Assembly Bill A7236

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   7236
 
                        2017-2018 Regular Sessions
 
                           I N  A S S E M B L Y
 
                              April 12, 2017
                                ___________
 
 Introduced  by  M. of A. ZEBROWSKI, SKOUFIS, BUCHWALD, JAFFEE, MONTESANO
   -- Multi-Sponsored by -- M. of A.  CROUCH,  SIMON  --  read  once  and
   referred to the Committee on Consumer Affairs and Protection
 
 AN  ACT  to  amend  the  general  business law, in relation to requiring
   internet service providers to provide customers with a copy  of  their
   privacy  policy  and  to obtain written and explicit permission from a
   customer prior to sharing, using, selling  or  providing  to  a  third
   party any sensitive information of such customer
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The general business law is amended by adding a new section
 390-bb to read as follows:
   § 390-BB. INTERNET SERVICE PROVIDERS; CUSTOMER DATA  PRIVACY.  1.  FOR
 THE  PURPOSES OF THIS SECTION THE FOLLOWING TERMS SHALL HAVE THE FOLLOW-
 ING MEANINGS:
   (A) "INTERNET SERVICE PROVIDER" MEANS ANY PERSON, BUSINESS, OR  ORGAN-
 IZATION  WHO IS QUALIFIED TO CONDUCT BUSINESS IN THE STATE THAT PROVIDES
 INDIVIDUALS, CORPORATIONS, OR OTHER ENTITIES WITH ACCESS TO THE INTERNET
 AS PART OF A SERVICE.
   (B) "CUSTOMER" MEANS ANY PERSON, CORPORATION OR ENTITY  WHICH  PAYS  A
 FEE  TO  AN INTERNET SERVICE PROVIDER FOR ACCESS TO THE INTERNET AS PART
 OF A SERVICE.
   (C) "SENSITIVE INFORMATION" MEANS ANY INFORMATION THAT WHICH CAN IDEN-
 TIFY THE CUSTOMER OR ANY OTHER INFORMATION THAT IS SPECIFICALLY  ATTRIB-
 UTABLE  TO  SUCH  CUSTOMER  INCLUDING,  BUT NOT LIMITED TO, FINANCIAL OR
 MEDICAL DATA, BIOGRAPHICAL INFORMATION, COMMUNICATION CONTENT,  BROWSING
 OR WEB HISTORY, OR INTERNET USAGE.
   (D)  "NON-SENSITIVE  INFORMATION" MEANS INFORMATION COLLECTED ON USERS
 THAT IS NOT SPECIFIC TO AN INDIVIDUAL CUSTOMER INCLUDING, BUT NOT LIMIT-
 ED TO, AGGREGATED USE, SUBSCRIPTION DATA OR OTHER MACRO  LEVEL  INFORMA-
 TION.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
              

                                                            LBD10887-01-7

 A. 7236                             2
 
   2. EACH INTERNET SERVICE PROVIDER SHALL PROVIDE CUSTOMERS WITH A COPY,
 EITHER  IN  WRITING  OR IN ELECTRONIC FORM, OF THEIR PRIVACY POLICY THAT
 SHALL INCLUDE  ITS  DATA  COLLECTION  AND  USE  PRACTICES,  THIRD  PARTY
 RELATIONSHIPS,  PURPOSE OF THE DATA COLLECTION AND PROCESS FOR CUSTOMERS
 TO  EXERCISE CONTROL OVER THEIR INFORMATION AS PROVIDED IN THIS SECTION.
 THE PRIVACY POLICY SHALL BE PROVIDED TO CUSTOMERS UPON ENTERING  INTO  A
 CONTRACT  WITH  THE  INTERNET SERVICE PROVIDER AND SUBSEQUENTLY UPON ANY
 SIGNIFICANT CHANGES MADE TO SUCH POLICY.
   3. AN INTERNET SERVICE PROVIDER  SHALL  OBTAIN  WRITTEN  AND  EXPLICIT
 PERMISSION FROM A CUSTOMER PRIOR TO SHARING, USING, SELLING OR PROVIDING
 TO  A THIRD PARTY ANY SENSITIVE INFORMATION OF SUCH CUSTOMER. THE INTER-
 NET SERVICE PROVIDER SHALL PROVIDE TO THE CUSTOMER A CLEAR AND CONSPICU-
 OUS DESCRIPTION OF THE INTENDED USE OF THEIR INFORMATION, INCLUDING, BUT
 NOT LIMITED TO, TYPE OF INFORMATION THAT MAY BE  DISCLOSED,  PURPOSE  OF
 SUCH  DISCLOSURE,  AND ALL THIRD PARTY ENTITIES THAT MAY BE RECEIVING OR
 USING THE INFORMATION.
   4. A CUSTOMER SHALL HAVE THE OPTION TO REMOVE THEIR  CONSENT  FOR  THE
 USE  OR  DISCLOSURE  OF  NON-SENSITIVE INFORMATION. THE INTERNET SERVICE
 PROVIDER SHALL DEVELOP A PROCESS FOR A CUSTOMER TO EASILY  REMOVE  THEIR
 CONSENT  FOR THE USE OF ANY NON-SENSITIVE INFORMATION. THE PROCESS SHALL
 INCLUDE A DETAILED DESCRIPTION OF THE INTENDED USE OF THEIR INFORMATION,
 INCLUDING,  BUT  NOT  LIMITED  TO,  TYPE  OF  INFORMATION  THAT  MAY  BE
 DISCLOSED, PURPOSE OF SUCH DISCLOSURE, AND ALL THIRD PARTY ENTITIES THAT
 MAY BE RECEIVING OR USING THE INFORMATION.
   5.  AN  INTERNET  SERVICE  PROVIDER  SHALL  NOT, AS A CONDITION OF THE
 SERVICE, REQUIRE CONSENT FROM A CUSTOMER FOR USE OF THEIR  SENSITIVE  OR
 NON-SENSITIVE INFORMATION.
   6.  AN  INTERNET  SERVICE  PROVIDER MAY USE SENSITIVE OR NON-SENSITIVE
 INFORMATION WITHOUT CONSENT FROM THE CUSTOMER  IF  SUCH  INFORMATION  IS
 NECESSARY  IN  PROVIDING THE SERVICE TO THE CUSTOMER, INCLUDING, BUT NOT
 LIMITED TO, BILLING, INSTALLATION, AND SUPPORT.
   7. WHENEVER THERE SHALL BE A VIOLATION OF THIS SECTION, AN APPLICATION
 MAY BE MADE BY THE ATTORNEY GENERAL IN THE NAME OF  THE  PEOPLE  OF  THE
 STATE OF NEW YORK TO A COURT OR JUSTICE HAVING JURISDICTION BY A SPECIAL
 PROCEEDING  TO  ISSUE AN INJUNCTION, AND UPON NOTICE TO THE DEFENDANT OF
 NOT LESS THAN FIVE DAYS, TO ENJOIN AND RESTRAIN THE CONTINUANCE OF  SUCH
 VIOLATION;  AND  IF  IT SHALL APPEAR TO THE SATISFACTION OF THE COURT OR
 JUSTICE THAT THE DEFENDANT HAS,  IN  FACT,  VIOLATED  THIS  SECTION,  AN
 INJUNCTION  MAY  BE  ISSUED  BY  SUCH  COURT  OR  JUSTICE, ENJOINING AND
 RESTRAINING ANY FURTHER VIOLATION,  WITHOUT  REQUIRING  PROOF  THAT  ANY
 PERSON  HAS,  IN  FACT,  BEEN  INJURED  OR  DAMAGED THEREBY. IN ANY SUCH
 PROCEEDING, THE COURT MAY MAKE ALLOWANCES TO  THE  ATTORNEY  GENERAL  AS
 PROVIDED  IN  PARAGRAPH  SIX  OF SUBDIVISION (A) OF SECTION EIGHTY-THREE
 HUNDRED THREE OF THE CIVIL PRACTICE LAW AND RULES, AND  DIRECT  RESTITU-
 TION.  WHENEVER  THE  COURT  SHALL  DETERMINE  THAT  A VIOLATION OF THIS
 SECTION  HAS OCCURRED, THE COURT MAY IMPOSE A CIVIL PENALTY OF NOT  MORE
 THAN FIVE HUNDRED DOLLARS FOR A SINGLE VIOLATION AND NOT MORE THAN FIFTY
 THOUSAND  DOLLARS FOR MULTIPLE VIOLATIONS RESULTING FROM A SINGLE ACT OR
 INCIDENT. IN CONNECTION WITH ANY SUCH PROPOSED APPLICATION, THE ATTORNEY
 GENERAL IS AUTHORIZED TO TAKE PROOF AND  MAKE  A  DETERMINATION  OF  THE
 RELEVANT FACTS AND ISSUE SUBPOENAS IN ACCORDANCE WITH THE CIVIL PRACTICE
 LAW AND RULES.
   §  2.  This  act  shall take effect on the sixtieth day after it shall
 have become a law.