LBD09748-03-1
A. 6042 2
The legislature further finds that entities that collect, use, retain,
share, and monetize personal information have specialized knowledge
about the algorithms and data security measures they use, as well as
about how they collect, use, retain, share, and monetize personal infor-
mation, that the average individual is unlikely to understand. Just as
banks, lawyers, and medical providers, given their specialized know-
ledge, have special obligations to individuals, entities collecting
intimate personal information in the digital age and benefiting from
similarly specialized knowledge should have similar obligations.
The legislature also finds that individuals in New York state, like
individuals across the country, value privacy and wish to control who
has access to their personal information. Ninety-two percent of Face-
book users alter the social network's default privacy settings, demon-
strating that they wish to choose with whom they share personal informa-
tion. Similarly, ninety-two percent of Americans believe companies
should obtain individuals' permission before sharing or selling their
personal information.
The legislature additionally finds that biometric information is
unlike other unique identifiers, because biometric information is
biologically unique to an individual and cannot be changed if compro-
mised. As a result, biometric information merits special protections.
The legislature also finds that it has had a decades long interest in
protecting New Yorkers' privacy. For example, since 1996, section 79-l
of the New York civil rights law has protected the privacy of genetic
information, requiring an individual's informed, written consent prior
to genetic testing and restricting the disclosure and retention of
genetic information.
The legislature further finds that the use of automated decision
systems to make core government and business decisions raises concerns
around due process, fairness, accountability, and transparency, as well
as other civil rights and liberties. Reliance on automated decision
systems without adequate transparency, oversight, or safeguards can
undermine market predictability, harm consumers, and deny historically
disadvantaged or vulnerable groups the full measure of their civil
rights and liberties.
The legislature finally finds that New York has the longest standing
human rights law in the nation and that the state has prioritized root-
ing out discrimination in employment, housing, credit, public accommo-
dations, and educational institutions based on age, race, national
origin, sex, sexual orientation, gender identity, disability, and other
protected classes. Ensuring that sophisticated algorithms cannot be used
to circumvent the state's civil and human rights laws is an important
exercise of the legislature's authority.
§ 3. The general business law is amended by adding a new article 39-FF
to read as follows:
ARTICLE 39-FF
DIGITAL FAIRNESS ACT
SECTION 899-CC. DEFINITIONS.
899-DD. MEANINGFUL NOTICE.
899-EE. OPT-IN CONSENT.
899-FF. AFFIRMATIVE OBLIGATIONS.
899-GG. BIOMETRIC INFORMATION; RETENTION, COLLECTION, DISCLOSURE
AND DESTRUCTION.
899-HH. SURREPTITIOUS SURVEILLANCE.
899-II. ENFORCEMENT.
§ 899-CC. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE, THE FOLLOWING
TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "BIOMETRIC INFORMATION" SHALL MEAN A RECORD OF ONE OR MORE MEASUR-
ABLE BIOLOGICAL OR BEHAVIORAL CHARACTERISTICS THAT CAN BE USED SINGULAR-
LY OR IN COMBINATION WITH OTHER CHARACTERISTICS, OR WITH OTHER INFORMA-
TION, FOR AUTOMATED RECOGNITION OF A KNOWN OR UNKNOWN INDIVIDUAL.
EXAMPLES OF SUCH TERM SHALL INCLUDE, BUT NOT BE LIMITED TO: FINGER-
PRINTS, RETINA AND IRIS PATTERNS, VOICEPRINTS, DNA SEQUENCE, FACIAL
CHARACTERISTICS, GAIT, HANDWRITING, KEY STROKE DYNAMICS, AND MOUSE MOVE-
MENTS.
2. "COLLECT" SHALL MEAN TO BUY, RENT, GATHER, OBTAIN, RECEIVE, OR
ACCESS ANY PERSONAL INFORMATION PERTAINING TO AN INDIVIDUAL BY ANY
MEANS, ONLINE OR OFFLINE, INCLUDING BUT NOT LIMITED TO, RECEIVING INFOR-
MATION FROM THE INDIVIDUAL OR FROM A THIRD PARTY, ACTIVELY OR PASSIVELY,
OR OBTAINING INFORMATION BY OBSERVING SUCH INDIVIDUAL'S BEHAVIOR.
3. "CONDUCT BUSINESS IN NEW YORK" SHALL MEAN TO PRODUCE, SOLICIT, OR
OFFER FOR USE OR SALE ANY PRODUCT OR SERVICE IN A MANNER THAT INTEN-
TIONALLY TARGETS, OR MAY REASONABLY BE EXPECTED TO CONTACT, NEW YORK
RESIDENTS, OR TO ENGAGE IN ANY ACTIVITY THAT WOULD SUBJECT THE ACTOR TO
PERSONAL JURISDICTION UNDER SECTION THREE HUNDRED ONE OR SECTION THREE
HUNDRED TWO OF THE CIVIL PRACTICE LAW AND RULES, WHETHER OR NOT FOR
PROFIT.
4. "COVERED ENTITY" SHALL MEAN A LEGAL ENTITY THAT CONDUCTS BUSINESS
IN NEW YORK STATE AND AS PART OF SUCH BUSINESS, PROCESSES AND MAINTAINS
THE PERSONAL INFORMATION OF FIVE HUNDRED OR MORE UNIQUE INDIVIDUALS.
5. "DATA PROCESSOR" SHALL MEAN A PERSON THAT PROCESSES PERSONAL INFOR-
MATION ON BEHALF OF A COVERED ENTITY.
6. "DE-IDENTIFIED INFORMATION" SHALL MEAN INFORMATION THAT CANNOT
REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED
WITH, OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR INDIVIDUAL;
PROVIDED THAT A COVERED ENTITY THAT USES DE-IDENTIFIED INFORMATION:
(A) HAS IMPLEMENTED TECHNICAL SAFEGUARDS THAT PROHIBIT REIDENTIFICA-
TION OF THE INDIVIDUAL TO WHOM SUCH INFORMATION MAY PERTAIN;
(B) HAS IMPLEMENTED BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT
REIDENTIFICATION OF SUCH INFORMATION;
(C) HAS IMPLEMENTED BUSINESS PROCESSES THAT PREVENT INADVERTENT
RELEASE OF SUCH DE-IDENTIFIED INFORMATION; AND
(D) MAKES NO ATTEMPT TO REIDENTIFY SUCH INFORMATION.
7. "DEVICE" SHALL MEAN A PRODUCT THAT IS CAPABLE OF SENDING, ROUTING,
OR RECEIVING COMMUNICATIONS TO OR FROM ANOTHER DEVICE AND INTENDED FOR
USE BY A SINGLE INDIVIDUAL OR SINGLE HOUSEHOLD OR, IF USED OUTSIDE OF A
HOME, FOR USE BY THE GENERAL PUBLIC.
8. "DEVICE FINGERPRINTING" SHALL MEAN INFORMATION PASSIVELY COLLECTED
FOR THE PURPOSE OF IDENTIFYING A DEVICE THROUGH A COMBINATION OF DEVICE
IDENTIFIERS, WIRELESS OR CELLULAR NETWORKS, LANGUAGE SETTINGS, SOFTWARE
VERSIONS, TIME ZONE, FREQUENTLY VISITED SITES, DRIVERS, OR OTHER SPEC-
IFICATIONS.
9. "DEVICE INDICATOR" SHALL MEAN ANY IDENTIFIER TIED TO AN INDIVIDUAL,
HOUSEHOLD, OR DEVICE, INCLUDING BUT NOT LIMITED TO A COMBINATORY METHOD
SUCH AS DEVICE FINGERPRINTING OR A TECHNICAL IDENTIFIER SUCH AS INTERNET
PROTOCOL ADDRESS, DEVICE ADVERTISEMENT IDENTIFIER, SERIAL NUMBER, INTER-
NATIONAL MOBILE EQUIPMENT IDENTITY, MEDIA ACCESS CONTROL ADDRESS, COOKIE
IDENTIFIER, OR SUBSCRIBER IDENTIFICATION MODULE CARD SERIAL NUMBER,
WHETHER RESETTABLE OR PERSISTENT.
10. "DISCLOSE" SHALL MEAN ANY ACTION, SET OF ACTIONS, OR OMISSION IN
WHICH A COVERED ENTITY, DATA PROCESSOR, OR THIRD PARTY MAKES PERSONAL
INFORMATION AVAILABLE TO ANOTHER PERSON, INTENTIONALLY OR UNINTEN-
TIONALLY, INCLUDING BUT NOT LIMITED TO, SHARING, PUBLISHING, RELEASING,
TRANSFERRING, DISSEMINATING, MAKING AVAILABLE, SELLING, LEASING, PROVID-
ING ACCESS TO, FAILING TO RESTRICT ACCESS TO, OR OTHERWISE COMMUNICATING
ORALLY, IN WRITING, ELECTRONICALLY, OR BY ANY OTHER MEANS.
11. "DIVISION" SHALL MEAN THE CONSUMER PROTECTION DIVISION, UNLESS
CONTEXT CLEARLY INDICATES OTHERWISE.
12. "GOVERNMENTAL ENTITY" SHALL MEAN A DEPARTMENT OR AGENCY OF THE
STATE OR A POLITICAL SUBDIVISION THEREOF, OR AN INDIVIDUAL ACTING FOR OR
ON BEHALF OF THE STATE OR A POLITICAL SUBDIVISION THEREOF.
13. "HARM" SHALL MEAN POTENTIAL OR REALIZED ADVERSE CONSEQUENCES TO AN
INDIVIDUAL OR TO SOCIETY, INCLUDING BUT NOT LIMITED TO:
(A) DIRECT OR INDIRECT FINANCIAL HARM.
(B) PHYSICAL HARM OR THREATS TO PERSONS OR PROPERTY, INCLUDING BUT NOT
LIMITED TO BIAS-RELATED CRIMES AND THREATS, HARASSMENT, AND SEXUAL
HARASSMENT.
(C) DISCRIMINATION IN GOODS, SERVICES, OR ECONOMIC OPPORTUNITY,
INCLUDING BUT NOT LIMITED TO HOUSING, EMPLOYMENT, CREDIT, INSURANCE,
EDUCATION, OR HEALTH CARE ON THE BASIS OF AN INDIVIDUAL OR CLASS OF
INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, NATIONAL ORIGIN, SEX, SEXUAL
ORIENTATION, GENDER IDENTITY, MARITAL STATUS, DISABILITY, MILITARY
STATUS, AND/OR MEMBERSHIP IN ANOTHER PROTECTED CLASS.
(D) INTERFERENCE WITH OR SURVEILLANCE OF FIRST AMENDMENT-PROTECTED
ACTIVITIES BY STATE ACTORS.
(E) INTERFERENCE WITH THE RIGHT TO VOTE OR WITH FREE AND FAIR
ELECTIONS.
(F) INTERFERENCE WITH DUE PROCESS OR EQUAL PROTECTION UNDER LAW.
(G) LOSS OF INDIVIDUAL CONTROL OVER PERSONAL INFORMATION, NONCONSENSU-
AL SHARING OF PRIVATE INFORMATION, AND DATA BREACH.
(H) THE NONCONSENSUAL CAPTURE OF INFORMATION OR COMMUNICATIONS WITHIN
AN INDIVIDUAL'S HOME OR WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION
OF SECLUSION OR ACCESS CONTROL.
(I) OTHER EFFECTS ON AN INDIVIDUAL THAT MAY NOT BE REASONABLY FORESEE-
ABLE TO, CONTEMPLATED BY, OR EXPECTED BY THE INDIVIDUAL TO WHOM THE
PERSONAL INFORMATION RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEA-
BLE, CONTEMPLATED BY, OR EXPECTED BY THE COVERED ENTITY THAT ALTER OR
LIMIT SUCH INDIVIDUAL'S CHOICES OR PREDETERMINE RESULTS.
14. "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM A COVERED ENTITY
KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
15. "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT IS CAPTURED IN
EXCHANGE FOR ANY KIND OF VALUE PROVIDED TO THE INDIVIDUAL TO WHOM THE
INFORMATION PERTAINS, INCLUDING BUT NOT LIMITED TO A GOOD OR SERVICE,
THE PLACEMENT OF TARGETED ADVERTISEMENTS, OR A MEMBERSHIP; AS A RESULT
OF AN INDIVIDUAL, HOUSEHOLD, OR DEVICE'S ESTABLISHMENT OR MAINTENANCE OF
AN ACCOUNT WITH A COVERED ENTITY; OR AS A RESULT OF AN INDIVIDUAL,
HOUSEHOLD, OR DEVICE'S INTERACTION WITH A COVERED ENTITY. SUCH TERM
SHALL ALSO INCLUDE INFORMATION THAT DIRECTLY OR INDIRECTLY IDENTIFIES,
RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSOCIATED WITH, OR COULD
REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL, HOUSEHOLD, OR DEVICE
THAT PROVIDES OR PROVIDED INFORMATION TO A COVERED ENTITY IN EXCHANGE
FOR ANY KIND OF VALUE PROVIDED TO THE INDIVIDUAL TO WHOM SUCH INFORMA-
TION PERTAINS OR THAT ESTABLISHED, MAINTAINED, ESTABLISHES OR MAINTAINS
AN ACCOUNT WITH A COVERED ENTITY. INFORMATION IS REASONABLY LINKABLE TO
AN INDIVIDUAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN
COMBINATION WITH OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF
WHETHER SUCH OTHER INFORMATION IS HELD BY THE COVERED ENTITY, TO IDENTI-
FY AN INDIVIDUAL, HOUSEHOLD, OR DEVICE.
16. "MONETIZE" SHALL MEAN TO SELL, RENT, RELEASE, DISCLOSE, DISSEM-
INATE, MAKE AVAILABLE, TRANSFER, OR OTHERWISE COMMUNICATE ORALLY, IN
WRITING, OR BY ELECTRONIC OR OTHER MEANS, AN INDIVIDUAL'S PERSONAL
INFORMATION BY A COVERED ENTITY, A THIRD PARTY, OR A DATA PROCESSOR IN
EXCHANGE FOR MONETARY OR OTHER CONSIDERATION, AS WELL AS TO LEVERAGE OR
USE AN INDIVIDUAL'S PERSONAL INFORMATION TO PLACE A TARGETED ADVERTISE-
MENT OR TO OTHERWISE PROFIT, REGARDLESS OF WHETHER SUCH INDIVIDUAL'S
PERSONAL INFORMATION CHANGES HANDS.
17. "PROCESS" OR "PROCESSING" SHALL MEAN ANY ACTION OR SET OF ACTIONS
PERFORMED ON OR WITH PERSONAL INFORMATION, INCLUDING BUT NOT LIMITED TO,
COLLECTION, ACCESS, USE, RETENTION, SHARING, MONETIZING, ANALYSIS,
CREATION, GENERATION, DERIVATION, DECISION-MAKING, RECORDING, ALTER-
NATION, ORGANIZATION, STRUCTURING, STORAGE, DISCLOSURE, TRANSMISSION,
SALE, LICENSING, DISPOSAL, DESTRUCTION, DE-IDENTIFYING, OR OTHER HANDL-
ING OF PERSONAL INFORMATION.
18. "REASONABLY UNDERSTANDABLE" SHALL MEAN OF A LENGTH AND COMPLEXITY
SUCH THAT AN INDIVIDUAL WITH A FOURTH-GRADE READING LEVEL, AS ESTAB-
LISHED BY THE NEW YORK DEPARTMENT OF EDUCATION'S FOURTH GRADE ENGLISH
LANGUAGE ARTS LEARNING STANDARDS, CAN READ AND COMPREHEND THE CONTENTS
IN TWO MINUTES OR LESS.
19. "TARGETED ADVERTISEMENT" SHALL MEAN AN ADVERTISEMENT DIRECTED TO
AN INDIVIDUAL WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL
INFORMATION OBTAINED OR INFERRED OVER TIME FROM SUCH INDIVIDUAL'S OR THE
INDIVIDUAL'S DEVICE'S ACTIVITIES, COMMUNICATIONS, OR ASSOCIATIONS ACROSS
WEBSITES, APPLICATIONS, SERVICES, OR COVERED ENTITIES. SUCH TERM SHALL
NOT INCLUDE ADVERTISEMENTS DIRECTED TO AN INDIVIDUAL SOLELY BASED UPON
THE INDIVIDUAL'S CURRENT VISIT TO A WEBSITE, APPLICATION, SERVICE, OR
COVERED ENTITY, OR IN RESPONSE TO THE INDIVIDUAL'S REQUEST FOR INFORMA-
TION OR FEEDBACK.
20. "THIRD PARTY" SHALL MEAN, WITH RESPECT TO AN INDIVIDUAL'S PERSONAL
INFORMATION, ANY PERSON THAT IS NOT THE COVERED ENTITY OR A DATA PROCES-
SOR.
21. "USE MODEL" SHALL MEAN A DISCRETE PURPOSE FOR WHICH COLLECTED
PERSONAL INFORMATION IS TO BE PROCESSED, INCLUDING BUT NOT LIMITED TO,
FIRST PARTY MARKETING, THIRD PARTY MARKETING, FIRST PARTY RESEARCH AND
DEVELOPMENT, THIRD PARTY RESEARCH AND DEVELOPMENT, AND PRODUCT IMPROVE-
MENT.
§ 899-DD. MEANINGFUL NOTICE. 1. IN ADDITION TO ANY LONG FORM PRIVACY
POLICY, EACH COVERED ENTITY SHALL MAKE PERSISTENTLY AND CONSPICUOUSLY
AVAILABLE A SHORT-FORM PRIVACY NOTICE--
(A) THAT AN INDIVIDUAL MUST INTERACT WITH UPON THE INDIVIDUAL'S FIRST
VISIT TO THE COVERED ENTITY'S WEBSITE OR FIRST USE OF THE COVERED ENTI-
TY'S MOBILE APPLICATION;
(B) PERSISTENTLY AVAILABLE AND READILY ACCESSIBLE ON A COVERED ENTI-
TY'S WEBSITE OR MOBILE APPLICATION;
(C) AT THE PHYSICAL PLACE OF BUSINESS OR ANY OFFLINE EQUIVALENT MAIN-
TAINED BY THE COVERED ENTITY; AND
(D) AT OR PRIOR TO THE POINT OF SALE OF A PRODUCT OR SERVICE,
SUBSCRIPTION TO A SERVICE, OR ESTABLISHMENT OF AN ACCOUNT WITH, THE
COVERED ENTITY OR IF THERE IS NO SUCH SALE, SUBSCRIPTION, OR ESTABLISH-
MENT, BEFORE THE INDIVIDUAL USES SUCH PRODUCT OR SERVICE OF THE COVERED
ENTITY.
2. THE SHORT-FORM PRIVACY NOTICE REQUIRED BY SUBDIVISION ONE OF THIS
SECTION SHALL:
(A) BE CLEAR, CONCISE, WELL-ORGANIZED, AND COMPLETE;
(B) BE CLEAR AND PROMINENT IN APPEARANCE;
(C) USE CLEAR AND PLAIN LANGUAGE;
(D) USE VISUALIZATIONS WHERE APPROPRIATE TO MAKE COMPLEX INFORMATION
UNDERSTANDABLE BY THE ORDINARY USER;
(E) BE REASONABLY UNDERSTANDABLE;
(F) BE CLEARLY DISTINGUISHABLE FROM OTHER MATTERS;
(G) NOT CONTAIN ANY UNRELATED, CONFUSING, OR CONTRADICTORY INFORMA-
TION;
(H) BE NO MORE THAN FIVE HUNDRED WORDS, EXCLUDING THE LIST OF THIRD
PARTIES REQUIRED UNDER PARAGRAPH (F) OF SUBDIVISION THREE OF THIS
SECTION; AND
(I) BE PROVIDED FREE OF CHARGE.
3. THE SHORT-FORM PRIVACY NOTICE REQUIRED BY SUBDIVISION ONE OF THIS
SECTION SHALL INCLUDE:
(A) WHAT PERSONAL INFORMATION IS BEING PROCESSED;
(B) THE MANNER IN WHICH PERSONAL INFORMATION IS PROCESSED;
(C) HOW AND FOR WHAT PURPOSE THE COVERED ENTITY PROCESSES PERSONAL
INFORMATION;
(D) HOW LONG PERSONAL INFORMATION WILL BE RETAINED;
(E) WHETHER AND HOW THE COVERED ENTITY MONETIZES PERSONAL INFORMATION;
(F) TO WHICH THIRD PARTIES THE COVERED ENTITY DISCLOSES PERSONAL
INFORMATION AND FOR WHAT PURPOSES; AND
(G) HOW THE COVERED ENTITY COLLECTS PERSONAL INFORMATION, INCLUDING
OFFLINE PRACTICES, WHEN THE INDIVIDUAL IS NOT DIRECTLY INTERACTING WITH
SUCH COVERED ENTITY.
4. THE LIST OF THIRD PARTIES REQUIRED UNDER PARAGRAPH (F) OF SUBDIVI-
SION THREE OF THIS SECTION, SHALL BE OFFSET BY AT LEAST TWO LINE BREAKS
FROM THE REST OF THE SHORT-FORM PRIVACY NOTICE REQUIRED UNDER SUBDIVI-
SION ONE OF THIS SECTION.
5. WITHIN ONE YEAR OF THE ENACTMENT OF THIS ARTICLE, THE CONSUMER
PROTECTION DIVISION SHALL ESTABLISH STANDARDIZED SHORT-FORM PRIVACY
NOTICES THAT COMPLY WITH THIS SECTION. A COVERED ENTITY MAY SATISFY THE
SHORT-FORM PRIVACY NOTICE REQUIREMENTS BY ADOPTING THE STANDARDIZED
SHORT-FORM PRIVACY NOTICE ESTABLISHED BY THE DIVISION.
6. WITHIN ONE YEAR OF THE ENACTMENT OF THIS ARTICLE, THE CONSUMER
PROTECTION DIVISION SHALL DEVELOP A RECOGNIZABLE AND UNIFORM LOGO OR
BUTTON TO PROMOTE INDIVIDUAL AWARENESS OF THE SHORT-FORM PRIVACY NOTICE
THAT MAY BE USED BY COVERED ENTITIES.
7. THE CONSUMER PROTECTION DIVISION MAY PROMULGATE RULES AND REGU-
LATIONS SPECIFYING ADDITIONAL REQUIREMENTS FOR THE FORMAT AND SUBSTANCE
OF SUCH SHORT-FORM PRIVACY NOTICES.
§ 899-EE. OPT-IN CONSENT. 1. A COVERED ENTITY SHALL OBTAIN FREELY
GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM AN INDI-
VIDUAL TO:
(A) PROCESS SUCH INDIVIDUAL'S PERSONAL INFORMATION; AND
(B) MAKE ANY CHANGES IN THE PROCESSING OF SUCH INDIVIDUAL'S INFORMA-
TION THAT NECESSITATE A CHANGE TO THE ENTITY'S SHORT-FORM PRIVACY NOTICE
REQUIRED UNDER SECTION EIGHT HUNDRED NINETY-NINE-DD OF THIS ARTICLE.
2. WITHIN ONE YEAR OF THE ENACTMENT OF THIS ARTICLE, THE DIVISION
SHALL PROMULGATE RULES AND REGULATIONS GROUPING DIFFERENT TYPES OF PROC-
ESSING OF PERSONAL INFORMATION BY USE MODEL AND PERMITTING A COVERED
ENTITY TO SIMULTANEOUSLY OBTAIN FREELY GIVEN, SPECIFIC, INFORMED, AND
UNAMBIGUOUS OPT-IN CONSENT FROM AN INDIVIDUAL FOR MULTIPLE TRANSACTIONS
OF THE SAME USE MODEL.
3. A COVERED ENTITY SHALL ENSURE THAT THE OPTION TO WITHHOLD CONSENT
IS DISPLAYED AS CLEARLY AND PROMINENTLY AS THE OPTION TO PROVIDE
CONSENT.
4. A COVERED ENTITY SHALL PROVIDE A MECHANISM FOR AN INDIVIDUAL TO
WITHDRAW PREVIOUSLY-GIVEN CONSENT AT ANY TIME. SUCH MECHANISM SHALL MAKE
IT AS EASY FOR AN INDIVIDUAL TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH
INDIVIDUAL TO PROVIDE CONSENT.
5. A COVERED ENTITY SHALL NOT BE REQUIRED TO OBTAIN FREELY GIVEN,
SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM AN INDIVIDUAL
UNDER SUBDIVISION ONE OF THIS SECTION IF:
(A) THE PROCESSING IS NECESSARY FOR THE PRIMARY PURPOSE OF THE TRANS-
ACTION FOR WHICH PERSONAL INFORMATION IS PROVIDED, SUCH AS THE PROVISION
OF FINANCIAL INFORMATION TO COMPLETE A PURCHASE OR THE PROVISION OF A
MAILING ADDRESS FOR PACKAGE DELIVERY; PROVIDED THAT THE PERSONAL INFOR-
MATION SHALL NOT BE PROCESSED OR MONETIZED FOR ANY OTHER PURPOSE WITHOUT
THE FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT
FROM THE INDIVIDUAL TO WHOM THE PERSONAL INFORMATION PERTAINS.
(B) THE COVERED ENTITY, IN GOOD FAITH, BELIEVES THAT AN EMERGENCY
PRESENTING THE RISK OF DEATH OR SERIOUS PHYSICAL INJURY TO ANY INDIVID-
UAL REQUIRES DISCLOSURE, WITHOUT DELAY, OF PERSONAL INFORMATION RELATING
TO SUCH EMERGENCY, THE COVERED ENTITY MAY DISCLOSE THE PERSONAL INFORMA-
TION RELATING TO SUCH EMERGENCY TO A GOVERNMENTAL ENTITY. A COVERED
ENTITY THAT DISCLOSES THE PERSONAL INFORMATION OF AN INDIVIDUAL WITHOUT
OBTAINING OPT-IN APPROVAL SHALL, WITHIN TWENTY-FOUR HOURS, INFORM THE
INDIVIDUAL OF THE PERSONAL INFORMATION THAT THE COVERED ENTITY
DISCLOSED, THE DETAILS OF THE EMERGENCY, AND THE REASONS WHY THE COVERED
ENTITY NEEDED TO USE, ACCESS, OR DISCLOSE THE PERSONAL INFORMATION.
(C) PROCESSING THE PERSONAL INFORMATION IS NECESSARY FOR ENGAGING IN
PUBLIC OR PEER-REVIEWED SCIENTIFIC, MEDICAL, HISTORICAL, SOCIAL SCIENCE,
OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL OTHER
APPLICABLE ETHICAL STANDARDS OR LAWS, WITH INFORMED CONSENT.
(D) PROCESSING THE PERSONAL INFORMATION IS NECESSARY FOR CLINICAL,
TREATMENT, PUBLIC HEALTH, MEDICAL EDUCATIONAL, MEDICAL TRAINING, OR
INSURANCE PURPOSES, PROVIDED THAT THE PERSONAL INFORMATION SHALL NOT BE
PROCESSED OR MONETIZED FOR ANY OTHER PURPOSE WITHOUT THE FREELY GIVEN,
SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM SUCH INDIVIDUAL
TO WHOM THE PERSONAL INFORMATION PERTAINS.
(E) THE PROCESSING INVOLVES ONLY DE-IDENTIFIED INFORMATION.
(F) IN RESPONSE TO A WARRANT ISSUED BY A COURT OF COMPETENT JURISDIC-
TION UNDER THE PROCEDURES DESCRIBED IN THE FEDERAL RULES OF CRIMINAL
PROCEDURE OR ARTICLE SIX HUNDRED NINETY OF THE CRIMINAL PROCEDURE LAW.
(G) IF REQUIRED BY STATE OR FEDERAL LAW.
6. THE DIVISION IS HEREBY AUTHORIZED AND DIRECTED TO CONDUCT A STUDY
TO DETERMINE THE MOST EFFECTIVE WAY FOR ENTITIES TO OBTAIN INDIVIDUALS'
FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FOR
EACH TYPE OF PERSONAL INFORMATION PROCESSING AND, TO THE EXTENT POSSI-
BLE, TO AVOID NOTICE FATIGUE.
7. THE DIVISION MAY REQUEST DATA AND INFORMATION FROM COVERED ENTITIES
CONDUCTING BUSINESS IN NEW YORK STATE, OTHER NEW YORK STATE GOVERNMENT
ENTITIES ADMINISTERING NOTICE AND CONSENT REGIMES, CONSUMER PROTECTION
AND PRIVACY ADVOCATES AND RESEARCHERS, INTERNET STANDARDS SETTING
BODIES, SUCH AS THE INTERNET ENGINEERING TASKFORCE AND THE INSTITUTE OF
ELECTRICAL AND ELECTRONICS ENGINEERS, AND OTHER RELEVANT SOURCES TO
EFFECTUATE THE PURPOSE OF SUCH STUDY. THE DIVISION SHALL RECEIVE, UPON
REQUEST, DATA FROM OTHER NEW YORK STATE GOVERNMENTAL ENTITIES.
8. WITHIN ONE YEAR OF THE ENACTMENT OF THIS ARTICLE, THE DIVISION
SHALL PROMULGATE RULES AND REGULATIONS SPECIFYING THE MANNER IN WHICH
COVERED ENTITIES SHALL OBTAIN INDIVIDUALS' FREELY GIVEN, SPECIFIC,
INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FOR EACH TYPE OF PERSONAL
INFORMATION PROCESSING, AS WELL AS THE MANNER IN WHICH INDIVIDUALS MAY
WITHDRAW THEIR CONSENT AT ANY TIME. SUCH RULES AND REGULATIONS SHALL
REQUIRE COVERED ENTITIES TO MAKE IT AS EASY FOR AN INDIVIDUAL TO WITH-
DRAW THEIR CONSENT AS IT IS FOR THE INDIVIDUAL TO PROVIDE CONSENT.
9. UNDER NO CIRCUMSTANCES SHALL AN INDIVIDUAL'S INTERACTION WITH A
COVERED ENTITY OR USE OF A COVERED ENTITY'S PRODUCT OR SERVICE, WHEN THE
COVERED ENTITY HAS A TERMS OF SERVICE OR A PRIVACY POLICY, INCLUDING THE
SHORT-FORM PRIVACY NOTICE REQUIRED UNDER SECTION EIGHT HUNDRED NINETY-
NINE-DD OF THIS ARTICLE, IN AND OF ITSELF CONSTITUTE FREELY GIVEN,
SPECIFIC, INFORMED, AND UNAMBIGUOUS CONSENT.
10. TO THE EXTENT THAT A COVERED ENTITY MUST PROCESS INTERNET PROTOCOL
ADDRESSES, SYSTEM CONFIGURATION INFORMATION, URLS OF REFERRING PAGES,
LOCALE AND LANGUAGE PREFERENCES, KEYSTROKES, AND OTHER PERSONAL INFORMA-
TION IN ORDER TO OBTAIN INDIVIDUALS' FREELY GIVEN, SPECIFIC, INFORMED,
AND UNAMBIGUOUS OPT-IN CONSENT, THE COVERED ENTITY SHALL:
(A) ONLY PROCESS THE PERSONAL INFORMATION NECESSARY TO REQUEST FREELY
GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT;
(B) PROCESS THE PERSONAL INFORMATION SOLELY TO REQUEST FREELY GIVEN,
SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT; AND
(C) IMMEDIATELY DELETE THE PERSONAL INFORMATION IF CONSENT IS WITHHELD
OR WITHDRAWN.
11. A COVERED ENTITY SHALL NOT REFUSE TO SERVE AN INDIVIDUAL WHO DOES
NOT APPROVE THE PROCESSING OF SUCH INDIVIDUAL'S PERSONAL INFORMATION
UNDER THIS SECTION, UNLESS THE PROCESSING IS NECESSARY FOR THE PRIMARY
PURPOSE OF THE TRANSACTION SUCH INDIVIDUAL HAS REQUESTED.
12. A COVERED ENTITY SHALL NOT OFFER AN INDIVIDUAL A PROGRAM THAT
RELATES THE PRICE OR QUALITY OF A PRODUCT OR SERVICE TO THE PRIVACY
PROTECTIONS AFFORDED TO THE INDIVIDUAL, INCLUDING BY PROVIDING A
DISCOUNT OR OTHER INCENTIVE IN EXCHANGE FOR THE OPT-IN APPROVAL OF SUCH
INDIVIDUAL TO THE PROCESSING OF SUCH INDIVIDUAL'S PERSONAL INFORMATION,
OR BECAUSE AN INDIVIDUAL DECLINES TO EXERCISE THE OPPORTUNITIES PROVIDED
UNDER SUBDIVISION TWO OF SECTION EIGHT HUNDRED NINETY-NINE-FF OF THIS
ARTICLE.
13. NOTWITHSTANDING SUBDIVISION TWELVE OF THIS SECTION, A COVERED
ENTITY MAY, WITH THE INDIVIDUAL'S FREELY GIVEN, SPECIFIC, INFORMED, AND
UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION, OPERATE A
PROGRAM IN WHICH INFORMATION, PRODUCTS, OR SERVICES SOLD TO THE INDIVID-
UAL ARE DISCOUNTED BASED ON SUCH INDIVIDUAL'S PRIOR PURCHASES FROM THE
COVERED ENTITY; PROVIDED THAT THE CAPTURED PERSONAL INFORMATION SHALL BE
PROCESSED SOLELY FOR THE PURPOSE OF OPERATING SUCH PROGRAM.
§ 899-FF. AFFIRMATIVE OBLIGATIONS. 1. CARE. (A) A COVERED ENTITY SHALL
STORE, TRANSMIT, AND PROTECT FROM DISCLOSURE ALL PERSONAL INFORMATION
USING THE REASONABLE STANDARD OF CARE WITHIN THE COVERED ENTITY'S INDUS-
TRY; AND SUCH COVERED ENTITY SHALL STORE, TRANSMIT, AND PROTECT FROM
DISCLOSURE ALL PERSONAL INFORMATION IN A MANNER THAT IS THE SAME AS OR
MORE PROTECTIVE THAN THE MANNER IN WHICH THE COVERED ENTITY STORES,
TRANSMITS, AND PROTECTS OTHER CONFIDENTIAL INFORMATION.
(B) THE DIVISION, IN CONSULTATION WITH THE OFFICE OF INFORMATION TECH-
NOLOGY SERVICES AND THE DEPARTMENT OF FINANCIAL SERVICES, MAY DEVELOP
APPROPRIATE SECURITY STANDARDS FOR PERSONAL INFORMATION. THIS PARAGRAPH
SHALL PREEMPT PARAGRAPH (A) OF THIS SUBDIVISION ONLY TO THE EXTENT THAT
THE SECURITY STANDARDS DEVELOPED ARE MORE PROTECTIVE OF PERSONAL INFOR-
MATION THAN THE INDUSTRY STANDARD OF CARE.
2. LOYALTY. (A) ABSENT FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIG-
UOUS OPT-IN CONSENT FROM THE INDIVIDUAL ENGAGING IN A TRANSACTION WITH A
COVERED ENTITY, A COVERED ENTITY SHALL NOT PROCESS PERSONAL INFORMATION
BEYOND WHAT IS ADEQUATE, RELEVANT, AND NECESSARY FOR THE COMPLETION OF
THE TRANSACTION REQUESTED BY SUCH INDIVIDUAL.
(B) A COVERED ENTITY THAT MAINTAINS AN INDIVIDUAL'S PERSONAL INFORMA-
TION SHALL PROVIDE SUCH INDIVIDUAL WITH A REASONABLE MEANS TO ACCESS
THEIR PERSONAL INFORMATION, INCLUDING ANY INFORMATION OBTAINED ABOUT
THAT INDIVIDUAL FROM A THIRD-PARTY, WHETHER ONLINE OR OFFLINE, AS WELL
AS INFORMATION ABOUT WHERE OR FROM WHOM THE COVERED ENTITY OBTAINED THE
PERSONAL INFORMATION AND THE NAMES OF THE THIRD PARTIES TO WHICH THE
COVERED ENTITY HAS DISCLOSED OR WILL DISCLOSE THE PERSONAL INFORMATION.
(C) A COVERED ENTITY THAT MAINTAINS AN INDIVIDUAL'S PERSONAL INFORMA-
TION SHALL PROVIDE THE ACCESS TO SUCH PERSONAL INFORMATION UNDER PARA-
GRAPH (B) OF THIS SUBDIVISION, IN A USABLE AND SEARCHABLE FORMAT THAT
ALLOWS THE INDIVIDUAL TO TRANSFER THE PERSONAL INFORMATION FROM ONE
ENTITY TO ANOTHER ENTITY WITHOUT HINDRANCE.
(D) A COVERED ENTITY THAT MAINTAINS AN INDIVIDUAL'S PERSONAL INFORMA-
TION IN A NON-PUBLIC PROFILE OR ACCOUNT SHALL DELETE SUCH PERSONAL
INFORMATION, AND ANY INFORMATION DERIVED THEREFROM, PERTAINING TO AN
INDIVIDUAL UPON SUCH INDIVIDUAL'S REQUEST.
(E) A COVERED ENTITY SHALL PROVIDE THE OPPORTUNITIES REQUIRED UNDER
PARAGRAPHS (B), (C) AND (D) OF THIS SUBDIVISION, IN A FORM THAT IS:
(I) CLEAR AND CONSPICUOUS;
(II) MADE AVAILABLE AT NO ADDITIONAL COST TO THE INDIVIDUAL TO WHOM
THE INFORMATION PERTAINS; AND
(III) IN A LANGUAGE OTHER THAN ENGLISH IF THE COVERED ENTITY COMMUNI-
CATES WITH THE INDIVIDUAL TO WHOM THE INFORMATION PERTAINS IN SUCH OTHER
LANGUAGE.
(F) A COVERED ENTITY SHALL COMPLY WITH AN INDIVIDUAL'S REQUEST UNDER
PARAGRAPHS (B), (C) AND (D) OF THIS SUBDIVISION, NOT LATER THAN NINETY
DAYS AFTER RECEIVING A VERIFIABLE REQUEST FROM THE INDIVIDUAL; OR, IF
THE INDIVIDUAL IS A MINOR UNDER THE AGE OF THIRTEEN, THE INDIVIDUAL'S
PARENT OR GUARDIAN; OR, IF THE INDIVIDUAL IS A MINOR BETWEEN THE AGES OF
THIRTEEN AND EIGHTEEN, EITHER THE INDIVIDUAL OR THE INDIVIDUAL'S PARENT
OR GUARDIAN.
(I) WHERE THE COVERED ENTITY HAS REASONABLE DOUBTS OR CANNOT VERIFY
THE IDENTITY OF THE INDIVIDUAL MAKING A REQUEST UNDER PARAGRAPHS (B),
(C) OR (D) OF THIS SUBDIVISION, THE COVERED ENTITY MAY REQUEST ADDI-
TIONAL PERSONAL INFORMATION NECESSARY FOR THE SPECIFIC PURPOSE OF
CONFIRMING THE IDENTITY OF SUCH INDIVIDUAL. IN SUCH CASES, THE ADDI-
TIONAL PERSONAL INFORMATION SHALL NOT BE PROCESSED FOR ANY PURPOSE OTHER
THAN VERIFYING THE IDENTITY OF THE INDIVIDUAL AND SHALL BE DELETED IMME-
DIATELY UPON VERIFICATION OR FAILURE TO VERIFY THE INDIVIDUAL.
(II) A COVERED ENTITY MAY NOT DE-IDENTIFY AN INDIVIDUAL'S PERSONAL
INFORMATION DURING THE NINETY-DAY PERIOD BEGINNING ON THE DATE ON WHICH
THE COVERED ENTITY RECEIVES A REQUEST FROM THE INDIVIDUAL PURSUANT TO
PARAGRAPHS (B), (C) AND (D) OF THIS SUBDIVISION.
(III) THE DIVISION MAY PROMULGATE RULES AND REGULATIONS SPECIFYING
ADDITIONAL REQUIREMENTS FOR A COVERED ENTITY'S RESPONSE TO REQUESTS
PURSUANT TO PARAGRAPHS (B), (C) AND (D) OF THIS SUBDIVISION.
(G) WHERE AN INDIVIDUAL HAS TAKEN STEPS BY THE ONLINE SELECTION OF
OPTIONS RELATED TO THE PROCESSING OF PERSONAL INFORMATION, A COVERED
ENTITY SHALL ADHERE TO SUCH SELECTIONS.
(H) A COVERED ENTITY SHALL NOT SHARE AN INDIVIDUAL'S DEVICE IDENTIFI-
ERS WITH ANY THIRD PARTY WITHOUT THE INDIVIDUAL'S FREELY GIVEN, SPECIF-
IC, INFORMED, AND UNAMBIGUOUS OPT-IN WRITTEN CONSENT.
3. CONFIDENTIALITY. (A) A COVERED ENTITY SHALL NOT DISCLOSE PERSONAL
INFORMATION TO A THIRD PARTY UNLESS THAT THIRD PARTY IS CONTRACTUALLY
BOUND TO THE COVERED ENTITY TO MEET THE SAME PRIVACY AND SECURITY OBLI-
GATIONS AS THE COVERED ENTITY. A COVERED ENTITY SHALL EXERCISE REASON-
ABLE OVERSIGHT AND TAKE REASONABLE ACTIONS, INCLUDING BY AUDITING THE
DATA SECURITY AND PROCESSING PRACTICES OF THE THIRD PARTY NO LESS THAN
ONCE ANNUALLY, TO ENSURE THE THIRD PARTY'S COMPLIANCE. THE COVERED ENTI-
TY SHALL PUBLISH THE RESULTS OF SUCH AUDIT PUBLICLY ON ITS WEBSITE.
(I) A COVERED ENTITY SHALL NOT PROCESS PERSONAL INFORMATION IT HAS
ACQUIRED FROM A THIRD PARTY, WITHOUT THE FREELY GIVEN, SPECIFIC,
INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM THE INDIVIDUAL TO WHOM
THAT PERSONAL INFORMATION PERTAINS UNLESS THE PROCESSING IS NECESSARY TO
OBTAIN SUCH INDIVIDUALS' FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIG-
UOUS OPT-IN CONSENT, IN WHICH THE COVERED ENTITY SHALL ONLY PROCESS THE
PERSONAL INFORMATION NECESSARY TO REQUEST FREELY GIVEN, SPECIFIC,
INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT AND SHALL IMMEDIATELY DELETE
SUCH PERSONAL INFORMATION IF CONSENT IS WITHHELD OR WITHDRAWN.
(II) A COVERED ENTITY THAT FACILITATES ACCESS TO PERSONAL INFORMATION
BY OTHER COVERED ENTITIES SHALL LIMIT ACCESS TO AND SEEK PROOF OF
DESTRUCTION OF SUCH PERSONAL INFORMATION IF THE FIRST COVERED ENTITY HAS
ACTUAL KNOWLEDGE THAT ANOTHER COVERED ENTITY HAS VIOLATED THIS SECTION.
(B) A COVERED ENTITY SHALL NOT DISCLOSE PERSONAL INFORMATION TO A DATA
PROCESSOR UNLESS THE COVERED ENTITY ENTERS INTO A CONTRACTUAL AGREEMENT
WITH SUCH DATA PROCESSOR THAT PROHIBITS THE DATA PROCESSOR FROM PROCESS-
ING SUCH PERSONAL INFORMATION FOR ANY PURPOSE OTHER THAN THE PURPOSES
FOR WHICH THE INDIVIDUAL PROVIDED THE PERSONAL INFORMATION TO THE
COVERED ENTITY, AND THAT REQUIRES THE DATA PROCESSOR TO MEET THE SAME
PRIVACY AND SECURITY OBLIGATIONS AS THE COVERED ENTITY. SUCH DATA
PROCESSOR SHALL NOT FURTHER DISCLOSE OR PROCESS PERSONAL INFORMATION IT
HAS ACQUIRED FROM THE COVERED ENTITY EXCEPT AS EXPLICITLY AUTHORIZED BY
THE CONTRACT. A COVERED ENTITY SHALL EXERCISE REASONABLE OVERSIGHT AND
TAKE REASONABLE ACTIONS, INCLUDING BUT NOT LIMITED TO, AUDITING THE DATA
SECURITY AND PROCESSING PRACTICES OF THE DATA PROCESSOR NO LESS THAN
ONCE ANNUALLY, TO ENSURE ITS DATA PROCESSOR'S COMPLIANCE. THE COVERED
ENTITY SHALL PUBLISH THE RESULTS OF SUCH AUDIT PUBLICLY ON ITS WEBSITE.
4. DUTY. A COVERED ENTITY THAT COLLECTS PERSONAL INFORMATION DIRECTLY
FROM AN INDIVIDUAL HAS A DUTY, WHEN PROCESSING SUCH PERSONAL INFORMA-
TION, TO PUT THE INTERESTS OF THE INDIVIDUAL AHEAD OF THE INTERESTS OF
THE COVERED ENTITY'S BUSINESS.
§ 899-GG. BIOMETRIC INFORMATION; RETENTION, COLLECTION, DISCLOSURE AND
DESTRUCTION. 1. A COVERED ENTITY OR GOVERNMENTAL ENTITY IN POSSESSION
OF BIOMETRIC INFORMATION SHALL DEVELOP A WRITTEN POLICY, MADE AVAILABLE
TO THE PUBLIC, ESTABLISHING A RETENTION SCHEDULE AND GUIDELINES FOR
PERMANENTLY DESTROYING BIOMETRIC INFORMATION WHEN THE INITIAL PURPOSE
FOR COLLECTING OR OBTAINING SUCH INFORMATION HAS BEEN SATISFIED, OR
WITHIN ONE YEAR OF THE INDIVIDUAL'S LAST INTERACTION WITH THE COVERED
ENTITY OR GOVERNMENTAL ENTITY, WHICHEVER OCCURS FIRST. ABSENT A VALID
WARRANT ISSUED BY A COURT OF COMPETENT JURISDICTION, A COVERED ENTITY OR
GOVERNMENTAL ENTITY IN POSSESSION OF BIOMETRIC INFORMATION SHALL COMPLY
WITH ITS ESTABLISHED RETENTION SCHEDULE AND DESTRUCTION GUIDELINES.
2. NO COVERED ENTITY SHALL COLLECT, CAPTURE, PURCHASE, RECEIVE THROUGH
TRADE, OR OTHERWISE OBTAIN AN INDIVIDUAL'S BIOMETRIC INFORMATION, UNLESS
IT FIRST:
(A) INFORMS THE SUBJECT OR THE SUBJECT'S LEGALLY AUTHORIZED REPRESEN-
TATIVE IN WRITING THAT BIOMETRIC INFORMATION IS BEING COLLECTED OR
STORED;
(B) INFORMS THE SUBJECT OR THE SUBJECT'S LEGALLY AUTHORIZED REPRESEN-
TATIVE IN WRITING OF THE SPECIFIC PURPOSE AND LENGTH OF TERM FOR WHICH
SUCH BIOMETRIC INFORMATION IS BEING COLLECTED, STORED, AND USED; AND
(C) RECEIVES A WRITTEN RELEASE EXECUTED BY THE SUBJECT OF THE BIOME-
TRIC INFORMATION OR THE SUBJECT'S LEGALLY AUTHORIZED REPRESENTATIVE.
3. ABSENT A LAW ENFORCEMENT INVESTIGATION PURSUANT TO A CRIMINAL INCI-
DENT, NO GOVERNMENTAL ENTITY SHALL COLLECT, CAPTURE, PURCHASE, RECEIVE
THROUGH TRADE, OR OTHERWISE OBTAIN AN INDIVIDUAL'S BIOMETRIC INFORMA-
TION, UNLESS:
(A) IT FIRST OBTAINS A VALID WARRANT ISSUED BY A COURT OF COMPETENT
JURISDICTION UNDER THE PROCEDURES DESCRIBED IN THE FEDERAL RULES OF
CRIMINAL PROCEDURE OR ARTICLE SIX HUNDRED NINETY OF THE CRIMINAL PROCE-
DURE LAW.
(B) IT BELIEVES THAT AN EMERGENCY INVOLVING IMMEDIATE DANGER OF DEATH
OR SERIOUS PHYSICAL INJURY TO ANY INDIVIDUAL REQUIRES OBTAINING, WITHOUT
DELAY, BIOMETRIC INFORMATION RELATED TO SUCH EMERGENCY AND THE REQUEST
IS NARROWLY TAILORED TO ADDRESS SUCH EMERGENCY, SUBJECT TO THE FOLLOWING
LIMITATIONS:
(I) THE REQUEST SHALL DOCUMENT THE FACTUAL BASIS FOR BELIEVING THAT AN
EMERGENCY INVOLVING IMMEDIATE DANGER OF DEATH OR SERIOUS PHYSICAL INJURY
TO AN INDIVIDUAL REQUIRES OBTAINING, WITHOUT DELAY, BIOMETRIC INFORMA-
TION RELATING TO SUCH EMERGENCY; AND
(II) NOT LATER THAN FORTY-EIGHT HOURS AFTER THE DATE ON WHICH A
GOVERNMENTAL ENTITY OBTAINS BIOMETRIC INFORMATION UNDER THIS PARAGRAPH,
THE GOVERNMENTAL ENTITY SHALL FILE WITH THE APPROPRIATE COURT A SIGNED,
SWORN STATEMENT OF A SUPERVISORY OFFICIAL OF A RANK DESIGNATED BY THE
HEAD OF SUCH GOVERNMENTAL ENTITY SETTING FORTH THE GROUNDS FOR THE EMER-
GENCY ACCESS; OR
(C) IT FIRST INFORMS THE SUBJECT OR THE SUBJECT'S LEGALLY AUTHORIZED
REPRESENTATIVE IN WRITING THAT BIOMETRIC INFORMATION IS BEING COLLECTED
OR STORED, THE SPECIFIC PURPOSE AND LENGTH OF TERM FOR WHICH SUCH BIOME-
TRIC INFORMATION IS BEING COLLECTED, STORED, AND USED, AND IT RECEIVES A
WRITTEN RELEASE EXECUTED BY THE SUBJECT OF THE BIOMETRIC INFORMATION OR
THE SUBJECT'S LEGALLY AUTHORIZED REPRESENTATIVE.
4. NO COVERED ENTITY OR GOVERNMENTAL ENTITY IN POSSESSION OF BIOMETRIC
INFORMATION SHALL SELL, LEASE, TRADE, MONETIZE, OR OTHERWISE PROFIT FROM
SUCH BIOMETRIC INFORMATION.
5. NO COVERED ENTITY OR GOVERNMENTAL ENTITY IN POSSESSION OF AN INDI-
VIDUAL'S BIOMETRIC INFORMATION SHALL DISCLOSE, REDISCLOSE, OR OTHERWISE
DISSEMINATE SUCH INDIVIDUAL'S BIOMETRIC INFORMATION UNLESS:
(A) THE SUBJECT OF THE BIOMETRIC INFORMATION OR THE SUBJECT'S LEGALLY
AUTHORIZED REPRESENTATIVE CONSENTS IN WRITING TO THE DISCLOSURE OR
REDISCLOSURE OF SUCH INFORMATION;
(B) THE DISCLOSURE OR REDISCLOSURE OF SUCH INFORMATION COMPLETES A
FINANCIAL TRANSACTION REQUESTED OR AUTHORIZED BY THE SUBJECT OF THE
BIOMETRIC IDENTIFIER OR THE BIOMETRIC INFORMATION OR THE SUBJECT'S
LEGALLY AUTHORIZED REPRESENTATIVE;
(C) THE DISCLOSURE OR REDISCLOSURE IS REQUIRED BY STATE OR FEDERAL
LAW; OR
(D) THE DISCLOSURE IS REQUIRED PURSUANT TO A VALID WARRANT ISSUED BY A
COURT OF COMPETENT JURISDICTION UNDER THE PROCEDURES DESCRIBED IN THE
FEDERAL RULES OF CRIMINAL PROCEDURE OR ARTICLE SIX HUNDRED NINETY OF THE
CRIMINAL PROCEDURE LAW.
6. THE REQUIREMENTS OF THIS SECTION ARE IN ADDITION TO THOSE IMPOSED
BY SECTIONS EIGHT HUNDRED NINETY-NINE-DD THROUGH EIGHT HUNDRED NINETY-
NINE-FF OF THIS ARTICLE.
7. (A) SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION SHALL NOT APPLY TO
BIOMETRIC INFORMATION CAPTURED FROM A PATIENT BY A HEALTH CARE PROVIDER
OR HEALTH CARE FACILITY, AS DEFINED IN SECTION EIGHTEEN OF THE PUBLIC
HEALTH LAW, OR BIOMETRIC INFORMATION COLLECTED, USED, OR STORED FOR
MEDICAL EDUCATION OR RESEARCH, PUBLIC HEALTH OR EPIDEMIOLOGICAL
PURPOSES, HEALTH CARE TREATMENT, PAYMENT, OR OPERATIONS UNDER THE FEDER-
AL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, OR TO
X-RAY, ROENTGEN PROCESS, COMPUTED TOMOGRAPHY, MRI, PET SCAN, MAMMOGRA-
PHY, OR OTHER IMAGE OR FILM OF THE HUMAN ANATOMY USED TO DIAGNOSE, PROG-
NOSE, OR TREAT AN ILLNESS OR OTHER MEDICAL CONDITION OR TO FURTHER VALI-
DATE SCIENTIFIC TESTING OR SCREENING.
(B) BIOMETRIC INFORMATION CAPTURED, COLLECTED, USED, OR STORED PURSU-
ANT TO PARAGRAPH (A) OF THIS SUBDIVISION, INCLUDING INFORMATION THAT HAS
BEEN DE-IDENTIFIED OR AGGREGATED, SHALL NOT BE USED, DISCLOSED, OR
OTHERWISE DISSEMINATED EXCEPT FOR:
(I) CLINICAL, TREATMENT, SCIENTIFIC, PUBLIC HEALTH, MEDICAL EDUCA-
TIONAL, MEDICAL TRAINING, RESEARCH, OR INSURANCE PURPOSES;
(II) IF REQUIRED BY STATE OR FEDERAL LAW;
(III) TO RESPOND TO A WARRANT ISSUED BY A COURT OF COMPETENT JURISDIC-
TION UNDER THE PROCEDURES DESCRIBED IN THE FEDERAL RULES OF CRIMINAL
PROCEDURE OR ARTICLE SIX HUNDRED NINETY OF THE CRIMINAL PROCEDURE LAW;
OR
(IV) IF THE SUBJECT OF THE BIOMETRIC INFORMATION OR THE SUBJECT'S
LEGALLY AUTHORIZED REPRESENTATIVE CONSENTS IN WRITING TO THE DISCLOSURE
OR REDISCLOSURE.
8. NOTHING IN SUBDIVISION SEVEN OF THIS SECTION SHALL AFFECT ANY
PERSON OR COVERED ENTITY'S RIGHTS OR OBLIGATIONS UNDER SECTION EIGHTEEN
OF THE PUBLIC HEALTH LAW.
§ 899-HH. SURREPTITIOUS SURVEILLANCE. A COVERED ENTITY SHALL NOT ACTI-
VATE THE MICROPHONE, CAMERA, OR OTHER SENSOR ON A DEVICE IN THE LAWFUL
POSSESSION OF AN INDIVIDUAL THAT IS CAPABLE OF COLLECTING OR TRANSMIT-
TING AUDIO, VIDEO, OR IMAGE DATA OR DATA THAT CAN BE DIRECTLY USED TO
MEASURE BIOMETRIC INFORMATION, HUMAN MOVEMENT, LOCATION, CHEMICALS,
LIGHT, RADIATION, AIR PRESSURE, SPEED, WEIGHT OR MASS, POSITIONAL OR
PHYSICAL ORIENTATION, MAGNETIC FIELDS, TEMPERATURE, OR SOUND WITHOUT
PROVIDING THE NOTICE REQUIRED BY SECTION EIGHT HUNDRED NINETY-NINE-DD OF
THIS ARTICLE AND OBTAINING THE INDIVIDUAL'S FREELY GIVEN, SPECIFIC,
INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT PURSUANT TO SECTION EIGHT
HUNDRED NINETY-NINE-EE OF THIS ARTICLE.
§ 899-II. ENFORCEMENT. 1. ANY INDIVIDUAL MAY BRING A CIVIL ACTION IN
ANY COURT OF COMPETENT JURISDICTION ALLEGING A VIOLATION OF THIS ARTI-
CLE, OR A VIOLATION OF A RULE OR REGULATION PROMULGATED TO EFFECTUATE
THE PROVISIONS OF THIS ARTICLE.
(A) A VIOLATION OF THIS ARTICLE, OR A VIOLATION OF A RULE OR REGU-
LATION PROMULGATED TO EFFECTUATE THE PROVISIONS OF THIS ARTICLE, WITH
RESPECT TO THE PERSONAL INFORMATION OF AN INDIVIDUAL CONSTITUTES A
REBUTTABLE PRESUMPTION OF HARM TO SUCH INDIVIDUAL.
(B) IN A CIVIL ACTION IN WHICH THE PLAINTIFF PREVAILS, THE COURT MAY
AWARD:
(I) LIQUIDATED DAMAGES OF TEN THOUSAND DOLLARS OR ACTUAL DAMAGES,
WHICHEVER IS GREATER;
(II) PUNITIVE DAMAGES; AND
(III) ANY OTHER RELIEF, INCLUDING AN INJUNCTION, THAT THE COURT DEEMS
APPROPRIATE.
(C) IN ADDITION TO ANY RELIEF AWARDED UNDER PARAGRAPH (B) OF THIS
SUBDIVISION, THE COURT SHALL AWARD REASONABLE ATTORNEY'S FEES AND COSTS
TO ANY PREVAILING PLAINTIFF.
2. THE ATTORNEY GENERAL MAY BRING AN ACTION IN THE NAME OF THE STATE,
OR AS A PARENS PATRIAE PROCEEDING ON BEHALF OF PERSONS RESIDING IN THE
STATE, TO ENFORCE THIS ARTICLE. IN SUCH ACTION, THE COURT MAY AWARD:
(A) INJUNCTIVE RELIEF, INCLUDING PRELIMINARY INJUNCTIONS, TO PREVENT
FURTHER VIOLATIONS OF AND COMPEL COMPLIANCE WITH THE PROVISIONS OF THIS
ARTICLE;
(B) CIVIL PENALTIES OF UP TO TWENTY-FIVE THOUSAND DOLLARS PER
VIOLATION, OR UP TO FOUR PERCENT OF ANNUAL REVENUE OF THE COVERED ENTI-
TY, DATA PROCESSOR, OR THIRD PARTY;
(C) OTHER APPROPRIATE RELIEF, INCLUDING RESTITUTION, TO REDRESS HARMS
TO INDIVIDUALS OR TO MITIGATE ALL SUBSTANTIAL RISK OF HARM; AND
(D) ANY OTHER RELIEF THE COURT DEEMS APPROPRIATE.
3. A DISTRICT ATTORNEY, OR A CITY ATTORNEY IN A CITY HAVING A POPU-
LATION IN EXCESS OF SEVEN HUNDRED FIFTY THOUSAND PEOPLE, MAY BRING AN
ACTION TO ENFORCE THIS ARTICLE. IN SUCH ACTION, THE COURT MAY AWARD:
(A) INJUNCTIVE RELIEF, INCLUDING PRELIMINARY INJUNCTIONS, TO PREVENT
FURTHER VIOLATIONS OF AND COMPEL COMPLIANCE WITH THE PROVISIONS OF THIS
ARTICLE;
(B) CIVIL PENALTIES OF UP TO TWENTY-FIVE THOUSAND DOLLARS PER
VIOLATION, OR UP TO FOUR PERCENT OF ANNUAL REVENUE OF THE COVERED ENTI-
TY, DATA PROCESSOR, OR THIRD PARTY;
(C) OTHER APPROPRIATE RELIEF, INCLUDING RESTITUTION, TO REDRESS HARMS
TO INDIVIDUALS OR TO MITIGATE ALL SUBSTANTIAL RISK OF HARM; AND
(D) ANY OTHER RELIEF THE COURT DEEMS APPROPRIATE.
4. WHEN CALCULATING DAMAGES AND CIVIL PENALTIES, THE COURT SHALL
CONSIDER THE NUMBER OF AFFECTED INDIVIDUALS, THE SEVERITY OF THE
VIOLATION, AND THE SIZE AND REVENUES OF THE COVERED ENTITY.
5. EACH INDIVIDUAL WHOSE PERSONAL INFORMATION IS UNLAWFULLY PROCESSED,
AND EACH INSTANCE OF PROCESSING COUNTS AS A SEPARATE VIOLATION. EACH
PROVISION OF THIS ARTICLE THAT IS VIOLATED COUNTS AS A SEPARATE
VIOLATION.
6. IT IS A VIOLATION OF THIS ARTICLE FOR A COVERED ENTITY, GOVERN-
MENTAL ENTITY, OR ANYONE ELSE ACTING ON BEHALF OF A COVERED ENTITY OR
GOVERNMENTAL ENTITY TO RETALIATE AGAINST AN INDIVIDUAL WHO MAKES A GOOD-
FAITH COMPLAINT THAT THERE HAS BEEN A FAILURE TO COMPLY WITH ANY
PROVISION OF THIS ARTICLE. AN INDIVIDUAL WHO IS INJURED BY A VIOLATION
OF THIS SUBDIVISION MAY BRING A CIVIL ACTION FOR MONETARY DAMAGES AND
INJUNCTIVE RELIEF IN ANY COURT OF COMPETENT JURISDICTION.
7. IF A SERIES OF STEPS OR TRANSACTIONS WERE COMPONENT PARTS OF A
SINGLE TRANSACTION INTENDED TO BE TAKEN WITH THE INTENTION OF AVOIDING
THE REACH OF THIS ARTICLE, A COURT SHALL DISREGARD THE INTERMEDIATE
STEPS OR TRANSACTIONS FOR PURPOSES OF EFFECTUATING THE PURPOSES OF THIS
ARTICLE.
8. ANY PROVISION OF A CONTRACT OR AGREEMENT OF ANY KIND, INCLUDING A
COVERED ENTITY'S TERMS OF SERVICE OR A PRIVACY POLICY, INCLUDING THE
SHORT-FORM PRIVACY NOTICE REQUIRED UNDER SECTION EIGHT HUNDRED NINETY-
NINE-DD OF THIS ARTICLE, THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY AN
INDIVIDUAL'S RIGHTS UNDER THIS ARTICLE, INCLUDING BUT NOT LIMITED TO,
ANY RIGHT TO A REMEDY OR MEANS OF ENFORCEMENT, SHALL BE DEEMED CONTRARY
TO PUBLIC POLICY AND SHALL BE VOID AND UNENFORCEABLE.
9. NO COVERED ENTITY, THAT IS A PROVIDER OF AN INTERACTIVE COMPUTER
SERVICE AS DEFINED IN 47 U.S.C. § 230, SHALL BE LIABLE FOR ANY PERSONAL
INFORMATION OR BIOMETRIC INFORMATION POSTED BY ANOTHER INFORMATION
CONTENT PROVIDER, AS DEFINED IN 47 U.S.C. § 230.
10. NO PRIVATE OR GOVERNMENT ACTION BROUGHT PURSUANT TO THIS SECTION
SHALL PRECLUDE ANY OTHER ACTION UNDER THIS ARTICLE.
§ 4. Section 292 of the executive law is amended by adding nine new
subdivisions 39, 40, 41, 42, 43, 44, 45, 46 and 47 to read as follows:
39. THE TERM "ADVERTISER" SHALL MEAN A PERSON WHO PROPOSES A COMMER-
CIAL TRANSACTION OR DISSEMINATES A PUBLIC OR PRIVATE COMMUNICATION OF
WHICH THE PRIMARY PURPOSE IS TO SOLICIT FOR AN OPPORTUNITY.
40. THE TERM "CONDUCT BUSINESS IN NEW YORK" SHALL MEAN TO PRODUCE,
SOLICIT, OR OFFER FOR USE OR SALE ANY PRODUCT OR SERVICE IN A MANNER
THAT INTENTIONALLY TARGETS, OR MAY REASONABLY BE EXPECTED TO CONTACT,
NEW YORK RESIDENTS, OR TO ENGAGE IN ANY ACTIVITY THAT WOULD SUBJECT THE
ACTOR TO PERSONAL JURISDICTION UNDER SECTION THREE HUNDRED ONE OR THREE
HUNDRED TWO OF THE CIVIL PRACTICE LAW AND RULES, WHETHER OR NOT FOR
PROFIT.
41. THE TERM "COVERED ENTITY" SHALL MEAN A LEGAL ENTITY THAT CONDUCTS
BUSINESS IN NEW YORK STATE AND AS PART OF SUCH BUSINESS, PROCESSES AND
MAINTAINS THE DATA OF FIVE HUNDRED OR MORE UNIQUE INDIVIDUALS.
42. THE TERM "GOVERNMENTAL ENTITY" SHALL MEAN A DEPARTMENT OR AGENCY
OF THE STATE OR A POLITICAL SUBDIVISION THEREOF, OR AN INDIVIDUAL ACTING
FOR OR ON BEHALF OF THE STATE OR A POLITICAL SUBDIVISION THEREOF.
43. THE TERM "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM A COVERED
ENTITY KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
44. THE TERM "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT
DIRECTLY OR INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF
BEING ASSOCIATED WITH, OR COULD REASONABLY BE LINKED TO A PARTICULAR
INDIVIDUAL, HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO
AN INDIVIDUAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN
COMBINATION WITH OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF
WHETHER SUCH OTHER INFORMATION IS HELD BY THE COVERED ENTITY, TO IDENTI-
FY AN INDIVIDUAL, HOUSEHOLD, OR DEVICE.
45. THE TERM "PROCESS" OR "PROCESSING" SHALL MEAN ANY ACTION OR SET OF
ACTIONS PERFORMED ON OR WITH PERSONAL INFORMATION, INCLUDING BUT NOT
LIMITED TO, COLLECTION, ACCESS, USE, RETENTION, SHARING, MONETIZING,
ANALYSIS, CREATION, GENERATION, DERIVATION, DECISION-MAKING, RECORDING,
ALTERNATION, ORGANIZATION, STRUCTURING, STORAGE, DISCLOSURE, TRANS-
MISSION, SALE, LICENSING, DISPOSAL, DESTRUCTION, DE-IDENTIFYING, OR
OTHER HANDLING OF PERSONAL INFORMATION.
46. THE TERM "PROXY" OR "PROXIES" SHALL MEAN INFORMATION THAT, BY
ITSELF OR IN COMBINATION WITH OTHER INFORMATION, IS USED BY A COVERED
ENTITY IN A WAY THAT DISCRIMINATES BASED ON ACTUAL OR PERCEIVED PERSONAL
CHARACTERISTICS OR CLASSES PROTECTED UNDER SECTION TWO HUNDRED NINETY-
SIX OF THIS ARTICLE.
47. THE TERM "TARGETED ADVERTISEMENT" SHALL MEAN AN ADVERTISEMENT
DIRECTED TO AN INDIVIDUAL WHERE THE ADVERTISEMENT IS SELECTED BASED ON
PERSONAL INFORMATION OBTAINED OR INFERRED OVER TIME FROM SUCH INDIVID-
UAL'S OR THE INDIVIDUAL'S DEVICE'S ACTIVITIES, COMMUNICATIONS, OR ASSO-
CIATIONS ACROSS WEBSITES, APPLICATIONS, SERVICES, OR COVERED ENTITIES.
SUCH TERM SHALL NOT INCLUDE ADVERTISEMENTS DIRECTED TO AN INDIVIDUAL
SOLELY BASED UPON THE INDIVIDUAL'S CURRENT VISIT TO A WEBSITE, APPLICA-
TION, SERVICE, OR COVERED ENTITY, OR IN RESPONSE TO THE INDIVIDUAL'S
REQUEST FOR INFORMATION OR FEEDBACK.
§ 5. The executive law is amended by adding a new section 296-e to
read as follows:
§ 296-E. UNLAWFUL DISCRIMINATORY PRACTICES RELATING TO TARGETED ADVER-
TISING. 1. IT SHALL BE AN UNLAWFUL DISCRIMINATORY PRACTICE:
(A) FOR A COVERED ENTITY TO PROCESS PERSONAL INFORMATION FOR THE
PURPOSE OF ADVERTISING, MARKETING, SOLICITING, OFFERING, SELLING, LEAS-
ING, LICENSING, RENTING, OR OTHERWISE COMMERCIALLY CONTRACTING FOR
EMPLOYMENT, FINANCE, HEALTH CARE, CREDIT, INSURANCE, HOUSING, OR EDUCA-
TION OPPORTUNITIES, IN A MANNER THAT DISCRIMINATES AGAINST OR OTHERWISE
MAKES THE OPPORTUNITY UNAVAILABLE ON THE BASIS OF AN INDIVIDUAL'S OR
CLASS OF INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, CREED, COLOR,
NATIONAL ORIGIN, SEXUAL ORIENTATION, GENDER IDENTITY OR EXPRESSION, SEX,
DISABILITY, PREDISPOSING GENETIC CHARACTERISTICS, OR DOMESTIC VIOLENCE
VICTIM STATUS.
(B) FOR A COVERED ENTITY OR GOVERNMENTAL ENTITY TO PROCESS PERSONAL
INFORMATION IN A MANNER THAT DISCRIMINATES IN OR OTHERWISE MAKES
UNAVAILABLE, ON THE BASIS OF AN INDIVIDUAL'S OR CLASS OF INDIVIDUALS'
ACTUAL OR PERCEIVED AGE, RACE, CREED, COLOR, NATIONAL ORIGIN, SEXUAL
ORIENTATION, GENDER IDENTITY OR EXPRESSION, SEX, DISABILITY, PREDISPOS-
ING GENETIC CHARACTERISTICS, OR DOMESTIC VIOLENCE VICTIM STATUS, ANY OF
THE FOLLOWING:
(I) THE GOODS, SERVICES, FACILITIES, PRIVILEGES, ADVANTAGES, OR ACCOM-
MODATIONS OF ANY INN, HOTEL, MOTEL, OR OTHER PLACE OF LODGING, EXCEPT
FOR AN ESTABLISHMENT LOCATED WITHIN A BUILDING THAT CONTAINS NOT MORE
THAN FIVE ROOMS FOR RENT OR HIRE AND THAT IS ACTUALLY OCCUPIED BY THE
PROPRIETOR OF SUCH ESTABLISHMENT AS THE RESIDENCE OF SUCH PROPRIETOR;
(II) ANY RESTAURANT, BAR, OR OTHER ESTABLISHMENT SERVING FOOD OR DRINK
TO THE PUBLIC;
(III) ANY MOTION PICTURE HOUSE, THEATER, CONCERT HALL, STADIUM, AUDI-
TORIUM, CONVENTION CENTER, OR LECTURE HALL;
(IV) ANY SALES OR RENTAL ESTABLISHMENT;
(V) ANY LAUNDROMAT, DRY-CLEANER, BANK, BARBER SHOP, BEAUTY SHOP, TRAV-
EL SERVICE, SHOE REPAIR SERVICE, FUNERAL PARLOR, GAS STATION, OFFICE OF
AN ACCOUNTANT OR LAWYER, PHARMACY, INSURANCE OFFICE, PROFESSIONAL OFFICE
OF A HEALTH CARE PROVIDER, HOSPITAL, OR OTHER SERVICE ESTABLISHMENT;
(VI) ANY TERMINAL, DEPOT, OR OTHER STATION USED FOR SPECIFIED PUBLIC
TRANSPORTATION;
(VII) ANY MUSEUM, LIBRARY, OR GALLERY;
(VIII) ANY PARK, ZOO, OR AMUSEMENT PARK;
(IX) A NURSERY, ELEMENTARY, SECONDARY, UNDERGRADUATE, OR POSTGRADUATE
SCHOOL, OR OTHER PLACE OF EDUCATION;
(X) ANY DAY CARE CENTER, SENIOR CITIZEN CENTER, HOMELESS SHELTER, FOOD
BANK, ADOPTION AGENCY, OR OTHER SOCIAL SERVICE CENTER ESTABLISHMENT; OR
(XI) ANY GYMNASIUM, HEALTH SPA, BOWLING ALLEY, GOLF COURSE, OR OTHER
PLACE OF EXERCISE.
(C) FOR A COVERED ENTITY OR GOVERNMENTAL ENTITY THAT OFFERS, FACILI-
TATES, SELLS, PLACES, DISPLAYS, OR PROVIDES INDIVIDUAL LEVEL INFORMATION
TO ENABLE TARGETED ADVERTISEMENTS FOR EMPLOYMENT, FINANCE, HEALTH CARE,
CREDIT, INSURANCE, HOUSING, EDUCATION OPPORTUNITIES, OR PLACES OF PUBLIC
ACCOMMODATION, RESORT OR AMUSEMENT, AS DESCRIBED IN PARAGRAPH (B) OF
THIS SUBDIVISION, TO ENABLE ADVERTISERS TO TARGET SUCH ADVERTISEMENTS
BASED ON ACTUAL OR PERCEIVED PERSONAL CHARACTERISTICS OR CLASSES, OR
PROXIES THEREFOR, PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THIS
ARTICLE, INCLUDING ACTUAL OR PERCEIVED AGE, RACE, CREED, COLOR, NATIONAL
ORIGIN, SEXUAL ORIENTATION, GENDER IDENTITY OR EXPRESSION, SEX, DISABIL-
ITY, PREDISPOSING GENETIC CHARACTERISTICS, OR DOMESTIC VIOLENCE VICTIM
STATUS.
2. A COVERED ENTITY OR GOVERNMENTAL ENTITY THAT SELLS OR PLACES
TARGETED ADVERTISEMENTS FOR EMPLOYMENT, FINANCE, HEALTH CARE, CREDIT,
INSURANCE, HOUSING, EDUCATION OPPORTUNITIES OR PLACES OF PUBLIC ACCOMMO-
DATION, RESORT OR AMUSEMENT, AS DESCRIBED IN PARAGRAPH (B) OF THIS
SUBDIVISION, SHALL REQUIRE ADVERTISERS TO CERTIFY THAT THEY ARE IN
COMPLIANCE WITH SECTION TWO HUNDRED NINETY-SIX OF THIS ARTICLE.
3. NOTHING IN THIS SECTION SHALL LIMIT A COVERED ENTITY FROM PROCESS-
ING PERSONAL INFORMATION FOR LEGITIMATE TESTING FOR THE PURPOSE OF
PREVENTING UNLAWFUL DISCRIMINATION OR OTHERWISE DETERMINING THE EXTENT
OR EFFECTIVENESS OF SUCH COVERED ENTITY'S OR GOVERNMENTAL ENTITY'S
COMPLIANCE WITH THIS SECTION.
§ 6. The general business law is amended by adding a new section 350-
a-1 to read as follows:
§ 350-A-1. TARGETED ADVERTISING. 1. FOR THE PURPOSES OF THIS SECTION,
THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEANINGS:
(A) "ADVERTISER" SHALL MEAN A PERSON WHO PROPOSES A COMMERCIAL TRANS-
ACTION OR DISSEMINATES A PUBLIC OR PRIVATE COMMUNICATION OF WHICH THE
PRIMARY PURPOSE IS TO SOLICIT FOR AN OPPORTUNITY.
(B) "CONDUCT BUSINESS IN NEW YORK" SHALL MEAN TO PRODUCE, SOLICIT, OR
OFFER FOR USE OR SALE ANY PRODUCT OR SERVICE IN A MANNER THAT INTEN-
TIONALLY TARGETS, OR MAY REASONABLY BE EXPECTED TO CONTACT, NEW YORK
RESIDENTS, OR TO ENGAGE IN ANY ACTIVITY THAT WOULD SUBJECT THE ACTOR TO
PERSONAL JURISDICTION UNDER SECTION THREE HUNDRED ONE OR SECTION THREE
HUNDRED TWO OF THE CIVIL PRACTICE LAW AND RULES, WHETHER OR NOT FOR
PROFIT.
(C) "COVERED ENTITY" SHALL MEAN A LEGAL ENTITY THAT CONDUCTS BUSINESS
IN NEW YORK STATE AND AS PART OF SUCH BUSINESS, PROCESSES AND MAINTAINS
THE DATA OF FIVE HUNDRED OR MORE UNIQUE INDIVIDUALS.
(D) "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM A COVERED ENTITY
KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
(E) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT DIRECTLY OR
INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSO-
CIATED WITH, OR COULD REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL,
HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN COMBINATION
WITH OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER SUCH
OTHER INFORMATION IS HELD BY THE COVERED ENTITY, TO IDENTIFY AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE.
(F) "PROCESS" OR "PROCESSING" SHALL MEAN ANY ACTION OR SET OF ACTIONS
PERFORMED ON OR WITH PERSONAL INFORMATION, INCLUDING BUT NOT LIMITED TO,
COLLECTION, ACCESS, USE, RETENTION, SHARING, MONETIZING, ANALYSIS,
CREATION, GENERATION, DERIVATION, DECISION-MAKING, RECORDING, ALTER-
NATION, ORGANIZATION, STRUCTURING, STORAGE, DISCLOSURE, TRANSMISSION,
SALE, LICENSING, DISPOSAL, DESTRUCTION, DE-IDENTIFYING, OR OTHER HANDL-
ING OF PERSONAL INFORMATION.
(G) "PROXY" OR "PROXIES" SHALL MEAN INFORMATION THAT, BY ITSELF OR IN
COMBINATION WITH OTHER INFORMATION, IS USED BY A COVERED ENTITY IN A WAY
THAT DISCRIMINATES BASED ON ACTUAL OR PERCEIVED PERSONAL CHARACTERISTICS
OR CLASSES PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECU-
TIVE LAW.
(H) "TARGETED ADVERTISEMENT" SHALL MEAN AN ADVERTISEMENT DIRECTED TO
AN INDIVIDUAL WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL
INFORMATION OBTAINED OR INFERRED OVER TIME FROM SUCH INDIVIDUAL'S OR THE
INDIVIDUAL'S DEVICE'S ACTIVITIES, COMMUNICATIONS, OR ASSOCIATIONS ACROSS
WEBSITES, APPLICATIONS, SERVICES, OR COVERED ENTITIES. SUCH TERM SHALL
NOT INCLUDE ADVERTISEMENTS DIRECTED TO AN INDIVIDUAL SOLELY BASED UPON
THE INDIVIDUAL'S CURRENT VISIT TO A WEBSITE, APPLICATION, SERVICE, OR
COVERED ENTITY, OR IN RESPONSE TO THE INDIVIDUAL'S REQUEST FOR INFORMA-
TION OR FEEDBACK.
2. IT SHALL BE UNLAWFUL:
(A) FOR A COVERED ENTITY TO PROCESS PERSONAL INFORMATION FOR THE
PURPOSE OF ADVERTISING, MARKETING, SOLICITING, OFFERING, SELLING, LEAS-
ING, LICENSING, RENTING, OR OTHERWISE COMMERCIALLY CONTRACTING FOR
EMPLOYMENT, FINANCE, HEALTH CARE, CREDIT, INSURANCE, HOUSING, OR EDUCA-
TION OPPORTUNITIES, IN A MANNER THAT DISCRIMINATES AGAINST OR OTHERWISE
MAKES THE OPPORTUNITY UNAVAILABLE ON THE BASIS OF AN INDIVIDUAL'S OR
CLASS OF INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, CREED, COLOR,
NATIONAL ORIGIN, SEXUAL ORIENTATION, GENDER IDENTITY OR EXPRESSION, SEX,
DISABILITY, PREDISPOSING GENETIC CHARACTERISTICS, OR DOMESTIC VIOLENCE
VICTIM STATUS.
(B) FOR A COVERED ENTITY OR GOVERNMENTAL ENTITY TO PROCESS PERSONAL
INFORMATION IN A MANNER THAT DISCRIMINATES IN OR OTHERWISE MAKES
UNAVAILABLE, ON THE BASIS OF AN INDIVIDUAL'S OR CLASS OF INDIVIDUALS'
ACTUAL OR PERCEIVED AGE, RACE, CREED, COLOR, NATIONAL ORIGIN, SEXUAL
ORIENTATION, GENDER IDENTITY OR EXPRESSION, SEX, DISABILITY, PREDISPOS-
ING GENETIC CHARACTERISTICS, OR DOMESTIC VIOLENCE VICTIM STATUS, ANY OF
THE FOLLOWING:
(I) THE GOODS, SERVICES, FACILITIES, PRIVILEGES, ADVANTAGES, OR ACCOM-
MODATIONS OF ANY INN, HOTEL, MOTEL, OR OTHER PLACE OF LODGING, EXCEPT
FOR AN ESTABLISHMENT LOCATED WITHIN A BUILDING THAT CONTAINS NOT MORE
THAN FIVE ROOMS FOR RENT OR HIRE AND THAT IS ACTUALLY OCCUPIED BY THE
PROPRIETOR OF SUCH ESTABLISHMENT AS THE RESIDENCE OF SUCH PROPRIETOR;
(II) ANY RESTAURANT, BAR, OR OTHER ESTABLISHMENT SERVING FOOD OR DRINK
TO THE PUBLIC;
(III) ANY MOTION PICTURE HOUSE, THEATER, CONCERT HALL, STADIUM, AUDI-
TORIUM, CONVENTION CENTER, OR LECTURE HALL;
(IV) ANY SALES OR RENTAL ESTABLISHMENT;
(V) ANY LAUNDROMAT, DRY-CLEANER, BANK, BARBER SHOP, BEAUTY SHOP, TRAV-
EL SERVICE, SHOE REPAIR SERVICE, FUNERAL PARLOR, GAS STATION, OFFICE OF
AN ACCOUNTANT OR LAWYER, PHARMACY, INSURANCE OFFICE, PROFESSIONAL OFFICE
OF A HEALTH CARE PROVIDER, HOSPITAL, OR OTHER SERVICE ESTABLISHMENT;
(VI) ANY TERMINAL, DEPOT, OR OTHER STATION USED FOR SPECIFIED PUBLIC
TRANSPORTATION;
(VII) ANY MUSEUM, LIBRARY, OR GALLERY;
(VIII) ANY PARK, ZOO, OR AMUSEMENT PARK;
(IX) A NURSERY, ELEMENTARY, SECONDARY, UNDERGRADUATE, OR POSTGRADUATE
SCHOOL, OR OTHER PLACE OF EDUCATION;
(X) ANY DAY CARE CENTER, SENIOR CITIZEN CENTER, HOMELESS SHELTER, FOOD
BANK, ADOPTION AGENCY, OR OTHER SOCIAL SERVICE CENTER ESTABLISHMENT; OR
(XI) ANY GYMNASIUM, HEALTH SPA, BOWLING ALLEY, GOLF COURSE, OR OTHER
PLACE OF EXERCISE.
(C) FOR A COVERED ENTITY THAT OFFERS, FACILITATES, SELLS, PLACES,
DISPLAYS, OR PROVIDES INDIVIDUAL LEVEL INFORMATION TO ENABLE TARGETED
ADVERTISEMENTS FOR EMPLOYMENT, FINANCE, HEALTH CARE, CREDIT, INSURANCE,
HOUSING, EDUCATION OPPORTUNITIES, OR PLACES OF PUBLIC ACCOMMODATION,
RESORT OR AMUSEMENT, AS DESCRIBED IN PARAGRAPH (B) OF THIS SUBDIVISION,
TO ENABLE ADVERTISERS TO TARGET SUCH ADVERTISEMENTS BASED ON ACTUAL OR
PERCEIVED PERSONAL CHARACTERISTICS OR CLASSES, OR PROXIES THEREFOR,
PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW,
INCLUDING ACTUAL OR PERCEIVED AGE, RACE, CREED, COLOR, NATIONAL ORIGIN,
SEXUAL ORIENTATION, GENDER IDENTITY OR EXPRESSION, SEX, DISABILITY,
PREDISPOSING GENETIC CHARACTERISTICS, OR DOMESTIC VIOLENCE VICTIM
STATUS.
3. A COVERED ENTITY THAT SELLS OR PLACES TARGETED ADVERTISEMENTS FOR
EMPLOYMENT, FINANCE, HEALTH CARE, CREDIT, INSURANCE, HOUSING, EDUCATION
OPPORTUNITIES OR PLACES OF PUBLIC ACCOMMODATION, RESORT OR AMUSEMENT, AS
DESCRIBED IN PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION, SHALL
REQUIRE ADVERTISERS TO CERTIFY THAT THEY ARE IN COMPLIANCE WITH SECTION
TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW.
4. NOTHING IN THIS SECTION SHALL LIMIT A COVERED ENTITY FROM PROCESS-
ING PERSONAL INFORMATION FOR LEGITIMATE TESTING FOR THE PURPOSE OF
PREVENTING UNLAWFUL DISCRIMINATION OR OTHERWISE DETERMINING THE EXTENT
OR EFFECTIVENESS OF SUCH COVERED ENTITY'S COMPLIANCE WITH THIS SECTION.
§ 7. Section 165 of the state finance law is amended by adding two new
subdivisions 9 and 10 to read as follows:
9. AUTOMATED DECISION SYSTEM IMPACT ASSESSMENTS.
A. FOR THE PURPOSE OF THIS SUBDIVISION, THE FOLLOWING TERMS SHALL HAVE
THE FOLLOWING MEANINGS:
(I) "AUTOMATED DECISION SYSTEM" SHALL MEAN ANY SOFTWARE, SYSTEM, OR
PROCESS THAT IS DESIGNED TO AID OR REPLACE HUMAN DECISION MAKING. SUCH
TERM MAY INCLUDE ANALYZING COMPLEX DATASETS TO GENERATE SCORES, PREDIC-
TIONS, CLASSIFICATIONS, OR SOME RECOMMENDED ACTION OR ACTIONS, WHICH ARE
USED BY AGENCIES TO MAKE DECISIONS THAT IMPACT HUMAN WELFARE.
(II) "AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT" SHALL MEAN A STUDY
EVALUATING AN AUTOMATED DECISION SYSTEM AND THE AUTOMATED DECISION
SYSTEM'S DEVELOPMENT PROCESSES, INCLUDING THE DESIGN AND TRAINING DATA
OF THE AUTOMATED DECISION SYSTEM, FOR STATISTICAL IMPACTS ON CLASSES
PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW, AS
WELL AS FOR IMPACTS ON PRIVACY, AND SECURITY THAT INCLUDES AT A MINIMUM:
(A) A DETAILED DESCRIPTION OF THE AUTOMATED DECISION SYSTEM, ITS
DESIGN, ITS TRAINING, ITS DATA, AND ITS PURPOSE;
(B) AN ASSESSMENT OF THE RELATIVE BENEFITS AND COSTS OF THE AUTOMATED
DECISION SYSTEM IN LIGHT OF ITS PURPOSE, TAKING INTO ACCOUNT RELEVANT
FACTORS, INCLUDING DATA MINIMIZATION PRACTICES, THE DURATION FOR WHICH
PERSONAL INFORMATION AND THE RESULTS OF THE AUTOMATED DECISION SYSTEM
ARE STORED, WHAT INFORMATION ABOUT THE AUTOMATED DECISION SYSTEM ARE
AVAILABLE TO THE PUBLIC, AND THE RECIPIENTS OF THE RESULTS OF THE AUTO-
MATED DECISION SYSTEM;
(C) AN ASSESSMENT OF THE RISK OF HARM POSED BY THE AUTOMATED DECISION
SYSTEM AND THE RISK THAT SUCH AUTOMATED DECISION SYSTEM MAY RESULT IN OR
CONTRIBUTE TO INACCURATE, UNFAIR, BIASED, OR DISCRIMINATORY DECISIONS
IMPACTING INDIVIDUALS; AND
(D) THE MEASURES THE STATE AGENCY WILL EMPLOY TO MINIMIZE THE RISKS
DESCRIBED IN ITEM (C) OF THIS SUBPARAGRAPH, INCLUDING TECHNOLOGICAL AND
PHYSICAL SAFEGUARDS.
(III) "HARM" SHALL MEAN POTENTIAL OR REALIZED ADVERSE CONSEQUENCES TO
AN INDIVIDUAL OR TO SOCIETY, INCLUDING BUT NOT LIMITED TO:
(A) DIRECT OR INDIRECT FINANCIAL HARM.
(B) PHYSICAL HARM OR THREATS TO PERSONS OR PROPERTY, INCLUDING BUT NOT
LIMITED TO BIAS-RELATED CRIMES AND THREATS, HARASSMENT, AND SEXUAL
HARASSMENT.
(C) DISCRIMINATION IN GOODS, SERVICES, OR ECONOMIC OPPORTUNITY,
INCLUDING BUT NOT LIMITED TO HOUSING, EMPLOYMENT, CREDIT, INSURANCE,
EDUCATION, OR HEALTH CARE ON THE BASIS OF AN INDIVIDUAL OR CLASS OF
INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, NATIONAL ORIGIN, SEX, SEXUAL
ORIENTATION, GENDER IDENTITY, MARITAL STATUS, DISABILITY, MILITARY
STATUS, AND/OR MEMBERSHIP IN ANOTHER PROTECTED CLASS.
(D) INTERFERENCE WITH OR SURVEILLANCE OF FIRST AMENDMENT-PROTECTED
ACTIVITIES BY STATE ACTORS.
(E) INTERFERENCE WITH THE RIGHT TO VOTE OR WITH FREE AND FAIR
ELECTIONS.
(F) INTERFERENCE WITH DUE PROCESS OR EQUAL PROTECTION UNDER LAW.
(G) LOSS OF INDIVIDUAL CONTROL OVER PERSONAL INFORMATION, NONCONSENSU-
AL SHARING OF PRIVATE INFORMATION, AND DATA BREACH.
(H) THE NONCONSENSUAL CAPTURE OF INFORMATION OR COMMUNICATIONS WITHIN
AN INDIVIDUAL'S HOME OR WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION
OF SECLUSION OR ACCESS CONTROL.
(I) OTHER EFFECTS ON AN INDIVIDUAL THAT MAY NOT BE REASONABLY FORESEE-
ABLE TO, CONTEMPLATED BY, OR EXPECTED BY THE INDIVIDUAL TO WHOM THE
PERSONAL INFORMATION RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEA-
BLE, CONTEMPLATED BY, OR EXPECTED BY THE COVERED ENTITY THAT ALTER OR
LIMIT SUCH INDIVIDUAL'S CHOICES OR PREDETERMINE RESULTS.
(IV) "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM A COVERED ENTITY
KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
(V) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT DIRECTLY OR
INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSO-
CIATED WITH, OR COULD REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL,
HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN COMBINATION
WITH OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER SUCH
OTHER INFORMATION IS HELD BY THE STATE AGENCY, TO IDENTIFY AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE.
(VI) "PROXY" OR "PROXIES" SHALL MEAN INFORMATION THAT, BY ITSELF OR IN
COMBINATION WITH OTHER INFORMATION, IS USED BY A COVERED ENTITY IN A WAY
THAT DISCRIMINATES BASED ON ACTUAL OR PERCEIVED PERSONAL CHARACTERISTICS
OR CLASSES PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECU-
TIVE LAW.
(VII) "TRAINING DATA" SHALL MEAN THE DATASETS USED TO TRAIN AN AUTO-
MATED DECISION SYSTEM, MACHINE LEARNING ALGORITHM, OR CLASSIFIER TO
CREATE AND DERIVE PATTERNS FROM A PREDICTION MODEL.
B. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM UNLESS IT FIRST ENGAGES A NEUTRAL THIRD PARTY
TO CONDUCT AN AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT AND PUBLISHES
ON ITS PUBLIC WEBSITE THAT AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT:
(I) OF EXISTING AUTOMATED DECISION SYSTEM WITHIN ONE YEAR OF THE
EFFECTIVE DATE OF THIS SUBDIVISION AND EVERY TWO YEARS THEREAFTER.
(II) OF NEW AUTOMATED DECISION SYSTEMS PRIOR TO ACQUISITION AND EVERY
TWO YEARS THEREAFTER.
C. UPON PUBLICATION OF AN AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT,
THE PUBLIC SHALL HAVE FORTY-FIVE DAYS TO SUBMIT COMMENTS ON SUCH ASSESS-
MENT TO THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION. THE STATE AND ANY GOVERNMENTAL AGENCY, POLI-
TICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION SHALL CONSIDER SUCH
PUBLIC COMMENTS WHEN DETERMINING WHETHER TO PURCHASE, OBTAIN, PROCURE,
ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN AUTOMATED
DECISION SYSTEM AND SHALL POST RESPONSES TO SUCH PUBLIC COMMENTS TO ITS
WEBSITE WITHIN FORTY-FIVE DAYS AFTER THE CLOSE OF THE PUBLIC COMMENT
PERIOD.
D. THE STATE PROCUREMENT COUNCIL SHALL, IN CONSULTATION WITH THE
OFFICE OF INFORMATION TECHNOLOGY SERVICES, THE DIVISION OF HUMAN RIGHTS
AND EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL BE
DIRECTLY AFFECTED BY AUTOMATED DECISION SYSTEMS, PROMULGATE RULES AND
REGULATIONS TO SET THE MINIMUM STANDARD ENTITIES SHALL MEET TO SERVE AS
NEUTRAL THIRD PARTIES CONDUCTING AUTOMATED DECISION SYSTEM IMPACT
ASSESSMENTS.
E. THE STATE PROCUREMENT COUNCIL SHALL MAINTAIN A PUBLICLY AVAILABLE
LIST OF NEUTRAL THIRD PARTIES THAT MEET THE QUALIFICATIONS OUTLINED IN
PARAGRAPH D OF THIS SUBDIVISION.
F. WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS SUBDIVISION, THE
OFFICE OF INFORMATION TECHNOLOGY SERVICES, IN CONSULTATION WITH THE
DIVISION OF HUMAN RIGHTS AND EXPERTS AND REPRESENTATIVES FROM THE COMMU-
NITIES THAT WILL BE DIRECTLY AFFECTED BY AUTOMATED DECISION SYSTEMS,
SHALL COMPLETE AND PUBLISH ON ITS WEBSITE A COMPREHENSIVE STUDY OF THE
STATISTICAL IMPACTS OF AUTOMATED DECISION SYSTEMS ON CLASSES PROTECTED
UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW, INCLUDING BUT
NOT LIMITED TO, EVALUATING THE USE OF PROXIES AND THE TYPES OF DATA USED
IN TRAINING DATA SETS AND THE RISKS ASSOCIATED WITH PARTICULAR TYPES OF
TRAINING DATA.
(I) AS PART OF SUCH STUDY, THE OFFICE OF INFORMATION TECHNOLOGY
SERVICES SHALL REVIEW THE AUTOMATED DECISION SYSTEM IMPACT ASSESSMENTS
THAT HAVE BEEN PUBLISHED PRIOR TO COMPLETION OF THE STUDY, AS WELL AS
THE PUBLIC COMMENTS SUBMITTED IN RESPONSE TO SUCH AUTOMATED DECISION
IMPACT ASSESSMENTS.
(II) THE OFFICE MAY REQUEST DATA AND INFORMATION FROM: STATE AGENCIES;
CONSUMER PROTECTION, CIVIL RIGHTS, AND PRIVACY ADVOCATES; RESEARCHERS
AND ACADEMICS; PRIVATE ENTITIES THAT DEVELOP OR DEPLOY AUTOMATED DECI-
SION SYSTEMS; AND OTHER RELEVANT SOURCES TO MEET THE PURPOSE OF SUCH
STUDY. THE OFFICE SHALL RECEIVE, UPON REQUEST, DATA FROM OTHER STATE
AGENCIES.
10. AUTOMATED DECISION SYSTEM USE POLICIES; NOTICE AND HUMAN REVIEW
REQUIREMENTS.
A. FOR THE PURPOSE OF THIS SUBDIVISION, THE FOLLOWING TERMS SHALL HAVE
THE FOLLOWING MEANINGS:
(I) "AUTOMATED DECISION SYSTEM" SHALL MEAN ANY SOFTWARE, SYSTEM, OR
PROCESS THAT IS DESIGNED TO AID OR REPLACE HUMAN DECISION MAKING. SUCH
TERM MAY INCLUDE ANALYZING COMPLEX DATASETS TO GENERATE SCORES, PREDIC-
TIONS, CLASSIFICATIONS, OR SOME RECOMMENDED ACTION OR ACTIONS, WHICH ARE
USED BY AGENCIES TO MAKE DECISIONS THAT IMPACT HUMAN WELFARE.
(II) "AUTOMATED DECISION SYSTEM USE POLICY" SHALL MEAN:
(A) A DESCRIPTION OF THE CAPABILITIES OF THE AUTOMATED DECISION
SYSTEM, ANY DECISIONS THAT SUCH SYSTEM IS USED TO MAKE OR ASSIST IN
MAKING AND ANY SPECIFIC TYPES OR GROUPS OF PERSONS PROTECTED UNDER
SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW WHO ARE LIKELY TO BE
AFFECTED BY SUCH DECISIONS;
(B) RULES, PROCESSES, AND GUIDELINES ISSUED BY THE STATE AGENCY REGU-
LATING ACCESS TO OR USE OF SUCH AUTOMATED DECISION SYSTEM, AS WELL AS
ANY PROHIBITIONS OR RESTRICTIONS ON USE;
(C) SAFEGUARDS OR SECURITY MEASURES DESIGNED TO PROTECT INFORMATION
COLLECTED BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM, INCLUDING
BUT NOT LIMITED TO, THE EXISTENCE OF ENCRYPTION AND ACCESS CONTROL MECH-
ANISMS;
(D) POLICIES AND PRACTICES RELATING TO THE RETENTION, ACCESS, AND USE
OF DATA COLLECTED BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM, AS
WELL AS THE DECISIONS RENDERED BY SUCH AUTOMATED DECISION SYSTEM;
(E) WHETHER OTHER ENTITIES OUTSIDE THE STATE AGENCY HAVE ACCESS TO THE
INFORMATION AND DATA USED BY OR INPUTTED INTO THE AUTOMATED DECISION
SYSTEM OR THE DECISIONS RENDERED BY THE AUTOMATED DECISION SYSTEM,
INCLUDING WHETHER THE OUTSIDE ENTITY IS LOCAL, STATE, FEDERAL, OR
PRIVATE, THE TYPE OF INFORMATION AND DATA THAT MAY BE DISCLOSED, AND ANY
SAFEGUARDS OR RESTRICTIONS IMPOSED BY THE AGENCY ON THE OUTSIDE ENTITY
REGARDING THE USE OR DISSEMINATION OF THE INFORMATION, DATA, OR DECI-
SION;
(F) WHETHER ANY TRAINING IS REQUIRED BY THE STATE AGENCY FOR AN INDI-
VIDUAL TO USE SUCH AUTOMATED DECISION SYSTEM OR ACCESS INFORMATION
COLLECTED BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM OR THE
DECISIONS RENDERED BY THE AUTOMATED DECISION SYSTEM;
(G) A DESCRIPTION OF THE INTERNAL AND EXTERNAL AUDIT AND OVERSIGHT
MECHANISMS, INCLUDING THE MECHANISM FOR HUMAN REVIEW REQUIRED UNDER
PARAGRAPH G OF THIS SUBDIVISION, TO ENSURE COMPLIANCE WITH THE AUTOMATED
DECISION USE POLICY AND THAT THE AUTOMATED DECISION SYSTEM DOES NOT
RESULT IN HARM TO AN INDIVIDUAL;
(H) RELEVANT TECHNICAL INFORMATION ABOUT THE AUTOMATED DECISION
SYSTEM, INCLUDING THE SYSTEM'S NAME, VENDOR, AND VERSION, AS WELL AS A
DESCRIPTION OF THE AUTOMATED DECISION SYSTEM'S GENERAL CAPABILITIES,
INCLUDING REASONABLY FORESEEABLE CAPABILITIES OUTSIDE THE SCOPE OF THE
AGENCY'S PROPOSED USE;
(I) THE TYPE OR TYPES OF DATA INPUTS THAT THE AUTOMATED DECISION
SYSTEM USES, HOW THAT DATA IS GENERATED, COLLECTED, AND PROCESSED, AND
THE TYPES OF DATA THE SYSTEM IS REASONABLY LIKELY TO GENERATE;
(J) HOW AND WHEN THE AUTOMATED DECISION SYSTEM WILL BE DEPLOYED OR
USED AND BY WHOM, INCLUDING BUT NOT LIMITED TO, THE FACTORS THAT WILL BE
USED TO DETERMINE WHERE, WHEN, AND HOW THE TECHNOLOGY IS DEPLOYED;
(K) A DESCRIPTION OF ANY PUBLIC OR COMMUNITY ENGAGEMENT HELD AND ANY
FUTURE PUBLIC OR COMMUNITY ENGAGEMENT PLANS IN CONNECTION WITH THE AUTO-
MATED DECISION SYSTEM; AND
(L) A DESCRIPTION OF THE FISCAL IMPACT OF THE AUTOMATED DECISION
SYSTEM, INCLUDING INITIAL ACQUISITION COSTS, ONGOING OPERATING COSTS,
SUCH AS MAINTENANCE, LICENSING, PERSONNEL, LEGAL COMPLIANCE, USE AUDIT-
ING, DATA RETENTION, AND SECURITY COSTS, AND ANY CURRENT OR POTENTIAL
SOURCES OF FUNDING, INCLUDING ANY SUBSIDIES OR FREE PRODUCTS OFFERED BY
VENDORS OR GOVERNMENTAL ENTITIES.
(III) "DE-IDENTIFIED INFORMATION" SHALL MEAN INFORMATION THAT CANNOT
REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED
WITH, OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR INDIVIDUAL;
PROVIDED THAT A COVERED ENTITY THAT USES DE-IDENTIFIED INFORMATION:
(A) HAS IMPLEMENTED TECHNICAL SAFEGUARDS THAT PROHIBIT REIDENTIFICA-
TION OF THE INDIVIDUAL TO WHOM SUCH INFORMATION MAY PERTAIN;
(B) HAS IMPLEMENTED BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT
REIDENTIFICATION OF SUCH INFORMATION;
(C) HAS IMPLEMENTED BUSINESS PROCESSES THAT PREVENT INADVERTENT
RELEASE OF SUCH DE-IDENTIFIED INFORMATION; AND
(D) MAKES NO ATTEMPT TO REIDENTIFY SUCH INFORMATION.
(IV) "HARM" SHALL MEAN POTENTIAL OR REALIZED ADVERSE CONSEQUENCES TO
AN INDIVIDUAL OR TO SOCIETY, INCLUDING BUT NOT LIMITED TO:
(A) DIRECT OR INDIRECT FINANCIAL HARM.
(B) PHYSICAL HARM OR THREATS TO PERSONS OR PROPERTY, INCLUDING BUT NOT
LIMITED TO BIAS-RELATED CRIMES AND THREATS, HARASSMENT, AND SEXUAL
HARASSMENT.
(C) DISCRIMINATION IN GOODS, SERVICES, OR ECONOMIC OPPORTUNITY,
INCLUDING BUT NOT LIMITED TO HOUSING, EMPLOYMENT, CREDIT, INSURANCE,
EDUCATION, OR HEALTH CARE ON THE BASIS OF AN INDIVIDUAL OR CLASS OF
INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, NATIONAL ORIGIN, SEX, SEXUAL
ORIENTATION, GENDER IDENTITY, MARITAL STATUS, DISABILITY, MILITARY
STATUS, AND/OR MEMBERSHIP IN ANOTHER PROTECTED CLASS.
(D) INTERFERENCE WITH OR SURVEILLANCE OF FIRST AMENDMENT-PROTECTED
ACTIVITIES BY STATE ACTORS.
(E) INTERFERENCE WITH THE RIGHT TO VOTE OR WITH FREE AND FAIR
ELECTIONS.
(F) INTERFERENCE WITH DUE PROCESS OR EQUAL PROTECTION UNDER LAW.
(G) LOSS OF INDIVIDUAL CONTROL OVER PERSONAL INFORMATION, NONCONSENSU-
AL SHARING OF PRIVATE INFORMATION, AND DATA BREACH.
(H) THE NONCONSENSUAL CAPTURE OF INFORMATION OR COMMUNICATIONS WITHIN
AN INDIVIDUAL'S HOME OR WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION
OF SECLUSION OR ACCESS CONTROL.
(I) OTHER EFFECTS ON AN INDIVIDUAL THAT MAY NOT BE REASONABLY FORESEE-
ABLE TO, CONTEMPLATED BY, OR EXPECTED BY THE INDIVIDUAL TO WHOM THE
PERSONAL INFORMATION RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEA-
BLE, CONTEMPLATED BY, OR EXPECTED BY THE COVERED ENTITY THAT ALTER OR
LIMIT SUCH INDIVIDUAL'S CHOICES OR PREDETERMINE RESULTS.
(V) "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM A COVERED ENTITY
KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
(VI) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT DIRECTLY OR
INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSO-
CIATED WITH, OR COULD REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL,
HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN COMBINATION
WITH OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER SUCH
OTHER INFORMATION IS HELD BY THE STATE AGENCY, TO IDENTIFY AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE.
(VII) "RELEVANT TECHNICAL INFORMATION" SHALL INCLUDE, BUT NOT BE
LIMITED TO, SOURCE CODE, MODELS, DOCUMENTATION ON THE ALGORITHMS USED,
DESIGN DOCUMENTATION AND INFORMATION ABOUT TECHNICAL ARCHITECTURE,
TRAINING DATA, DATA PROVENANCE INFORMATION, JUSTIFICATION FOR THE VALID-
ITY OF THE MODEL, ANY RECORDS OF BIAS, AND ANY VALIDATION TESTING
PERFORMED ON THE SYSTEM.
B. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE THAT PURCHASES, OBTAINS,
PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
AN AUTOMATED DECISION SYSTEM SHALL PUBLISH ON ITS WEBSITE AT LEAST NINE-
TY DAYS PRIOR TO THE PURCHASE, OBTAINING, USE, ACQUISITION, OR DEPLOY-
MENT OF NEW AUTOMATED DECISION SYSTEMS AND, FOR EXISTING AUTOMATED DECI-
SION SYSTEMS, WITHIN ONE HUNDRED EIGHTY DAYS OF THE EFFECTIVE DATE OF
THIS SUBDIVISION, AN AUTOMATED DECISION SYSTEM USE POLICY.
(I) WHEN THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION
OR PUBLIC BENEFIT CORPORATION OF THE STATE SEEKS TO CHANGE OR CHANGES AN
AUTOMATED DECISION SYSTEM IN A WAY THAT AFFECTS THE RESULTS OR OUTCOMES
OF THE AUTOMATED DECISION SYSTEM OR USES SUCH AUTOMATED DECISION SYSTEM
FOR A PURPOSE OR MANNER NOT PREVIOUSLY DISCLOSED THROUGH AN AUTOMATED
DECISION SYSTEM USE POLICY, IT SHALL PROVIDE AN ADDENDUM TO THE EXISTING
AUTOMATED DECISION SYSTEM USE POLICY DESCRIBING SUCH CHANGE OR ADDI-
TIONAL USE AND RETAIN AN ARCHIVED COPY OF THE PREVIOUS AUTOMATED DECI-
SION SYSTEM SO THAT DECISIONS MADE UNDER THE OLD SYSTEM USE POLICY MAY
BE CHALLENGED UNDER PARAGRAPH G OF THIS SUBDIVISION.
(II) UPON PUBLICATION OF, OR ADDENDUM TO, ANY PROPOSED AUTOMATED DECI-
SION SYSTEM POLICY, THE PUBLIC SHALL HAVE FORTY-FIVE DAYS TO SUBMIT
COMMENTS ON SUCH POLICY TO THE STATE AND ANY GOVERNMENTAL AGENCY OR
POLITICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION.
(III) THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION SHALL CONSIDER PUBLIC COMMENTS AND PROVIDE
THE FINAL AUTOMATED DECISION SYSTEM USE POLICY TO THE OFFICE OF INFORMA-
TION TECHNOLOGY SERVICES, THE COMMITTEE ON OPEN GOVERNMENT, AND THE
STATE PROCUREMENT COUNCIL, AND SHALL POST SUCH DECISION TO ITS WEBSITE
NO LATER THAN FORTY-FIVE DAYS AFTER THE CLOSE OF THE PUBLIC COMMENT
PERIOD.
C. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION SHALL OBTAIN APPROVAL FROM THE CITY OR COUNTY
COUNCIL WITH APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE, FOLLOW-
ING THE PUBLIC COMMENT PERIOD REQUIRED IN PARAGRAPH B OF THIS SUBDIVI-
SION, AND A PROPERLY-NOTICED, GERMANE, PUBLIC HEARING AT WHICH THE
PUBLIC IS AFFORDED A FAIR AND ADEQUATE OPPORTUNITY TO PROVIDE ONLINE,
WRITTEN, AND ORAL TESTIMONY, PRIOR TO:
(I) SEEKING FUNDS FOR AN AUTOMATED DECISION SYSTEM THAT ASSIGNS OR
CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR
SERVICES FOR AN INDIVIDUAL, INCLUDING BUT NOT LIMITED TO, APPLYING FOR A
GRANT, OR SOLICITING OR ACCEPTING STATE OR FEDERAL FUNDS OR IN-KIND OR
OTHER DONATIONS;
(II) ACQUIRING OR BORROWING AN AUTOMATED DECISION SYSTEM THAT ASSIGNS
OR CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES,
OR SERVICES FOR AN INDIVIDUAL, WHETHER OR NOT SUCH ACQUISITION IS MADE
THROUGH THE EXCHANGE OF MONIES OR OTHER CONSIDERATION;
(III) USING A NEW OR EXISTING AUTOMATED DECISION SYSTEM THAT ASSIGNS
OR CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES,
OR SERVICES FOR AN INDIVIDUAL, OR DATA DERIVED THEREFROM, FOR A PURPOSE
OR IN A MANNER NOT PREVIOUSLY APPROVED BY THE CITY OR COUNTY COUNCIL
WITH APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE; OR
(IV) SOLICITING PROPOSALS FOR OR ENTERING INTO AN AGREEMENT WITH ANY
OTHER PERSON OR ENTITY TO ACQUIRE, SHARE, OR OTHERWISE USE AN AUTOMATED
DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMINATION OF
RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL OR AUTO-
MATED DECISION SYSTEM DATA.
D. THE COMMITTEE ON OPEN GOVERNMENT SHALL CONDUCT ANNUAL AUDITS OF
AUTOMATED DECISION SYSTEM USE POLICIES THAT SHALL:
(I) ASSESS WHETHER EACH STATE AGENCY THAT PURCHASES, OBTAINS,
PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
AN AUTOMATED DECISION SYSTEM COMPLIES WITH THE TERMS OF THE AUTOMATED
DECISION SYSTEM USE POLICY;
(II) DESCRIBE ANY KNOWN OR REASONABLY SUSPECTED VIOLATIONS OF ANY
AUTOMATED DECISION SYSTEM USE POLICIES; AND
(III) PUBLISH RECOMMENDATIONS, IF ANY, RELATING TO REVISION OF THE
RELEVANT AUTOMATED DECISION SYSTEM USE POLICIES.
E. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
UNLESS IT FIRST IMPLEMENTS A PROCESS TO PROVIDE A PLAIN-LANGUAGE NOTIFI-
CATION TO ANY INDIVIDUAL WHOSE PERSONAL INFORMATION IS PROCESSED BY THE
AUTOMATED DECISION SYSTEM AND WHOM THE AUTOMATED DECISION SYSTEM'S DECI-
SION AFFECTS OF THE FACT THAT SUCH SYSTEM IS IN USE, THE SYSTEM'S NAME,
VENDOR, AND VERSION, WHAT DECISION OR DECISIONS WILL BE USED TO MAKE OR
SUPPORT; AND WHAT POLICIES AND GUIDELINES APPLY TO ITS DEPLOYMENT.
F. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
UNLESS IT FIRST IMPLEMENTS A PROCESS TO PROVIDE A PLAIN-LANGUAGE NOTIFI-
CATION TO ANY INDIVIDUAL WHOSE PERSONAL INFORMATION IS PROCESSED BY SUCH
AUTOMATED DECISION SYSTEM AND WHOM SUCH AUTOMATED DECISION SYSTEM'S
DECISION AFFECTS, OF THE INVOLVEMENT OF AN AUTOMATED DECISION SYSTEM IN
MAKING THE DECISION, THE DEGREE OF HUMAN INTERVENTION IN THE SYSTEM, HOW
THE AUTOMATED DECISION SYSTEM MADE THE DECISION, THE JUSTIFICATION FOR
THE DECISION, THE VARIABLES CONSIDERED IN RENDERING THE DECISION, WHETHER
AND HOW THE DECISION DEVIATED FROM THE AUTOMATED DECISION SYSTEM'S
RECOMMENDATION, HOW THE INDIVIDUAL MAY CONTEST THE DECISION PURSUANT TO
PARAGRAPH G OF THIS SUBDIVISION, AND THE PROCESS FOR REQUESTING HUMAN
REVIEW OF THE DECISION PURSUANT TO PARAGRAPH G OF THIS SUBDIVISION.
(I) THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL ENSURE THAT IT CAN EXPLAIN
THE BASIS FOR ITS DECISION TO ANY IMPACTED INDIVIDUAL IN TERMS UNDER-
STANDABLE TO A LAYPERSON INCLUDING, WITHOUT LIMITATION, BY REQUIRING THE
VENDOR TO CREATE SUCH EXPLANATION.
(II) THE COMMITTEE ON OPEN GOVERNMENT, IN CONSULTATION WITH THE DIVI-
SION OF HUMAN RIGHTS, THE OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND
EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL BE DIRECTLY
AFFECTED BY AUTOMATED DECISION SYSTEMS, MAY PROMULGATE RULES AND REGU-
LATIONS SPECIFYING THE REQUIREMENTS FOR SUCH NOTICE.
G. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
UNLESS IT FIRST DEVELOPS A PROCESS FOR HUMAN REVIEW.
(I) THE OFFICE OF INFORMATION TECHNOLOGY SERVICES, IN CONSULTATION
WITH THE DIVISION OF HUMAN RIGHTS, THE COMMITTEE ON OPEN GOVERNMENT AND
EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL BE DIRECTLY
AFFECTED BY AUTOMATED DECISION SYSTEMS, MAY PROMULGATE RULES AND REGU-
LATIONS SPECIFYING THE REQUIREMENTS FOR HUMAN REVIEW OF DECISIONS
RENDERED BY AUTOMATED DECISION SYSTEMS.
(II) AN INDIVIDUAL WHO WAS DENIED OR ASSIGNED A RIGHT, BENEFIT, OPPOR-
TUNITY OR SERVICE, MAY REQUEST HUMAN REVIEW OF THE DECISION RENDERED BY
THE AUTOMATED DECISION SYSTEM.
(III) WHERE THE HUMAN REVIEW OVERTURNS A DECISION RENDERED BY AN AUTO-
MATED DECISION SYSTEM, THE AFFECTED INDIVIDUAL EXPERIENCES HARM AS A
RESULT OF THE OVERTURNED DECISION, AND THE STATE OR ANY GOVERNMENTAL
AGENCY, POLITICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION OF THE STATE
CANNOT OR WILL NOT PROVIDE A REMEDY, OR WHERE THE HUMAN REVIEW DOES NOT
OVERTURN A DECISION RENDERED BY AN AUTOMATED DECISION SYSTEM, THE
AFFECTED INDIVIDUAL, OR THEIR HEIRS, ASSIGNS, ESTATE, OR SUCCESSORS IN
INTEREST, MAY BRING IN ANY COURT OF COMPETENT JURISDICTION AN ACTION
ALLEGING A VIOLATION OF THIS SUBDIVISION.
(IV) THE COURT SHALL AWARD TO THE PREVAILING PLAINTIFF IN SUCH ACTION,
THE FOLLOWING RELIEF:
(A) ANY INJUNCTIVE OR OTHER EQUITABLE RELIEF THE COURT DEEMS APPROPRI-
ATE;
(B) ANY ACTUAL DAMAGES RESULTING FROM ANY VIOLATION OF THIS SUBDIVI-
SION, OR TEN THOUSAND DOLLARS IN DAMAGES FOR EACH SUCH VIOLATION, WHICH-
EVER IS GREATER;
(C) REASONABLE ATTORNEY'S FEES AND COSTS; AND
(D) ANY OTHER RELIEF THE COURT DEEMS APPROPRIATE.
H. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE THAT PURCHASES, OBTAINS,
PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
AN AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
SHALL ANNUALLY PUBLISH PUBLICLY ON ITS WEBSITE METRICS ON THE NUMBER OF
REQUESTS FOR HUMAN REVIEW OF A DECISION RENDERED BY THE AUTOMATED DECI-
SION SYSTEM IT RECEIVED AND THE OUTCOME OF SUCH HUMAN REVIEW. THE
METRICS MAY INCLUDE DE-IDENTIFIED INFORMATION IN THE AGGREGATE BUT SHALL
NOT INCLUDE ANY PERSONAL INFORMATION.
§ 8. Section 8 of the state finance law is amended by adding a new
subdivision 21 to read as follows:
21. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, THAT ASSIGNS OR CONTRIBUTES TO
THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN
INDIVIDUAL UNLESS THE AUTOMATED DECISION SYSTEM USES ONLY OPEN SOURCE
SOFTWARE AND THE ACQUIRING AGENCY HAS COMPLIED WITH THE AUTOMATED DECI-
SION SYSTEM IMPACT ASSESSMENT AND AUTOMATED DECISION SYSTEM USE POLICY
REQUIREMENTS IN SECTION ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER. FOR THE
PURPOSES OF THIS SUBDIVISION, "OPEN SOURCE SOFTWARE" SHALL MEAN SOFTWARE
FOR WHICH THE HUMAN-READABLE SOURCE CODE IS AVAILABLE FOR USE, STUDY,
MODIFICATION, AND ENHANCEMENT BY THE USERS OF THAT SOFTWARE.
§ 9. Section 8 of the state finance law is amended by adding four new
subdivisions 22, 23, 24 and 25 to read as follows:
22. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, THAT ASSIGNS OR CONTRIBUTES TO
THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN
INDIVIDUAL, PRIOR TO THE APPROVAL FROM THE CITY OR COUNTY COUNCIL WITH
APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE AS REQUIRED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER.
23. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, IF THE VENDOR'S CONTRACT
CONTAINS NONDISCLOSURE OR OTHER PROVISIONS THAT PROHIBIT OR IMPAIR THE
STATE AND ANY GOVERNMENTAL AGENCY OR POLITICAL SUBDIVISION OR PUBLIC
BENEFIT CORPORATION OF THE STATE'S OBLIGATIONS UNDER SUBDIVISIONS NINE
AND TEN OF SECTION ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER.
24. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, IF THE AUTOMATED DECISION SYSTEM
DISCRIMINATES AGAINST AN INDIVIDUAL, OR TREATS AN INDIVIDUAL LESS FAVOR-
ABLY THAN ANOTHER, IN WHOLE OR IN PART, ON THE BASIS OF ONE OR MORE
FACTORS ENUMERATED IN SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE
LAW.
25. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM THAT MAKES FINAL DECI-
SIONS, JUDGMENTS, OR CONCLUSIONS WITHOUT HUMAN INTERVENTION THAT IMPACT
THE CONSTITUTIONAL OR LEGAL RIGHTS, DUTIES, OR PRIVILEGES OF ANY INDI-
VIDUAL IN NEW YORK STATE OR FOR ANY AUTOMATED DECISION SYSTEM THAT
DEPLOYS OR TRIGGERS ANY WEAPON.
§ 10. Section 814 of the education law, as added by chapter 526 of the
laws of 2006 and subdivision 3 as added by chapter 545 of the laws of
2008, is amended to read as follows:
§ 814. Courses of study in internet safety. 1. [Any school district in
the state may provide, to pupils] THE REGENTS SHALL ENSURE THAT THE
COURSE OF INSTRUCTION in grades kindergarten through twelve[, instruc-
tion designed to promote the] INCLUDES A COMPONENT ON DIGITAL LITERACY,
DIGITAL PRIVACY, AND THE proper and safe use of the internet.
2. THE BOARDS OF EDUCATION AND TRUSTEES OF THE CITIES AND SCHOOL
DISTRICTS OF THE STATE SHALL REQUIRE INSTRUCTION TO BE GIVEN IN SUCH
TOPICS, BY THE TEACHERS EMPLOYED IN THE SCHOOLS THEREIN, COMMENCING WITH
THE TWO THOUSAND TWENTY-THREE--TWO THOUSAND TWENTY-FOUR SCHOOL YEAR. ALL
PUPILS WHO ATTEND PUBLIC OR CHARTER SCHOOLS SHALL RECEIVE SUCH INSTRUC-
TION.
3. The commissioner, IN CONSULTATION WITH THE CHIEF PRIVACY OFFICER
AND THE OFFICE OF INFORMATION TECHNOLOGY SERVICES, shall [provide tech-
nical assistance to assist in the development of curricula] DEVELOP AND
ESTABLISH A PROGRAM for such courses of study which shall be age appro-
priate and developed according to the needs and abilities of pupils at
successive grade levels in order to provide awareness, skills, informa-
tion and support to aid in the safe usage of the internet. SUCH PROGRAM
SHALL INCLUDE:
(A) LEARNING STANDARDS FOR DIGITAL LITERACY, DIGITAL PRIVACY, AND THE
PROPER AND SAFE USE OF THE INTERNET IN GRADES KINDERGARTEN THROUGH
TWELVE THAT, AT A MINIMUM, INSTRUCT STUDENTS ON HOW TO IDENTIFY ONLINE
FRAUD, AS WELL AS RELIABLE SOURCES AND INFORMATION, HELP STUDENTS TO
UNDERSTAND HOW ONLINE ACTIVITIES ARE TRACKED AND RECORDED, WHERE
PERSONAL INFORMATION POSTED ONLINE MAY GO, WITH WHOM IT MAY BE SHARED,
AND HOW IT MAY BE USED, AND OFFER BEST PRACTICES FOR PROTECTING DIGITAL
SECURITY AND DIGITAL PRIVACY;
(B) MODEL CURRICULA FOR DIGITAL LITERACY, DIGITAL PRIVACY, AND THE
PROPER AND SAFE USE OF THE INTERNET IN GRADES KINDERGARTEN THROUGH
TWELVE THAT ARE SUITABLE TO STUDENT AGE, BASED ON COGNITIVE, EMOTIONAL,
AND BEHAVIORAL CAPACITY;
(C) GUIDELINES AND PROFESSIONAL TRAINING AND DEVELOPMENT RESOURCES TO
SUPPORT IMPLEMENTATION OF SUCH INSTRUCTION IN SCHOOLS;
(D) PUBLIC AVAILABILITY OF ALL PROGRAM MATERIALS RELATED TO DIGITAL
LITERACY, DIGITAL PRIVACY, AND THE PROPER AND SAFE USE OF THE INTERNET
ON THE DEPARTMENT'S WEBSITE; AND
(E) A SYSTEM TO TRACK AND EVALUATE SUCH DIGITAL LITERACY, DIGITAL
PRIVACY, AND THE PROPER AND SAFE USE OF THE INTERNET EDUCATION, INCLUD-
ING, BUT NOT LIMITED TO, A REPORTING REQUIREMENT THAT TRACKS AND MAKES
DISTRICT COMPLIANCE PUBLICLY AVAILABLE.
4. SUCH PROGRAM SHALL BE REVIEWED PERIODICALLY BY THE COMMISSIONER, IN
CONSULTATION WITH THE CHIEF PRIVACY OFFICER AND THE OFFICE OF INFORMA-
TION TECHNOLOGY, AT INTERVALS SPECIFIED BY THE COMMISSIONER, AND UPDATED
AS NECESSARY.
5. THE COMMISSIONER SHALL PRESCRIBE RULES AND REGULATIONS RELATING TO
SUCH CONTENTS, TOPICS, AND COURSES TO BE INCLUDED IN A DIGITAL LITERACY,
DIGITAL PRIVACY, AND THE PROPER AND SAFE USE OF THE INTERNET CURRICULUM;
PROVIDED, HOWEVER, THAT THE CURRICULA NEED NOT BE UNIFORM THROUGHOUT THE
STATE; AND PROVIDED FURTHER, HOWEVER, THAT SCHOOL DISTRICTS SHALL
UTILIZE EITHER A CURRICULUM FOR DIGITAL LITERACY, DIGITAL PRIVACY, AND
THE PROPER AND SAFE USE OF THE INTERNET PRESCRIBED BY THE COMMISSIONER
OR A CURRICULUM IN ACCORDANCE WITH THE STANDARDS AND CRITERIA ESTAB-
LISHED BY THE COMMISSIONER.
6. THE COMMISSIONER SHALL MAKE RECOMMENDATIONS TO THE BOARD OF REGENTS
ABOUT A PROGRAM ON DIGITAL LITERACY, DIGITAL PRIVACY, AND THE PROPER AND
SAFE USE OF THE INTERNET, RELEVANT LEARNING STANDARDS, MODEL CURRICULA,
AND CURRICULUM RESOURCES, GUIDELINES, AND PROFESSIONAL DEVELOPMENT
RESOURCES WITHIN ONE YEAR OF THE EFFECTIVE DATE OF THIS SECTION. UPON
APPROVAL AND ADOPTION BY THE BOARD OF REGENTS, THE DEPARTMENT SHALL
ISSUE GUIDANCE TO SCHOOL DISTRICTS AND PUBLISH ON ITS WEBSITE MODEL
CURRICULA AND INSTRUCTIONAL RESOURCES REQUIRED BY THIS SECTION.
7. PRIOR TO MAKING SUCH RECOMMENDATIONS TO THE REGENTS, THE COMMIS-
SIONER SHALL SEEK THE RECOMMENDATIONS OF TEACHERS, SCHOOL ADMINISTRA-
TORS, TEACHER EDUCATORS, DIGITAL PRIVACY AND SECURITY EXPERTS, JOURNAL-
ISM EXPERTS, THE CHIEF INFORMATION SECURITY OFFICE, AND OTHERS WITH
EDUCATIONAL EXPERTISE IN THE PROPOSED CURRICULUM.
[3.] 8. The commissioner shall develop age-appropriate resources and
technical assistance for schools to provide to students in grades three
through twelve and their parents or legal guardians concerning the safe
and responsible use of the internet. The resources shall include, but
not be limited to, information regarding how child predators may use the
internet to lure and exploit children, protecting personal information,
internet scams and cyber-bullying.
§ 11. Severability. If any provision of this act, or any application
of any provision of this act, is held to be invalid, that shall not
affect the validity or effectiveness of any other provision of this act,
or of any other application of any provision of this act, which can be
given effect without that provision or application; and to that end, the
provisions and applications of this act are severable.
§ 12. This act shall take effect immediately; provided, however, that
sections one, two, three, four, five and six of this act shall take
effect one year after it shall have become a law and section eight of
this act shall take effect two years after it shall have become a law.
Effective immediately, the addition, amendment and/or repeal of any rule
or regulation necessary for the implementation of this act on its effec-
tive date are authorized to be made and completed on or before such
effective date.