIBE THE
FOLLOWING: (1) THE NAME, ADDRESS AND THE TELEPHONE NUMBER OF THE  PERSON
WHO  REQUESTED THE INDIVIDUAL REFERENCE SERVICES REPORT; (2) THE DATE OF
SUCH REQUEST; (3) THE DATA SUBJECT HAS THE RIGHT TO RECEIVE  A  COPY  OF

A. 5703                             5

THE REPORT FREE OF CHARGE ANNUALLY AND TO RECEIVE ADDITIONAL COPIES AT A
FEE  NOT  EXCEEDING EIGHT DOLLARS; (4) THE DATA SUBJECT HAS THE RIGHT TO
REQUEST THAT CONFIDENTIAL PERSONAL INFORMATION BE WITHHELD  FROM  FUTURE
REPORTS;  AND  (5)  THE  DATA  SUBJECT'S  RIGHTS  UNDER THIS SECTION AND
SECTION SIX HUNDRED SEVENTY-SIX-C OF THIS ARTICLE. SUCH NOTICE SHALL  BE
PRINTED  IN NO SMALLER THAN TWELVE POINT TYPE AND SHALL BE SENT NO LATER
THAN THE DATE WHEN SUCH INDIVIDUAL REFERENCE SERVICES REPORT IS SENT  TO
THE REQUESTING PERSON.
  (B)  EVERY  INDIVIDUAL  REFERENCE  SERVICES PROVIDER SHALL CLEARLY AND
CONSPICUOUSLY POST ON ANY WEBSITE MAINTAINED BY SAID  INDIVIDUAL  REFER-
ENCE  SERVICES  PROVIDER  A NOTICE OUTLINING THE DATA SUBJECT RIGHTS AND
LIABILITIES; AND SUCH NOTICE SHALL BE PRINTED IN NO SMALLER THAN  TWELVE
POINT TYPE AND SHALL BE PERMANENTLY DISPLAYED ON SUCH WEBSITES.
  5. DISCLOSURE OF INDIVIDUAL REFERENCE SERVICES REPORT TO DATA SUBJECT.
EVERY  DATA SUBJECT SHALL HAVE THE RIGHT TO OBTAIN ALL INFORMATION ABOUT
SUCH DATA SUBJECT IN THE  FILES  OF  AN  INDIVIDUAL  REFERENCE  SERVICES
PROVIDER PURSUANT TO THE PROCEDURES SET FORTH IN THIS SUBDIVISION.
  (A)  EVERY  INDIVIDUAL REFERENCE SERVICES PROVIDER SHALL, UPON REQUEST
AND PROPER IDENTIFICATION OF ANY DATA SUBJECT,  CLEARLY  AND  ACCURATELY
DISCLOSE  TO THE DATA SUBJECT THE NATURE, CONTENTS, AND SUBSTANCE OF ALL
INFORMATION IN ITS FILE PERTAINING TO THE DATA SUBJECT,  OR  DELIVER  TO
THE  DATA SUBJECT A COPY OF ALL SUCH INFORMATION, INCLUDING ANY CODES OR
KEYS NECESSARY TO INTERPRET SUCH INFORMATION.  IN ADDITION, THE INDIVID-
UAL REFERENCE SERVICES PROVIDER SHALL PROVIDE THE DATA SUBJECT WITH  THE
NAME  AND ADDRESS OF THE RECIPIENTS OF ANY INDIVIDUAL REFERENCE SERVICES
REPORTS REGARDING THE DATA  SUBJECT  PROVIDED  WITHIN  THE  TWELVE-MONTH
PERIOD  PRECEDING  THE REQUEST, OTHER THAN REPORTS PROVIDED TO A GOVERN-
MENTAL AGENCY OR PURSUANT TO A COURT  ORDER.  THE  INDIVIDUAL  REFERENCE
SERVICES PROVIDER MAY NOT IMPOSE ANY FEE OR CHARGE UPON THE DATA SUBJECT
FOR  THE DISCLOSURE REQUIRED BY THIS SUBDIVISION, PROVIDED THAT A FEE OF
NOT MORE THAN EIGHT DOLLARS MAY BE  CHARGED  IF  THE  DATA  SUBJECT  HAS
REQUESTED AND RECEIVED SUCH A REPORT WITHIN THE PRIOR TWELVE MONTHS.
  (B)  IF A DATA SUBJECT REQUESTS DISCLOSURE OF INFORMATION IN THE FILES
OF AN INDIVIDUAL REFERENCE SERVICES PROVIDER  WITHOUT  PROVIDING  SUFFI-
CIENT  PROOF  OF  IDENTITY,  THE  INDIVIDUAL REFERENCE SERVICES PROVIDER
SHALL ADVISE THE DATA SUBJECT OF THE INFORMATION REQUIRED  TO  ESTABLISH
SUCH  PROOF  OF  IDENTITY.  NO  INFORMATION SHALL BE DISCLOSED TO A DATA
SUBJECT UNLESS AND UNTIL THE DATA SUBJECT PROVIDES SUFFICIENT  PROOF  OF
IDENTITY.  INFORMATION  RECEIVED  BY  AN  INDIVIDUAL  REFERENCE SERVICES
PROVIDER FOR THE PURPOSE OF ESTABLISHING PROOF OF IDENTITY  MAY  NOT  BE
USED  FOR  ANY  OTHER  PURPOSE AND MAY NOT BE DISCLOSED IN AN INDIVIDUAL
REFERENCE SERVICES REPORT OR OTHERWISE, EXCEPT TO A GOVERNMENT AGENCY OR
PURSUANT TO COURT ORDER.
  6. NOTICE OF RIGHTS  OF  DATA  SUBJECTS.  EVERY  INDIVIDUAL  REFERENCE
SERVICES  PROVIDER, UPON CONTACT BY A DATA SUBJECT BY TELEPHONE, REGULAR
MAIL, ELECTRONIC MAIL OR IN PERSON REGARDING INFORMATION  WHICH  MAY  BE
CONTAINED  IN THE INDIVIDUAL REFERENCE SERVICES PROVIDER'S FILES REGARD-
ING THAT DATA SUBJECT, SHALL NOTIFY  THE  DATA  SUBJECT  OF  THE  RIGHTS
ESTABLISHED  BY  THIS  SECTION  AND SECTION SIX HUNDRED SEVENTY-SIX-C OF
THIS ARTICLE. IF THE CONTACT IS MADE BY  TELEPHONE  OR  IN  PERSON,  THE
INDIVIDUAL  REFERENCE SERVICES PROVIDER SHALL PROVIDE SUCH NOTICE ORALLY
AT THE TIME OF SUCH CONVERSATION OR IF CONTACT IS BY ELECTRONIC MAIL  OR
IN  WRITING, SUCH NOTICE SHALL BE IN WRITING, IN A CLEAR AND CONSPICUOUS
FORMAT IN NO SMALLER THAN TWELVE POINT TYPE.
  7. PROTECTION OF CONFIDENTIAL PERSONAL INFORMATION.  EVERY  INDIVIDUAL
REFERENCE  SERVICES PROVIDER SHALL ESTABLISH APPROPRIATE ADMINISTRATIVE,

A. 5703                             6

TECHNICAL AND PHYSICAL SAFEGUARDS TO ENSURE THE SECURITY  AND  CONFIDEN-
TIALITY  OF  RECORDS  AND  TO PROTECT AGAINST ANY ANTICIPATED THREATS OR
HAZARDS TO THEIR SECURITY OR INTEGRITY WHICH COULD RESULT IN SUBSTANTIAL
HARM,  EMBARRASSMENT,  INCONVENIENCE  OR  UNFAIRNESS TO ANY DATA SUBJECT
ABOUT WHOM INFORMATION IS MAINTAINED.
  S 676-B.  COLLECTION  AND  DISTRIBUTION  OF  PERSONAL  INFORMATION  BY
MARKETING  LIST BROKERS.   1. RIGHT OF EXCLUSION FROM MARKETING REPORTS.
EVERY DATA SUBJECT SHALL HAVE THE RIGHT TO HAVE MARKETING LIST  INFORMA-
TION  ABOUT  THE  DATA SUBJECT EXCLUDED FROM MARKETING REPORTS ISSUED BY
MARKETING LIST BROKERS  BY  PROVIDING  NOTICE  EITHER  DIRECTLY  TO  THE
MARKETING  LIST  BROKER OR THROUGH THE NOTIFICATION SYSTEM MAINTAINED BY
THE BOARD PURSUANT TO SECTION SIX HUNDRED SEVENTY-SIX-C OF THIS ARTICLE.
  2. REMOVAL OF DATA SUBJECTS FROM MARKETING REPORTS.  UPON  RECEIPT  OF
NOTICE  THAT  A  DATA  SUBJECT  DOES NOT WANT MARKETING LIST INFORMATION
INCLUDED IN ANY MARKETING REPORT, EVERY MARKETING LIST BROKER  SHALL  BE
PROHIBITED FROM INCLUDING SUCH MARKETING LIST INFORMATION IN ANY MARKET-
ING  REPORT,  UNLESS  THE  DATA  SUBJECT PROVIDES WRITTEN CONSENT TO THE
INCLUSION OF SUCH INFORMATION. AN ELECTION BY A DATA SUBJECT UNDER  THIS
SECTION  SHALL  BE  EFFECTIVE WITH RESPECT TO THE MARKETING LIST BROKER,
AND EVERY AFFILIATE, AGENT AND EMPLOYEE OF SUCH MARKETING  LIST  BROKER,
THIRTY  DAYS  AFTER  THE  DATE  ON  WHICH  THE DATA SUBJECT NOTIFIES THE
MARKETING LIST BROKER.  NOTIFICATION FROM A DATA SUBJECT THAT  MARKETING
LIST INFORMATION MUST BE WITHHELD SHALL REMAIN IN EFFECT FOR FIVE YEARS.
  3.  DISCLOSURE  OF  MARKETING  LIST REPORT TO DATA SUBJECT. EVERY DATA
SUBJECT SHALL HAVE THE RIGHT TO OBTAIN ALL INFORMATION ABOUT  SUCH  DATA
SUBJECT  IN  THE FILES OF A MARKETING LIST BROKER PURSUANT TO THE PROCE-
DURES SET FORTH IN THIS SUBDIVISION.   (A) EVERY MARKETING  LIST  BROKER
SHALL,  UPON  REQUEST  AND  PROPER  IDENTIFICATION  OF ANY DATA SUBJECT,
CLEARLY  AND  ACCURATELY  DISCLOSE  TO  THE  DATA  SUBJECT  THE  NATURE,
CONTENTS, AND SUBSTANCE OF ALL INFORMATION IN ITS FILE PERTAINING TO THE
DATA SUBJECT, OR DELIVER TO THE DATA SUBJECT A COPY OF ALL SUCH INFORMA-
TION,  INCLUDING  ANY CODES OR KEYS NECESSARY TO INTERPRET SUCH INFORMA-
TION. IN ADDITION, THE MARKETING LIST  BROKER  SHALL  PROVIDE  THE  DATA
SUBJECT  WITH  THE NAME AND ADDRESSES OF THE RECIPIENTS OF ANY MARKETING
REPORTS REGARDING THE DATA  SUBJECT  PROVIDED  WITHIN  THE  TWELVE-MONTH
PERIOD  PRECEDING  THE REQUEST, OTHER THAN REPORTS PROVIDED TO A GOVERN-
MENTAL AGENCY OR PURSUANT TO A COURT ORDER. THE  MARKETING  LIST  BROKER
MAY  NOT  IMPOSE ANY FEE OR CHARGE UPON THE DATA SUBJECT FOR THE DISCLO-
SURE REQUIRED BY THIS SUBDIVISION, PROVIDED THAT A FEE OF NOT MORE  THAN
EIGHT  DOLLARS  MAY  BE  CHARGED  IF  THE DATA SUBJECT HAS REQUESTED AND
RECEIVED SUCH A REPORT WITHIN THE PRIOR TWELVE MONTHS.
  (B) IF A DATA SUBJECT REQUESTS DISCLOSURE OF INFORMATION IN THE  FILES
OF A MARKETING LIST BROKER WITHOUT PROVIDING SUFFICIENT PROOF OF IDENTI-
TY,  THE  MARKETING  LIST  BROKER  SHALL  ADVISE THE DATA SUBJECT OF THE
INFORMATION REQUIRED TO ESTABLISH SUCH PROOF OF IDENTITY. NO INFORMATION
SHALL BE DISCLOSED TO A DATA SUBJECT UNLESS AND UNTIL THE  DATA  SUBJECT
PROVIDES SUFFICIENT PROOF OF IDENTITY. INFORMATION RECEIVED BY A MARKET-
ING  LIST  BROKER  FOR THE PURPOSE OF ESTABLISHING PROOF OF IDENTITY MAY
NOT BE USED FOR ANY OTHER PURPOSE AND MAY NOT BE DISCLOSED IN A  MARKET-
ING  REPORT OR OTHERWISE, EXCEPT TO A GOVERNMENT AGENCY OR PURSUANT TO A
COURT ORDER.
  4. NOTICE OF RIGHTS OF DATA SUBJECTS. EVERY MARKETING LIST BROKER UPON
CONTACT BY A DATA SUBJECT BY TELEPHONE, REGULAR MAIL, ELECTRONIC MAIL OR
IN PERSON REGARDING INFORMATION WHICH MAY BE CONTAINED IN THE  MARKETING
LIST  BROKER'S  FILES REGARDING THAT DATA SUBJECT, SHALL NOTIFY THE DATA
SUBJECT OF THE RIGHTS  ESTABLISHED  BY  THIS  SECTION  AND  SECTION  SIX

A. 5703                             7

HUNDRED  SEVENTY-SIX-C  OF THIS ARTICLE. IF THE CONTACT IS MADE BY TELE-
PHONE OR IN PERSON, THE MARKETING LIST BROKER SHALL PROVIDE SUCH  NOTICE
ORALLY  AT  THE  TIME OF SUCH CONVERSATION, OR IF THE CONTACT IS MADE BY
ELECTRONIC  MAIL  OR  IN  WRITING,  SUCH NOTICE SHALL BE IN WRITING IN A
CLEAR AND CONSPICUOUS FORMAT AND IN NO SMALLER THAN TWELVE POINT TYPE.
  5. PROTECTION OF MARKETING  LIST  INFORMATION.  EVERY  MARKETING  LIST
BROKER SHALL ESTABLISH, MAINTAIN AND UPDATE APPROPRIATE WRITTEN ADMINIS-
TRATIVE,  TECHNICAL  AND  PHYSICAL SAFEGUARDS TO ENSURE THE SECURITY AND
CONFIDENTIALITY OF RECORDS AND  TO  PROTECT  AGAINST  ANY  UNANTICIPATED
THREATS  OR HAZARDS TO THEIR SECURITY OR INTEGRITY WHICH COULD RESULT IN
SUBSTANTIAL HARM, EMBARRASSMENT, INCONVENIENCE OR UNFAIRNESS TO ANY DATA
SUBJECT ABOUT WHOM INFORMATION IS MAINTAINED.
  S 676-C. EXCLUSION LISTS. 1. THE BOARD  SHALL  ESTABLISH,  MANAGE  AND
OPERATE,  OR  ENTER  INTO AN AGREEMENT WITH ANOTHER PERSON WHO IS NOT AN
INFORMATION BROKER TO ESTABLISH, MANAGE AND OPERATE, THE  FOLLOWING  TWO
EXCLUSION LISTS:
  (A)  AN INDIVIDUAL REFERENCE SERVICES PROVIDER EXCLUSION LIST CONSIST-
ING OF THE DATA SUBJECTS WHO DO NOT  WANT  THEIR  CONFIDENTIAL  PERSONAL
INFORMATION DISCLOSED IN ANY INFORMATION REFERENCE SERVICES REPORT; AND
  (B)  A MARKETING BROKER EXCLUSION LIST CONSISTING OF THE DATA SUBJECTS
WHO DO NOT WANT THEIR MARKETING LIST INFORMATION INCLUDED IN ANY MARKET-
ING REPORT.
  2. EACH EXCLUSION LIST SHALL INCLUDE ALL DATA SUBJECTS WHO HAVE  NOTI-
FIED  THE BOARD THAT THEY WISH TO BE INCLUDED ON THE LIST OR HAVE OTHER-
WISE INDICATED THAT THEY DO NOT WISH TO HAVE THEIR CONFIDENTIAL PERSONAL
INFORMATION DISCLOSED IN ANY INFORMATION REFERENCE SERVICES REPORT OR TO
HAVE THEIR MARKETING LIST INFORMATION INCLUDED IN ANY MARKETING  REPORT.
THE  NAME  AND  OTHER IDENTIFYING INFORMATION OF EACH DATA SUBJECT SHALL
REMAIN ON THE EXCLUSION LISTS FOR FIVE YEARS, AND THE BOARD MAY BY REGU-
LATION PROVIDE FOR OTHER CIRCUMSTANCES UNDER WHICH REMOVAL MAY BE  MADE.
THE  EXCLUSION  LISTS  SHALL  BE PUBLISHED EVERY THIRTY-ONE DAYS IN HARD
COPY AND MAY BE MADE AVAILABLE IN OTHER FORMATS  AS  PRESCRIBED  BY  THE
BOARD.
  3.  NOTWITHSTANDING ANY OTHER PROVISION OF LAW, NO INFORMATION BROKER,
OR ANY AFFILIATE, AGENT OR EMPLOYEE OF SUCH  INFORMATION  BROKER,  SHALL
ISSUE  OR CAUSE TO BE ISSUED ANY REPORT CONTAINING CONFIDENTIAL PERSONAL
INFORMATION OR MARKETING LIST INFORMATION RELATING TO ANY  DATA  SUBJECT
LISTED  IN  THE  MOST  RECENT  RELEVANT  EXCLUSION LIST PUBLISHED BY THE
BOARD.
  4. (A) THE BOARD SHALL PROMULGATE RULES OR REGULATIONS WHICH SPECIFY:
  (1) THE METHODS BY WHICH MEMBERS OF THE PUBLIC WILL  BE  ADVISED  THAT
THE  EXCLUSION  LISTS  HAVE BEEN CREATED AND THAT DATA SUBJECTS HAVE THE
RIGHT TO BE ADDED TO THE LISTS;
  (2) THE METHODS BY WHICH A DATA SUBJECT MAY GIVE NOTICE TO  THE  BOARD
OR OTHER ENTITY OPERATING THE EXCLUSION LIST THAT SUCH DATA SUBJECT MUST
BE LISTED ON THE EXCLUSION LIST;
  (3) THE METHODS BY WHICH A DATA SUBJECT MAY REVOKE A NOTICE PREVIOUSLY
GIVEN AND BE REMOVED FROM THE EXCLUSION LIST;
  (4)  THE  METHODS BY WHICH ANY INFORMATION BROKER MAY OBTAIN ACCESS TO
THE EXCLUSION LIST; AND
  (5) SUCH OTHER MATTERS THAT THE BOARD  DEEMS  NECESSARY  TO  IMPLEMENT
THIS SECTION.
  (B)  THE BOARD MAY IMPOSE A CHARGE ON INFORMATION BROKERS IN AN AMOUNT
CALCULATED TO DEFRAY THE COSTS OF COMPILING AND MAINTAINING  THE  EXCLU-
SION  LISTS.   IF SUCH EXCLUSION LISTS ARE COMPILED AND MAINTAINED BY AN
ENTITY OTHER THAN THE BOARD, THE AGREEMENT ENTERED  INTO  SHALL  SPECIFY

A. 5703                             8

THE  AMOUNT  THAT  SUCH  ENTITY SHALL BE PERMITTED TO CHARGE INFORMATION
BROKERS FOR OBTAINING ACCESS TO THE EXCLUSION LISTS. IN NO  CASE  MAY  A
DATA SUBJECT BE CHARGED FOR BEING INCLUDED IN THE EXCLUSION LIST.
  (C)  INFORMATION  OBTAINED  FOR THE PURPOSE OF COMPILING THE EXCLUSION
LISTS, INCLUDING BUT NOT LIMITED TO  THE  NAMES,  ADDRESSES,  ELECTRONIC
MAIL  ADDRESSES AND TELEPHONE NUMBERS OF DATA SUBJECTS WHO REQUEST TO BE
ADDED TO THE EXCLUSION LIST, MAY BE USED ONLY FOR THE PURPOSE OF COMPLI-
ANCE WITH THIS SECTION OR IN A PROCEEDING OR ACTION  COMMENCED  PURSUANT
TO  THIS  SECTION.  SUCH  INFORMATION  SHALL  NOT  BE  SUBJECT TO PUBLIC
INSPECTION OR ANY OTHER DISCLOSURE.
  S 676-D. PENALTIES.  1. WHERE IT IS DETERMINED AFTER HEARING THAT  ANY
PERSON  HAS  VIOLATED ONE OR MORE PROVISIONS OF THIS SECTION, THE CHAIR-
PERSON OF THE BOARD, OR ANY PERSON DEPUTIZED OR SO DESIGNATED BY HIM  OR
HER  MAY  ASSESS  A  FINE  NOT  TO EXCEED FIVE THOUSAND DOLLARS FOR EACH
VIOLATION.
  2. ANY PROCEEDING  CONDUCTED  PURSUANT  TO  SUBDIVISION  ONE  OF  THIS
SECTION SHALL BE SUBJECT TO THE STATE ADMINISTRATIVE PROCEDURE ACT.
  3.  NOTHING  IN  THIS SECTION SHALL BE CONSTRUED TO RESTRICT ANY RIGHT
WHICH ANY PERSON MAY HAVE UNDER ANY OTHER STATUTE OR AT COMMON LAW.
  S 676-E. CIVIL LIABILITY. 1. IN ADDITION TO THE RIGHT OF ACTION GRANT-
ED TO THE BOARD PURSUANT TO THIS ARTICLE, ANY PERSON WHO HAS HAD  CONFI-
DENTIAL  PERSONAL INFORMATION OR MARKETING LIST INFORMATION DISCLOSED IN
VIOLATION OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER OWN NAME  TO
ENJOIN  SUCH  UNLAWFUL  ACT OR PRACTICE, AN ACTION TO RECOVER HIS OR HER
ACTUAL DAMAGES OR ONE THOUSAND DOLLARS, WHICHEVER IS  GREATER,  OR  BOTH
SUCH  ACTIONS.  THE  COURT MAY, IN ITS DISCRETION, INCREASE THE AWARD OF
DAMAGES TO AN AMOUNT NOT TO EXCEED THREE TIMES  THE  ACTUAL  DAMAGES  OR
FIVE THOUSAND DOLLARS, WHICHEVER IS GREATER, FOR EACH WILLFUL OR KNOWING
VIOLATION.  THE COURT MAY AWARD REASONABLE ATTORNEY'S FEES TO A PREVAIL-
ING PLAINTIFF. THE REMEDIES, DUTIES, PROHIBITIONS AND PENALTIES PROVIDED
IN THIS ARTICLE ARE NOT EXCLUSIVE AND ARE IN ADDITION TO ALL OTHER CAUS-
ES OF ACTION, REMEDIES, AND PENALTIES PROVIDED BY LAW.
  S  3.  Section  553  of  the  executive law is amended by adding a new
subdivision 4 to read as follows:
  4. THE CONSUMER PROTECTION BOARD  SHALL  ESTABLISH  AND  MAINTAIN  TWO
EXCLUSION LISTS PURSUANT TO ARTICLE THIRTY-TWO-A OF THE GENERAL BUSINESS
LAW.
  S 4. Severability. If any clause, sentence, paragraph, section or part
of  this act shall be adjudged by any court of competent jurisdiction to
be invalid, such judgment shall not affect,  impair  or  invalidate  the
remainder thereof, but shall be confined in its operation to the clause,
sentence,  paragraph,  section  or part thereof directly involved in the
controversy in which such judgment shall have been rendered.
  S 5. This act shall take effect May 1, 2011.  The consumer  protection
board  shall  promulgate  such  rules or regulations as are necessary to
implement this act within 120 days after such effective date.