S T A T E O F N E W Y O R K
________________________________________________________________________
8631
I N A S S E M B L Y
January 29, 2014
___________
Introduced by M. of A. DINOWITZ, GOTTFRIED, ROSENTHAL, GALEF, MILLMAN,
CRESPO, CAHILL, JAFFEE, BRAUNSTEIN, ROBINSON, CLARK, COOK, MAYER,
OTIS, ABINANTI, MONTESANO, RAIA -- Multi-Sponsored by -- M. of A.
ARROYO, CAMARA, CROUCH, JACOBS, McDONOUGH, RIVERA, SCHIMEL, WEISENBERG
-- read once and referred to the Committee on Consumer Affairs and
Protection
AN ACT to amend the general business law, in relation to providing
consumers with access to personal information retained by businesses
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new section
391-t to read as follows:
S 391-T. CONSUMER PRIVACY DISCLOSURE. 1. FOR THE PURPOSES OF THIS
SECTION, THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
(A) "BUSINESS" MEANS ANY PERSON, FIRM, CORPORATION, LIMITED LIABILITY
COMPANY, PARTNERSHIP OR ASSOCIATION, PROVIDED, HOWEVER, THAT "BUSINESS"
DOES NOT MEAN OR INCLUDE:
(I) ANY CHARITABLE ORGANIZATION REGISTERED PURSUANT TO SECTION ONE
HUNDRED SEVENTY-TWO OF THE EXECUTIVE LAW;
(II) ANY RELIGIOUS CORPORATION AS DEFINED IN SECTION TWO OF THE RELI-
GIOUS CORPORATIONS LAW;
(III) ANY PARTY AS DEFINED IN SUBDIVISION THREE OF SECTION 1-104 OF
THE ELECTION LAW;
(IV) ANY POLITICAL COMMITTEE AS DEFINED IN SUBDIVISION ONE OF SECTION
14-100 OF THE ELECTION LAW;
(V) ORGANIZATIONS THAT ARE CLASSIFIED AS CHARITABLE ORGANIZATIONS
UNDER SECTION 501 (C) (3) OF THE U.S. INTERNAL REVENUE CODE; AND
(VI) ANY CORPORATION FORMED UNDER THE NOT-FOR-PROFIT CORPORATION LAW.
(B) "CATEGORIES OF PERSONAL INFORMATION" SHALL INCLUDE, BUT NOT BE
LIMITED TO:
(I) IDENTITY INFORMATION, INCLUDING NAME, ALIAS, AND/OR USER NAME;
(II) ADDRESS INFORMATION, INCLUDING AN EMAIL ADDRESS OR EMAIL
ADDRESSES;
(III) TELEPHONE NUMBER OR NUMBERS;
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD13351-03-4
A. 8631 2
(IV) ACCOUNT NAME OR NAMES;
(V) SOCIAL SECURITY NUMBER OR OTHER GOVERNMENT-ISSUED IDENTIFICATION
NUMBER, DRIVER'S LICENSE NUMBER, IDENTIFICATION CARD NUMBER, OR PASSPORT
NUMBER;
(VI) BIRTHDATE OR AGE;
(VII) PHYSICAL CHARACTERISTIC INFORMATION;
(VIII) SEXUAL ORIENTATION OR GENDER IDENTITY INFORMATION;
(IX) RACE AND/OR ETHNICITY;
(X) RELIGIOUS AFFILIATION;
(XI) POLITICAL AFFILIATION;
(XII) EDUCATIONAL, PROFESSIONAL, OR EMPLOYMENT-RELATED INFORMATION;
(XIII) MEDICAL INFORMATION;
(XIV) FINANCIAL INFORMATION;
(XV) COMMERCIAL INFORMATION;
(XVI) LOCATION INFORMATION;
(XVII) INTERNET OR MOBILE ACTIVITY INFORMATION;
(XVIII) CONTENT, INCLUDING TEXT, PHOTOGRAPHS, AUDIO OR VIDEO
RECORDINGS, OR OTHER MATERIAL GENERATED BY OR PROVIDED BY THE CONSUMER;
AND
(XIX) ANY OF THE ABOVE CATEGORIES OF INFORMATION AS THEY PERTAIN TO
THE CHILDREN OF A CONSUMER.
(C) "CONSUMER" MEANS AN INDIVIDUAL WHO IS A RESIDENT OF NEW YORK WHO
PROVIDES PERSONAL INFORMATION TO A BUSINESS, WITH OR WITHOUT AN EXCHANGE
OF CONSIDERATION, IN THE COURSE OF PURCHASING, VIEWING, ACCESSING, RENT-
ING, LEASING, OR OTHERWISE USING REAL OR PERSONAL PROPERTY, OR ANY
INTEREST THEREIN, OR OBTAINING A PRODUCT OR SERVICE FROM THE BUSINESS
INCLUDING ADVERTISING OR ANY OTHER CONTENT.
(D) "DESIGNATED REQUEST ADDRESS" MEANS A MAILING ADDRESS, EMAIL
ADDRESS, WEB PAGE, TOLL-FREE TELEPHONE NUMBER, OR OTHER APPLICABLE
CONTACT INFORMATION, WHEREBY CONSUMERS MAY REQUEST OR OBTAIN THE INFOR-
MATION REQUIRED TO BE PROVIDED UNDER SUBDIVISION TWO OF THIS SECTION.
(E) "DISCLOSE" MEANS TO DISCLOSE, RELEASE, SHARE, TRANSFER, DISSEM-
INATE, MAKE AVAILABLE, OR OTHERWISE COMMUNICATE ORALLY, IN WRITING, OR
BY ELECTRONIC OR ANY OTHER MEANS TO ANY THIRD PARTY AS DEFINED IN THIS
SECTION, PROVIDED, HOWEVER, THAT "DISCLOSE" DOES NOT MEAN OR INCLUDE THE
DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY:
(I) PURSUANT TO A WRITTEN CONTRACT AUTHORIZING THE THIRD PARTY TO
UTILIZE THE PERSONAL INFORMATION TO PERFORM SERVICES ON BEHALF OF THE
BUSINESS, INCLUDING MAINTAINING OR SERVICING ACCOUNTS, PROVIDING CONSUM-
ER SERVICE, PROCESSING OR FULFILLING ORDERS AND TRANSACTIONS, VERIFYING
CONSUMER INFORMATION, PROCESSING PAYMENTS, PROVIDING FINANCING, OR SIMI-
LAR SERVICES, BUT ONLY IF THE CONTRACT PROHIBITS THE THIRD PARTY FROM
USING THE PERSONAL INFORMATION FOR ANY REASON OTHER THAN PERFORMING THE
SPECIFIED SERVICE OR SERVICES ON BEHALF OF THE BUSINESS AND FROM
DISCLOSING ANY SUCH PERSONAL INFORMATION TO ADDITIONAL THIRD PARTIES;
(II) BASED ON A GOOD-FAITH BELIEF THAT DISCLOSURE IS REQUIRED TO
COMPLY WITH APPLICABLE LAW, REGULATION, LEGAL PROCESS, OR COURT ORDER;
(III) THAT IS REASONABLY NECESSARY TO:
(1) ADDRESS FRAUD, SECURITY, OR TECHNICAL ISSUES; OR
(2) PROTECT CONSUMERS OR THE PUBLIC FROM ILLEGAL ACTIVITIES AS
REQUIRED OR PERMITTED BY LAW;
(IV) THAT IS OTHERWISE LAWFULLY AVAILABLE TO THE GENERAL PUBLIC,
PROVIDED THAT THE BUSINESS DID NOT DIRECT THE THIRD PARTY TO THE
PERSONAL INFORMATION;
(V) WHERE SUCH DISCLOSURE IS REQUIRED FOR THE PROTECTION OF THE BUSI-
NESS'S RIGHTS OR PROPERTY.
A. 8631 3
(F) "PERSONAL INFORMATION" MEANS:
(I) ANY INFORMATION THAT IDENTIFIES OR REFERENCES A PARTICULAR INDI-
VIDUAL OR ELECTRONIC DEVICE, INCLUDING, BUT NOT LIMITED TO ANY AND ALL
OF THOSE DESCRIBED IN SUBPARAGRAPHS (I) THROUGH (XIX) OF PARAGRAPH (B)
OF THIS SUBDIVISION OR ANY OTHER IDENTIFIER INTENDED OR ABLE TO BE
UNIQUELY ASSOCIATED WITH A PARTICULAR INDIVIDUAL OR DEVICE;
(II) ANY INFORMATION THAT RELATES TO OR DESCRIBES AN INDIVIDUAL,
INCLUDING, BUT NOT LIMITED TO ANY AND ALL OF THOSE DESCRIBED IN SUBPARA-
GRAPHS (I) THROUGH (XIX) OF PARAGRAPH (B) OF THIS SUBDIVISION PROVIDED
THAT SUCH INFORMATION DOES NOT INCLUDE PUBLICLY AVAILABLE INFORMATION
THAT IS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC FROM FEDERAL,
STATE, OR LOCAL GOVERNMENT RECORDS.
(G) "RETAINS" MEANS TO STORE OR OTHERWISE HOLD INFORMATION, WHETHER
THE INFORMATION IS COLLECTED OR OBTAINED DIRECTLY FROM THE SUBJECT OF
THE INFORMATION OR FROM ANY THIRD PARTY, PROVIDED, HOWEVER, THAT
"RETAINS" DOES NOT INCLUDE INFORMATION THAT IS STORED OR OTHERWISE HELD
SOLELY FOR ONE OR MORE OF THE FOLLOWING PURPOSES, SO LONG AS THE INFOR-
MATION IS DELETED AS SOON AS IT IS NO LONGER NEEDED FOR SUCH PURPOSE OR
PURPOSES:
(I) TO PERFORM A SERVICE OR COMPLETE A TRANSACTION INITIATED BY OR ON
BEHALF OF THE CONSUMER, INCLUDING MAINTAINING OR SERVICING ACCOUNTS,
PROVIDING CUSTOMER SERVICE, PROCESSING OR FULFILLING ORDERS AND TRANS-
ACTIONS, VERIFYING CONSUMER INFORMATION, PROCESSING PAYMENTS, PROVIDING
FINANCING, OR SIMILAR SERVICES;
(II) TO ADDRESS FRAUD, SECURITY OR TECHNICAL ISSUES;
(III) TO PROTECT CONSUMERS OR THE PUBLIC FROM ILLEGAL ACTIVITIES AS
REQUIRED OR PERMITTED BY LAW; AND
(IV) TO COMPLY WITH APPLICABLE LAW OR REGULATION WITH A COURT ORDER OR
OTHER LEGAL PROCESS WHERE THE BUSINESS HAS A GOOD-FAITH BELIEF THAT THE
LAW, REGULATION, COURT ORDER, OR LEGAL PROCESS REQUIRES SUCH SPECIFIC
INFORMATION TO BE STORED OR HELD.
(H) "THIRD PARTY" OR "THIRD PARTIES" MEANS ONE OR MORE OF THE FOLLOW-
ING:
(I) A BUSINESS THAT IS A SEPARATE LEGAL ENTITY FROM THE BUSINESS THAT
HAS DISCLOSED PERSONAL INFORMATION;
(II) A BUSINESS THAT DOES NOT SHARE COMMON OWNERSHIP OR COMMON CORPO-
RATE CONTROL WITH THE BUSINESS THAT HAS DISCLOSED PERSONAL INFORMATION;
OR
(III) A BUSINESS THAT DOES NOT SHARE A BRAND NAME OR COMMON BRANDING
WITH THE BUSINESS THAT HAS DISCLOSED PERSONAL INFORMATION SUCH THAT THE
AFFILIATE RELATIONSHIP IS CLEAR TO THE CONSUMER.
2. (A) A BUSINESS THAT RETAINS A CONSUMER'S PERSONAL INFORMATION SHALL
MAKE AVAILABLE TO THE CONSUMER FREE OF CHARGE ACCESS TO, OR COPIES OF,
ALL OF THE CONSUMER'S PERSONAL INFORMATION RETAINED BY THE BUSINESS.
(B) A BUSINESS THAT DISCLOSES A CONSUMER'S PERSONAL INFORMATION TO A
THIRD PARTY SHALL MAKE THE FOLLOWING INFORMATION AVAILABLE TO THE
CONSUMER FREE OF CHARGE:
(I) ALL CATEGORIES OF THE CONSUMER'S PERSONAL INFORMATION THAT WERE
DISCLOSED, INCLUDING THE CATEGORIES SET FORTH IN PARAGRAPH (B) OF SUBDI-
VISION ONE OF THIS SECTION; AND
(II) THE NAMES AND CONTACT INFORMATION OF ALL OF THE THIRD PARTIES
THAT RECEIVED THE CONSUMER'S PERSONAL INFORMATION FROM THE BUSINESS,
INCLUDING THE THIRD PARTY'S DESIGNATED REQUEST ADDRESS OR ADDRESSES, IF
AVAILABLE;
A. 8631 4
(C) A BUSINESS REQUIRED TO COMPLY WITH PARAGRAPHS (A) AND (B) OF THIS
SUBDIVISION SHALL MAKE THE REQUIRED INFORMATION AVAILABLE IN A CLEAR AND
CONSPICUOUS MANNER BY ONE OR MORE OF THE FOLLOWING MEANS:
(I) BY PROVIDING A DESIGNATED REQUEST ADDRESS AND, UPON RECEIPT OF A
REQUEST UNDER THIS SECTION TO THE DESIGNATED REQUEST ADDRESS, PROVIDING
THE CONSUMER, WITHIN THIRTY DAYS, WITH THE REQUIRED INFORMATION FOR ALL
DISCLOSURES OCCURRING WITHIN THE PAST TWELVE MONTHS, PROVIDED THAT:
(1) IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY, EACH POLICY INCLUDES
A DESCRIPTION OF A CONSUMER'S RIGHTS PURSUANT TO THIS SECTION ACCOMPA-
NIED BY ONE OR MORE DESIGNATED REQUEST ADDRESSES;
(2) THE BUSINESS PROVIDES INFORMATION PERTAINING TO THE SPECIFIC
CONSUMER IF THAT INFORMATION IS REASONABLY AVAILABLE TO THE BUSINESS;
AND
(3) THE BUSINESS PROVIDES INFORMATION IN A STANDARDIZED FORMAT IF
INFORMATION PERTAINING TO THE SPECIFIC CONSUMER IS NOT REASONABLY AVAIL-
ABLE;
(II) FOR INFORMATION REQUIRED TO BE PROVIDED BY PARAGRAPH (B) OF THIS
SUBDIVISION, BY PROVIDING THE CONSUMER WITH A NOTICE INCLUDING THE
REQUIRED INFORMATION PRIOR TO OR IMMEDIATELY FOLLOWING A DISCLOSURE;
(III) BY PROVIDING THE CONSUMER WITH A DISCLOSURE REQUIRED BY FEDERAL
LAW, BUT ONLY IF THE DISCLOSURE IS AT LEAST AS STRINGENT AS PROVIDED FOR
IN THIS SECTION.
(D) (I) A BUSINESS IS NOT OBLIGATED TO PROVIDE MORE THAN ONE NOTICE
UNDER PARAGRAPH (B) OF THIS SUBDIVISION TO THE SAME CONSUMER IN A
TWELVE-MONTH PERIOD ABOUT THE DISCLOSURE OF THE SAME PERSONAL INFORMA-
TION TO THE SAME THIRD PARTY AND IS NOT OBLIGATED UNDER SUBPARAGRAPH (I)
OF PARAGRAPH (C) OF THIS SUBDIVISION TO RESPOND TO A REQUEST BY THE SAME
CONSUMER MORE THAN ONCE WITHIN A GIVEN TWELVE-MONTH PERIOD.
(II) A BUSINESS IS NOT OBLIGATED TO PROVIDE INFORMATION TO THE CONSUM-
ER PURSUANT TO SUBPARAGRAPH (I) OF THIS PARAGRAPH IF THE BUSINESS CANNOT
REASONABLY VERIFY THAT THE INDIVIDUAL MAKING THE REQUEST IS THE CONSUM-
ER.
3. (A) WHEREVER THERE SHALL BE A VIOLATION OF THIS SECTION, AN APPLI-
CATION MAY BE MADE BY THE ATTORNEY GENERAL IN THE NAME OF THE PEOPLE OF
THE STATE OF NEW YORK TO A COURT OR JUSTICE HAVING JURISDICTION BY A
SPECIAL PROCEEDING TO ISSUE AN INJUNCTION, AND UPON NOTICE TO THE
DEFENDANT OF NOT LESS THAN FIVE DAYS, TO ENJOIN OR RESTRAIN THE CONTIN-
UANCE OF SUCH VIOLATION; AND IF IT SHALL APPEAR TO THE SATISFACTION OF
THE COURT OR JUSTICE THAT THE DEFENDANT HAS, IN FACT, VIOLATED THIS
SECTION, AN INJUNCTION MAY BE ISSUED BY SUCH COURT OR JUSTICE, ENJOINING
AND RESTRAINING ANY FURTHER VIOLATION, WITHOUT REQUIRING PROOF THAT ANY
PERSON HAS, IN FACT, BEEN INJURED OR DAMAGED THEREBY. IN ANY SUCH
PROCEEDING, THE COURT MAY MAKE ALLOWANCES TO THE ATTORNEY GENERAL AS
PROVIDED IN PARAGRAPH SIX OF SUBDIVISION (A) OF SECTION EIGHTY-THREE
HUNDRED THREE OF THE CIVIL PRACTICE LAW AND RULES, AND DIRECT RESTITU-
TION. WHENEVER THE COURT SHALL DETERMINE THAT A VIOLATION OF THIS
SECTION HAS OCCURRED, THE COURT MAY IMPOSE A CIVIL PENALTY OF NOT MORE
THAN FIVE HUNDRED DOLLARS FOR EACH VIOLATION, EXCEPT THAT THE COURT MAY
IMPOSE A CIVIL PENALTY OF NOT MORE THAN THREE THOUSAND DOLLARS IF THE
VIOLATION IS KNOWING, INTENTIONAL, OR WILLFUL. IN CONNECTION WITH ANY
SUCH PROPOSED APPLICATION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE
PROOF AND MAKE A DETERMINATION OF THE RELEVANT FACTS AND TO ISSUE
SUBPOENAS IN ACCORDANCE WITH THE CIVIL PRACTICE LAW AND RULES. A
PREVAILING PLAINTIFF IN ANY ACTION COMMENCED UNDER THIS SECTION MAY ALSO
BE ENTITLED TO RECOVER HIS OR HER REASONABLE ATTORNEY'S FEES AND COSTS.
A. 8631 5
THE RIGHTS AND REMEDIES AVAILABLE UNDER THIS SECTION ARE CUMULATIVE TO
EACH OTHER AND TO ANY OTHER RIGHTS AND REMEDIES AVAILABLE UNDER LAW.
(B) UNLESS THE VIOLATION IS KNOWING, INTENTIONAL, OR WILLFUL, A BUSI-
NESS THAT IS ALLEGED TO HAVE NOT PROVIDED ALL THE INFORMATION REQUIRED,
PROVIDED INACCURATE INFORMATION, OR FAILED TO PROVIDE INFORMATION IN THE
TIME PERIOD REQUIRED BY SUBPARAGRAPH (I) OF PARAGRAPH (C) OF SUBDIVISION
TWO OF THIS SECTION, MAY ASSERT AS A COMPLETE DEFENSE IN ANY ACTION IN
LAW OR EQUITY THAT IT THEREAFTER PROVIDED THE INFORMATION THAT WAS
ALLEGED TO BE INCOMPLETE, NOT PROVIDED AT ALL, INACCURATE, OR UNTIMELY
TO ALL NECESSARY CONSUMERS WITHIN NINETY DAYS OF THE DATE THE BUSINESS
KNEW IT HAD FAILED TO PROVIDE ANY OR ALL OF THE INFORMATION, ACCURATE
INFORMATION, OR TIMELY INFORMATION.
(C) NO BUSINESS SHALL BE DEEMED TO HAVE VIOLATED THE PROVISIONS OF
THIS SECTION IF SUCH PERSON SHOWS, BY A PREPONDERANCE OF THE EVIDENCE,
THAT THE VIOLATION WAS NOT INTENTIONAL AND RESULTED FROM A BONA FIDE
ERROR MADE NOTWITHSTANDING THE MAINTENANCE OF PROCEDURES REASONABLY
ADOPTED TO AVOID SUCH ERROR.
(D) THE PROVISIONS OF THIS SECTION MAY BE ENFORCED CONCURRENTLY BY THE
DIRECTOR OF A MUNICIPAL CONSUMER AFFAIRS OFFICE, OR BY THE TOWN ATTOR-
NEY, CITY CORPORATION COUNSEL, OR OTHER LAWFUL DESIGNEE OF A MUNICI-
PALITY OR LOCAL GOVERNMENT, AND ALL MONEYS COLLECTED UNDER THIS SECTION
SHALL BE RETAINED BY SUCH MUNICIPALITY OR LOCAL GOVERNMENT.
S 2. If any clause, sentence, paragraph or part of this section shall
be adjudged by any court of competent jurisdiction to be invalid, such
judgment shall not affect, impair or invalidate the remainder thereof,
but shall be confined in its operation to the clause, sentence, para-
graph or part thereof directly involved in the controversy in which such
judgment shall have been rendered.
S 3. This act shall take effect one year after it shall have become a
law; provided, however, that effective immediately, the addition, amend-
ment, and/or repeal of any rule or regulation necessary for the imple-
mentation of this act on its effective date are authorized and directed
to be made and completed on or before such effective date.