NY State Senate Bill 2019-S9073

Archive: Last Bill Status - In Senate Committee Rules Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Oct 28, 2020	referred to rules

2019-S9073 (ACTIVE) - Details

See Assembly Version of this Bill:: A7736
Current Committee:: Senate Rules
Law Section:: Civil Rights Law
Laws Affected:: Amd §§50 & 51, Civ Rts L; add Art 32-A §§676 - 676-q, Gen Bus L
Versions Introduced in Other Legislative Sessions:: 2021-2022: S4021, A3586
2023-2024: S5555
2025-2026: S5156

2019-S9073 (ACTIVE) - Summary

Establishes the "It's Your Data Act" for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.

2019-S9073 (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S9073

SPONSOR: COMRIE
 
TITLE OF BILL:

An act to amend the civil rights law and the general business law, in
relation to establishing the "It's Your Data Act"

 
PURPOSE OR GENERAL IDEA OF BILL:

This bill seeks to establish a duty of care requirement for data extrac-
tors & miners, and mandates these entities adhere strictly to this legal
obligation when it comes to the sovereignty and privacy of an individ-
ual's private information.

 
SUMMARY OF PROVISIONS:

Section one sets the title as the "Its Your Data Act"

Section two amends section 50 of the civil rights law so any person,
firm or corporation that collects, stores, or uses for the purpose of

advertising, trade, data-mining, or generating commercial or economic
value, the name, portrait, picture, video, voice, likeness, and all
other personal data, biometric data, and location data of any living
person without having first obtained the written consent of such person,
or if a minor of his or her parent or guardian, or, if such consent is
obtained, subsequently fails to exercise reasonable care consistent with
its obligations as bailee of that individual's name, portrait, picture,
video, voice, likeness, and all other personal data, biometric data, and
location data, is guilty of a misdemeanor.

Section three amends section 51 of the civil rights law to establish the
means of redress for individuals whose rights under this act have been
violated.

Section four amends the general business law to establish the defi-
nitions for terms or phrases used in this act, and introduces the
following clauses in relation to this act: "Transparency of the
collection , use, retention, and sharing of personal information", "Fair
Collection and use of personal information", "Deletion of personal
information", " Access to retained personal information", "Access to
disclosure of personal information", "Consent to additional collection
or sharing of personal information", "No discrimination by a business
against a consumer for exercise of rights", "Reasonable security", "
Business implementation of duties", "Exceptions", "Consumer's private
right of actions", " Agency enforcement action", "Construction", "Attor-
ney general regulations", "Intermediate transactions", "Non-waiver", and
"Severability".

Section five sets forward an effective date 1 year after enactment.

 
JUSTIFICATION:

In the 21st century, Americans' fundamental right to privacy has steadi-
ly eroded in the shadow of surveillance capitalism. The passage of the
Patriot Act and the rise of big tech companies have enabled the public
and private sector to siphon more and more of our personal data, often
without our consent or knowledge. The institutional legitimization of

mass surveillance and data extraction has begun to warp our society's
very perspective on individual autonomy and privacy.

The commercial sector of the Internet is now being used in ways that
repeatedly wear away an individual's ability to exercise control over
his or her life. Every video we watch, every ad we click on, and every
word we search is now being logged, analyzed, and synthesized by corpo-
rations in order to predict and influence our behaviors as consumers.
The internet is no longer a peer-to-peer experiment; it has morphed into
a data extraction infrastructure that relies on machine-learning algo-
rithms which can ultimately shape our views or control our future
actions.

We have to recognize that life in a society of pervasive monitoring is
not truly life under the rule of law. Businesses that make hundreds of
billions of dollars monitoring every aspect of our daily lives - the
essence of Surveillance Capitalism - represent new, unregulated, and
dangerous territory. The It's Your Data Act (IYD) is designed to regain
individual sovereignty and end abusive and exploitative data-mining
practices, so that an individual's inalienable rights includes their
right to retain control of their own data under all circumstances.

The IYD Act institutes a duty of care requirement for data extractors &
miners, and mandates that they strictly adhere to this legal obligation
when it comes to the sovereignty and privacy of a person's private
information. Our data is more than alienable property that can be sold
to the highest bidder.

 
PRIOR LEGISLATIVE HISTORY:

This is a new bill.

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

To be determined.

 
EFFECTIVE DATE:
This act shall take effect one year after it shall have become law.

2019-S9073 (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   9073
 
                             I N  S E N A T E
 
                             October 28, 2020
                                ___________
 
 Introduced  by  Sen.  COMRIE -- read twice and ordered printed, and when
   printed to be committed to the Committee on Rules
 
 AN ACT to amend the civil rights law and the general  business  law,  in
   relation to establishing the "It's Your Data Act"
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:

   Section 1. This act shall be known and may be cited as the "It's  Your
 Data Act".
   § 2. Section 50 of the civil rights law is amended to read as follows:
   §  50.  Right of privacy. A person, firm or corporation that COLLECTS,
 STORES, AND/OR uses for THE PURPOSE OF advertising [purposes, or for the
 purposes of], trade, DATA-MINING, OR GENERATING COMMERCIAL  OR  ECONOMIC
 VALUE, the name, portrait [or], picture, VIDEO, VOICE, LIKENESS, AND ALL
 OTHER  PERSONAL  DATA,  BIOMETRIC  DATA, AND LOCATION DATA of any living
 person without having first obtained the written consent of such person,
 or if a minor of his or her parent or guardian, OR, IF SUCH  CONSENT  IS
 OBTAINED, SUBSEQUENTLY FAILS TO EXERCISE REASONABLE CARE CONSISTENT WITH
 ITS  OBLIGATIONS AS BAILEE OF THAT INDIVIDUAL'S NAME, PORTRAIT, PICTURE,
 VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND
 LOCATION DATA, is guilty of a misdemeanor.
   § 3. Section 51 of the civil rights law, as amended by chapter 674  of
 the laws of 1995, is amended to read as follows:
   §  51.  Action for injunction and for damages. Any person [whose name,
 portrait, picture or voice is used within  this  state  for  advertising
 purposes or for the purposes of trade without the written consent], FIRM
 OR  CORPORATION  THAT  COLLECTS,  STORES, AND/OR USES FOR THE PURPOSE OF
 ADVERTISING, TRADE, DATA-MINING, OR GENERATING  COMMERCIAL  OR  ECONOMIC
 VALUE,  NAME,  PORTRAIT,  PICTURE, VIDEO, VOICE, LIKENESS, AND ALL OTHER
 PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA OF  ANY  LIVING  PERSON
 WITHOUT  HAVING FIRST OBTAINED THE WRITTEN CONSENT OF SUCH PERSON, OR IF
 A MINOR OF HIS OR HER PARENT OR  GUARDIAN,  OR,  WHEN  SUCH  CONSENT  IS
 OBTAINED, SUBSEQUENTLY FAILS TO EXERCISE REASONABLE CARE CONSISTENT WITH
 ITS  OBLIGATIONS AS BAILEE OF THAT INDIVIDUAL'S NAME, PORTRAIT, PICTURE,
 VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets

                       [ ] is old law to be omitted.
                                                            LBD11575-01-9

 S. 9073                             2
 
 LOCATION DATA first obtained as above provided may maintain an equitable
 action in the supreme court of this state against the  person,  firm  or
 corporation  so  using  his  OR HER name, portrait, picture [or], VIDEO,
 voice,  LIKENESS,  AND  ALL  OTHER  PERSONAL  DATA,  BIOMETRIC DATA, AND
 LOCATION DATA to prevent and restrain the use thereof; and may also  sue
 and recover damages for any injuries sustained by reason of such use and
 if the defendant shall have knowingly used such person's name, portrait,
 picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOM-
 ETRIC DATA, AND LOCATION DATA in such manner as is forbidden or declared
 to  be  unlawful  by  section  fifty  of  this article, the jury, in its
 discretion, may award exemplary damages. But nothing contained  in  this
 article  shall  be so construed as to prevent any person, firm or corpo-
 ration from selling or otherwise transferring  any  material  containing
 such name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER
 PERSONAL  DATA,  BIOMETRIC DATA, AND LOCATION DATA in whatever medium to
 any user of such name, portrait, picture [or], VIDEO,  voice,  LIKENESS,
 AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA or to any
 third  party  [for  sale]  or  transfer directly or indirectly to such a
 user, for use, PROVIDED THAT THE TRANSFERRING PARTY  UNDERTAKES  REASON-
 ABLE STEPS TO ENSURE THAT ANY SUCH USE IS CONSISTENT WITH THE SELLING OR
 TRANSFERRING  PARTY'S  OBLIGATIONS  AS BAILEE OF THAT INDIVIDUAL'S NAME,
 PORTRAIT, PICTURE, VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL  DATA,
 BIOMETRIC  DATA, AND LOCATION DATA AND USE in a manner lawful under this
 article; nothing contained in this article shall be so construed  as  to
 prevent  any  person,  firm or corporation, practicing the profession of
 photography, from exhibiting in or about his or its establishment speci-
 mens of the work of such establishment, unless the same is continued  by
 such  person, firm or corporation after written notice objecting thereto
 has been given by the person portrayed; and nothing  contained  in  this
 article  shall  be so construed as to prevent any person, firm or corpo-
 ration from using the name, portrait, picture [or], VIDEO, voice,  LIKE-
 NESS,  AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA of
 any manufacturer or dealer in  connection  with  the  goods,  wares  and
 merchandise manufactured, produced or dealt in by him OR HER which he OR
 SHE  has  sold  or  disposed  of with such name, portrait, picture [or],
 VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND
 LOCATION DATA used in connection therewith;  or  from  using  the  name,
 portrait,  picture  [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL
 DATA, BIOMETRIC DATA, AND LOCATION  DATA  of  any  author,  composer  or
 artist  in  connection  with  his  OR  HER literary, musical or artistic
 productions which he OR SHE has sold or  disposed  of  with  such  name,
 portrait,  picture  [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL
 DATA, BIOMETRIC DATA, AND LOCATION DATA used  in  connection  therewith.
 Nothing  contained  in  this  section shall be construed to prohibit the
 copyright owner of a sound recording  from  disposing  of,  dealing  in,
 licensing  or selling that sound recording to any party, if the right to
 dispose of, deal in, license or  sell  such  sound  recording  has  been
 conferred by contract or other written document by such living person or
 the  holder  of  such right. Nothing contained in the foregoing sentence
 shall be deemed to abrogate or otherwise limit any  rights  or  remedies
 otherwise conferred by federal law or state law.
   §  4. The general business law is amended by adding a new article 32-A
 to read as follows:
                               ARTICLE 32-A
                            IT'S YOUR DATA ACT
 SECTION 676.   DEFINITIONS.

 S. 9073                             3
 
         676-A. TRANSPARENCY OF THE COLLECTION, USE, RETENTION, AND SHAR-
                  ING OF PERSONAL INFORMATION.
         676-B. FAIR COLLECTION AND USE OF PERSONAL INFORMATION.
         676-C. DELETION OF PERSONAL INFORMATION.
         676-D. ACCESS TO RETAINED PERSONAL INFORMATION.
         676-E. ACCESS TO DISCLOSURE OF PERSONAL INFORMATION.
         676-F. CONSENT  TO  ADDITIONAL COLLECTION OR SHARING OF PERSONAL
                  INFORMATION.
         676-G. NO DISCRIMINATION BY A BUSINESS AGAINST  A  CONSUMER  FOR
                  EXERCISE OF RIGHTS.
         676-H. REASONABLE SECURITY.
         676-I. BUSINESS IMPLEMENTATION OF DUTIES.
         676-J. EXCEPTIONS.
         676-K. CONSUMER'S PRIVATE RIGHT OF ACTION.
         676-L. AGENCY ENFORCEMENT ACTION.
         676-M. CONSTRUCTION.
         676-N. ATTORNEY GENERAL REGULATIONS.
         676-O. INTERMEDIATE TRANSACTIONS.
         676-P. NON-WAIVER.
         676-Q. SEVERABILITY.
   § 676. DEFINITIONS. 1. FOR THE PURPOSES OF THIS ARTICLE:
   (A) "AGGREGATE CONSUMER INFORMATION" MEANS INFORMATION THAT RELATES TO
 A  GROUP  OF  CONSUMERS,  FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE
 BEEN REMOVED, THAT IS NOT LINKED OR REASONABLY LINKABLE TO ANY  CONSUMER
 OR  HOUSEHOLD,  INCLUDING  VIA A DEVICE.  AGGREGATE CONSUMER INFORMATION
 DOES NOT MEAN ONE OR MORE INDIVIDUAL CONSUMER  RECORDS  THAT  HAVE  BEEN
 DE-IDENTIFIED.
   (B)  "BIOMETRIC  INFORMATION"  MEANS  AN  INDIVIDUAL'S  PHYSIOLOGICAL,
 BIOLOGICAL OR BEHAVIORAL CHARACTERISTICS OR AN ELECTRONIC REPRESENTATION
 OF SUCH, INCLUDING AN INDIVIDUAL'S DEOXYRIBONUCLEIC ACID (DNA), THAT CAN
 BE USED, SINGLY OR IN COMBINATION WITH EACH OTHER OR WITH OTHER  IDENTI-
 FYING  DATA,  TO  ESTABLISH INDIVIDUAL IDENTITY.   BIOMETRIC INFORMATION
 INCLUDES, BUT IS NOT LIMITED TO, IMAGERY OF THE  IRIS,  RETINA,  FINGER-
 PRINT, FACE, HAND, PALM, VEIN PATTERNS, AND VOICE RECORDINGS, FROM WHICH
 AN  IDENTIFIER  TEMPLATE, SUCH AS A FACEPRINT, A MINUTIAE TEMPLATE, OR A
 VOICEPRINT, CAN BE EXTRACTED, AND KEYSTROKE PATTERNS  OR  RHYTHMS,  GAIT
 PATTERNS  OR  RHYTHMS,  AND SLEEP, HEALTH, OR EXERCISE DATA THAT CONTAIN
 IDENTIFYING INFORMATION.
   (C) "BUSINESS" MEANS:
   (I) A SOLE PROPRIETORSHIP,  PARTNERSHIP,  LIMITED  LIABILITY  COMPANY,
 CORPORATION,  ASSOCIATION,  OR  OTHER  LEGAL ENTITY THAT IS ORGANIZED OR
 OPERATED FOR THE PROFIT OR FINANCIAL  BENEFIT  OF  ITS  SHAREHOLDERS  OR
 OTHER  OWNERS,  THAT COLLECTS CONSUMERS' PERSONAL INFORMATION, OR ON THE
 BEHALF OF WHICH SUCH INFORMATION IS COLLECTED AND THAT ALONE, OR JOINTLY
 WITH OTHERS, DETERMINES THE PURPOSES AND  MEANS  OF  THE  PROCESSING  OF
 CONSUMERS'  PERSONAL INFORMATION, THAT DOES BUSINESS IN THE STATE OF NEW
 YORK, AND THAT SATISFIES ONE OR MORE OF THE FOLLOWING THRESHOLDS:
   (1) HAS ANNUAL GROSS REVENUES IN EXCESS OF FIFTY MILLION  DOLLARS,  AS
 ADJUSTED  PURSUANT  TO  PARAGRAPH  (F) OF SUBDIVISION ONE OF SECTION SIX
 HUNDRED SEVENTY-SIX-N OF THIS ARTICLE;
   (2) ALONE OR IN COMBINATION, ANNUALLY BUYS, RECEIVES FOR THE BUSINESS'
 COMMERCIAL PURPOSES, SELLS, OR DISCLOSES FOR COMMERCIAL PURPOSES,  ALONE
 OR  IN  COMBINATION,  THE PERSONAL INFORMATION OF FIFTY THOUSAND OR MORE
 CONSUMERS, HOUSEHOLDS, OR DEVICES; OR
   (3) DERIVES FIFTY PERCENT OR MORE OF ITS ANNUAL REVENUES FROM  SELLING
 CONSUMERS' PERSONAL INFORMATION; AND

 S. 9073                             4
 
   (II)  ANY  ENTITY  THAT  CONTROLS  OR  IS CONTROLLED BY A BUSINESS, AS
 DEFINED IN SUBPARAGRAPH (I) OF THIS PARAGRAPH, AND  THAT  SHARES  COMMON
 BRANDING WITH SUCH BUSINESS.
   (D)  "CONTROL"  OR  "CONTROLLED"  MEANS  OWNERSHIP OF, OR THE POWER TO
 VOTE, MORE THAN FIFTY PERCENT OF THE OUTSTANDING SHARES OF ANY CLASS  OF
 VOTING  SECURITY  OF A BUSINESS; CONTROL IN ANY MANNER OVER THE ELECTION
 OF A MAJORITY OF THE DIRECTORS, OR  OF  INDIVIDUALS  EXERCISING  SIMILAR
 FUNCTIONS;  OR  THE  POWER  TO EXERCISE A CONTROLLING INFLUENCE OVER THE
 MANAGEMENT OF A BUSINESS.
   (E) "COMMON BRANDING" MEANS A SHARED NAME, SERVICEMARK, OR TRADEMARK.
   (F) "OPERATIONAL PURPOSE" MEANS THE USE OF PERSONAL  INFORMATION  WHEN
 REASONABLY  NECESSARY  AND PROPORTIONATE TO ACHIEVE ONE OF THE FOLLOWING
 OPERATIONAL PURPOSES:
   (I) AUDITING RELATED TO A CURRENT INTERACTION WITH  THE  CONSUMER  AND
 CONCURRENT  TRANSACTIONS,  INCLUDING,  BUT  NOT  LIMITED TO, COUNTING AD
 IMPRESSIONS TO UNIQUE VISITORS, VERIFYING POSITIONING AND QUALITY OF  AD
 IMPRESSIONS, AND AUDITING COMPLIANCE WITH THIS PARAGRAPH AND OTHER STAN-
 DARDS;
   (II)  DETECTING  AND  RESPONDING  TO  SECURITY  INCIDENTS,  PROTECTING
 AGAINST MALICIOUS, DECEPTIVE, FRAUDULENT, OR ILLEGAL ACTIVITY, AND PROS-
 ECUTING THOSE RESPONSIBLE FOR THAT ACTIVITY;
   (III) DEBUGGING TO IDENTIFY AND REPAIR  ERRORS  THAT  IMPAIR  EXISTING
 INTENDED FUNCTIONALITY;
   (IV)  SHORT-TERM,  TRANSIENT USE, PROVIDED THE PERSONAL INFORMATION IS
 NOT DISCLOSED TO ANOTHER THIRD PARTY AND IS NOT USED TO BUILD A  PROFILE
 ABOUT  A CONSUMER OR OTHERWISE ALTER AN INDIVIDUAL CONSUMER'S EXPERIENCE
 OUTSIDE THE CURRENT INTERACTION, INCLUDING,  BUT  NOT  LIMITED  TO,  THE
 CONTEXTUAL CUSTOMIZATION OF ADS SHOWN AS PART OF THE SAME INTERACTION;
   (V)  PERFORMING  OR  PROVIDING  SERVICES  ON BEHALF OF THE BUSINESS OR
 SERVICE PROVIDER, INCLUDING MAINTAINING OR SERVICING  ACCOUNTS,  BILLING
 OR  COLLECTING  FOR  REQUESTED  PRODUCTS OR SERVICES, PROVIDING CUSTOMER
 SERVICE, PROCESSING OR FULFILLING  ORDERS  AND  TRANSACTIONS,  VERIFYING
 CUSTOMER  INFORMATION, PROCESSING PAYMENTS, PROVIDING FINANCING, PROVID-
 ING ADVERTISING OR MARKETING SERVICES, PROVIDING ANALYTIC  SERVICES,  OR
 PROVIDING  SIMILAR SERVICES ON BEHALF OF THE BUSINESS OR SERVICE PROVID-
 ER;
   (VI) UNDERTAKING INTERNAL RESEARCH FOR TECHNOLOGICAL  DEVELOPMENT  AND
 DEMONSTRATION;
   (VII)  UNDERTAKING  ACTIVITIES  TO  VERIFY  OR MAINTAIN THE QUALITY OR
 SAFETY OF A SERVICE OR DEVICE THAT IS OWNED, MANUFACTURED,  MANUFACTURED
 FOR,  OR  CONTROLLED BY THE BUSINESS, OR TO IMPROVE, UPGRADE, OR ENHANCE
 THE SERVICE OR DEVICE THAT IS OWNED, MANUFACTURED, MANUFACTURED FOR,  OR
 CONTROLLED BY THE BUSINESS;
   (VIII) CUSTOMIZATION OF CONTENT; OR
   (IX) CUSTOMIZATION OF ADVERTISING OR MARKETING.
   (G)  "COLLECTS,"  "COLLECTED,"  OR "COLLECTION" MEANS BUYING, RENTING,
 GATHERING, OBTAINING, RECEIVING, OR ACCESSING ANY  PERSONAL  INFORMATION
 PERTAINING TO A CONSUMER BY ANY MEANS. THIS SHALL INCLUDE, BUT SHALL NOT
 BE  LIMITED TO, RECEIVING INFORMATION FROM THE CONSUMER, EITHER ACTIVELY
 OR PASSIVELY, OR BY OBSERVING THE CONSUMER'S BEHAVIOR.
   (H) "COMMERCIAL PURPOSES" MEANS TO ADVANCE A  PERSON'S  COMMERCIAL  OR
 ECONOMIC  INTERESTS,  SUCH  AS  BY INDUCING ANOTHER PERSON TO BUY, RENT,
 LEASE, JOIN, SUBSCRIBE TO, PROVIDE, OR EXCHANGE PRODUCTS, GOODS, PROPER-
 TY, INFORMATION, OR SERVICES, OR  ENABLING  OR  EFFECTING,  DIRECTLY  OR
 INDIRECTLY,  A  COMMERCIAL  TRANSACTION.  COMMERCIAL  PURPOSES SHALL NOT
 INCLUDE ENGAGING IN SPEECH THAT STATE OR FEDERAL COURTS HAVE  RECOGNIZED

 S. 9073                             5
 
 AS NONCOMMERCIAL SPEECH, INCLUDING, BUT NOT LIMITED TO, POLITICAL SPEECH
 AND JOURNALISM.
   (I)  "CONSUMER"  MEANS A NATURAL PERSON WHO IS A RESIDENT OF THE STATE
 OF NEW YORK.
   (J) "DE-IDENTIFIED" MEANS INFORMATION THAT CANNOT REASONABLY IDENTIFY,
 RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE  LINKED,
 DIRECTLY  OR INDIRECTLY, TO A PARTICULAR CONSUMER, PROVIDED THAT A BUSI-
 NESS THAT USES DE-IDENTIFIED INFORMATION:
   (I) TAKES REASONABLE MEASURES TO ENSURE THAT THE  DATA  IS  DE-IDENTI-
 FIED;
   (II)  PUBLICLY COMMITS TO MAINTAIN AND USE THE DATA IN A DE-IDENTIFIED
 FASHION AND NOT TO ATTEMPT TO RE-IDENTIFY THE DATA; AND
   (III) CONTRACTUALLY PROHIBITS DOWNSTREAM RECIPIENTS FROM ATTEMPTING TO
 RE-IDENTIFY THE DATA.
   (K) "DESIGNATED METHODS  FOR  SUBMITTING  REQUESTS"  MEANS  A  MAILING
 ADDRESS,  EMAIL  ADDRESS,  INTERNET WEB PAGE, INTERNET WEB PORTAL, TOLL-
 FREE TELEPHONE NUMBER, OR OTHER APPLICABLE CONTACT INFORMATION,  WHEREBY
 CONSUMERS  MAY SUBMIT A REQUEST UNDER THIS ARTICLE, AND ANY NEW, CONSUM-
 ER-FRIENDLY MEANS OF CONTACTING A BUSINESS, AS APPROVED BY THE  ATTORNEY
 GENERAL PURSUANT TO SECTION SIX HUNDRED SEVENTY-SIX-N OF THIS ARTICLE.
   (L)  "DEVICE"  MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECTING
 TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE.
   (M) "HEALTH INSURANCE INFORMATION" MEANS A CONSUMER'S INSURANCE POLICY
 NUMBER OR SUBSCRIBER IDENTIFICATION NUMBER, ANY UNIQUE  IDENTIFIER  USED
 BY  A HEALTH INSURER TO IDENTIFY THE CONSUMER, OR ANY INFORMATION IN THE
 CONSUMER'S  APPLICATION  AND  CLAIMS  HISTORY,  INCLUDING  ANY   APPEALS
 RECORDS,  IF  THE  INFORMATION  IS  LINKED  OR  REASONABLY LINKABLE TO A
 CONSUMER OR HOUSEHOLD, INCLUDING VIA A DEVICE, BY A BUSINESS OR  SERVICE
 PROVIDER.
   (N)  "INFER" OR "INFERENCE" MEANS THE DERIVATION OF INFORMATION, DATA,
 ASSUMPTIONS, OR CONCLUSIONS FROM FACTS, EVIDENCE, OR ANOTHER  SOURCE  OF
 INFORMATION OR DATA.
   (O)  "PERSON"  MEANS AN INDIVIDUAL, PROPRIETORSHIP, FIRM, PARTNERSHIP,
 JOINT VENTURE, SYNDICATE, BUSINESS TRUST, COMPANY, CORPORATION,  LIMITED
 LIABILITY COMPANY, ASSOCIATION, COMMITTEE, AND ANY OTHER ORGANIZATION OR
 GROUP OF PERSONS ACTING IN CONCERT.
   (P)  "PERSONAL INFORMATION" MEANS INFORMATION THAT IDENTIFIES OR COULD
 REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR  CONSUM-
 ER,  HOUSEHOLD,  OR  CONSUMER  DEVICE.    PERSONAL INFORMATION SHALL NOT
 INCLUDE PUBLICLY AVAILABLE INFORMATION, INFORMATION THAT  IS  DE-IDENTI-
 FIED, OR AGGREGATE CONSUMER INFORMATION.
   (Q)  "PUBLICLY  AVAILABLE"  MEANS  INFORMATION  THAT  IS LAWFULLY MADE
 AVAILABLE FROM FEDERAL, STATE, OR  LOCAL  GOVERNMENT  RECORDS.  PUBLICLY
 AVAILABLE  DOES  NOT  MEAN  INFORMATION  COLLECTED BY A BUSINESS ABOUT A
 CONSUMER WITHOUT THE CONSUMER'S KNOWLEDGE.
   (R) "SERVICE" OR "SERVICES" MEANS WORK, LABOR, AND SERVICES, INCLUDING
 SERVICES FURNISHED IN CONNECTION WITH THE PRODUCTION, SALE OR REPAIR  OF
 GOODS.
   (S)  "SERVICE PROVIDER" MEANS AN INDIVIDUAL SOLE PROPRIETORSHIP, PART-
 NERSHIP, LIMITED LIABILITY COMPANY, CORPORATION, ASSOCIATION,  OR  OTHER
 LEGAL  ENTITY  THAT IS ORGANIZED OR OPERATED FOR THE PROFIT OR FINANCIAL
 BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS, THAT PROCESSES  INFORMATION
 ON  BEHALF  OF A BUSINESS AND TO WHICH SUCH BUSINESS DISCLOSES A CONSUM-
 ER'S PERSONAL INFORMATION FOR AN OPERATIONAL PURPOSE PURSUANT TO A WRIT-
 TEN OR ELECTRONIC CONTRACT, PROVIDED THAT  THE  CONTRACT  PROHIBITS  THE
 ENTITY  RECEIVING  THE  INFORMATION FROM RETAINING, USING, OR DISCLOSING

 S. 9073                             6
 
 THE PERSONAL INFORMATION FOR ANY PURPOSE OTHER  THAN  FOR  THE  SPECIFIC
 PURPOSE  OF  PERFORMING  THE SERVICES SPECIFIED IN THE CONTRACT FOR SUCH
 BUSINESS, OR AS OTHERWISE PERMITTED BY THIS ARTICLE, INCLUDING A  PROHI-
 BITION ON RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION FOR A
 COMMERCIAL  PURPOSE  OTHER  THAN PROVIDING THE SERVICES SPECIFIED IN THE
 CONTRACT WITH SUCH BUSINESS.
   (T) "VERIFIABLE CONSUMER REQUEST" MEANS A REQUEST THAT IS  MADE  BY  A
 CONSUMER, BY A CONSUMER ON BEHALF OF THE CONSUMER'S MINOR CHILD, OR BY A
 NATURAL  PERSON  OR  A  PERSON  REGISTERED  WITH THE SECRETARY OF STATE,
 AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUMER'S BEHALF, AND THAT THE
 BUSINESS CAN REASONABLY VERIFY. A BUSINESS SHALL  NOT  BE  OBLIGATED  TO
 PROVIDE  ANY  PERSONAL INFORMATION TO A CONSUMER IF SUCH BUSINESS CANNOT
 VERIFY THAT THE CONSUMER MAKING THE REQUEST IS THE CONSUMER  ABOUT  WHOM
 SUCH  BUSINESS HAS COLLECTED PERSONAL INFORMATION OR IS A PERSON AUTHOR-
 IZED BY THE CONSUMER TO ACT ON SUCH CONSUMER'S BEHALF.
   (U) "THIRD PARTY" MEANS A PERSON OR BUSINESS THAT IS NOT  ANY  OF  THE
 FOLLOWING:
   (I)  THE  BUSINESS  THAT  COLLECTS PERSONAL INFORMATION FROM CONSUMERS
 UNDER THIS ARTICLE; OR
   (II) A PERSON TO WHOM THE BUSINESS  DISCLOSES  A  CONSUMER'S  PERSONAL
 INFORMATION  FOR  AN OPERATIONAL PURPOSE PURSUANT TO A WRITTEN CONTRACT,
 PROVIDED THAT THE CONTRACT:
   (1) PROHIBITS THE PERSON RECEIVING THE PERSONAL INFORMATION FROM:
   (A) SELLING THE PERSONAL INFORMATION;
   (B) RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION  FOR  ANY
 PURPOSE  OTHER  THAN FOR THE SPECIFIC PURPOSE OF PERFORMING THE SERVICES
 SPECIFIED IN THE CONTRACT, INCLUDING RETAINING, USING, OR DISCLOSING THE
 PERSONAL INFORMATION FOR A COMMERCIAL PURPOSE OTHER THAN  PROVIDING  THE
 SERVICES SPECIFIED IN THE CONTRACT; AND
   (C)  RETAINING,  USING,  OR  DISCLOSING THE INFORMATION OUTSIDE OF THE
 DIRECT BUSINESS RELATIONSHIP BETWEEN THE PERSON AND THE BUSINESS; AND
   (2) INCLUDES A CERTIFICATION MADE BY THE PERSON RECEIVING THE PERSONAL
 INFORMATION THAT THE PERSON UNDERSTANDS THE RESTRICTIONS IN  CLAUSE  ONE
 OF THIS PARAGRAPH AND WILL COMPLY WITH SUCH RESTRICTIONS.
   2.  FOR REFERENCES TO A CATEGORY OR CATEGORIES OF PERSONAL INFORMATION
 REQUIRED TO BE DISCLOSED PURSUANT TO THIS ARTICLE:
   (A) "PROCESSING" MEANS ANY OPERATION OR SET  OF  OPERATIONS  THAT  ARE
 PERFORMED  ON  PERSONAL DATA OR ON SETS OF PERSONAL DATA, WHETHER OR NOT
 BY AUTOMATED MEANS.
   (B) "RESEARCH" MEANS SCIENTIFIC AND SYSTEMATIC STUDY AND  OBSERVATION,
 INCLUDING  BASIC  RESEARCH  OR  APPLIED  RESEARCH  THAT IS IN THE PUBLIC
 INTEREST AND THAT ADHERES TO ALL OTHER  APPLICABLE  ETHICS  AND  PRIVACY
 LAWS  OR  STUDIES CONDUCTED IN THE PUBLIC INTEREST IN THE AREA OF PUBLIC
 HEALTH. RESEARCH WITH PERSONAL INFORMATION THAT MAY HAVE BEEN  COLLECTED
 FROM  A  CONSUMER  IN  THE  COURSE OF THE CONSUMER'S INTERACTIONS WITH A
 BUSINESS' SERVICE OR DEVICE FOR OTHER PURPOSES SHALL BE:
   (I) COMPATIBLE WITH AN OPERATIONAL  PURPOSE  FOR  WHICH  THE  PERSONAL
 INFORMATION WAS COLLECTED;
   (II)  SUBSEQUENTLY  DE-IDENTIFIED,  OR IN THE AGGREGATE, SUCH THAT THE
 INFORMATION CANNOT REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE  CAPABLE
 OF  BEING  ASSOCIATED  WITH,  OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A
 PARTICULAR CONSUMER;
   (III) MADE SUBJECT TO TECHNICAL SAFEGUARDS TO  PREVENT  RE-IDENTIFICA-
 TION OF THE CONSUMER TO WHOM THE INFORMATION MAY PERTAIN;
   (IV) SUBJECT TO BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT RE-IDEN-
 TIFICATION OF THE INFORMATION;

 S. 9073                             7
 
   (V)  MADE SUBJECT TO BUSINESS PROCESSES TO PREVENT INADVERTENT RELEASE
 OF DE-IDENTIFIED INFORMATION;
   (VI) PROTECTED FROM ANY RE-IDENTIFICATION ATTEMPTS;
   (VII)  USED  SOLELY FOR RESEARCH PURPOSES THAT ARE COMPATIBLE WITH THE
 CONTEXT IN WHICH THE PERSONAL INFORMATION WAS COLLECTED;
   (VIII) NOT BE USED FOR ANY COMMERCIAL PURPOSE; AND
   (IX) SUBJECTED BY THE BUSINESS CONDUCTING THE RESEARCH  TO  ADDITIONAL
 SECURITY  CONTROLS  THAT LIMIT ACCESS TO THE RESEARCH DATA TO ONLY THOSE
 INDIVIDUALS IN A BUSINESS AS ARE NECESSARY TO  CARRY  OUT  THE  RESEARCH
 PURPOSE.
   (C)  (I) "SELL," "SELLING," "SALE," OR "SOLD," MEANS SELLING, RENTING,
 RELEASING, DISCLOSING, DISSEMINATING, MAKING AVAILABLE, TRANSFERRING, OR
 OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY  ELECTRONIC  OR  OTHER
 MEANS,  A  CONSUMER'S  PERSONAL  INFORMATION  BY THE BUSINESS TO ANOTHER
 BUSINESS OR A THIRD PARTY FOR MONETARY OR OTHER VALUABLE CONSIDERATION.
   (II) FOR PURPOSES OF THIS ARTICLE, A BUSINESS DOES NOT  SELL  PERSONAL
 INFORMATION WHEN:
   (1)  A CONSUMER USES OR DIRECTS THE BUSINESS TO INTENTIONALLY DISCLOSE
 PERSONAL INFORMATION OR USES THE BUSINESS TO INTENTIONALLY INTERACT WITH
 A THIRD PARTY, PROVIDED SUCH THIRD PARTY DOES NOT ALSO SELL THE PERSONAL
 INFORMATION,  UNLESS  SUCH  DISCLOSURE  WOULD  BE  CONSISTENT  WITH  THE
 PROVISIONS  OF  THIS ARTICLE. AN INTENTIONAL INTERACTION OCCURS WHEN THE
 CONSUMER INTENDS TO INTERACT WITH THE  THIRD  PARTY,  VIA  ONE  OR  MORE
 DELIBERATE  INTERACTIONS.   HOVERING OVER, MUTING, PAUSING, OR CLOSING A
 GIVEN PIECE OF CONTENT SHALL  NOT  CONSTITUTE  A  CONSUMER'S  INTENT  TO
 INTERACT WITH A THIRD PARTY;
   (2)  THE  BUSINESS  USES OR DISCLOSES AN IDENTIFIER FOR A CONSUMER WHO
 HAS OPTED OUT OF THE SALE OF THE CONSUMER'S PERSONAL INFORMATION FOR THE
 PURPOSES OF ALERTING THIRD PARTIES THAT THE CONSUMER HAS  OPTED  OUT  OF
 THE SALE OF THE CONSUMER'S PERSONAL INFORMATION;
   (3)  THE BUSINESS USES OR DISCLOSES PERSONAL INFORMATION OF A CONSUMER
 WITH A SERVICE PROVIDER THAT IS  NECESSARY  TO  PERFORM  AN  OPERATIONAL
 PURPOSE AND THE BUSINESS HAS PROVIDED NOTICE THAT INFORMATION BEING USED
 OR  DISCLOSED  IN  ITS  TERMS AND CONDITIONS CONSISTENT WITH SECTION SIX
 HUNDRED SEVENTY-SIX-I OF THIS ARTICLE; OR
   (4) THE BUSINESS TRANSFERS TO A THIRD PARTY THE  PERSONAL  INFORMATION
 OF  A  CONSUMER AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANK-
 RUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES CONTROL OF
 ALL OR PART OF THE  BUSINESS,  PROVIDED  THAT  INFORMATION  IS  USED  OR
 DISCLOSED  CONSISTENTLY  WITH  THIS ARTICLE. A THIRD PARTY MAY NOT MATE-
 RIALLY ALTER HOW IT USES OR DISCLOSES  THE  PERSONAL  INFORMATION  OF  A
 CONSUMER  IN  A MANNER THAT IS MATERIALLY INCONSISTENT WITH THE PROMISES
 MADE AT THE TIME OF COLLECTION, UNLESS IT FIRST OBTAINS OPT-IN  CONSENT,
 AS SET FORTH IN THIS ARTICLE.
   §  676-A.  TRANSPARENCY OF THE COLLECTION, USE, RETENTION, AND SHARING
 OF  PERSONAL  INFORMATION.  ANY  BUSINESS  THAT  COLLECTS  A  CONSUMER'S
 PERSONAL  INFORMATION  SHALL  DISCLOSE  THE FOLLOWING INFORMATION IN ITS
 ONLINE PRIVACY POLICY OR POLICIES, IF THE BUSINESS HAS AN ONLINE PRIVACY
 POLICY, AND UPDATE SUCH INFORMATION AT LEAST ONCE EVERY TWELVE MONTHS:
   1. A DESCRIPTION OF A  CONSUMER'S  RIGHTS  PURSUANT  TO  SECTIONS  SIX
 HUNDRED  SEVENTY-SIX-B,  SIX HUNDRED SEVENTY-SIX-D, SIX HUNDRED SEVENTY-
 SIX-E, SIX HUNDRED SEVENTY-SIX-F AND SIX HUNDRED SEVENTY-SIX-G  OF  THIS
 ARTICLE  AND  ONE  OR  MORE  DESIGNATED  METHODS FOR SUBMITTING REQUESTS
 PURSUANT  TO   SECTIONS   SIX   HUNDRED   SEVENTY-SIX-C,   SIX   HUNDRED
 SEVENTY-SIX-D, AND SIX HUNDRED SEVENTY-SIX-E OF THIS ARTICLE;

 S. 9073                             8
 
   2.  A  DESCRIPTION  OF THE PERSONAL INFORMATION SUCH BUSINESS COLLECTS
 ABOUT CONSUMERS;
   3.  THE  CATEGORIES  OF SOURCES FROM WHICH THE PERSONAL INFORMATION IS
 COLLECTED;
   4. A DESCRIPTION OF THE METHODS SUCH BUSINESS USES TO COLLECT PERSONAL
 INFORMATION;
   5. THE SPECIFIC PURPOSES  FOR  COLLECTING,  DISCLOSING,  OR  RETAINING
 PERSONAL INFORMATION;
   6.  A  DESCRIPTION  OF  THE  PERSONAL  INFORMATION  IT DISCLOSES ABOUT
 CONSUMERS, OR IF THE BUSINESS  DOES  NOT  DISCLOSE  CONSUMERS'  PERSONAL
 INFORMATION, THE BUSINESS SHALL DISCLOSE SUCH FACT;
   7.  THE  CATEGORIES  OF  THIRD  PARTIES WITH WHOM SUCH BUSINESS SHARES
 PERSONAL INFORMATION WITH, OR IF THE BUSINESS DOES NOT DISCLOSE  CONSUM-
 ERS'  PERSONAL INFORMATION TO THIRD PARTIES, THE BUSINESS SHALL DISCLOSE
 SUCH FACT;
   8. THE CATEGORIES OF SERVICE PROVIDERS WITH WHOM SUCH BUSINESS  SHARES
 PERSONAL  INFORMATION WITH, OR IF THE BUSINESS DOES NOT DISCLOSE CONSUM-
 ERS' PERSONAL INFORMATION  TO  SERVICE  PROVIDERS,  THE  BUSINESS  SHALL
 DISCLOSE SUCH FACT;
   9.  A DESCRIPTION OF THE LENGTH OF TIME FOR WHICH PERSONAL INFORMATION
 IS RETAINED; AND
   10. IF PERSONAL DATA IS  DE-IDENTIFIED  SUCH  THAT  IT  IS  NO  LONGER
 CONSIDERED  PERSONAL  INFORMATION  BUT  SUBSEQUENTLY  RETAINED, USED, OR
 SHARED BY THE BUSINESS, A DESCRIPTION OF THE METHOD OR METHODS OF  DE-I-
 DENTIFICATION.
   §  676-B.  FAIR COLLECTION AND USE OF PERSONAL INFORMATION. 1. SUBJECT
 TO SECTION SIX HUNDRED SEVENTY-SIX-F OF THIS  ARTICLE  A  BUSINESS  THAT
 COLLECTS  A  CONSUMER'S  PERSONAL INFORMATION SHALL LIMIT ITS COLLECTION
 AND SHARING OF PERSONAL  INFORMATION  WITH  THIRD  PARTIES  TO  WHAT  IS
 REASONABLY  NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT A
 CONSUMER HAS REQUESTED OR IS REASONABLY NECESSARY FOR SECURITY OR  FRAUD
 PREVENTION, AND SHALL REQUIRE ANY SUCH THIRD PARTY TO EXERCISE CARE OVER
 THE  CONSUMER'S  PERSONAL INFORMATION CONSISTENT WITH THE ORIGINAL BUSI-
 NESS'S OBLIGATIONS AS BAILEE OF SUCH INFORMATION.
   2. SUBJECT TO SECTION SIX HUNDRED SEVENTY-SIX-F  OF  THIS  ARTICLE,  A
 BUSINESS  THAT COLLECTS A CONSUMER'S PERSONAL INFORMATION SHALL BE OBLI-
 GATED TO EXERCISE REASONABLE CARE WITH RESPECT TO THE COLLECTION,  STOR-
 AGE,  AND  USE OF THAT INFORMATION, CONSISTENT WITH ITS OBLIGATIONS AS A
 BAILEE, AND SHALL LIMIT ITS USE AND RETENTION OF PERSONAL INFORMATION TO
 WHAT IS REASONABLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY
 THAT A CONSUMER HAS REQUESTED OR A RELATED OPERATIONAL PURPOSE, PROVIDED
 HOWEVER THAT DATA COLLECTED OR RETAINED SOLELY  FOR  SECURITY  OR  FRAUD
 PREVENTION MAY NOT BE USED FOR RELATED OPERATIONAL PURPOSES.
   §  676-C.  DELETION  OF PERSONAL INFORMATION. 1. A CONSUMER SHALL HAVE
 THE RIGHT TO REQUEST THAT A BUSINESS  DELETE  ANY  PERSONAL  INFORMATION
 ABOUT SUCH CONSUMER WHICH THE BUSINESS HAS COLLECTED FROM THE CONSUMER.
   2. A BUSINESS THAT COLLECTS PERSONAL INFORMATION ABOUT CONSUMERS SHALL
 DISCLOSE,  PURSUANT  TO  THE  NOTICE REQUIREMENTS OF SECTION SIX HUNDRED
 SEVENTY-SIX-I OF THIS ARTICLE, THE  CONSUMER'S  RIGHTS  TO  REQUEST  THE
 DELETION OF THE CONSUMER'S PERSONAL INFORMATION.
   3.  A  BUSINESS  THAT  RECEIVES  A  VERIFIABLE CONSUMER REQUEST FROM A
 CONSUMER TO DELETE  THE  CONSUMER'S  PERSONAL  INFORMATION  PURSUANT  TO
 SUBDIVISION  ONE  OF  THIS  SECTION SHALL DELETE THE CONSUMER'S PERSONAL
 INFORMATION FROM ITS RECORDS AND DIRECT ANY SERVICE PROVIDERS TO  DELETE
 THE CONSUMER'S PERSONAL INFORMATION FROM THEIR RECORDS.

 S. 9073                             9
 
   4.  A  BUSINESS  OR A SERVICE PROVIDER SHALL NOT BE REQUIRED TO COMPLY
 WITH A CONSUMER'S REQUEST TO DELETE THE CONSUMER'S PERSONAL  INFORMATION
 IF:
   (A)  SUCH  RETENTION OF PERSONAL INFORMATION IS REASONABLY ANTICIPATED
 WITHIN THE CONTEXT OF A BUSINESS'S ONGOING  BUSINESS  RELATIONSHIP  WITH
 THE CONSUMER; OR
   (B)  IT  IS NECESSARY FOR THE BUSINESS OR SERVICE PROVIDER TO MAINTAIN
 THE CONSUMER'S PERSONAL INFORMATION IN ORDER TO:
   (I) COMPLETE THE TRANSACTION FOR WHICH THE  PERSONAL  INFORMATION  WAS
 COLLECTED,  PROVIDE  A  GOOD  OR  SERVICE  REQUESTED BY THE CONSUMER, OR
 OTHERWISE PERFORM A CONTRACT BETWEEN THE BUSINESS AND THE CONSUMER;
   (II) DETECT OR RESPOND TO SECURITY INCIDENTS,  PROTECT  AGAINST  MALI-
 CIOUS,  DECEPTIVE,  FRAUDULENT,  OR ILLEGAL ACTIVITY, OR PROSECUTE THOSE
 RESPONSIBLE FOR THAT ACTIVITY;
   (III) DEBUG  TO  IDENTIFY  AND  REPAIR  ERRORS  THAT  IMPAIR  EXISTING
 INTENDED FUNCTIONALITY;
   (IV)  EXERCISE  FREE  SPEECH,  ENSURE THE RIGHT OF ANOTHER CONSUMER TO
 EXERCISE HIS OR HER RIGHT OF FREE SPEECH;
   (V) ENGAGE IN  PUBLIC  OR  PEER-REVIEWED  SCIENTIFIC,  HISTORICAL,  OR
 STATISTICAL  RESEARCH  IN  THE PUBLIC INTEREST THAT ADHERES TO ALL OTHER
 APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE BUSINESSES' DELETION OF THE
 INFORMATION IS LIKELY TO  RENDER  IMPOSSIBLE  OR  SERIOUSLY  IMPAIR  THE
 ACHIEVEMENT  OF  SUCH  RESEARCH,  IF  THE CONSUMER HAS PROVIDED INFORMED
 CONSENT; OR
   (VI) COMPLY WITH A LEGAL OBLIGATION.
   § 676-D. ACCESS TO RETAINED PERSONAL INFORMATION.  1.  IF  A  BUSINESS
 COLLECTS  PERSONAL INFORMATION ABOUT A CONSUMER, THE CONSUMER SHALL HAVE
 THE RIGHT TO ASK THE BUSINESS FOR THE  FOLLOWING  INFORMATION,  AND  THE
 BUSINESS SHALL HAVE THE DUTY TO PROVIDE IT, PROMPTLY AND FREE OF CHARGE,
 UPON RECEIPT OF A VERIFIABLE REQUEST:
   (A)  THE  SPECIFIC  PIECES  OF  PERSONAL INFORMATION THAT THE BUSINESS
 RETAINS ABOUT THAT CONSUMER;
   (B) THE  SPECIFIC  SOURCES  FROM  WHICH  THE  BUSINESS  COLLECTED  THE
 PERSONAL INFORMATION; AND
   (C) ITS PURPOSE FOR COLLECTING THE PERSONAL INFORMATION.
   2.  WHEN  A  BUSINESS  RECEIVES  A  VERIFIABLE CONSUMER REQUEST FROM A
 CONSUMER FOR THE SPECIFIC PIECES OF  THEIR  PERSONAL  INFORMATION,  SUCH
 BUSINESS  SHALL  DISCLOSE  SUCH  INFORMATION IN AN ELECTRONIC, PORTABLE,
 MACHINE-READABLE, AND READILY-USEABLE FORMAT OR FORMATS THAT  ALLOW  THE
 CONSUMER TO UNDERSTAND SUCH INFORMATION AND TO TRANSMIT SUCH INFORMATION
 TO ANOTHER ENTITY WITHOUT HINDRANCE.
   §  676-E.  ACCESS TO DISCLOSURE OF PERSONAL INFORMATION. IF A BUSINESS
 DISCLOSES PERSONAL INFORMATION ABOUT A CONSUMER TO A  THIRD  PARTY,  THE
 CONSUMER  SHALL HAVE THE RIGHT TO REQUEST THE FOLLOWING INFORMATION FROM
 THE BUSINESS, AND SUCH BUSINESS SHALL  HAVE  THE  DUTY  TO  PROVIDE  IT,
 PROMPTLY AND FREE OF CHARGE, UPON RECEIPT OF A VERIFIABLE REQUEST:
   1.  THE CATEGORIES OF PERSONAL INFORMATION THAT THE BUSINESS DISCLOSED
 ABOUT THE CONSUMER, AND THE CATEGORIES OF  THIRD  PARTIES  TO  WHOM  THE
 PERSONAL  INFORMATION WAS DISCLOSED, BY CATEGORY OF PERSONAL INFORMATION
 FOR EACH CATEGORY OF THIRD PARTY; AND
   2. THE SPECIFIC THIRD PARTIES TO WHOM  THE  PERSONAL  INFORMATION  WAS
 DISCLOSED.
   §  676-F.  CONSENT  TO  ADDITIONAL  COLLECTION  OR SHARING OF PERSONAL
 INFORMATION. 1. OTHER THAN AS DESCRIBED IN SECTION SIX HUNDRED  SEVENTY-
 SIX-B  OF  THIS ARTICLE, A BUSINESS SHALL NOT COLLECT OR SHARE A CONSUM-
 ER'S PERSONAL INFORMATION UNLESS THE CONSUMER HAS AFFIRMATIVELY  AUTHOR-

 S. 9073                            10
 
 IZED  THE  COLLECTION  OR  DISCLOSURE.  THIS RIGHT TO COLLECT OR SHARE A
 CONSUMER'S PERSONAL INFORMATION MAY BE  REFERRED  TO  AS  THE  RIGHT  TO
 "OPT-IN CONSENT".
   2.  ANY  PERSONAL  INFORMATION  OF A CONSUMER COLLECTED OR SHARED BY A
 BUSINESS UPON THE AFFIRMATIVE AUTHORIZATION OF THE CONSUMER SHALL REMAIN
 THE PROPERTY OF SUCH CONSUMER, AND THE BUSINESS  SHALL  BE  REQUIRED  TO
 EXERCISE  REASONABLE  CARE  IN  THE COLLECTION AND SHARING OF SUCH DATA,
 CONSISTENT WITH ITS OBLIGATIONS TOWARDS THE CONSUMER AS BAILEE OF HIS OR
 HER PERSONAL INFORMATION.
   3. A BUSINESS SHALL REQUEST A USER'S OPT-IN  CONSENT  SEPARATELY  FROM
 ANY  OTHER  PERMISSION OR CONSENT, WITH THE OPTION TO DECLINE CONSENT AT
 LEAST AS PROMINENT AS THE OPTION TO PROVIDE CONSENT.
   4. IF A CONSUMER DECLINES TO  PROVIDE  THEIR  OPT-IN  CONSENT  TO  THE
 DISCLOSURE  OF  THEIR PERSONAL INFORMATION, A BUSINESS SHALL REFRAIN FOR
 AT LEAST TWELVE MONTHS BEFORE AGAIN REQUESTING THAT THE CONSUMER PROVIDE
 THEIR OPT-IN CONSENT TO THE DISCLOSURE OF THEIR PERSONAL INFORMATION.
   5. A BUSINESS MAY MAKE AVAILABLE A SETTING OR OTHER USER CONTROL  THAT
 THE  CONSUMER MAY AFFIRMATIVELY ACCESS IN ORDER TO CONSENT TO ADDITIONAL
 DATA COLLECTION OR SHARING.
   6. A BUSINESS THAT OBTAINS A CONSUMER'S OPT-IN CONSENT TO  COLLECT  OR
 DISCLOSE  THEIR  PERSONAL  INFORMATION  PURSUANT  TO  THIS SECTION SHALL
 PROVIDE CONSUMERS THE ABILITY TO WITHDRAW SUCH CONSENT THROUGH A READILY
 USABLE AND AUTOMATED MEANS AT ANY TIME.
   § 676-G. NO DISCRIMINATION BY A BUSINESS AGAINST A CONSUMER FOR  EXER-
 CISE  OF  RIGHTS.  A  BUSINESS SHALL NOT DISCRIMINATE AGAINST A CONSUMER
 BECAUSE THE CONSUMER EXERCISED ANY OF THE CONSUMER'S RIGHTS  UNDER  THIS
 ARTICLE  OR  DOES  NOT  PROVIDE CONSENT TO ADDITIONAL DATA COLLECTION OR
 SHARING UNDER SECTION SIX HUNDRED SEVENTY-SIX-F OF THIS ARTICLE  INCLUD-
 ING, BUT NOT LIMITED TO, BY:
   1. DENYING GOODS OR SERVICES TO THE CONSUMER;
   2. CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, INCLUDING
 THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS OR IMPOSING PENALTIES;
   3.  PROVIDING A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES TO THE
 CONSUMER; OR
   4. SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE
 FOR GOODS OR SERVICES OR A  DIFFERENT  LEVEL  OR  QUALITY  OF  GOODS  OR
 SERVICES.
   §  676-H. REASONABLE SECURITY. 1. A BUSINESS OR SERVICE PROVIDER SHALL
 IMPLEMENT AND MAINTAIN REASONABLE  SECURITY  PROCEDURES  AND  PRACTICES,
 INCLUDING  ADMINISTRATIVE, PHYSICAL, AND TECHNICAL SAFEGUARDS, APPROPRI-
 ATE TO THE NATURE OF THE INFORMATION AND  THE  PURPOSES  FOR  WHICH  THE
 PERSONAL INFORMATION WILL BE USED, TO PROTECT CONSUMERS' PERSONAL INFOR-
 MATION  FROM  UNAUTHORIZED  USE,  DISCLOSURE,  ACCESS,  DESTRUCTION,  OR
 MODIFICATION.
   2. A BUSINESS OR SERVICE PROVIDER MAY EMPLOY ANY LAWFUL SECURITY MEAS-
 URES THAT ALLOW IT TO COMPLY WITH THE REQUIREMENTS  SET  FORTH  IN  THIS
 SECTION.
   § 676-I. BUSINESS IMPLEMENTATION OF DUTIES. 1. A BUSINESS SHALL:
   (A)  MAKE  AVAILABLE  TO  CONSUMERS TWO OR MORE DESIGNATED METHODS FOR
 SUBMITTING REQUESTS PURSUANT TO SECTIONS SIX HUNDRED SEVENTY-SIX-C,  SIX
 HUNDRED  SEVENTY-SIX-D,  AND  SIX HUNDRED SEVENTY-SIX-E OF THIS ARTICLE,
 INCLUDING, AT A MINIMUM, A TELEPHONE NUMBER, AND, IF THE BUSINESS  MAIN-
 TAINS AN INTERNET WEB SITE, A WEB SITE ADDRESS;
   (B)  DISCLOSE  AND DELIVER THE REQUIRED INFORMATION TO A CONSUMER FREE
 OF CHARGE WITHIN FORTY-FIVE DAYS  OF  RECEIVING  A  VERIFIABLE  CONSUMER
 REQUEST. A BUSINESS SHALL TAKE STEPS TO DETERMINE WHETHER THE REQUEST IS

 S. 9073                            11
 
 A  VERIFIABLE  CONSUMER  REQUEST  FROM THE IDENTIFIED CONSUMER. THE TIME
 PERIOD MAY BE EXTENDED ONCE BY FORTY-FIVE DAYS  WHEN  REASONABLY  NECES-
 SARY,  PROVIDED  THE CONSUMER IS PROVIDED NOTICE OF THE EXTENSION WITHIN
 THE  FIRST  FORTY-FIVE DAY PERIOD. THE DISCLOSURE SHALL COVER THE TWELVE
 MONTH PERIOD PRECEDING THE REQUEST. IT SHALL BE  DELIVERED  THROUGH  THE
 CONSUMER'S  ACCOUNT  WITH  THE  BUSINESS,  IF  THE CONSUMER MAINTAINS AN
 ACCOUNT WITH THE BUSINESS, OR BY MAIL OR ELECTRONICALLY AT  THE  CONSUM-
 ER'S OPTION, IF THE CONSUMER DOES NOT MAINTAIN AN ACCOUNT WITH THE BUSI-
 NESS.  THE  BUSINESS SHALL NOT REQUIRE THE CONSUMER TO CREATE AN ACCOUNT
 WITH THE BUSINESS IN ORDER TO MAKE A VERIFIABLE REQUEST;
   (C) ENSURE THAT ALL  INDIVIDUALS  RESPONSIBLE  FOR  HANDLING  CONSUMER
 INQUIRIES  ABOUT  THE  BUSINESS'S  PRIVACY  PRACTICES  OR THE BUSINESS'S
 COMPLIANCE WITH THIS ARTICLE ARE INFORMED OF ALL  REQUIREMENTS  IN  THIS
 ARTICLE,  AND  HOW  TO DIRECT CONSUMERS TO EXERCISE THEIR RIGHTS IN THIS
 ARTICLE; AND
   (D) LIMIT THE USE OF  ANY  PERSONAL  INFORMATION  COLLECTED  FROM  THE
 CONSUMER  IN CONNECTION WITH A BUSINESS'S VERIFICATION OF THE CONSUMER'S
 REQUEST SOLELY FOR THE PURPOSES OF VERIFICATION.
   2. A BUSINESS SHALL  NOT  BE  OBLIGATED  TO  PROVIDE  THE  INFORMATION
 REQUIRED  BY SECTIONS SIX HUNDRED SEVENTY-SIX-D AND SIX HUNDRED SEVENTY-
 SIX-E OF THIS ARTICLE TO THE SAME CONSUMER MORE THAN TWICE IN  A  TWELVE
 MONTH PERIOD.
   §  676-J. EXCEPTIONS. 1. THE OBLIGATIONS IMPOSED ON BUSINESSES BY THIS
 ARTICLE SHALL NOT RESTRICT A BUSINESS'S OR  SERVICE  PROVIDER'S  ABILITY
 TO:
   (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
   (B)  COMPLY  WITH  A  CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI-
 GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, OR LOCAL AUTHORITIES;
   (C) COOPERATE WITH LAW  ENFORCEMENT  AGENCIES  CONCERNING  CONDUCT  OR
 ACTIVITY  THAT THE BUSINESS, SERVICE PROVIDER, OR THIRD PARTY REASONABLY
 AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAW;
   (D) EXERCISE OR DEFEND LEGAL CLAIMS;
   (E) COLLECT, USE, RETAIN, SELL, OR DISCLOSE CONSUMER INFORMATION  THAT
 IS DE-IDENTIFIED OR IN THE AGGREGATE; OR
   (F)  COLLECT OR SELL A CONSUMER'S PERSONAL INFORMATION IF EVERY ASPECT
 OF THAT COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE OF THE STATE.  FOR
 PURPOSES  OF THIS SECTION, COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE
 OF THE STATE IF THE BUSINESS COLLECTED INFORMATION  WHILE  THE  CONSUMER
 WAS OUTSIDE OF THE STATE, NO PART OF THE SALE OF THE CONSUMER'S PERSONAL
 INFORMATION OCCURRED IN THE STATE, AND NO PERSONAL INFORMATION COLLECTED
 WHILE  THE  CONSUMER  WAS IN THE STATE IS SOLD. THIS PARAGRAPH SHALL NOT
 PERMIT A BUSINESS FROM STORING, INCLUDING ON A DEVICE, PERSONAL INFORMA-
 TION ABOUT A CONSUMER WHEN SUCH  CONSUMER  IS  IN  THE  STATE  AND  THEN
 COLLECTING  SUCH  PERSONAL  INFORMATION  WHEN  SUCH  CONSUMER AND STORED
 PERSONAL INFORMATION IS OUTSIDE OF THE STATE.
   2. NOTHING IN THIS ARTICLE SHALL REQUIRE  A  BUSINESS  TO  VIOLATE  AN
 EVIDENTIARY  PRIVILEGE  UNDER STATE OR FEDERAL LAW OR PREVENT A BUSINESS
 FROM PROVIDING THE PERSONAL INFORMATION OF A CONSUMER WHO IS COVERED  BY
 AN  EVIDENTIARY PRIVILEGE UNDER STATE OR FEDERAL LAW AS PART OF A PRIVI-
 LEGED COMMUNICATION.
   3. THIS ARTICLE SHALL NOT APPLY TO ANY OF THE FOLLOWING:
   (A) MEDICAL INFORMATION GOVERNED BY PART 2.6 OF THE CONFIDENTIALITY OF
 MEDICAL  INFORMATION  ACT  OR  PROTECTED  HEALTH  INFORMATION  THAT   IS
 COLLECTED  BY  A  COVERED  ENTITY  OR BUSINESS ASSOCIATE GOVERNED BY THE
 PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED  OR  ESTABLISHED
 BY  THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, 45 C.F.R.

 S. 9073                            12
 
 PARTS 160 AND 164, THE HEALTH INSURANCE PORTABILITY  AND  ACCOUNTABILITY
 ACT OF 1996, OR THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLIN-
 ICAL HEALTH ACT;
   (B)  A  PROVIDER  OF HEALTH CARE GOVERNED BY PART 2.6 OF THE CONFIDEN-
 TIALITY OF MEDICAL INFORMATION ACT OR A COVERED ENTITY GOVERNED  BY  THE
 PRIVACY,  SECURITY,  AND BREACH NOTIFICATION RULES ISSUED OR ESTABLISHED
 BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, 45  C.F.R.
 PARTS  160 AND 164, OR THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABIL-
 ITY ACT OF 1996, TO THE EXTENT THE PROVIDER OR COVERED ENTITY  MAINTAINS
 PATIENT  INFORMATION  IN  THE  SAME  MANNER  AS  MEDICAL  INFORMATION OR
 PROTECTED HEALTH INFORMATION AS  DESCRIBED  IN  PARAGRAPH  (A)  OF  THIS
 SUBDIVISION;
   (C)  INFORMATION  COLLECTED AS PART OF A CLINICAL TRIAL SUBJECT TO THE
 FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN  AS  THE
 "COMMON  RULE",  PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY
 THE INTERNATIONAL COUNCIL FOR HARMONIZATION OR PURSUANT TO HUMAN SUBJECT
 PROTECTION REQUIREMENTS OF THE UNITED  STATES  FOOD  AND  DRUG  ADMINIS-
 TRATION;
   (D)  THE  SALE OF PERSONAL INFORMATION TO OR FROM A CONSUMER REPORTING
 AGENCY IF SUCH INFORMATION IS TO BE REPORTED IN, OR USED TO GENERATE,  A
 CONSUMER  REPORT  AS  DEFINED  IN SECTION THREE HUNDRED EIGHTY-A OF THIS
 CHAPTER AND USE OF THAT INFORMATION IS LIMITED BY THE FEDERAL FAIR CRED-
 IT REPORTING ACT, 15 USC 1681;
   (E) PERSONAL INFORMATION  COLLECTED,  PROCESSED,  SOLD,  OR  DISCLOSED
 PURSUANT  TO THE FEDERAL GRAMM-LEACH-BLILEY ACT OR ANY FINANCIAL PRIVACY
 LAWS OR REGULATIONS OF THE STATE OF NEW  YORK,  AND  IMPLEMENTING  REGU-
 LATIONS, IF IT IS IN CONFLICT WITH SUCH LAW; OR
   (F)  PERSONAL  INFORMATION  COLLECTED,  PROCESSED,  SOLD, OR DISCLOSED
 PURSUANT TO THE DRIVER'S PRIVACY PROTECTION ACT OF 1994,  IF  IT  IS  IN
 CONFLICT WITH SUCH ACT.
   4.  NOTWITHSTANDING  A  BUSINESS'  OBLIGATIONS TO RESPOND TO AND HONOR
 CONSUMER RIGHTS REQUESTS PURSUANT TO SECTIONS SIX HUNDRED SEVENTY-SIX-C,
 SIX HUNDRED SEVENTY-SIX-D, AND SIX HUNDRED SEVENTY-SIX-E OF  THIS  ARTI-
 CLE:
   (A) THE TIME PERIOD FOR A BUSINESS TO RESPOND TO ANY VERIFIED CONSUMER
 REQUEST MAY BE EXTENDED BY UP TO NINETY ADDITIONAL DAYS WHERE NECESSARY,
 TAKING  INTO  ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. A BUSI-
 NESS SHALL INFORM THE CONSUMER OF ANY SUCH EXTENSION  WITHIN  FORTY-FIVE
 DAYS OF RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY;
   (B) IF A BUSINESS DOES NOT TAKE ACTION ON THE REQUEST OF THE CONSUMER,
 SUCH BUSINESS SHALL INFORM THE CONSUMER, WITHOUT DELAY AND AT THE LATEST
 WITHIN  THE  TIME  PERIOD  PERMITTED OF RESPONSE BY THIS SECTION, OF THE
 REASONS FOR NOT TAKING ACTION AND ANY RIGHTS THE CONSUMER  MAY  HAVE  TO
 APPEAL THE DECISION TO THE BUSINESS; AND
   (C) IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED OR EXCESSIVE,
 IN  PARTICULAR  BECAUSE  OF  THEIR  REPETITIVE CHARACTER, A BUSINESS MAY
 EITHER CHARGE A REASONABLE FEE, TAKING INTO ACCOUNT  THE  ADMINISTRATIVE
 COSTS OF PROVIDING THE INFORMATION OR COMMUNICATION OR TAKING THE ACTION
 REQUESTED,  OR  REFUSE  TO ACT ON THE REQUEST AND NOTIFY THE CONSUMER OF
 THE REASON FOR REFUSING THE REQUEST. SUCH BUSINESS SHALL BEAR THE BURDEN
 OF DEMONSTRATING  THAT  ANY  VERIFIED  CONSUMER  REQUEST  IS  MANIFESTLY
 UNFOUNDED OR EXCESSIVE.
   5. A BUSINESS THAT DISCLOSES PERSONAL INFORMATION TO A SERVICE PROVID-
 ER  SHALL  NOT  BE  LIABLE  UNDER  THIS  ARTICLE IF THE SERVICE PROVIDER
 RECEIVING  THE  PERSONAL  INFORMATION  USES  IT  IN  VIOLATION  OF   THE
 RESTRICTIONS  SET  FORTH  IN THIS ARTICLE, PROVIDED THAT, AT THE TIME OF

 S. 9073                            13
 
 DISCLOSING THE PERSONAL INFORMATION, SUCH BUSINESS DOES NOT HAVE  ACTUAL
 KNOWLEDGE,  OR  REASON  TO BELIEVE, THAT THE SERVICE PROVIDER INTENDS TO
 COMMIT SUCH A VIOLATION. A SERVICE PROVIDER SHALL NOT  BE  LIABLE  UNDER
 THIS  ARTICLE  FOR  THE  OBLIGATIONS OF A BUSINESS FOR WHICH IT PROVIDES
 SERVICES AS SET FORTH IN THIS ARTICLE.
   6. THIS ARTICLE SHALL NOT BE CONSTRUED TO: (A) REQUIRE A  BUSINESS  TO
 COLLECT  OR  RETAIN PERSONAL INFORMATION ABOUT A CONSUMER LONGER THAN IT
 WOULD BE RETAINED SUCH INFORMATION IN THE ORDINARY COURSE  OF  BUSINESS;
 OR
   (B)  REQUIRE  A  BUSINESS TO RE-IDENTIFY OR OTHERWISE LINK INFORMATION
 THAT IS NOT MAINTAINED IN A MANNER THAT  WOULD  BE  CONSIDERED  PERSONAL
 INFORMATION.
   7.  THE  RIGHTS AFFORDED TO CONSUMERS AND THE OBLIGATIONS IMPOSED ON A
 BUSINESS PURSUANT TO THIS ARTICLE SHALL NOT ADVERSELY AFFECT THE  RIGHTS
 AND FREEDOMS OF OTHER CONSUMERS.
   8. THE RIGHTS AFFORDED TO CONSUMERS AND THE OBLIGATIONS IMPOSED ON ANY
 BUSINESS  PURSUANT  TO  THIS  ARTICLE SHALL NOT APPLY TO THE EXTENT THAT
 THEY INFRINGE ON THE NONCOMMERCIAL ACTIVITIES OF  A  PUBLISHER,  EDITOR,
 REPORTER,  OR  OTHER PERSON CONNECTED WITH OR EMPLOYED UPON A NEWSPAPER,
 MAGAZINE, OR OTHER PERIODICAL PUBLICATION, OR BY A PRESS ASSOCIATION  OR
 WIRE SERVICE.
   §  676-K.  CONSUMER'S  PRIVATE  RIGHT OF ACTION. 1. A CONSUMER WHO HAS
 SUFFERED A VIOLATION OF THIS ARTICLE MAY BRING  A  LAWSUIT  AGAINST  THE
 BUSINESS  THAT  COMMITTED  SUCH  VIOLATION.  A VIOLATION OF THIS ARTICLE
 SHALL BE DEEMED TO CONSTITUTE AN INJURY IN FACT TO THE CONSUMER WHO  HAS
 SUFFERED  SUCH  VIOLATION,  AND THE CONSUMER NEED NOT SUFFER MONETARY OR
 PROPERTY LOSS AS A RESULT OF SUCH VIOLATION IN ORDER TO BRING AN  ACTION
 FOR A VIOLATION OF THIS ARTICLE.
   2.  A CONSUMER WHO PREVAILS IN SUCH AN ACTION SHALL OBTAIN THE FOLLOW-
 ING REMEDIES:
   (A) DAMAGES IN AN AMOUNT NOT TO EXCEED SEVEN HUNDRED FIFTY DOLLARS PER
 CONSUMER PER VIOLATION OR ACTUAL DAMAGES, WHICHEVER IS GREATER;
   (B) INJUNCTIVE OR DECLARATORY RELIEF, AS THE COURT DEEMS PROPER;
   (C) REASONABLE ATTORNEY FEES AND COSTS; AND
   (D) ANY OTHER RELIEF THE COURT DEEMS PROPER.
   3. IN ASSESSING THE AMOUNT  OF  STATUTORY  DAMAGES,  THE  COURT  SHALL
 CONSIDER  ANY ONE OR MORE OF THE RELEVANT CIRCUMSTANCES PRESENTED BY ANY
 OF THE PARTIES TO THE CASE, INCLUDING, BUT NOT LIMITED  TO,  THE  NATURE
 AND  SERIOUSNESS  OF  THE  MISCONDUCT,  THE  NUMBER  OF  VIOLATIONS, THE
 PERSISTENCE OF THE MISCONDUCT, THE LENGTH OF TIME OVER WHICH THE MISCON-
 DUCT OCCURRED, THE WILLFULNESS OF THE DEFENDANT'S  MISCONDUCT,  AND  THE
 DEFENDANT'S ASSETS, LIABILITIES, AND NET WORTH.
   4. A CONSUMER BRINGING AN ACTION PURSUANT TO THIS SECTION SHALL NOTIFY
 THE ATTORNEY GENERAL WITHIN THIRTY DAYS OF THE FILING OF SUCH ACTION.
   §  676-L.  AGENCY  ENFORCEMENT ACTION. 1. THE ATTORNEY GENERAL, COUNTY
 DISTRICT ATTORNEY, OR CITY CORPORATION COUNSEL HAVING  PROPER  JURISDIC-
 TION  MAY BRING A CIVIL ACTION IN THE NAME OF THE PEOPLE OF THE STATE OF
 NEW YORK AGAINST ANY PERSON, BUSINESS, OR SERVICE PROVIDER WHO  VIOLATES
 ANY PROVISION OF THIS ARTICLE.
   2.  ANY  PERSON,  BUSINESS,  OR  SERVICE  PROVIDER  WHO  VIOLATES  THE
 PROVISIONS OF THIS ARTICLE MAY BE LIABLE FOR A CIVIL PENALTY  OF  UP  TO
 SEVEN  THOUSAND  FIVE HUNDRED DOLLARS FOR EACH INTENTIONAL VIOLATION AND
 OF UP TO TWO  THOUSAND  FIVE  HUNDRED  DOLLARS  FOR  EACH  UNINTENTIONAL
 VIOLATION.
   § 676-M. CONSTRUCTION. THIS ARTICLE IS INTENDED TO FURTHER THE CONSTI-
 TUTIONAL  RIGHT  OF  PRIVACY AND TO SUPPLEMENT EXISTING LAWS RELATING TO

 S. 9073                            14
 
 CONSUMERS' PERSONAL INFORMATION. THE PROVISIONS OF THIS ARTICLE ARE  NOT
 LIMITED  TO  INFORMATION  COLLECTED ELECTRONICALLY OR OVER THE INTERNET,
 BUT SHALL APPLY TO THE COLLECTION AND SALE OF ALL  PERSONAL  INFORMATION
 COLLECTED  BY A BUSINESS FROM CONSUMERS. WHEREVER POSSIBLE, LAW RELATING
 TO CONSUMERS' PERSONAL INFORMATION SHOULD BE CONSTRUED TO HARMONIZE WITH
 THE PROVISIONS OF THIS ARTICLE, BUT IN THE EVENT OF A  CONFLICT  BETWEEN
 OTHER LAWS AND THE PROVISIONS OF THIS ARTICLE, THE PROVISIONS OF THE LAW
 THAT AFFORD THE GREATEST PROTECTION FOR THE RIGHT OF PRIVACY FOR CONSUM-
 ERS SHALL CONTROL.
   §  676-N.  ATTORNEY  GENERAL  REGULATIONS.  1.  WITHIN ONE YEAR OF THE
 EFFECTIVE DATE OF THIS ARTICLE, THE ATTORNEY GENERAL SHALL  ADOPT  REGU-
 LATIONS  TO  FURTHER  THE  PURPOSES  OF THIS ARTICLE, INCLUDING, BUT NOT
 LIMITED TO:
   (A) DETAILING AS NEEDED THE TYPES OF  INFORMATION  THAT  ARE  PERSONAL
 INFORMATION  IN  TECHNOLOGY,  DATA  COLLECTION  PRACTICES,  OBSTACLES TO
 IMPLEMENTATION, AND PRIVACY CONCERNS;
   (B) ESTABLISHING ANY EXCEPTIONS NECESSARY  TO  COMPLY  WITH  STATE  OR
 FEDERAL  LAW,  INCLUDING,  BUT  NOT  LIMITED TO, THOSE RELATING TO TRADE
 SECRETS AND INTELLECTUAL PROPERTY RIGHTS;
   (C) FACILITATING AND GOVERNING  THE  SUBMISSION  OF  A  REQUEST  BY  A
 CONSUMER  TO  OPT  OUT  OF  THE SALE OF PERSONAL INFORMATION PURSUANT TO
 SECTION SIX HUNDRED SEVENTY-SIX-F OF THIS ARTICLE;
   (D) GOVERNING BUSINESS COMPLIANCE WITH A CONSUMER'S OPT-OUT REQUEST;
   (E) DEVELOPING A RECOGNIZABLE AND UNIFORM OPT-OUT LOGO  OR  BUTTON  BY
 ALL  BUSINESSES TO PROMOTE CONSUMER AWARENESS OF THE OPPORTUNITY TO OPT-
 OUT OF THE SALE OF PERSONAL INFORMATION;
   (F) ADJUSTING THE MONETARY THRESHOLD IN CLAUSE ONE OF SUBPARAGRAPH (I)
 OF PARAGRAPH (C) OF SUBDIVISION ONE OF SECTION SIX  HUNDRED  SEVENTY-SIX
 OF  THIS  ARTICLE  IN  JANUARY OF EVERY ODD-NUMBERED YEAR TO REFLECT ANY
 INCREASE IN THE CONSUMER PRICE INDEX;
   (G) ESTABLISHING RULES, PROCEDURES, AND ANY  EXCEPTIONS  NECESSARY  TO
 ENSURE  THAT THE NOTICES AND INFORMATION THAT BUSINESSES ARE REQUIRED TO
 PROVIDE PURSUANT TO THIS ARTICLE ARE PROVIDED IN A MANNER  THAT  MAY  BE
 EASILY  UNDERSTOOD  BY THE AVERAGE CONSUMER, ARE ACCESSIBLE TO CONSUMERS
 WITH DISABILITIES, AND ARE AVAILABLE IN THE LANGUAGE PRIMARILY  USED  TO
 INTERACT  WITH THE CONSUMER, INCLUDING ESTABLISHING RULES AND GUIDELINES
 REGARDING FINANCIAL INCENTIVE OFFERINGS; AND
   (H) ESTABLISHING RULES AND  PROCEDURES  TO  FURTHER  THE  PURPOSES  OF
 SECTIONS SIX HUNDRED SEVENTY-SIX-D AND SIX HUNDRED SEVENTY-SIX-E OF THIS
 ARTICLE  AND  TO  FACILITATE  A  CONSUMER'S OR THE CONSUMER'S AUTHORIZED
 AGENT'S ABILITY TO OBTAIN INFORMATION PURSUANT TO  SECTION  SIX  HUNDRED
 SEVENTY-SIX-I  OF THIS ARTICLE, WITH THE GOAL OF MINIMIZING THE ADMINIS-
 TRATIVE BURDEN ON CONSUMERS, TAKING INTO ACCOUNT  AVAILABLE  TECHNOLOGY,
 SECURITY CONCERNS, AND THE BURDEN ON THE BUSINESS, TO GOVERN A BUSINESS'
 DETERMINATION THAT A REQUEST FOR INFORMATION RECEIVED BY A CONSUMER IS A
 VERIFIABLE  CONSUMER  REQUEST,  INCLUDING  TREATING  A REQUEST SUBMITTED
 THROUGH A PASSWORD-PROTECTED ACCOUNT MAINTAINED BY THE CONSUMER WITH THE
 BUSINESS WHILE THE CONSUMER IS LOGGED INTO THE ACCOUNT AS  A  VERIFIABLE
 CONSUMER  REQUEST  AND PROVIDING A MECHANISM FOR A CONSUMER WHO DOES NOT
 MAINTAIN AN ACCOUNT WITH THE BUSINESS TO REQUEST INFORMATION THROUGH THE
 BUSINESS' AUTHENTICATION OF THE CONSUMER'S IDENTITY.
   2. THE ATTORNEY GENERAL MAY  UPDATE  THE  FOREGOING  REGULATIONS,  AND
 ADOPT  ADDITIONAL  REGULATIONS,  AS NECESSARY TO FURTHER THE PURPOSES OF
 THIS ARTICLE.
   3. BEFORE ADOPTING ANY REGULATIONS, THE ATTORNEY GENERAL SHALL SOLICIT
 BROAD PUBLIC PARTICIPATION CONCERNING THOSE REGULATIONS.

 S. 9073                            15
 
   § 676-O. INTERMEDIATE TRANSACTIONS. IF A SERIES  OF  STEPS  OR  TRANS-
 ACTIONS  WERE  COMPONENT PARTS OF A SINGLE TRANSACTION INTENDED FROM THE
 BEGINNING TO BE TAKEN WITH THE INTENTION OF AVOIDING THE REACH  OF  THIS
 ARTICLE,  A COURT SHALL DISREGARD THE INTERMEDIATE STEPS OR TRANSACTIONS
 FOR PURPOSES OF EFFECTUATING THE PURPOSES OF THIS ARTICLE.
   §  676-P.  NON-WAIVER. ANY PROVISION OF A CONTRACT OR AGREEMENT OF ANY
 KIND THAT PURPORTS TO WAIVE OR LIMIT IN  ANY  WAY  A  CONSUMER'S  RIGHTS
 UNDER THIS ARTICLE, INCLUDING, BUT NOT LIMITED TO, ANY RIGHT TO A REMEDY
 OR  MEANS  OF ENFORCEMENT, SHALL BE DEEMED CONTRARY TO PUBLIC POLICY AND
 SHALL BE VOID AND  UNENFORCEABLE.  THIS  SECTION  SHALL  NOT  PREVENT  A
 CONSUMER  FROM DECLINING TO REQUEST INFORMATION FROM A BUSINESS, DECLIN-
 ING TO OPT OUT OF A BUSINESS' SALE OF THE CONSUMER'S  PERSONAL  INFORMA-
 TION, OR AUTHORIZING A BUSINESS TO SELL THE CONSUMER'S PERSONAL INFORMA-
 TION AFTER PREVIOUSLY OPTING OUT.
   §  676-Q. SEVERABILITY. IF ANY PROVISION OF THIS ARTICLE OR THE APPLI-
 CATION THEREOF TO ANY PERSON, BUSINESS,  SERVICE  PROVIDER,  OR  CIRCUM-
 STANCES  IS  HELD  INVALID,  SUCH  INVALIDITY  SHALL  NOT  AFFECT  OTHER
 PROVISIONS OR APPLICATIONS OF THIS ARTICLE WHICH  CAN  BE  GIVEN  EFFECT
 WITHOUT  THE  INVALID  PROVISION  OR  APPLICATION,  AND  TO THIS END THE
 PROVISIONS OF THIS ARTICLE ARE DECLARED TO BE SEVERABLE.
   § 5. This act shall take effect one year after it shall have become  a
 law.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Find your Senator and share your views on important issues.

Do you support this bill?

Senate Bill S9073

Sponsored By

Archive: Last Bill Status - In Senate Committee Rules Committee

Actions

2019-S9073 (ACTIVE) - Details

2019-S9073 (ACTIVE) - Summary

2019-S9073 (ACTIVE) - Sponsor Memo

2019-S9073 (ACTIVE) - Bill Text download pdf

Comments

Do you support this bill?

Get Status Alerts for 2019-S9073

Senate Bill S9073

Share this bill

Sponsored By

Leroy Comrie

Archive: Last Bill Status - In Senate Committee Rules Committee

Actions

2019-S9073 (ACTIVE) - Details

2019-S9073 (ACTIVE) - Summary

2019-S9073 (ACTIVE) - Sponsor Memo

2019-S9073 (ACTIVE) - Bill Text download pdf

Comments