Date | Action (Assembly actions lowercase, Senate actions UPPERCASE) |
---|---|
Jan 08, 2020 | referred to consumer affairs and protection |
Aug 07, 2019 | referred to consumer affairs and protection |
Assembly Bill A8526
2019-2020 Legislative Session
Relates to enacting the NY privacy act
Sponsored By
ROSENTHAL L
Archive: Last Bill Status - In Assembly Committee
Co-Sponsors
Dan Quart
David Weprin
Daniel Rosenthal
Patrick Burke
A8526 (ACTIVE) - Summary
Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared; creates a special account to fund a new office of privacy and data protection.
A8526 (ACTIVE) - Bill Text
STATE OF NEW YORK
8526
2019-2020 Regular Sessions
IN ASSEMBLY
August 7, 2019
Introduced by M. of A. L. ROSENTHAL -- read once and referred to the Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to the management and oversight of personal data
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. Short title. This act may be known and cited as the "New York privacy act".
§ 2. The general business law is amended by adding a new article 42 to read as follows:
ARTICLE 42
NEW YORK PRIVACY ACT
SECTION 1100. DEFINITIONS.
1101. JURISDICTIONAL SCOPE.
1102. DATA FIDUCIARY.
1103. CONSUMER RIGHTS.
1104. TRANSPARENCY.
1105. RESPONSIBILITY ACCORDING TO ROLE.
1106. DE-IDENTIFIED DATA.
1107. EXEMPTIONS.
1108. LIABILITY.
1109. ENFORCEMENT.
1110. PREEMPTION.
§ 1100. DEFINITIONS. THE DEFINITIONS IN THIS ARTICLE APPLY UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE:
1. "AFFILIATE" MEANS A LEGAL ENTITY THAT CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH, ANOTHER LEGAL ENTITY, WHERE THE ENTITY HOLDS ITSELF OUT AS AFFILIATED OR UNDER COMMON OWNERSHIP SUCH THAT A CONSUMER ACTING REASONABLY UNDER THE CIRCUMSTANCES WOULD ANTICIPATE THEIR PERSONAL DATA BEING PROVIDED TO AN AFFILIATE.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD10868-05-9
2. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT ESTABLISHING A FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT TO THE PROCESSING OF PERSONAL DATA RELATING TO THE CONSUMER, SUCH AS BY A WRITTEN STATEMENT OR OTHER CLEAR AFFIRMATIVE ACTION.
3. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT. IT DOES NOT INCLUDE AN EMPLOYEE OR CONTRACTOR OF A BUSINESS ACTING IN THEIR ROLE AS AN EMPLOYEE OR CONTRACTOR.
4. "CONTROLLER" MEANS THE NATURAL OR LEGAL PERSON WHO, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA.
5. "DATA BROKER" MEANS A BUSINESS, OR UNIT OR UNITS OF A BUSINESS, SEPARATELY OR TOGETHER, THAT EARNS ITS PRIMARY REVENUE FROM SUPPLYING DATA OR INFERENCES ABOUT PEOPLE GATHERED MAINLY FROM SOURCES OTHER THAN THE DATA SOURCES THEMSELVES.
6. "DE-IDENTIFIED DATA" MEANS:
(A) DATA THAT CANNOT BE LINKED TO A KNOWN NATURAL PERSON WITHOUT ADDITIONAL INFORMATION NOT AVAILABLE TO THE CONTROLLER; OR
(B) DATA (I) THAT HAS BEEN MODIFIED TO A DEGREE THAT THE RISK OF RE-IDENTIFICATION IS SMALL AS DETERMINED BY A PERSON WITH APPROPRIATE KNOWLEDGE OF AND EXPERIENCE WITH GENERALLY ACCEPTED STATISTICAL AND SCIENTIFIC PRINCIPLES AND METHODS FOR DE-IDENTIFYING DATA, (II) THAT IS SUBJECT TO A PUBLIC COMMITMENT BY THE CONTROLLER NOT TO ATTEMPT TO RE-IDENTIFY THE DATA, AND (III) TO WHICH ONE OR MORE ENFORCEABLE CONTROLS TO PREVENT RE-IDENTIFICATION HAS BEEN APPLIED. ENFORCEABLE CONTROLS TO PREVENT RE-IDENTIFICATION MAY INCLUDE LEGAL, ADMINISTRATIVE, TECHNICAL, OR CONTRACTUAL CONTROLS.
7. "DEVELOPER" MEANS A PERSON WHO CREATES OR MODIFIES THE SET OF INSTRUCTIONS OR PROGRAMS INSTRUCTING A COMPUTER OR DEVICE TO PERFORM TASKS.
8. "IDENTIFIED OR IDENTIFIABLE NATURAL PERSON" MEANS A PERSON WHO CAN BE IDENTIFIED, DIRECTLY OR INDIRECTLY, IN PARTICULAR BY REFERENCE TO SPECIFIC INFORMATION INCLUDING, BUT NOT LIMITED TO, A NAME, AN IDENTIFICATION NUMBER, SPECIFIC GEOLOCATION DATA, OR AN ONLINE IDENTIFIER.
9. "MINOR" MEANS ANY PERSON UNDER EIGHTEEN YEARS OF AGE.
10. "PERSONAL DATA" MEANS INFORMATION RELATING TO AN IDENTIFIED OR IDENTIFIABLE NATURAL PERSON.
(A) "PERSONAL DATA" INCLUDES:
(I) AN IDENTIFIER SUCH AS A REAL NAME, ALIAS, SIGNATURE, DATE OF BIRTH, GENDER IDENTITY, SEXUAL ORIENTATION, MARITAL STATUS, PHYSICAL CHARACTERISTIC OR DESCRIPTION, POSTAL ADDRESS, TELEPHONE NUMBER, UNIQUE PERSONAL IDENTIFIER, MILITARY IDENTIFICATION NUMBER, ONLINE IDENTIFIER, INTERNET PROTOCOL ADDRESS, EMAIL ADDRESS, ACCOUNT NAME, MOTHER'S MAIDEN NAME, SOCIAL SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT NUMBER, OR OTHER SIMILAR IDENTIFIER;
(II) INFORMATION SUCH AS EMPLOYMENT, EMPLOYMENT HISTORY, BANK ACCOUNT NUMBER, CREDIT CARD NUMBER, DEBIT CARD NUMBER, INSURANCE POLICY NUMBER, OR ANY OTHER FINANCIAL INFORMATION, MEDICAL INFORMATION, MENTAL HEALTH INFORMATION, OR HEALTH INSURANCE INFORMATION;
(III) COMMERCIAL INFORMATION, INCLUDING A RECORD OF PERSONAL PROPERTY, INCOME, ASSETS, LEASES, RENTALS, PRODUCTS OR SERVICES PURCHASED, OBTAINED, OR CONSIDERED, OR OTHER PURCHASING OR CONSUMING HISTORY;
(IV) BIOMETRIC INFORMATION, INCLUDING A RETINA OR IRIS SCAN, FINGERPRINT, VOICEPRINT, OR SCAN OF HAND OR FACE GEOMETRY;
(V) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION, INCLUDING BROWSING HISTORY, SEARCH HISTORY, CONTENT, INCLUDING TEXT, PHOTOGRAPHS, AUDIO OR VIDEO RECORDINGS, OR OTHER USER GENERATED-CONTENT, NON-PUBLIC COMMUNICATIONS, AND INFORMATION REGARDING AN INDIVIDUAL'S INTERACTION WITH AN INTERNET WEBSITE, MOBILE APPLICATION, OR ADVERTISEMENT;
(VI) HISTORICAL OR REAL-TIME GEOLOCATION DATA;
(VII) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR INFORMATION;
(VIII) EDUCATION RECORDS, AS DEFINED IN SECTION THIRTY-THREE HUNDRED TWO OF THE EDUCATION LAW;
(IX) POLITICAL INFORMATION OR INFORMATION ON CRIMINAL CONVICTIONS OR ARRESTS;
(X) ANY REQUIRED SECURITY CODE, ACCESS CODE, PASSWORD, OR USERNAME NECESSARY TO PERMIT ACCESS TO THE ACCOUNT OF AN INDIVIDUAL;
(XI) CHARACTERISTICS OF PROTECTED CLASSES UNDER THE HUMAN RIGHTS LAW, INCLUDING RACE, COLOR, NATIONAL ORIGIN, RELIGION, SEX, AGE, OR DISABILITY; OR
(XII) AN INFERENCE DRAWN FROM ANY OF THE INFORMATION DESCRIBED IN THIS PARAGRAPH TO CREATE A PROFILE ABOUT AN INDIVIDUAL REFLECTING THE INDIVIDUAL'S PREFERENCES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS, PREFERENCES, PREDISPOSITIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, OR APTITUDES.
(B) THE TERM PERSONAL DATA DOES NOT INCLUDE PUBLICLY AVAILABLE INFORMATION. "PUBLICLY AVAILABLE INFORMATION":
(I) MEANS INFORMATION THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; AND
(II) DOES NOT INCLUDE BIOMETRIC INFORMATION COLLECTED BY A COVERED ENTITY ABOUT AN INDIVIDUAL WITHOUT THE INDIVIDUAL'S KNOWLEDGE, OR INFORMATION USED FOR A PURPOSE THAT IS NOT COMPATIBLE WITH THE PURPOSE FOR WHICH THE INFORMATION IS MAINTAINED AND MADE AVAILABLE IN GOVERNMENT RECORDS.
(C) PERSONAL DATA DOES NOT INCLUDE DE-IDENTIFIED DATA.
11. "PROCESS" OR "PROCESSING" MEANS ANY OPERATION OR SET OF OPERATIONS THAT IS PERFORMED ON PERSONAL DATA OR ON SETS OF PERSONAL DATA, WHETHER OR NOT BY AUTOMATED MEANS, SUCH AS COLLECTION, RECORDING, ORGANIZATION, STRUCTURING, STORAGE, ADAPTATION OR ALTERATION, RETRIEVAL, CONSULTATION, USE, DISCLOSURE BY TRANSMISSION, DISSEMINATION OR OTHERWISE MAKING AVAILABLE, ALIGNMENT OR COMBINATION, RESTRICTION, DELETION, OR DESTRUCTION.
12. "PROCESSOR" MEANS A NATURAL OR LEGAL PERSON WHO PROCESSES PERSONAL DATA ON BEHALF OF THE CONTROLLER.
13. "PROFILING" MEANS ANY FORM OF AUTOMATED PROCESSING OF PERSONAL DATA CONSISTING OF THE USE OF PERSONAL DATA TO EVALUATE CERTAIN PERSONAL ASPECTS RELATING TO A NATURAL PERSON, IN PARTICULAR TO ANALYZE OR PREDICT ASPECTS CONCERNING THAT NATURAL PERSON'S ECONOMIC SITUATION, HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS.
14. "RESTRICTION OF PROCESSING" MEANS THE MARKING OF STORED PERSONAL DATA WITH THE AIM OF LIMITING THE PROCESSING OF SUCH PERSONAL DATA IN THE FUTURE.
15. (A) "SALE", "SELL" OR "SOLD" MEANS THE EXCHANGE OF PERSONAL DATA FOR CONSIDERATION BY THE CONTROLLER TO A THIRD PARTY.
(B) "SALE" DOES NOT INCLUDE THE FOLLOWING:
(I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR WHO PROCESSES THE PERSONAL DATA ON BEHALF OF THE CONTROLLER;
(II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY WITH WHOM THE CONSUMER HAS A DIRECT RELATIONSHIP FOR PURPOSES OF PROVIDING A PRODUCT OR SERVICE REQUESTED BY THE CONSUMER OR OTHERWISE IN A MANNER THAT IS CONSISTENT WITH A CONSUMER'S REASONABLE EXPECTATIONS CONSIDERING THE CONTEXT IN WHICH THE CONSUMER PROVIDED THE PERSONAL DATA TO THE CONTROLLER;
(III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN AFFILIATE OF THE CONTROLLER; OR
(IV) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO A THIRD PARTY AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER'S ASSETS, IF CONSUMERS ARE NOTIFIED OF THE TRANSFER OF THEIR DATA AND OF THEIR RIGHTS UNDER THIS ARTICLE AND AFFIRMATIVELY CONSENT TO THE DISCLOSURE AND TRANSFER OF DATA.
16. "TARGETED ADVERTISING" MEANS DISPLAYING ADVERTISEMENTS TO A CONSUMER WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED OVER TIME FROM A CONSUMER'S ACTIVITIES ACROSS WEB SITES, APPLICATIONS OR ONLINE SERVICES. IT DOES NOT INCLUDE ADVERTISING TO A CONSUMER BASED UPON THE CONSUMER'S CURRENT VISIT TO A WEB SITE, APPLICATION, OR ONLINE SERVICE, OR IN RESPONSE TO THE CONSUMER'S REQUEST FOR INFORMATION OR FEEDBACK.
17. "OPT-IN" MEANS AFFIRMATIVE, EXPRESS CONSENT OF AN INDIVIDUAL FOR A COVERED ENTITY TO USE, DISCLOSE, OR PERMIT ACCESS TO THE INDIVIDUAL'S PERSONAL DATA AFTER THE INDIVIDUAL HAS RECEIVED EXPLICIT NOTIFICATION OF THE REQUEST OF THE COVERED ENTITY WITH RESPECT TO THAT DATA.
§ 1101. JURISDICTIONAL SCOPE.
1. THIS ARTICLE APPLIES TO LEGAL ENTITIES THAT CONDUCT BUSINESS IN NEW YORK STATE OR PRODUCE PRODUCTS OR SERVICES THAT ARE INTENTIONALLY TARGETED TO RESIDENTS OF NEW YORK STATE.
2. THIS ARTICLE DOES NOT APPLY TO:
(A) STATE AND LOCAL GOVERNMENTS;
(B) PERSONAL DATA SETS TO THE EXTENT THAT THEY ARE REGULATED BY THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, OR THE GRAMM-LEACH-BLILEY ACT OF 1999; OR
(C) DATA SETS MAINTAINED FOR EMPLOYMENT RECORDS PURPOSES.
§ 1102. DATA FIDUCIARY.
1. PERSONAL DATA OF CONSUMERS SHALL NOT BE USED, PROCESSED OR TRANSFERRED TO A THIRD PARTY, UNLESS THE CONSUMER PROVIDES EXPRESS AND DOCUMENTED CONSENT. EVERY LEGAL ENTITY, OR ANY AFFILIATE OF SUCH ENTITY, AND EVERY CONTROLLER AND DATA BROKER, WHICH COLLECTS, SELLS OR LICENSES PERSONAL INFORMATION OF CONSUMERS, SHALL EXERCISE THE DUTY OF CARE, LOYALTY AND CONFIDENTIALITY EXPECTED OF A FIDUCIARY WITH RESPECT TO SECURING THE PERSONAL DATA OF A CONSUMER AGAINST A PRIVACY RISK; AND SHALL ACT IN THE BEST INTERESTS OF THE CONSUMER, WITHOUT REGARD TO THE INTERESTS OF THE ENTITY, CONTROLLER OR DATA BROKER, IN A MANNER EXPECTED BY A REASONABLE CONSUMER UNDER THE CIRCUMSTANCES.
(A) EVERY LEGAL ENTITY, OR AFFILIATE OF SUCH ENTITY, AND EVERY CONTROLLER AND DATA BROKER TO WHICH THIS ARTICLE APPLIES SHALL:
(I) REASONABLY SECURE PERSONAL DATA FROM UNAUTHORIZED ACCESS; AND
(II) PROMPTLY INFORM A CONSUMER OF ANY BREACH OF THE DUTY DESCRIBED IN THIS PARAGRAPH WITH RESPECT TO PERSONAL DATA OF SUCH CONSUMER.
(B) A LEGAL ENTITY, AN AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER MAY NOT USE PERSONAL DATA, OR DATA DERIVED FROM PERSONAL DATA, IN ANY WAY THAT:
(I) WILL BENEFIT THE ONLINE SERVICE PROVIDER TO THE DETRIMENT OF AN END USER; AND
(II) (A) WILL RESULT IN REASONABLY FORESEEABLE AND MATERIAL PHYSICAL OR FINANCIAL HARM TO A CONSUMER; OR (B) WOULD BE UNEXPECTED AND HIGHLY OFFENSIVE TO A REASONABLE CONSUMER.
(C) A LEGAL ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER:
(I) MAY NOT DISCLOSE OR SELL PERSONAL DATA TO, OR SHARE PERSONAL DATA WITH, ANY OTHER PERSON EXCEPT AS CONSISTENT WITH THE DUTIES OF CARE AND LOYALTY UNDER PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION;
(II) MAY NOT DISCLOSE OR SELL PERSONAL DATA TO, OR SHARE PERSONAL DATA WITH, ANY OTHER PERSON UNLESS THAT PERSON ENTERS INTO A CONTRACT THAT IMPOSES THE SAME DUTIES OF CARE, LOYALTY, AND CONFIDENTIALLY TOWARD THE CONSUMER AS ARE IMPOSED UNDER THIS SECTION; AND
(III) SHALL TAKE REASONABLE STEPS TO ENSURE THAT THE PRACTICES OF ANY PERSON TO WHOM THE ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER DISCLOSES OR SELLS, OR WITH WHOM THE ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER SHARES. PERSONAL DATA FULFILLS THE DUTIES OF CARE, LOYALTY, AND CONFIDENTIALITY ASSUMED BY THE PERSON UNDER THE CONTRACT DESCRIBED IN SUBPARAGRAPH (II) OF THIS PARAGRAPH, INCLUDING BY AUDITING, ON A REGULAR BASIS, THE DATA SECURITY AND DATA INFORMATION PRACTICES OF ANY SUCH ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER.
2. FOR THE PURPOSES OF THIS SECTION THE TERM "PRIVACY RISK" MEANS POTENTIAL ADVERSE CONSEQUENCES TO CONSUMERS AND SOCIETY ARISING FROM THE PROCESSING OF PERSONAL DATA, INCLUDING, BUT NOT LIMITED TO:
(A) DIRECT OR INDIRECT FINANCIAL LOSS OR ECONOMIC HARM;
(B) PHYSICAL HARM;
(C) PSYCHOLOGICAL HARM, INCLUDING ANXIETY, EMBARRASSMENT, FEAR, AND OTHER DEMONSTRABLE MENTAL TRAUMA;
(D) SIGNIFICANT INCONVENIENCE OR EXPENDITURE OF TIME;
(E) ADVERSE OUTCOMES OR DECISIONS WITH RESPECT TO AN INDIVIDUAL'S ELIGIBILITY FOR RIGHTS, BENEFITS OR PRIVILEGES IN EMPLOYMENT (INCLUDING, BUT NOT LIMITED TO, HIRING, FIRING, PROMOTION, DEMOTION, COMPENSATION), CREDIT AND INSURANCE (INCLUDING, BUT NOT LIMITED TO, DENIAL OF AN APPLICATION OR OBTAINING LESS FAVORABLE TERMS), HOUSING, EDUCATION, PROFESSIONAL CERTIFICATION, OR THE PROVISION OF HEALTH CARE AND RELATED SERVICES;
(F) STIGMATIZATION OR REPUTATIONAL HARM;
(G) DISRUPTION AND INTRUSION FROM UNWANTED COMMERCIAL COMMUNICATIONS OR CONTACTS;
(H) PRICE DISCRIMINATION;
(I) EFFECTS ON AN INDIVIDUAL THAT ARE NOT REASONABLY FORESEEABLE, CONTEMPLATED BY, OR EXPECTED BY THE INDIVIDUAL TO WHOM THE PERSONAL DATA RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEABLE, CONTEMPLATED BY, OR EXPECTED BY THE CONTROLLER ASSESSING PRIVACY RISK, THAT: (A) ALTERS THAT INDIVIDUAL'S EXPERIENCES; (B) LIMITS THAT INDIVIDUAL'S CHOICES; (C) INFLUENCES THAT INDIVIDUAL'S RESPONSES; OR (D) PREDETERMINES RESULTS; OR
(J) OTHER ADVERSE CONSEQUENCES THAT AFFECT AN INDIVIDUAL'S PRIVATE LIFE, INCLUDING PRIVATE FAMILY MATTERS, ACTIONS AND COMMUNICATIONS WITHIN AN INDIVIDUAL'S HOME OR SIMILAR PHYSICAL, ONLINE, OR DIGITAL LOCATION, WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION THAT PERSONAL DATA WILL NOT BE COLLECTED OR USED.
3. THE FIDUCIARY DUTY OWED TO A CONSUMER UNDER THIS SECTION SHALL SUPERSEDE ANY DUTY OWED TO OWNERS OR SHAREHOLDERS OF A LEGAL ENTITY OR AFFILIATE THEREOF, CONTROLLER OR DATA BROKER, TO WHOM THIS ARTICLE APPLES.
§ 1103. CONSUMER RIGHTS. ANY ENTITY SUBJECT TO THE PROVISIONS OF THIS ARTICLE SHALL PROVIDE NOTICE TO CONSUMERS OF THEIR RIGHTS UNDER THIS ARTICLE AND SHALL PROVIDE CONSUMERS THE OPPORTUNITY TO OPT IN OR OPT OUT OF PROCESSING THEIR PERSONAL DATA IN SUCH A MANNER THAT THE CONSUMER MUST SELECT AND CLEARLY INDICATE THEIR CONSENT OR DENIAL OF CONSENT. CONTROLLERS SHALL FACILITATE REQUESTS TO EXERCISE THE CONSUMER RIGHTS SET FORTH IN SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION.
1. ON REQUEST FROM A CONSUMER, A CONTROLLER SHALL CONFIRM WHETHER OR NOT PERSONAL DATA CONCERNING THE CONSUMER IS BEING PROCESSED BY THE CONTROLLER, INCLUDING WHETHER SUCH PERSONAL DATA IS SOLD TO DATA BROKERS, AND, WHERE PERSONAL DATA CONCERNING THE CONSUMER IS BEING PROCESSED BY THE CONTROLLER, PROVIDE ACCESS TO SUCH PERSONAL DATA CONCERNING THE CONSUMER AND THE NAMES OF THIRD PARTIES TO WHOM PERSONAL DATA IS SOLD OR LICENSED. ON REQUEST FROM A CONSUMER, A CONTROLLER SHALL PROVIDE A COPY OF THE PERSONAL DATA UNDERGOING PROCESSING FREE OF CHARGE, UP TO TWICE ANNUALLY. FOR ANY FURTHER COPIES REQUESTED BY THE CONSUMER, THE CONTROLLER MAY CHARGE A REASONABLE FEE BASED ON ADMINISTRATIVE COSTS. WHERE THE CONSUMER MAKES THE REQUEST BY ELECTRONIC MEANS, AND UNLESS OTHERWISE REQUESTED BY THE CONSUMER, THE INFORMATION SHALL BE PROVIDED IN A COMMONLY USED ELECTRONIC FORM.
2. ON REQUEST FROM A CONSUMER, THE CONTROLLER, WITHOUT UNDUE DELAY, SHALL CORRECT INACCURATE PERSONAL DATA CONCERNING THE CONSUMER. TAKING INTO ACCOUNT THE PURPOSES OF THE PROCESSING, THE CONTROLLER SHALL COMPLETE INCOMPLETE PERSONAL DATA, INCLUDING BY MEANS OF PROVIDING A SUPPLEMENTARY STATEMENT.
3. (A) ON REQUEST FROM A CONSUMER, A CONTROLLER SHALL DELETE THE CONSUMER'S PERSONAL DATA WITHOUT UNDUE DELAY WHERE ONE OF THE FOLLOWING GROUNDS APPLIES:
(I) THE PERSONAL DATA IS NO LONGER NECESSARY IN RELATION TO THE PURPOSES FOR WHICH THE PERSONAL DATA WAS COLLECTED OR OTHERWISE PROCESSED;
(II) FOR PROCESSING THAT REQUIRES CONSENT UNDER SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE, THE CONSUMER WITHDRAWS CONSENT TO PROCESSING;
(III) THE PERSONAL DATA HAS BEEN UNLAWFULLY PROCESSED;
(IV) TO COMPLY WITH A LEGAL OBLIGATION UNDER FEDERAL, STATE, OR LOCAL LAW TO WHICH THE CONTROLLER IS SUBJECT; OR
(V) THE CONSUMER OTHERWISE REQUESTS THAT THE DATA BE DELETED.
(B) WHERE THE CONTROLLER IS OBLIGED TO DELETE PERSONAL DATA UNDER THIS SECTION THAT HAS BEEN DISCLOSED TO THIRD PARTIES BY THE CONTROLLER, INCLUDING DATA BROKERS THAT RECEIVED THE DATA THROUGH A SALE, THE CONTROLLER SHALL TAKE REASONABLE STEPS, WHICH MAY INCLUDE TECHNICAL MEASURES, TO INFORM OTHER CONTROLLERS THAT ARE PROCESSING THE PERSONAL DATA THAT THE CONSUMER HAS REQUESTED THE DELETION BY THE OTHER CONTROLLERS OF ANY LINKS TO, OR COPY OR REPLICATION OF, THE PERSONAL DATA. COMPLIANCE WITH THIS OBLIGATION SHALL TAKE INTO ACCOUNT AVAILABLE TECHNOLOGY AND COST OF IMPLEMENTATION.
(C) THIS SUBDIVISION DOES NOT APPLY TO THE EXTENT PROCESSING IS NECESSARY:
(I) FOR EXERCISING THE RIGHT OF FREE SPEECH;
(II) FOR COMPLIANCE WITH A LEGAL OBLIGATION THAT REQUIRES PROCESSING BY FEDERAL, STATE, OR LOCAL LAW TO WHICH THE CONTROLLER IS SUBJECT OR FOR THE PERFORMANCE OF A TASK CARRIED OUT IN THE PUBLIC INTEREST OR IN THE EXERCISE OF OFFICIAL AUTHORITY VESTED IN THE CONTROLLER;
(III) FOR REASONS OF PUBLIC INTEREST IN THE AREA OF PUBLIC HEALTH, WHERE THE PROCESSING (A) IS SUBJECT TO SUITABLE AND SPECIFIC MEASURES TO SAFEGUARD THE RIGHTS OF THE CONSUMER; AND (B) IS PROCESSED BY OR UNDER THE RESPONSIBILITY OF A PROFESSIONAL SUBJECT TO CONFIDENTIALITY OBLIGATIONS UNDER FEDERAL, STATE, OR LOCAL LAW;
(IV) FOR ARCHIVING PURPOSES IN THE PUBLIC INTEREST, SCIENTIFIC OR HISTORICAL RESEARCH PURPOSES, OR STATISTICAL PURPOSES, WHERE THE DELETION OF SUCH PERSONAL DATA IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR THE ACHIEVEMENT OF THE OBJECTIVES OF THE PROCESSING; OR
(V) FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS.
4. (A) THE CONTROLLER SHALL CEASE PROCESSING IF ONE OF THE FOLLOWING GROUNDS APPLIES:
(I) THE ACCURACY OF THE PERSONAL DATA IS CONTESTED BY THE CONSUMER, FOR A PERIOD ENABLING THE CONTROLLER TO VERIFY THE ACCURACY OF THE PERSONAL DATA;
(II) THE PROCESSING IS UNLAWFUL AND THE CONSUMER OPPOSES THE DELETION OF THE PERSONAL DATA AND REQUESTS THE RESTRICTION OF PROCESSING INSTEAD;
(III) THE CONTROLLER NO LONGER NEEDS THE PERSONAL DATA FOR THE PURPOSES OF THE PROCESSING, BUT SUCH PERSONAL DATA IS REQUIRED BY THE CONSUMER FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS; OR
(IV) THE CONSUMER OTHERWISE REQUESTS THAT THE CONTROLLER CEASE PROCESSING.
(B) WHERE PERSONAL DATA IS SUBJECT TO A RESTRICTION OR PROCESSING UNDER THIS SUBDIVISION, THE PERSONAL DATA SHALL, WITH THE EXCEPTION OF STORAGE, ONLY BE PROCESSED (I) WITH THE CONSUMER'S CONSENT; (II) FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS; OR (III) FOR REASONS OF IMPORTANT PUBLIC INTEREST UNDER FEDERAL, STATE, OR LOCAL LAW.
(C) WHERE A CONSUMER HAS TAKEN STEPS BY THE ONLINE SELECTION OF OPTIONS RELATED TO SHARING PERSONAL DATA A CONTROLLER IS OBLIGATED TO ADHERE TO SUCH SELECTIONS.
5. (A) ON REQUEST FROM A CONSUMER, THE CONTROLLER SHALL PROVIDE THE CONSUMER ANY PERSONAL DATA CONCERNING SUCH CONSUMER THAT SUCH CONSUMER HAS PROVIDED TO THE CONTROLLER IN A STRUCTURED, COMMONLY USED, AND MACHINE-READABLE FORMAT IF (I)(A) THE PROCESSING OF SUCH PERSONAL DATA REQUIRES CONSENT UNDER SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE, (B) THE PROCESSING OF SUCH PERSONAL DATA IS NECESSARY FOR THE PERFORMANCE OF A CONTRACT TO WHICH THE CONSUMER IS A PARTY, OR (C) IN ORDER TO TAKE STEPS AT THE REQUEST OF THE CONSUMER PRIOR TO ENTERING INTO A CONTRACT; AND (II) THE PROCESSING IS CARRIED OUT BY AUTOMATED MEANS.
(B) CONTROLLERS SHALL TRANSMIT THE PERSONAL DATA REQUESTED UNDER THIS SUBDIVISION DIRECTLY FROM ONE CONTROLLER TO ANOTHER, WHERE TECHNICALLY FEASIBLE, AND TRANSMIT THE PERSONAL DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE FROM THE CONTROLLER TO WHICH THE PERSONAL DATA WAS PROVIDED.
(C) REQUESTS FOR PERSONNEL DATA UNDER THIS SUBDIVISION SHALL BE WITHOUT PREJUDICE TO SUBDIVISION THREE OF THIS SECTION.
(D) THE RIGHTS PROVIDED IN THIS SUBDIVISION DO NOT APPLY TO PROCESSING NECESSARY FOR THE PERFORMANCE OF A TASK CARRIED OUT IN THE PUBLIC INTEREST AND SHALL NOT ADVERSELY AFFECT THE RIGHTS OF CONSUMERS.
6. A CONSUMER SHALL NOT BE SUBJECT TO A DECISION BASED SOLELY ON PROFILING WHICH PRODUCES LEGAL EFFECTS CONCERNING SUCH CONSUMER OR SIMILARLY SIGNIFICANTLY AFFECTS THE CONSUMER. LEGAL OR SIMILARLY SIGNIFICANT EFFECTS INCLUDE, BUT ARE NOT LIMITED TO, DENIAL OF CONSEQUENTIAL SERVICES OR SUPPORT, SUCH AS FINANCIAL AND LENDING SERVICES, HOUSING, INSURANCE, EDUCATION ENROLLMENT, CRIMINAL JUSTICE, EMPLOYMENT OPPORTUNITIES, AND HEALTH CARE SERVICES.
(A) THIS SUBDIVISION DOES NOT APPLY IF THE DECISION IS AUTHORIZED BY FEDERAL OR STATE LAW TO WHICH THE CONTROLLER IS SUBJECT AND WHICH INCORPORATES SUITABLE MEASURES TO SAFEGUARD THE CONSUMER'S RIGHTS AND LEGITIMATE INTERESTS, AS INDICATED BY THE RISK ASSESSMENTS REQUIRED BY SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE.
(B) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, THE CONTROLLER SHALL IMPLEMENT SUITABLE MEASURES TO SAFEGUARD CONSUMER'S RIGHTS AND LEGITIMATE INTERESTS WITH RESPECT TO DECISIONS BASED SOLELY ON PROFILING, INCLUDING PROVIDING HUMAN REVIEW OF THE DECISION, TO EXPRESS THE CONSUMER'S POINT OF VIEW WITH RESPECT TO THE DECISION, AND TO CONTEST THE DECISION.
7. A CONTROLLER SHALL COMMUNICATE ANY CORRECTION, DELETION, OR RESTRICTION OF PROCESSING CARRIED OUT IN ACCORDANCE WITH SUBDIVISIONS TWO, THREE OR FOUR OF THIS SECTION TO EACH THIRD-PARTY RECIPIENT TO WHOM THE PERSONAL DATA HAS BEEN DISCLOSED, INCLUDING THIRD PARTIES THAT RECEIVED THE DATA THROUGH A SALE, UNLESS THIS PROVES IMPOSSIBLE. THE CONTROLLER SHALL INFORM THE CONSUMER ABOUT SUCH THIRD-PARTY RECIPIENTS, IF ANY, IF THE CONSUMER REQUESTS SUCH INFORMATION.
8. A CONTROLLER SHALL PROVIDE INFORMATION ON ACTION TAKEN ON A REQUEST UNDER SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN THIRTY DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED BY SIXTY ADDITIONAL DAYS WHERE NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE CONTROLLER SHALL INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN THIRTY DAYS OF RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHERE THE CONSUMER MAKES THE REQUEST BY ELECTRONIC MEANS, THE INFORMATION SHALL BE PROVIDED BY ELECTRONIC MEANS WHERE POSSIBLE, UNLESS OTHERWISE REQUESTED BY THE CONSUMER.
(A) IF A CONTROLLER DOES NOT TAKE ACTION ON THE REQUEST OF A CONSUMER, THE CONTROLLER SHALL INFORM THE CONSUMER WITHOUT UNDUE DELAY AND AT THE LATEST WITHIN THIRTY DAYS OF RECEIPT OF THE REQUEST OF THE REASONS FOR NOT TAKING ACTION AND ANY POSSIBILITY FOR INTERNAL REVIEW OF THE DECISION BY THE CONTROLLER.
(B) INFORMATION PROVIDED UNDER THIS SECTION MUST BE PROVIDED BY THE CONTROLLER FREE OF CHARGE TO THE CONSUMER. WHERE REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR BECAUSE OF THEIR REPETITIVE CHARACTER, THE CONTROLLER MAY EITHER: (I) CHARGE A REASONABLE FEE TAKING INTO ACCOUNT THE ADMINISTRATIVE COSTS OF PROVIDING THE INFORMATION OR COMMUNICATION OR TAKING THE ACTION REQUESTED; OR (II) REFUSE TO ACT ON THE REQUEST. THE CONTROLLER BEARS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE CHARACTER OF THE REQUEST.
(C) WHERE THE CONTROLLER HAS REASONABLE DOUBTS CONCERNING THE IDENTITY OF THE CONSUMER MAKING A REQUEST UNDER SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION, THE CONTROLLER MAY REQUEST THE PROVISION OF ADDITIONAL INFORMATION NECESSARY TO CONFIRM THE IDENTITY OF THE CONSUMER.
(D) A CONTROLLER SHALL CONDUCT AN INTERNAL REVIEW ON ANY ACTION TAKEN UPON REQUEST OF A CONSUMER UNDER SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION.
§ 1104. TRANSPARENCY.
1. CONTROLLERS SHALL BE TRANSPARENT AND ACCOUNTABLE FOR THEIR PROCESSING OF PERSONAL DATA, BY MAKING AVAILABLE IN A FORM THAT IS REASONABLY ACCESSIBLE TO CONSUMERS A CLEAR, MEANINGFUL PRIVACY NOTICE THAT IS EASILY UNDERSTOOD AND WHICH INCLUDES:
(A) THE CATEGORIES OF PERSONAL DATA COLLECTED BY THE CONTROLLER;
(B) THE PURPOSES FOR WHICH THE CATEGORIES OF PERSONAL DATA IS USED AND DISCLOSED TO THIRD PARTIES, IF ANY;
(C) THE RIGHTS THAT CONSUMERS MAY EXERCISE PURSUANT TO SECTION ELEVEN HUNDRED THREE OF THIS ARTICLE, IF ANY;
(D) THE CATEGORIES OF PERSONAL DATA THAT THE CONTROLLER SHARES WITH THIRD PARTIES, IF ANY; AND
(E) THE NAMES AND CATEGORIES OF THIRD PARTIES, IF ANY, WITH WHOM THE CONTROLLER SHARES PERSONAL DATA.
2. CONTROLLERS THAT ENGAGE IN PROFILING SHALL DISCLOSE SUCH PROFILING TO THE CONSUMER AT OR BEFORE THE TIME PERSONAL DATA IS OBTAINED, INCLUDING MEANINGFUL INFORMATION ABOUT THE LOGIC INVOLVED AND THE SIGNIFICANCE AND ENVISAGED CONSEQUENCES OF THE PROFILING.
3. IF A CONTROLLER SELLS PERSONAL DATA TO DATA BROKERS OR PROCESSES PERSONAL DATA FOR DIRECT MARKETING PURPOSES, INCLUDING TARGETED MARKETING AND PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING, IT SHALL DISCLOSE SUCH PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OBJECT TO SUCH PROCESSING, IN A CLEAR AND PROMINENT MANNER.
§ 1105. RESPONSIBILITY ACCORDING TO ROLE.
1. CONTROLLERS AND BROKERS SHALL BE RESPONSIBLE FOR MEETING THE OBLIGATIONS SET FORTH UNDER THIS ARTICLE.
2. PROCESSORS AND BROKERS ARE RESPONSIBLE UNDER THIS ARTICLE FOR ADHERING TO THE INSTRUCTIONS OF THE CONTROLLER AND ASSISTING THE CONTROLLER TO MEET ITS OBLIGATIONS UNDER THIS ARTICLE.
3. PROCESSING BY A PROCESSOR SHALL BE GOVERNED BY A CONTRACT BETWEEN THE CONTROLLER AND THE PROCESSOR THAT IS BINDING ON THE PROCESSOR AND THAT SETS OUT THE PROCESSING INSTRUCTIONS TO WHICH THE PROCESSOR IS BOUND.
§ 1106. DE-IDENTIFIED DATA. A CONTROLLER OR PROCESSOR THAT USES DE-IDENTIFIED DATA SHALL EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE DE-IDENTIFIED DATA IS SUBJECT, AND SHALL TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF CONTRACTUAL COMMITMENTS.
§ 1107. EXEMPTIONS.
1. THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS ARTICLE DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO:
(A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
(B) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITIES;
(C) DISCLOSE PERSONAL DATA TO A LAW ENFORCEMENT AGENCY IF SUCH INFORMATION:
(I) WAS INADVERTENTLY OBTAINED BY THE CONTROLLER OR DATA BROKER; AND
(II) APPEARS TO PERTAIN TO THE COMMISSION OF A CRIME;
(D) COOPERATE WITH A GOVERNMENTAL ENTITY IF THE CONTROLLER OR DATA BROKER, IN GOOD FAITH, BELIEVES THAT AN EMERGENCY INVOLVING DANGER OF DEATH OR SERIOUS PHYSICAL INJURY TO ANY PERSON REQUIRES DISCLOSURE OF PERSONAL DATA WITHOUT DELAY;
(E) INVESTIGATE, EXERCISE, OR DEFEND LEGAL CLAIMS; OR
(F) PREVENT OR DETECT IDENTITY THEFT, FRAUD, OR OTHER CRIMINAL ACTIVITY OR VERIFY IDENTITIES.
2. THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS ARTICLE DO NOT APPLY WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW YORK LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION.
3. A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A THIRD-PARTY CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THE REQUIREMENTS OF THIS ARTICLE IS NOT IN VIOLATION OF THIS ARTICLE, INCLUDING UNDER SECTION ELEVEN HUNDRED EIGHT OF THIS ARTICLE, IF THE THIRD-PARTY RECIPIENT PROCESSES SUCH PERSONAL DATA IN VIOLATION OF THIS ARTICLE, PROVIDED THAT, AT THE TIME OF DISCLOSING THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE THIRD-PARTY RECIPIENT INTENDED TO COMMIT A VIOLATION. A THIRD-PARTY RECIPIENT RECEIVING PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IS LIKEWISE NOT LIABLE UNDER THIS ARTICLE, INCLUDING UNDER SECTION ELEVEN HUNDRED EIGHT OF THIS ARTICLE, FOR THE OBLIGATIONS OF A CONTROLLER OR PROCESSOR TO WHOM IT PROVIDES SERVICES.
4. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER OR PROCESSOR TO DO THE FOLLOWING:
(A) RE-IDENTIFY DE-IDENTIFIED DATA;
(B) RETAIN PERSONAL DATA CONCERNING A CONSUMER THAT HE OR SHE WOULD NOT OTHERWISE RETAIN IN THE ORDINARY COURSE OF BUSINESS; OR
(C) COMPLY WITH A REQUEST TO EXERCISE ANY OF THE RIGHTS UNDER SUBDIVISIONS ONE THROUGH SIX OF SECTION ELEVEN HUNDRED THREE OF THIS ARTICLE IF THE CONTROLLER IS UNABLE TO VERIFY, USING COMMERCIALLY REASONABLE EFFORTS, THE IDENTITY OF THE CONSUMER MAKING THE REQUEST.
5. OBLIGATIONS IMPOSED ON CONTROLLERS AND PROCESSORS UNDER THIS ARTICLE DO NOT APPLY TO THE PROCESSING OF PERSONAL DATA BY A NATURAL PERSON IN THE COURSE OF A PURELY PERSONAL OR HOUSEHOLD ACTIVITY.
§ 1108. LIABILITY. WHERE MORE THAN ONE CONTROLLER OR PROCESSOR, OR BOTH A CONTROLLER AND A PROCESSOR, INVOLVED IN THE SAME PROCESSING, IS IN VIOLATION OF THIS ARTICLE, THE LIABILITY SHALL BE ALLOCATED AMONG THE PARTIES ACCORDING TO PRINCIPLES OF COMPARATIVE FAULT, UNLESS SUCH LIABILITY IS OTHERWISE ALLOCATED BY CONTRACT AMONG THE PARTIES.
§ 1109. ENFORCEMENT.
1. THE LEGISLATURE FINDS THAT THE PRACTICES COVERED BY THIS ARTICLE ARE MATTERS VITALLY AFFECTING THE PUBLIC INTEREST FOR THE PURPOSE OF PROVIDING CONSUMER PROTECTION FROM DECEPTIVE ACTS AND PRACTICES UNDER ARTICLE TWENTY-TWO-A OF THIS CHAPTER. A VIOLATION OF THIS ARTICLE IS NOT REASONABLE IN RELATION TO THE DEVELOPMENT AND PRESERVATION OF BUSINESS AND IS AN UNFAIR OR DECEPTIVE ACT IN TRADE OR COMMERCE AND AN UNFAIR METHOD OF COMPETITION FOR THE PURPOSE OF APPLYING ARTICLE TWENTY-TWO-A OF THIS CHAPTER.
2. THE ATTORNEY GENERAL MAY BRING AN ACTION IN THE NAME OF THE STATE, OR AS PARENS PATRIAE ON BEHALF OF PERSONS RESIDING IN THE STATE, TO ENFORCE THIS ARTICLE.
3. IN ADDITION TO ANY RIGHT OF ACTION GRANTED TO ANY GOVERNMENTAL BODY PURSUANT TO THIS SECTION, ANY PERSON WHO HAS BEEN INJURED BY REASON OF A VIOLATION OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER OWN NAME TO ENJOIN SUCH UNLAWFUL ACT, OR TO RECOVER HIS OR HER ACTUAL DAMAGES, OR BOTH SUCH ACTIONS. THE COURT MAY AWARD REASONABLE ATTORNEY'S FEES TO A PREVAILING PLAINTIFF.
4. ANY CONTROLLER OR PROCESSOR WHO VIOLATES THIS ARTICLE IS SUBJECT TO AN INJUNCTION AND LIABLE FOR DAMAGES AND A CIVIL PENALTY. WHEN CALCULATING DAMAGES AND CIVIL PENALTIES, THE COURT SHALL CONSIDER THE NUMBER OF AFFECTED INDIVIDUALS, THE SEVERITY OF THE VIOLATION, AND THE SIZE AND REVENUES OF THE COVERED ENTITY. EACH INDIVIDUAL WHOSE INFORMATION WAS UNLAWFULLY PROCESSED COUNTS AS A SEPARATE VIOLATION. EACH PROVISION OF THIS ARTICLE THAT WAS VIOLATED COUNTS AS A SEPARATE VIOLATION.
§ 1110. PREEMPTION. THIS ARTICLE SUPERSEDES AND PREEMPTS LAWS ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING OF PERSONAL DATA BY CONTROLLERS OR PROCESSORS.
§ 3. This act shall take effect on the one hundred eightieth day after it shall have become a law.