NY State Senate Bill 2023-S3162

Senate Bill S3162

2023-2024 Legislative Session

Allows consumers the right to request from businesses the categories of personal information a business has sold or disclosed to third parties

download bill text pdf

Archive: Last Bill Status - In Senate Committee Consumer Protection Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jan 03, 2024	referred to consumer protection
Jan 30, 2023	referred to consumer protection

2023-S3162 (ACTIVE) - Details

See Assembly Version of this Bill:: A4374
Current Committee:: Senate Consumer Protection
Law Section:: General Business Law
Laws Affected:: Amd Art 39-F Art Head, add §899-cc, Gen Bus L; add §99-m, St Fin L
Versions Introduced in Other Legislative Sessions:: 2019-2020: S4411, A6351
2021-2022: S567, A3709

2023-S3162 (ACTIVE) - Summary

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

2023-S3162 (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S3162

SPONSOR: HOYLMAN-SIGAL
 
TITLE OF BILL:

An act to amend the general business law and the state finance law, in
relation to allowing consumers the right to request from businesses the
categories of personal information the business has sold or disclosed to
third parties

 
PURPOSE:

To enact data privacy protections for consumers.

 
SUMMARY OF SPECIFIC PROVISIONS:

  Section  1  amends  the article heading of section 39-F of the General
Business Law

  Section 2 adds a new section to the General Business Law. It  provides
for  various  definitions.  It  also  creates  numerous consumer rights,
including:

a right for the consumer to request from  a  business  the  category  of
personal information it shares, such as name, social security number, IP
address, etc...

a  right for the consumer to request the identities of any third parties
to whom the business has sold or shared personal information

a right for the consumer to opt-out of having their information sold  to
third parties

a  right  to  protection from discrimination for consumers who choose to
opt-out

  Section 3 amends the state finance law to create a  "consumer  privacy
fund"  which  shall  consist of monies received by the state pursuant to
any violation of this bill.

  Section 4 is the effective date.

 
JUSTIFICATION:

The Internet and the sharing of information play such a tremendous  role
in  the  lives of New Yorkers. However, despite the Internet's increased
role in society, privacy  protections  have  not  kept  the  same  pace.
According  to  the  Pew  Research Center, "68% of internet users believe
current laws are not good enough in protecting people's privacy online."

We trust that the information we give  to  businesses  online  is  safe.
Everything  from  passport details when booking a vacation to data about
our children when helping them with homework is given away, often  with-
out  a  second  thought. However, countless investigations show that our
data is often sold or traded  in  order  to  enhance  companies'  bottom
lines.  According  to  the New York Times, "personal data has become the
most prized commodity of the digital age, traded on a vast scale by some
of the most powerful companies in Silicon Valley and beyond."

With data privacy protections being adopted in  Europe  and  California,
New  York  State  should ensure that our privacy is also protected. This
legislation enacts similar protections to those enacted in the State  of
California.

 
LEGISLATIVE HISTORY:

S.4411 of 2019-2020 (Hoylman): Died in Consumer Protection

A.6351 of 2019-2020 (Gunther): Died in Consumer Affairs and Protection

 
FISCAL IMPLICATIONS:

None to state.

 
EFFECTIVE DATE:
This  act  shall  take  effect on the one hundred eightieth day after it
shall have become a law. Effective immediately, the addition,  amendment
and/or repeal of any rule or regulation necessary for the implementation
of this act on its effective date are authorized and directed to be made
and completed on or before such effective date.

2023-S3162 (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   3162
 
                        2023-2024 Regular Sessions
 
                             I N  S E N A T E
 
                             January 30, 2023
                                ___________
 
 Introduced  by Sen. HOYLMAN-SIGAL -- read twice and ordered printed, and
   when printed to be committed to the Committee on Consumer Protection
 
 AN ACT to amend the general business law and the state finance  law,  in
   relation  to  allowing  consumers the right to request from businesses
   the categories of  personal  information  the  business  has  sold  or
   disclosed to third parties
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The article heading of article 39-F of the general business
 law, as amended by chapter 117 of the laws of 2019, is amended  to  read
 as follows:
 
          [NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND CONTROL
            OF PRIVATE AND PERSONAL INFORMATION; DATA SECURITY
                                PROTECTIONS
 
   §  2. The general business law is amended by adding a new section 899-
 cc to read as follows:
   § 899-CC. CONSUMER CONTROL OF PERSONAL INFORMATION. 1. FOR PURPOSES OF
 THIS SECTION, THE FOLLOWING DEFINITIONS SHALL APPLY:
   (A) "BIOMETRIC DATA" MEANS AN INDIVIDUAL'S  PHYSIOLOGICAL,  BIOLOGICAL
 OR  BEHAVIORAL  CHARACTERISTICS,  INCLUDING AN INDIVIDUAL'S DEOXYRIBONU-
 CLEIC ACID THAT CAN BE USED, SINGLY OR IN COMBINATION WITH EACH OTHER OR
 WITH OTHER IDENTIFYING DATA TO ESTABLISH INDIVIDUAL IDENTITY.  BIOMETRIC
 DATA INCLUDES BUT IS NOT LIMITED TO IMAGERY OF THE IRIS, RETINA, FINGER-
 PRINT, FACE, HAND, PALM, VEIN PATTERNS, AND VOICE RECORDINGS, FROM WHICH
 AN  IDENTIFIER  TEMPLATE, SUCH AS A FACEPRINT, A MINUTIAE TEMPLATE, OR A
 VOICEPRINT, CAN BE EXTRACTED, AND KEYSTROKE PATTERNS  OR  RHYTHMS,  GAIT
 PATTERNS  OR  RHYTHMS,  AND SLEEP, HEALTH, OR EXERCISE DATA THAT CONTAIN
 IDENTIFYING INFORMATION.
   (B) "BUSINESS" MEANS:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD07607-01-3

 S. 3162                             2
 
   (1) A  SOLE-PROPRIETORSHIP,  PARTNERSHIP,  LIMITED-LIABILITY  COMPANY,
 CORPORATION,  ASSOCIATION,  OR  OTHER  LEGAL ENTITY THAT IS ORGANIZED OR
 OPERATED FOR THE PROFIT OR FINANCIAL  BENEFIT  OF  ITS  SHAREHOLDERS  OR
 OTHER  OWNERS,  THAT COLLECTS CONSUMERS' PERSONAL INFORMATION, THAT DOES
 BUSINESS  IN  THE STATE, AND THAT SATISFIES ONE OR MORE OF THE FOLLOWING
 THRESHOLDS: (A) HAS ANNUAL GROSS REVENUES IN  EXCESS  OF  FIFTY  MILLION
 DOLLARS,  AS  ADJUSTED PURSUANT TO SUBPARAGRAPH FIVE OF PARAGRAPH (A) OF
 SUBDIVISION FIFTEEN OF THIS SECTION; OR (B) ANNUALLY SELLS, ALONE OR  IN
 COMBINATION,  THE  PERSONAL  INFORMATION OF ONE HUNDRED THOUSAND OR MORE
 CONSUMERS OR DEVICES; OR (C) DERIVES FIFTY PERCENT OR MORE OF ITS ANNUAL
 REVENUES FROM SELLING CONSUMERS' PERSONAL INFORMATION; AND
   (2) ANY ENTITY THAT CONTROLS  OR  IS  CONTROLLED  BY  A  BUSINESS,  AS
 DEFINED  IN  PARAGRAPH  ONE  OF THIS SUBDIVISION, AND THAT SHARES COMMON
 BRANDING WITH THE BUSINESS.  "CONTROL" OR "CONTROLLED"  MEANS  OWNERSHIP
 OF,  OR  THE  POWER  TO VOTE, MORE THAN FIFTY PERCENT OF THE OUTSTANDING
 SHARES OF ANY CLASS OF VOTING SECURITY OF A  BUSINESS;  CONTROL  IN  ANY
 MANNER  OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS, OR OF INDIVID-
 UALS EXERCISING SIMILAR FUNCTIONS; OR THE POWER TO EXERCISE, DIRECTLY OR
 INDIRECTLY, A CONTROLLING INFLUENCE OVER THE MANAGEMENT OR POLICIES OF A
 COMPANY.  "COMMON BRANDING" MEANS A SHARED NAME, SERVICEMARK, OR  TRADE-
 MARK.
   (C)  "BUSINESS  PURPOSE" MEANS THE USE OF PERSONAL INFORMATION FOR THE
 BUSINESS'S OPERATIONAL PURPOSES,  PROVIDED  THAT  THE  USE  OF  PERSONAL
 INFORMATION  SHALL  BE REASONABLY NECESSARY AND PROPORTIONATE TO ACHIEVE
 THE OPERATIONAL PURPOSE FOR WHICH IT IS SPECIFICALLY  PERMITTED.  UNREA-
 SONABLE  OR  DISPROPORTIONATE  USE  SHALL  NOT BE CONSIDERED A "BUSINESS
 PURPOSE".  BUSINESS PURPOSES ARE:
   (1) AUDITING RELATED TO A CURRENT INTERACTION WITH  THE  CONSUMER  AND
 CONCURRENT  TRANSACTIONS,  INCLUDING  BUT  NOT  LIMITED  TO, COUNTING AD
 IMPRESSIONS TO UNIQUE VISITORS, VERIFYING POSITIONING AND QUALITY OF  AD
 IMPRESSIONS  AND  AUDITING  COMPLIANCE WITH THIS SPECIFICATION AND OTHER
 STANDARDS;
   (2) DETECTING SECURITY INCIDENTS, PROTECTING AGAINST MALICIOUS, DECEP-
 TIVE, FRAUDULENT, OR ILLEGAL ACTIVITY, AND PROSECUTING THOSE RESPONSIBLE
 FOR SUCH ACTIVITY;
   (3) DEBUGGING TO IDENTIFY  AND  REPAIR  ERRORS  THAT  IMPAIR  EXISTING
 INTENDED FUNCTIONALITY;
   (4)  SHORT-TERM,  TRANSIENT  USE, PROVIDED THE PERSONAL INFORMATION IS
 NOT DISCLOSED TO ANOTHER PERSON AND IS NOT USED TO BUILD A PROFILE ABOUT
 A CONSUMER  OR  OTHERWISE  ALTER  AN  INDIVIDUAL  CONSUMER'S  EXPERIENCE
 OUTSIDE  THE  CURRENT  INTERACTION,  INCLUDING  BUT  NOT LIMITED TO, THE
 CONTEXTUAL CUSTOMIZATION OF ADS SHOWN AS PART OF THE  SAME  INTERACTION;
 AND
   (5) PERFORMING SERVICES ON BEHALF OF THE BUSINESS, INCLUDING MAINTAIN-
 ING  OR  SERVICING  ACCOUNTS,  PROVIDING CUSTOMER SERVICE, PROCESSING OR
 FULFILLING ORDERS  AND  TRANSACTIONS,  VERIFYING  CUSTOMER  INFORMATION,
 PROCESSING  PAYMENTS,  PROVIDING  FINANCING,  PROVIDING  ADVERTISING  OR
 MARKETING SERVICES, PROVIDING ANALYTICAL SERVICES, OR PROVIDING  SIMILAR
 SERVICES ON BEHALF OF THE BUSINESS.
   (D)  "CLEAR  AND CONSPICUOUS" MEANS (1) IN A COLOR THAT CONTRASTS WITH
 THE BACKGROUND COLOR OR IS OTHERWISE  DISTINGUISHABLE;  (2)  WRITTEN  IN
 LARGER TYPE THAN THE SURROUNDING TEXT AND IN A FASHION THAT CALLS ATTEN-
 TION TO THE LANGUAGE; AND (3) PROMINENTLY DISPLAYED SO THAT A REASONABLE
 VIEWER WOULD BE ABLE TO NOTICE, READ, AND UNDERSTAND IT.
   (E)  "COMMERCIAL  PURPOSES"  MEANS TO ADVANCE A PERSON'S COMMERCIAL OR
 ECONOMIC INTERESTS, SUCH AS BY INDUCING ANOTHER  PERSON  TO  BUY,  RENT,
 S. 3162                             3
 
 LEASE, JOIN, SUBSCRIBE TO, PROVIDE, OR EXCHANGE PRODUCTS, GOODS, PROPER-
 TY,  INFORMATION,  OR  SERVICES,  OR  ENABLING OR EFFECTING, DIRECTLY OR
 INDIRECTLY, A COMMERCIAL TRANSACTION.  "COMMERCIAL  PURPOSES"  DOES  NOT
 INCLUDE  FOR  THE  PURPOSE  OF  ENGAGING IN SPEECH THAT STATE OR FEDERAL
 COURTS HAVE RECOGNIZED AS  NON-COMMERCIAL  SPEECH,  INCLUDING  POLITICAL
 SPEECH AND JOURNALISM.
   (F)  "COLLECTS",  "COLLECTED"  OR  "COLLECTION" MEANS BUYING, RENTING,
 GATHERING, OBTAINING, STORING, USING, MONITORING, ACCESSING,  OR  MAKING
 INFERENCES BASED UPON, ANY PERSONAL INFORMATION PERTAINING TO A CONSUMER
 BY ANY MEANS.
   (G) "CONSUMER" MEANS A NATURAL PERSON WHO IS A RESIDENT OF THE STATE.
   (H) "DE-IDENTIFIED" MEANS INFORMATION THAT CANNOT REASONABLY IDENTIFY,
 RELATE  TO, DESCRIBE, REFERENCE, BE CAPABLE OF BEING ASSOCIATED WITH, OR
 BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR CONSUMER  OR  DEVICE,
 PROVIDED  THAT  A  BUSINESS THAT USES DE-IDENTIFIED INFORMATION: (1) HAS
 IMPLEMENTED TECHNICAL SAFEGUARDS THAT PROHIBIT RE-IDENTIFICATION OF  THE
 CONSUMER  OR  CONSUMERS  TO  WHOM  THE  INFORMATION MAY PERTAIN; (2) HAS
 IMPLEMENTED BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT RE-IDENTIFICA-
 TION OF THE INFORMATION;  (3)  HAS  IMPLEMENTED  BUSINESS  PROCESSES  TO
 PREVENT  INADVERTENT RELEASE OF DE-IDENTIFIED INFORMATION; AND (4) MAKES
 NO ATTEMPT TO RE-IDENTIFY THE INFORMATION.
   (I) "DESIGNATED METHODS  FOR  SUBMITTING  REQUESTS"  MEANS  A  MAILING
 ADDRESS,  E-MAIL  ADDRESS,  WEB  PAGE,  WEB  PORTAL, TOLL-FREE TELEPHONE
 NUMBER, OR OTHER APPLICABLE CONTACT INFORMATION, WHEREBY  CONSUMERS  MAY
 SUBMIT  A  REQUEST OR DIRECTION UNDER THIS SECTION. IF THE CONSUMER DOES
 NOT MAINTAIN AN ACCOUNT WITH THE BUSINESS, THE BUSINESS SHALL PROVIDE AN
 OPPORTUNITY FOR THE CONSUMER TO DESIGNATE WHETHER THE CONSUMER WISHES TO
 RECEIVE THE INFORMATION REQUIRED TO BE DISCLOSED  PURSUANT  TO  SUBDIVI-
 SIONS  TWO  AND  THREE OF THIS SECTION BY MAIL OR ELECTRONICALLY, AT THE
 CONSUMER'S OPTION.
   (J) "HOMEPAGE" MEANS THE  INTRODUCTORY  PAGE  OF  A  WEBSITE  AND  ANY
 WEBPAGE  WHERE  PERSONAL  INFORMATION  IS  COLLECTED.  IN THE CASE OF AN
 ONLINE SERVICE, SUCH AS A MOBILE APPLICATION, HOMEPAGE MEANS THE  APPLI-
 CATION'S  PLATFORM PAGE, A LINK WITHIN THE APPLICATION, SUCH AS FROM THE
 APPLICATION CONFIGURATION, "ABOUT", "INFORMATION", OR SETTINGS PAGE, AND
 ANY OTHER LOCATION THAT ALLOWS CONSUMERS TO REVIEW THE  NOTICE  REQUIRED
 BY PARAGRAPH (A) OF SUBDIVISION SEVEN OF THIS SECTION, INCLUDING BUT NOT
 LIMITED TO, BEFORE DOWNLOADING THE APPLICATION.
   (K)  "INFER" OR "INFERENCE" MEANS THE DERIVATION OF INFORMATION, DATA,
 ASSUMPTIONS, OR CONCLUSIONS FROM FACTS, EVIDENCE, OR ANOTHER  SOURCE  OF
 INFORMATION OR DATA.
   (L)  "PERSON"  MEANS AN INDIVIDUAL, PROPRIETORSHIP, FIRM, PARTNERSHIP,
 JOINT VENTURE, SYNDICATE, BUSINESS TRUST, COMPANY, CORPORATION,  LIMITED
 LIABILITY COMPANY, ASSOCIATION, COMMITTEE, AND ANY OTHER ORGANIZATION OR
 GROUP OF PERSONS ACTING IN CONCERT.
   (M)  (1)"PERSONAL  INFORMATION"  MEANS  INFORMATION  THAT  IDENTIFIES,
 RELATES TO, DESCRIBES, REFERENCES, IS CAPABLE OF BEING ASSOCIATED  WITH,
 OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR
 CONSUMER OR DEVICE, INCLUDING, BUT NOT LIMITED TO:
   (A)  ANY  INFORMATION  THAT  IDENTIFIES,  RELATES TO, DESCRIBES, OR IS
 CAPABLE OF BEING ASSOCIATED WITH, A  PARTICULAR  INDIVIDUAL,  INCLUDING,
 BUT  NOT  LIMITED TO, HIS OR HER NAME, ALIAS, SIGNATURE, SOCIAL SECURITY
 NUMBER, PHYSICAL CHARACTERISTICS  OR  DESCRIPTION,  ADDRESS,  ELECTRONIC
 MAIL  ADDRESS,  INTERNET  PROTOCOL  ADDRESS,  UNIQUE IDENTIFIER, ACCOUNT
 NAME, TELEPHONE NUMBER, PASSPORT NUMBER, DRIVER'S LICENSE OR STATE IDEN-
 TIFICATION CARD NUMBER, INSURANCE POLICY NUMBER, EDUCATION,  EMPLOYMENT,
 S. 3162                             4
 
 EMPLOYMENT  HISTORY, BANK ACCOUNT NUMBER, CREDIT CARD NUMBER, DEBIT CARD
 NUMBER, OR ANY OTHER  FINANCIAL  INFORMATION,  MEDICAL  INFORMATION,  OR
 HEALTH INSURANCE INFORMATION;
   (B) CHARACTERISTICS OF PROTECTED CLASSIFICATIONS UNDER STATE OR FEDER-
 AL LAW;
   (C) COMMERCIAL INFORMATION, INCLUDING RECORDS OF PROPERTY, PRODUCTS OR
 SERVICES  PROVIDED,  OBTAINED,  OR  CONSIDERED,  OR  OTHER PURCHASING OR
 CONSUMING HISTORIES OR TENDENCIES;
   (D) BIOMETRIC DATA;
   (E) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION, INCLUD-
 ING BUT NOT LIMITED TO, BROWSING HISTORY, SEARCH HISTORY,  AND  INFORMA-
 TION  REGARDING A CONSUMER'S INTERACTION WITH A WEBSITE, APPLICATION, OR
 ADVERTISEMENT;
   (F) GEOLOCATION DATA;
   (G) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR INFORMA-
 TION;
   (H) PSYCHOMETRIC INFORMATION;
   (I) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
   (J) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED ABOVE; AND
   (K) ANY OF THE CATEGORIES OF INFORMATION SET FORTH IN THIS SUBDIVISION
 AS THEY PERTAIN TO THE MINOR CHILDREN OF THE CONSUMER.
   (2) "PERSONAL  INFORMATION"  DOES  NOT  INCLUDE  INFORMATION  THAT  IS
 PUBLICLY AVAILABLE OR THAT IS DE-IDENTIFIED.
   (N)  "PROBABILISTIC IDENTIFIER" MEANS THE IDENTIFICATION OF A CONSUMER
 OR A DEVICE TO A DEGREE OF CERTAINTY OF MORE PROBABLE THAN NOT BASED  ON
 ANY  CATEGORIES  OF PERSONAL INFORMATION INCLUDED IN, OR SIMILAR TO, THE
 CATEGORIES ENUMERATED IN SUBPARAGRAPH  ONE  OF  PARAGRAPH  (M)  OF  THIS
 SUBDIVISION.
   (O)  "PSYCHOMETRIC  INFORMATION"  MEANS INFORMATION DERIVED OR CREATED
 FROM THE USE OR APPLICATION OF  PSYCHOMETRIC  THEORY  OR  PSYCHOMETRICS,
 WHEREBY THROUGH THE USE OF ANY METHOD, MODEL, TOOL, OR FORMULA, OBSERVA-
 BLE  PHENOMENA,  SUCH  AS  ACTIONS  OR  EVENTS, ARE CONNECTED, MEASURED,
 ASSESSED, OR RELATED TO A  CONSUMER'S  ATTRIBUTES,  INCLUDING,  BUT  NOT
 LIMITED  TO,  PSYCHOLOGICAL TRENDS, PREFERENCES, PREDISPOSITIONS, BEHAV-
 IOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND APTITUDES.
   (P) "PUBLICLY AVAILABLE"  MEANS  INFORMATION  THAT  IS  LAWFULLY  MADE
 AVAILABLE  FROM  FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS.  "PUBLICLY
 AVAILABLE" DOES NOT MEAN BIOMETRIC INFORMATION COLLECTED BY  A  BUSINESS
 ABOUT A CONSUMER WITHOUT THE CONSUMER'S KNOWLEDGE.
   (Q)(1)  "SELL",  "SELLING", "SALE" OR "SOLD" MEANS: (A) SELLING, RENT-
 ING, RELEASING,  DISCLOSING,  DISSEMINATING,  MAKING  AVAILABLE,  TRANS-
 FERRING, OR OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC
 OR  OTHER  MEANS, A CONSUMER'S PERSONAL INFORMATION BY THE BUSINESS TO A
 THIRD PARTY FOR VALUABLE CONSIDERATION; OR (B) SHARING ORALLY, IN  WRIT-
 ING,  OR BY ELECTRONIC OR OTHER MEANS, A CONSUMER'S PERSONAL INFORMATION
 WITH A THIRD PARTY, WHETHER FOR VALUABLE CONSIDERATION OR FOR NO CONSID-
 ERATION, FOR THE THIRD PARTY'S COMMERCIAL PURPOSES.
   (2) FOR PURPOSES OF THIS SECTION, A BUSINESS DOES  NOT  SELL  PERSONAL
 INFORMATION WHEN:
   (A)  A  CONSUMER  USES  THE  BUSINESS:  (I)  TO INTENTIONALLY DISCLOSE
 PERSONAL INFORMATION, OR (II) TO INTENTIONALLY  INTERACT  WITH  A  THIRD
 PARTY.  AN  INTENTIONAL  INTERACTION OCCURS WHEN THE CONSUMER INTENDS TO
 INTERACT WITH THE THIRD PARTY VIA ONE OR MORE  DELIBERATE  INTERACTIONS.
 HOVERING OVER, MUTING, PAUSING, OR CLOSING A GIVEN PIECE OF CONTENT DOES
 NOT CONSTITUTE A CONSUMER'S INTENT TO INTERACT WITH A THIRD PARTY; OR
 S. 3162                             5
 
   (B)  THE  BUSINESS USES AN IDENTIFIER FOR A CONSUMER WHO HAS OPTED OUT
 OF THE SALE OF THE CONSUMER'S PERSONAL INFORMATION FOR THE  PURPOSES  OF
 ALERTING  THIRD  PARTIES  THAT THE CONSUMER HAS OPTED OUT OF THE SALE OF
 THE CONSUMER'S PERSONAL INFORMATION.
   (R) "SERVICE" OR "SERVICES" MEANS WORK, LABOR, AND SERVICES, INCLUDING
 SERVICES FURNISHED IN CONNECTION WITH THE SALE OR REPAIR OF GOODS.
   (S) "THIRD PARTY" MEANS ANY PERSON WHO IS NOT:
   (1)  THE  BUSINESS  THAT  COLLECTS PERSONAL INFORMATION FROM CONSUMERS
 UNDER THIS SECTION; OR
   (2) A PERSON TO WHOM THE  BUSINESS  DISCLOSES  A  CONSUMER'S  PERSONAL
 INFORMATION  FOR  A  BUSINESS  PURPOSE  PURSUANT  TO A WRITTEN CONTRACT,
 PROVIDED THAT THE CONTRACT:
   (A) PROHIBITS THE PERSON RECEIVING THE PERSONAL INFORMATION FROM:  (I)
 SELLING  THE  PERSONAL INFORMATION; (II) RETAINING, USING, OR DISCLOSING
 THE PERSONAL INFORMATION FOR ANY PURPOSE OTHER  THAN  FOR  THE  SPECIFIC
 PURPOSE  OF PERFORMING THE SERVICES SPECIFIED IN THE CONTRACT, INCLUDING
 RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION FOR  A  COMMER-
 CIAL  PURPOSE  OTHER  THAN  PROVIDING  THE  SERVICES  SPECIFIED  IN  THE
 CONTRACT; AND (III) RETAINING,  USING,  OR  DISCLOSING  THE  INFORMATION
 OUTSIDE  OF  THE DIRECT BUSINESS RELATIONSHIP BETWEEN THE PERSON AND THE
 BUSINESS; AND
   (B) INCLUDES A CERTIFICATION MADE BY THE PERSON RECEIVING THE PERSONAL
 INFORMATION THAT THE PERSON UNDERSTANDS THE RESTRICTIONS IN  CLAUSE  (A)
 OF THIS SUBPARAGRAPH AND WILL COMPLY WITH THEM. A PERSON COVERED BY THIS
 SUBPARAGRAPH  THAT  VIOLATES  ANY  OF THE RESTRICTIONS SET FORTH IN THIS
 SECTION SHALL BE LIABLE FOR SUCH VIOLATIONS UNDER THIS SECTION. A  BUSI-
 NESS  THAT  DISCLOSES  PERSONAL  INFORMATION TO A PERSON COVERED BY THIS
 SUBPARAGRAPH IN COMPLIANCE WITH SUCH SUBPARAGRAPH SHALL  NOT  BE  LIABLE
 UNDER THIS SECTION IF THE PERSON RECEIVING THE PERSONAL INFORMATION USES
 IT  IN VIOLATION OF THE RESTRICTIONS SET FORTH IN THIS SECTION, PROVIDED
 THAT, AT THE TIME OF DISCLOSING THE PERSONAL INFORMATION,  THE  BUSINESS
 DOES  NOT  HAVE  ACTUAL KNOWLEDGE, OR REASON TO BELIEVE, THAT THE PERSON
 INTENDS TO COMMIT SUCH A VIOLATION.
   (T) "UNIQUE IDENTIFIER" MEANS A PERSISTENT IDENTIFIER THAT CAN BE USED
 TO RECOGNIZE A CONSUMER OR A  DEVICE  OVER  TIME  AND  ACROSS  DIFFERENT
 SERVICES,  INCLUDING  BUT  NOT LIMITED TO, A DEVICE IDENTIFIER; INTERNET
 PROTOCOL ADDRESS; COOKIES, BEACONS, PIXEL TAGS, MOBILE  AD  IDENTIFIERS,
 OR SIMILAR TECHNOLOGY; CUSTOMER NUMBER, UNIQUE PSEUDONYM, OR USER ALIAS;
 AND  TELEPHONE  NUMBERS,  OR  OTHER FORMS OF PERSISTENT OR PROBABILISTIC
 IDENTIFIERS THAT CAN BE  USED  TO  IDENTIFY  A  PARTICULAR  CONSUMER  OR
 DEVICE.
   (U)  "VERIFIABLE  REQUEST"  MEANS  A  REQUEST  THAT:  (1) IS MADE BY A
 CONSUMER, BY A CONSUMER ON BEHALF OF THE CONSUMER'S MINOR CHILD, OR BY A
 PERSON AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUMER'S  BEHALF;  AND
 (2)  THE  BUSINESS  HAS VERIFIED, PURSUANT TO REGULATIONS ADOPTED BY THE
 ATTORNEY GENERAL PURSUANT TO SUBPARAGRAPH  SEVEN  OF  PARAGRAPH  (A)  OF
 SUBDIVISION  FIFTEEN  OF THIS SECTION, TO BE THE CONSUMER ABOUT WHOM THE
 BUSINESS HAS COLLECTED PERSONAL INFORMATION. A BUSINESS IS NOT OBLIGATED
 TO PROVIDE INFORMATION TO THE CONSUMER PURSUANT TO SUBDIVISIONS TWO  AND
 THREE  OF  THIS  SECTION IF THE BUSINESS CANNOT VERIFY, PURSUANT TO THIS
 SUBDIVISION AND REGULATIONS ADOPTED BY THE ATTORNEY GENERAL PURSUANT  TO
 SUBPARAGRAPH  SEVEN  OF  PARAGRAPH  (A)  OF  SUBDIVISION FIFTEEN OF THIS
 SECTION, THAT THE CONSUMER MAKING THE REQUEST IS THE CONSUMER ABOUT WHOM
 THE BUSINESS HAS COLLECTED INFORMATION.
   2. (A) A CONSUMER SHALL HAVE THE RIGHT TO REQUEST THAT A BUSINESS THAT
 COLLECTS PERSONAL INFORMATION ABOUT THE CONSUMER DISCLOSE TO THE CONSUM-
 S. 3162                             6

 ER THE CATEGORIES OF PERSONAL INFORMATION IT HAS  COLLECTED  ABOUT  THAT
 CONSUMER.
   (B)  A  BUSINESS  THAT  COLLECTS PERSONAL INFORMATION ABOUT A CONSUMER
 SHALL DISCLOSE TO THE CONSUMER, PURSUANT TO SUBPARAGRAPH THREE OF  PARA-
 GRAPH  (A) OF SUBDIVISION SIX OF THIS SECTION, THE INFORMATION SPECIFIED
 IN PARAGRAPH (A) OF SUBDIVISION ONE OF THIS SECTION UPON  RECEIPT  OF  A
 VERIFIABLE REQUEST FROM THE CONSUMER.
   (C)  A  BUSINESS  THAT  COLLECTS  PERSONAL INFORMATION ABOUT CONSUMERS
 SHALL DISCLOSE, PURSUANT TO CLAUSE (B) OF SUBPARAGRAPH FIVE OF PARAGRAPH
 (A) OF SUBDIVISION SIX OF  THIS  SECTION,  THE  CATEGORIES  OF  PERSONAL
 INFORMATION IT HAS COLLECTED ABOUT CONSUMERS.
   3. (A) A CONSUMER SHALL HAVE THE RIGHT TO REQUEST THAT A BUSINESS THAT
 SELLS  THE  CONSUMER'S  PERSONAL INFORMATION, OR THAT DISCLOSES IT FOR A
 BUSINESS PURPOSE, DISCLOSE TO  THAT  CONSUMER:  (1)  THE  CATEGORIES  OF
 PERSONAL  INFORMATION  THAT THE BUSINESS SOLD ABOUT THE CONSUMER AND THE
 IDENTITY OF THE THIRD PARTIES TO  WHOM  SUCH  PERSONAL  INFORMATION  WAS
 SOLD,  BY  CATEGORY OR CATEGORIES OF PERSONAL INFORMATION FOR EACH THIRD
 PARTY TO WHOM SUCH PERSONAL INFORMATION WAS SOLD; AND (2) THE CATEGORIES
 OF PERSONAL INFORMATION THAT THE BUSINESS DISCLOSED ABOUT  THE  CONSUMER
 FOR  A  BUSINESS  PURPOSE  AND  THE IDENTITY OF THE PERSONS TO WHOM SUCH
 PERSONAL INFORMATION WAS DISCLOSED FOR A BUSINESS PURPOSE,  BY  CATEGORY
 OR  CATEGORIES  OF  PERSONAL  INFORMATION  FOR  EACH PERSON TO WHOM SUCH
 PERSONAL INFORMATION WAS DISCLOSED FOR A BUSINESS PURPOSE.
   (B) A BUSINESS THAT SELLS PERSONAL INFORMATION ABOUT  A  CONSUMER,  OR
 THAT DISCLOSES A CONSUMER'S PERSONAL INFORMATION FOR A BUSINESS PURPOSE,
 SHALL DISCLOSE, PURSUANT TO SUBPARAGRAPH FOUR OF PARAGRAPH (A) OF SUBDI-
 VISION  SIX  OF THIS SECTION, THE INFORMATION SPECIFIED IN PARAGRAPH (A)
 OF THIS SUBDIVISION TO THE CONSUMER UPON RECEIPT OF A VERIFIABLE REQUEST
 FROM THE CONSUMER.
   (C) A BUSINESS THAT SELLS CONSUMERS'  PERSONAL  INFORMATION,  OR  THAT
 DISCLOSES  CONSUMERS' PERSONAL INFORMATION FOR A BUSINESS PURPOSE, SHALL
 DISCLOSE, PURSUANT TO CLAUSE (C) OF SUBPARAGRAPH FIVE OF  PARAGRAPH  (A)
 OF  SUBDIVISION  SIX  OF THIS SECTION: (1) THE CATEGORY OR CATEGORIES OF
 CONSUMERS' PERSONAL INFORMATION IT HAS SOLD; OR IF THE BUSINESS HAS  NOT
 SOLD  CONSUMERS'  PERSONAL INFORMATION, IT SHALL DISCLOSE THAT FACT; AND
 (2) THE CATEGORY OR CATEGORIES OF CONSUMERS' PERSONAL INFORMATION IT HAS
 DISCLOSED FOR A BUSINESS PURPOSE; OR IF THE BUSINESS HAS  NOT  DISCLOSED
 CONSUMERS'  PERSONAL  INFORMATION  FOR  A  BUSINESS  PURPOSE,  IT  SHALL
 DISCLOSE THAT FACT.
   4. (A) A CONSUMER SHALL HAVE THE RIGHT, AT ANY TIME, TO DIRECT A BUSI-
 NESS THAT SELLS PERSONAL INFORMATION ABOUT THE CONSUMER NOT TO SELL  THE
 CONSUMER'S  PERSONAL  INFORMATION.  THIS RIGHT MAY BE REFERRED TO AS THE
 RIGHT TO OPT OUT.
   (B) NOTWITHSTANDING PARAGRAPH (A)  OF  THIS  SUBDIVISION,  A  BUSINESS
 SHALL NOT SELL THE PERSONAL INFORMATION OF CONSUMERS IF THE BUSINESS HAS
 ACTUAL  KNOWLEDGE,  OR  WILLFULLY  DISREGARDS, THAT THE CONSUMER IS LESS
 THAN SIXTEEN YEARS OF AGE, UNLESS THE CONSUMER, IN THE CASE OF CONSUMERS
 THIRTEEN, FOURTEEN AND FIFTEEN YEARS OF AGE, OR THE CONSUMER'S PARENT OR
 GUARDIAN, IN THE CASE OF CONSUMERS WHO ARE LESS THAN THIRTEEN  YEARS  OF
 AGE,  HAS  AFFIRMATIVELY  AUTHORIZED THE SALE OF THE CONSUMER'S PERSONAL
 INFORMATION. THIS RIGHT MAY BE REFERRED TO AS THE RIGHT TO OPT IN.
   (C) A  BUSINESS  THAT  SELLS  CONSUMERS'  PERSONAL  INFORMATION  SHALL
 PROVIDE  NOTICE  TO  CONSUMERS, PURSUANT TO PARAGRAPH (A) OF SUBDIVISION
 SEVEN OF THIS SECTION, THAT  SUCH  INFORMATION  MAY  BE  SOLD  AND  THAT
 CONSUMERS HAVE THE RIGHT TO OPT OUT OF THE SALE OF THEIR PERSONAL INFOR-
 MATION.
 S. 3162                             7
 
   (D) A BUSINESS THAT HAS RECEIVED DIRECTION FROM A CONSUMER NOT TO SELL
 THE  CONSUMER'S PERSONAL INFORMATION, OR, IN THE CASE OF A MINOR CONSUM-
 ER'S PERSONAL INFORMATION, HAS NOT RECEIVED CONSENT TO  SELL  THE  MINOR
 CONSUMER'S  PERSONAL  INFORMATION,  SHALL  BE  PROHIBITED,  PURSUANT  TO
 SUBPARAGRAPH FOUR OF PARAGRAPH (A) OF SUBDIVISION SEVEN OF THIS SECTION,
 FROM  SELLING  THE  CONSUMER'S PERSONAL INFORMATION AFTER ITS RECEIPT OF
 THE CONSUMER'S DIRECTION,  UNLESS  THE  CONSUMER  SUBSEQUENTLY  PROVIDES
 EXPRESS  AUTHORIZATION  FOR THE SALE OF THE CONSUMER'S PERSONAL INFORMA-
 TION.
   5. A BUSINESS  SHALL  BE  PROHIBITED  FROM  DISCRIMINATING  AGAINST  A
 CONSUMER BECAUSE THE CONSUMER REQUESTED INFORMATION PURSUANT TO SUBDIVI-
 SIONS  TWO  AND  THREE OF THIS SECTION, OR BECAUSE THE CONSUMER DIRECTED
 THE BUSINESS NOT TO SELL THE CONSUMER'S PERSONAL INFORMATION PURSUANT TO
 SUBDIVISION FOUR OF THIS SECTION,  OR  BECAUSE  THE  CONSUMER  OTHERWISE
 EXERCISED RIGHTS UNDER THIS TITLE, OR EXERCISED THE CONSUMER'S RIGHTS TO
 ENFORCE  THIS  SECTION,  INCLUDING  BUT  NOT LIMITED TO, BY: (A) DENYING
 GOODS OR SERVICES TO THE CONSUMER;  (B)  CHARGING  DIFFERENT  PRICES  OR
 RATES  FOR  GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR
 OTHER BENEFITS OR IMPOSING PENALTIES; (C) PROVIDING A DIFFERENT LEVEL OR
 QUALITY OF GOODS OR SERVICES TO THE CONSUMER; OR (D) SUGGESTING THAT THE
 CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR GOODS  OR  SERVICES,
 OR  A  DIFFERENT  LEVEL OR QUALITY OF GOODS OR SERVICES, IF THE CONSUMER
 EXERCISES THE CONSUMER'S RIGHTS UNDER THIS SECTION.
   6. (A) IN ORDER TO COMPLY WITH SUBDIVISIONS TWO,  THREE  AND  FIVE  OF
 THIS SECTION, A BUSINESS SHALL:
   (1)  MAKE  AVAILABLE  TO  CONSUMERS TWO OR MORE DESIGNATED METHODS FOR
 SUBMITTING REQUESTS FOR INFORMATION REQUIRED TO BE DISCLOSED PURSUANT TO
 SUBDIVISIONS TWO AND THREE OF THIS SECTION, INCLUDING, AT A  MINIMUM,  A
 TOLL-FREE  TELEPHONE  NUMBER, AND IF THE BUSINESS MAINTAINS A WEBSITE, A
 WEBSITE ADDRESS.
   (2) DISCLOSE AND DELIVER THE REQUIRED INFORMATION TO A  CONSUMER  FREE
 OF  CHARGE WITHIN FORTY-FIVE DAYS OF RECEIVING A VERIFIABLE REQUEST FROM
 THE CONSUMER. THE BUSINESS SHALL PROMPTLY TAKE STEPS TO DETERMINE WHETH-
 ER THE REQUEST IS A VERIFIABLE REQUEST, BUT THIS SHALL  NOT  EXTEND  THE
 BUSINESS'S  DUTY  TO  DISCLOSE AND DELIVER THE INFORMATION WITHIN FORTY-
 FIVE DAYS OF RECEIPT OF THE CONSUMER'S  REQUEST.  THE  DISCLOSURE  SHALL
 COVER  THE  TWELVE-MONTH  PERIOD PRECEDING THE BUSINESS'S RECEIPT OF THE
 VERIFIABLE REQUEST AND SHALL BE MADE IN WRITING  AND  DELIVERED  THROUGH
 THE  CONSUMER'S  ACCOUNT WITH THE BUSINESS, IF THE CONSUMER MAINTAINS AN
 ACCOUNT WITH THE BUSINESS, OR BY MAIL OR ELECTRONICALLY AT  THE  CONSUM-
 ER'S  OPTION IF THE CONSUMER DOES NOT MAINTAIN AN ACCOUNT WITH THE BUSI-
 NESS. THE BUSINESS SHALL NOT REQUIRE THE CONSUMER TO CREATE  AN  ACCOUNT
 WITH THE BUSINESS IN ORDER TO MAKE A VERIFIABLE REQUEST.
   (3)  FOR PURPOSES OF PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION:
 (A) IDENTIFY THE CONSUMER, ASSOCIATE THE  INFORMATION  PROVIDED  BY  THE
 CONSUMER IN THE VERIFIABLE REQUEST TO ANY PERSONAL INFORMATION PREVIOUS-
 LY  COLLECTED  BY  THE  BUSINESS ABOUT THE CONSUMER; AND (B) IDENTIFY BY
 CATEGORY OR CATEGORIES THE  PERSONAL  INFORMATION  COLLECTED  ABOUT  THE
 CONSUMER  IN  THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED
 CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF THIS  SUBDIVISION  THAT  MOST
 CLOSELY DESCRIBES THE PERSONAL INFORMATION COLLECTED.
   (4)  FOR  PURPOSES  OF  PARAGRAPH  (B)  OF  SUBDIVISION  THREE OF THIS
 SECTION: (A) IDENTIFY THE CONSUMER, ASSOCIATE THE  INFORMATION  PROVIDED
 BY  THE  CONSUMER  IN THE VERIFIABLE REQUEST TO ANY PERSONAL INFORMATION
 PREVIOUSLY COLLECTED BY THE BUSINESS ABOUT THE CONSUMER; (B) IDENTIFY BY
 CATEGORY OR CATEGORIES THE PERSONAL INFORMATION OF THE CONSUMER THAT THE
 S. 3162                             8
 
 BUSINESS SOLD IN THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMER-
 ATED CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF  THIS  SUBDIVISION  THAT
 MOST  CLOSELY  DESCRIBES  THE PERSONAL INFORMATION, AND PROVIDE ACCURATE
 NAMES  AND CONTACT INFORMATION FOR THE THIRD PARTIES TO WHOM THE CONSUM-
 ER'S PERSONAL INFORMATION WAS SOLD IN THE  PRECEDING  TWELVE  MONTHS  BY
 REFERENCE  TO  THE ENUMERATED CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF
 THIS SUBDIVISION THAT MOST CLOSELY DESCRIBES  THE  PERSONAL  INFORMATION
 SOLD  FOR  EACH  THIRD PARTY; AND (C) IDENTIFY BY CATEGORY OR CATEGORIES
 THE PERSONAL INFORMATION OF THE CONSUMER THAT THE BUSINESS DISCLOSED FOR
 A BUSINESS PURPOSE IN THE PRECEDING TWELVE MONTHS BY  REFERENCE  TO  THE
 ENUMERATED  CATEGORY  OR CATEGORIES IN PARAGRAPH (C) OF THIS SUBDIVISION
 THAT MOST CLOSELY DESCRIBES THE PERSONAL INFORMATION, AND PROVIDE  ACCU-
 RATE  NAMES  AND CONTACT INFORMATION FOR THE PERSONS TO WHOM THE CONSUM-
 ER'S PERSONAL INFORMATION WAS DISCLOSED FOR A BUSINESS  PURPOSE  IN  THE
 PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED CATEGORY OR CATE-
 GORIES  IN  PARAGRAPH  (C) OF THIS SUBDIVISION OF THIS SECTION THAT MOST
 CLOSELY DESCRIBES THE PERSONAL INFORMATION DISCLOSED  FOR  EACH  PERSON.
 THE  BUSINESS SHALL DISCLOSE THE INFORMATION REQUIRED BY CLAUSES (B) AND
 (C) OF THIS SUBPARAGRAPH IN TWO SEPARATE LISTS.
   (5) DISCLOSE THE FOLLOWING INFORMATION IN ITS ONLINE PRIVACY POLICY OR
 POLICIES IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY OR POLICIES AND IN
 ANY NEW YORK-SPECIFIC DESCRIPTION OF CONSUMERS' PRIVACY  RIGHTS,  OR  IF
 THE BUSINESS DOES NOT MAINTAIN SUCH POLICIES, ON ITS WEBSITE, AND UPDATE
 SUCH INFORMATION AT LEAST ONCE EVERY TWELVE MONTHS:
   (A) A DESCRIPTION OF A CONSUMER'S RIGHTS PURSUANT TO SUBDIVISIONS TWO,
 THREE  AND  FIVE OF THIS SECTION, AND ONE OR MORE DESIGNATED METHODS FOR
 SUBMITTING REQUESTS;
   (B) FOR PURPOSES OF PARAGRAPH (C) OF SUBDIVISION TWO OF THIS  SECTION,
 A  LIST OF THE CATEGORIES OF PERSONAL INFORMATION IT HAS COLLECTED ABOUT
 CONSUMERS IN THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE  ENUMERATED
 CATEGORY  OR  CATEGORIES  IN PARAGRAPH (C) OF THIS SUBDIVISION THAT MOST
 CLOSELY DESCRIBES THE PERSONAL INFORMATION COLLECTED; AND
   (C) FOR PURPOSES OF SUBPARAGRAPHS ONE AND  TWO  OF  PARAGRAPH  (C)  OF
 SUBDIVISION THREE OF THIS SECTION, TWO SEPARATE LISTS: (I) A LIST OF THE
 CATEGORIES  OF  PERSONAL  INFORMATION IT HAS SOLD ABOUT CONSUMERS IN THE
 PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED CATEGORY OR CATE-
 GORIES IN PARAGRAPH (C) OF THIS SUBDIVISION THAT MOST CLOSELY  DESCRIBES
 THE  PERSONAL  INFORMATION SOLD, OR IF THE BUSINESS HAS NOT SOLD CONSUM-
 ERS' PERSONAL INFORMATION IN THE PRECEDING TWELVE MONTHS,  THE  BUSINESS
 SHALL  DISCLOSE THAT FACT; AND (II) A LIST OF THE CATEGORIES OF PERSONAL
 INFORMATION IT HAS DISCLOSED ABOUT CONSUMERS FOR A BUSINESS  PURPOSE  IN
 THE  PRECEDING  TWELVE MONTHS BY REFERENCE TO THE ENUMERATED CATEGORY OR
 CATEGORIES IN PARAGRAPH  (C)  OF  THIS  SUBDIVISION  THAT  MOST  CLOSELY
 DESCRIBES THE PERSONAL INFORMATION DISCLOSED, OR IF THE BUSINESS HAS NOT
 DISCLOSED  CONSUMERS' PERSONAL INFORMATION FOR A BUSINESS PURPOSE IN THE
 PRECEDING TWELVE MONTHS, THE BUSINESS SHALL DISCLOSE THAT FACT.
   (6) ENSURE THAT ALL  INDIVIDUALS  RESPONSIBLE  FOR  HANDLING  CONSUMER
 INQUIRIES  ABOUT  THE  BUSINESS'S  PRIVACY  PRACTICES  OR THE BUSINESS'S
 COMPLIANCE WITH THIS SECTION ARE INFORMED OF ALL  REQUIREMENTS  IN  THIS
 SUBDIVISION,  AS  WELL  AS  IN  SUBDIVISIONS TWO, THREE AND FIVE OF THIS
 SECTION, AND HOW TO DIRECT CONSUMERS  TO  EXERCISE  THEIR  RIGHTS  UNDER
 THOSE SECTIONS; AND
   (7)  USE  ANY  PERSONAL  INFORMATION  COLLECTED  FROM  THE CONSUMER IN
 CONNECTION WITH THE BUSINESS'S VERIFICATION OF  THE  CONSUMER'S  REQUEST
 SOLELY FOR THE PURPOSES OF VERIFICATION.
 S. 3162                             9

   (B) A BUSINESS IS NOT OBLIGATED TO PROVIDE THE INFORMATION REQUIRED BY
 SUBDIVISIONS  TWO  AND  THREE  OF THIS SECTION TO THE SAME CONSUMER MORE
 THAN ONCE IN A TWELVE-MONTH PERIOD.
   (C)  THE  CATEGORIES  OF PERSONAL INFORMATION REQUIRED TO BE DISCLOSED
 PURSUANT TO SUBDIVISIONS TWO AND THREE OF THIS SECTION ARE  ALL  OF  THE
 FOLLOWING:
   (1)  IDENTIFIERS  SUCH  AS  A REAL NAME, ALIAS, POSTAL ADDRESS, UNIQUE
 IDENTIFIER, INTERNET PROTOCOL ADDRESS, ELECTRONIC MAIL ADDRESS,  ACCOUNT
 NAME,  SOCIAL SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT NUMBER,
 OR OTHER SIMILAR IDENTIFIERS;
   (2) ALL CATEGORIES OF PERSONAL INFORMATION ENUMERATED IN PARAGRAPH (A)
 OF SUBDIVISION ONE OF THIS SECTION;
   (3) ALL CATEGORIES OF PERSONAL INFORMATION RELATING TO CHARACTERISTICS
 OF PROTECTED CLASSIFICATIONS UNDER STATE OR FEDERAL LAW,  WITH  SPECIFIC
 REFERENCE  TO  THE CATEGORY OF INFORMATION THAT HAS BEEN COLLECTED, SUCH
 AS RACE, ETHNICITY, OR GENDER;
   (4) COMMERCIAL INFORMATION, INCLUDING RECORDS OF PROPERTY, PRODUCTS OR
 SERVICES PROVIDED, OBTAINED,  OR  CONSIDERED,  OR  OTHER  PURCHASING  OR
 CONSUMING HISTORIES OR TENDENCIES;
   (5) BIOMETRIC DATA;
   (6) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION, INCLUD-
 ING  BUT  NOT LIMITED TO, BROWSING HISTORY, SEARCH HISTORY, AND INFORMA-
 TION REGARDING A CONSUMER'S INTERACTION WITH A WEBSITE, APPLICATION,  OR
 ADVERTISEMENT;
   (7) GEOLOCATION DATA;
   (8) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR INFORMA-
 TION;
   (9) PSYCHOMETRIC INFORMATION;
   (10) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
   (11)  INFERENCES  DRAWN  FROM ANY OF THE INFORMATION IDENTIFIED ABOVE;
 AND
   (12) ANY OF THE CATEGORIES OF INFORMATION SET FORTH IN THIS  PARAGRAPH
 AS THEY PERTAIN TO THE MINOR CHILDREN OF THE CONSUMER.
   7.  (A) A BUSINESS THAT IS REQUIRED TO COMPLY WITH SUBDIVISION FOUR OF
 THIS SECTION SHALL:
   (1) PROVIDE A CLEAR AND CONSPICUOUS LINK ON THE  BUSINESS'S  HOMEPAGE,
 TITLED  "DO NOT SELL MY PERSONAL INFORMATION", TO A WEBPAGE THAT ENABLES
 A CONSUMER, OR A PERSON AUTHORIZED BY THE CONSUMER, TO OPT  OUT  OF  THE
 SALE  OF  THE  CONSUMER'S  PERSONAL  INFORMATION.  A  BUSINESS SHALL NOT
 REQUIRE A CONSUMER TO CREATE AN ACCOUNT IN ORDER TO DIRECT THE  BUSINESS
 NOT TO SELL THE CONSUMER'S PERSONAL INFORMATION;
   (2)  INCLUDE A DESCRIPTION OF A CONSUMER'S RIGHTS PURSUANT TO SUBDIVI-
 SION FOUR OF THIS SECTION, ALONG WITH A SEPARATE LINK  TO  THE  "DO  NOT
 SELL  MY PERSONAL INFORMATION" WEBPAGE IN: (A) ITS ONLINE PRIVACY POLICY
 OR POLICIES IF THE BUSINESS HAS AN ONLINE PRIVACY  POLICY  OR  POLICIES,
 AND (B) ANY STATE SPECIFIC DESCRIPTION OF CONSUMERS' PRIVACY RIGHTS;
   (3)  ENSURE  THAT  ALL  INDIVIDUALS  RESPONSIBLE FOR HANDLING CONSUMER
 INQUIRIES ABOUT THE  BUSINESS'S  PRIVACY  PRACTICES  OR  THE  BUSINESS'S
 COMPLIANCE  WITH  THIS  SECTION ARE INFORMED OF ALL REQUIREMENTS IN THIS
 SUBDIVISION AS WELL AS SUBDIVISION FOUR OF  THIS  SECTION,  AND  HOW  TO
 DIRECT CONSUMERS TO EXERCISE THEIR RIGHTS UNDER THOSE SECTIONS;
   (4)  FOR  CONSUMERS WHO EXERCISE THEIR RIGHT TO OPT OUT OF THE SALE OF
 THEIR PERSONAL INFORMATION, REFRAIN FROM  SELLING  PERSONAL  INFORMATION
 COLLECTED BY THE BUSINESS ABOUT THE CONSUMER;
   (5)  FOR  A  CONSUMER  WHO HAS OPTED OUT OF THE SALE OF THE CONSUMER'S
 PERSONAL INFORMATION, RESPECT THE CONSUMER'S DECISION TO OPT OUT FOR  AT
 S. 3162                            10
 
 LEAST  TWELVE  MONTHS  BEFORE REQUESTING THAT THE CONSUMER AUTHORIZE THE
 SALE OF THE CONSUMER'S PERSONAL INFORMATION; AND
   (6)  USE  ANY  PERSONAL  INFORMATION  COLLECTED  FROM  THE CONSUMER IN
 CONNECTION WITH THE SUBMISSION OF THE CONSUMER'S OPT OUT REQUEST  SOLELY
 FOR THE PURPOSES OF COMPLYING WITH THE OPT OUT REQUEST.
   (B)  A CONSUMER MAY AUTHORIZE ANOTHER PERSON TO OPT OUT ON THE CONSUM-
 ER'S BEHALF, AND A  BUSINESS  SHALL  COMPLY  WITH  AN  OPT  OUT  REQUEST
 RECEIVED  FROM A PERSON AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUM-
 ER'S BEHALF.
   8. (A) THE OBLIGATIONS IMPOSED ON BUSINESSES BY SUBDIVISIONS  TWO  AND
 SEVEN OF THIS SECTION SHALL NOT RESTRICT A BUSINESS'S ABILITY TO:
   (1) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
   (2)  COMPLY  WITH  A  CIVIL,  CRIMINAL, OR REGULATORY INVESTIGATION OR
 SUBPOENA OR SUMMONS BY FEDERAL, STATE, OR LOCAL AUTHORITIES;
   (3) COOPERATE WITH LAW  ENFORCEMENT  AGENCIES  CONCERNING  CONDUCT  OR
 ACTIVITY  THAT  THE  BUSINESS  REASONABLY AND IN GOOD FAITH BELIEVES MAY
 VIOLATE FEDERAL, STATE, OR LOCAL LAW; OR
   (4) COLLECT AND SELL A CONSUMER'S PERSONAL INFORMATION IF EVERY ASPECT
 OF SUCH COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE OF THE STATE.  FOR
 PURPOSES  OF THIS SECTION, COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE
 OF THE STATE IF  THE  BUSINESS  COLLECTED  SUCH  INFORMATION  WHILE  THE
 CONSUMER WAS OUTSIDE OF THE STATE, NO PART OF THE SALE OF THE CONSUMER'S
 PERSONAL  INFORMATION OCCURRED IN THE STATE, AND NO PERSONAL INFORMATION
 COLLECTED WHILE THE CONSUMER WAS IN THE STATE IS SOLD.
   (B) THE OBLIGATIONS IMPOSED ON  BUSINESSES  BY  SUBDIVISIONS  TWO  AND
 SEVEN  OF  THIS SECTION SHALL NOT APPLY WHERE COMPLIANCE BY THE BUSINESS
 WITH THIS SECTION WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE LAW
 AND SHALL NOT PREVENT A BUSINESS FROM PROVIDING THE PERSONAL INFORMATION
 OF A CONSUMER TO A PERSON COVERED  BY  AN  EVIDENTIARY  PRIVILEGE  UNDER
 STATE LAW AS PART OF A PRIVILEGED COMMUNICATION.
   (C)  THIS SECTION SHALL NOT APPLY TO PROTECTED HEALTH INFORMATION THAT
 IS COLLECTED BY A COVERED ENTITY GOVERNED BY  THE  MEDICAL  PRIVACY  AND
 SECURITY  RULES  ISSUED  BY  THE  FEDERAL DEPARTMENT OF HEALTH AND HUMAN
 SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE  CODE  OF  FEDERAL  REGU-
 LATIONS,  ESTABLISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY AND
 AVAILABILITY ACT OF 1996 (HIPAA). FOR PURPOSES OF THIS SUBDIVISION,  THE
 DEFINITIONS  OF "PROTECTED HEALTH INFORMATION" AND "COVERED ENTITY" FROM
 THE FEDERAL PRIVACY RULE SHALL APPLY.
   (D) THIS SECTION SHALL NOT APPLY TO THE SALE OF  PERSONAL  INFORMATION
 TO  OR  FROM  A  CONSUMER  REPORTING AGENCY IF THAT INFORMATION IS TO BE
 REPORTED IN, OR USED TO GENERATE, A CONSUMER REPORT AS DEFINED BY SUBDI-
 VISION (D) OF SECTION 1681(A) OF TITLE 15 OF THE UNITED STATES CODE, AND
 USE OF THAT INFORMATION IS LIMITED BY THE FEDERAL FAIR CREDIT  REPORTING
 ACT, 15 U.S.C. § 1681, ET SEQ.
   9.  (A)  A  CONSUMER  WHO HAS SUFFERED A VIOLATION OF THIS SECTION MAY
 BRING AN ACTION FOR STATUTORY DAMAGES. A VIOLATION OF THIS SECTION SHALL
 BE DEEMED TO CONSTITUTE AN INJURY  IN  FACT  TO  THE  CONSUMER  WHO  HAS
 SUFFERED THE VIOLATION, AND THE CONSUMER NEED NOT SUFFER A LOSS OF MONEY
 OR PROPERTY AS A RESULT OF THE VIOLATION IN ORDER TO BRING AN ACTION FOR
 A VIOLATION OF THIS SECTION.
   (B)(1)  ANY  CONSUMER  WHO  SUFFERS AN INJURY IN FACT, AS DESCRIBED IN
 PARAGRAPH (A) OF THIS SUBDIVISION, SHALL RECOVER  STATUTORY  DAMAGES  IN
 THE  AMOUNT  OF  ONE  THOUSAND  DOLLARS  OR ACTUAL DAMAGES, WHICHEVER IS
 GREATER, FOR EACH VIOLATION FROM THE BUSINESS OR PERSON RESPONSIBLE  FOR
 THE  VIOLATION,  EXCEPT  THAT  IN  THE  CASE  OF  A  KNOWING AND WILLFUL
 VIOLATION BY A BUSINESS OR PERSON, AN INDIVIDUAL SHALL RECOVER STATUTORY
 S. 3162                            11
 
 DAMAGES OF NOT LESS THAN ONE THOUSAND DOLLARS AND NOT  MORE  THAN  THREE
 THOUSAND  DOLLARS,  OR  ACTUAL  DAMAGES,  WHICHEVER IS GREATER, FOR EACH
 VIOLATION FROM THE BUSINESS OR PERSON RESPONSIBLE FOR THE VIOLATION.
   (2)  IN  ASSESSING  THE  AMOUNT  OF STATUTORY DAMAGES, THE COURT SHALL
 CONSIDER ANY ONE OR MORE OF THE RELEVANT CIRCUMSTANCES PRESENTED BY  ANY
 OF  THE  PARTIES TO THE CASE, INCLUDING, BUT NOT LIMITED TO, THE FOLLOW-
 ING: THE NATURE  AND  SERIOUSNESS  OF  THE  MISCONDUCT,  THE  NUMBER  OF
 VIOLATIONS,  THE  PERSISTENCE OF THE MISCONDUCT, THE LENGTH OF TIME OVER
 WHICH THE  MISCONDUCT  OCCURRED,  THE  WILLFULNESS  OF  THE  DEFENDANT'S
 MISCONDUCT, AND THE DEFENDANT'S ASSETS, LIABILITIES, AND NET WORTH.
   (C)  NOTWITHSTANDING ANY OTHER LAW, WHENEVER A JUDGMENT, INCLUDING ANY
 CONSENT JUDGMENT, DECREE, OR SETTLEMENT AGREEMENT, IS  APPROVED  BY  THE
 COURT  IN  A  CLASS  ACTION BASED ON A VIOLATION OF THIS SECTION, ANY CY
 PRES AWARD, UNPAID CASH RESIDUE, OR UNCLAIMED OR ABANDONED CLASS  MEMBER
 FUNDS  ATTRIBUTABLE  TO A VIOLATION OF THIS SECTION SHALL BE DISTRIBUTED
 EXCLUSIVELY TO ONE OR MORE NONPROFIT ORGANIZATIONS TO  SUPPORT  PROJECTS
 THAT  WILL  BENEFIT THE CLASS OR SIMILARLY SITUATED PERSONS, FURTHER THE
 OBJECTIVES AND PURPOSES OF THE  UNDERLYING  CLASS  ACTION  OR  CAUSE  OF
 ACTION,  OR  PROMOTE THE LAW CONSISTENT WITH THE OBJECTIVES AND PURPOSES
 OF THE UNDERLYING CLASS ACTION OR CAUSE OF ACTION, UNLESS FOR GOOD CAUSE
 SHOWN THE COURT MAKES A SPECIFIC FINDING THAT  AN  ALTERNATIVE  DISTRIB-
 UTION  WOULD  BETTER  SERVE  THE PUBLIC INTEREST OR THE INTERESTS OF THE
 CLASS. IF NOT SPECIFIED IN THE JUDGMENT, THE COURT SHALL SET A DATE WHEN
 THE PARTIES SHALL SUBMIT A REPORT TO THE COURT REGARDING A PLAN FOR  THE
 DISTRIBUTION OF ANY MONEYS PURSUANT TO THIS SUBDIVISION.
   (D)  THE  REMEDIES PROVIDED BY THIS SUBDIVISION ARE CUMULATIVE TO EACH
 OTHER AND TO THE REMEDIES OR PENALTIES AVAILABLE UNDER ALL OTHER LAWS OF
 THE STATE.
   10. (A) ANY BUSINESS OR PERSON THAT VIOLATES  THIS  SECTION  SHALL  BE
 LIABLE  FOR A CIVIL PENALTY IN A CIVIL ACTION BROUGHT IN THE NAME OF THE
 PEOPLE OF THE STATE OF NEW YORK BY THE ATTORNEY GENERAL.
   (B) NOTWITHSTANDING ANY OTHER LAW TO THE CONTRARY, ANY PERSON OR BUSI-
 NESS THAT INTENTIONALLY VIOLATES THIS SECTION MAY BE LIABLE FOR A  CIVIL
 PENALTY OF UP TO SEVEN THOUSAND FIVE HUNDRED DOLLARS FOR EACH VIOLATION.
   (C)  NOTWITHSTANDING  ANY OTHER LAW TO THE CONTRARY, ANY CIVIL PENALTY
 ASSESSED FOR A VIOLATION OF  THIS  SECTION,  AND  THE  PROCEEDS  OF  ANY
 SETTLEMENT OF AN ACTION BROUGHT PURSUANT TO PARAGRAPH (A) OF THIS SUBDI-
 VISION, SHALL BE ALLOCATED AS FOLLOWS:
   (1)  TWENTY  PERCENT TO THE CONSUMER PRIVACY FUND, CREATED PURSUANT TO
 SECTION NINETY-NINE-M OF THE STATE FINANCE LAW, WITH THE INTENT TO FULLY
 OFFSET ANY COSTS INCURRED BY THE STATE COURTS AND THE  ATTORNEY  GENERAL
 IN CONNECTION WITH THIS SECTION; AND
   (2)  EIGHTY  PERCENT  TO  THE  JURISDICTION ON WHOSE BEHALF THE ACTION
 LEADING TO THE CIVIL PENALTY WAS BROUGHT.
   (D) THE LEGISLATURE SHALL ADJUST THE PERCENTAGES  SPECIFIED  IN  PARA-
 GRAPH (C) OF THIS SUBDIVISION AND IN SUBDIVISION ELEVEN OF THIS SECTION,
 AS NECESSARY TO ENSURE THAT ANY CIVIL PENALTIES ASSESSED FOR A VIOLATION
 OF  THIS SECTION FULLY OFFSET ANY COSTS INCURRED BY THE STATE COURTS AND
 THE ATTORNEY GENERAL IN CONNECTION WITH THIS SECTION, INCLUDING A SUFFI-
 CIENT AMOUNT TO COVER ANY DEFICIT FROM A PRIOR FISCAL YEAR. THE LEGISLA-
 TURE SHALL NOT DIRECT A GREATER PERCENTAGE OF ASSESSED  CIVIL  PENALTIES
 TO  THE  CONSUMER PRIVACY FUND THAN REASONABLY NECESSARY TO FULLY OFFSET
 ANY COSTS INCURRED BY THE STATE  COURTS  AND  THE  ATTORNEY  GENERAL  IN
 CONNECTION WITH THIS SECTION.
   11. (A) ANY PERSON WHO BECOMES AWARE, BASED ON NON-PUBLIC INFORMATION,
 THAT  A  PERSON  OR  BUSINESS HAS VIOLATED THIS SECTION MAY FILE A CIVIL
 S. 3162                            12
 
 ACTION FOR CIVIL PENALTIES PURSUANT TO SUBDIVISION TEN OF THIS  SECTION,
 IF  PRIOR  TO  FILING  SUCH  ACTION,  THE PERSON FILES WITH THE ATTORNEY
 GENERAL A WRITTEN REQUEST FOR  THE  ATTORNEY  GENERAL  TO  COMMENCE  THE
 ACTION.  THE  REQUEST SHALL INCLUDE A CLEAR AND CONCISE STATEMENT OF THE
 GROUNDS FOR BELIEVING A CAUSE OF ACTION EXISTS. THE  PERSON  SHALL  MAKE
 THE  NON-PUBLIC  INFORMATION  AVAILABLE  TO  THE  ATTORNEY  GENERAL UPON
 REQUEST.
   (1) IF THE ATTORNEY GENERAL FILES SUIT WITHIN NINETY DAYS FROM RECEIPT
 OF THE WRITTEN REQUEST TO COMMENCE THE ACTION, NO OTHER  ACTION  MAY  BE
 BROUGHT  UNLESS  THE ACTION BROUGHT BY THE ATTORNEY GENERAL IS DISMISSED
 WITHOUT PREJUDICE.
   (2) IF THE ATTORNEY GENERAL DOES NOT FILE SUIT WITHIN NINETY DAYS FROM
 RECEIPT OF THE WRITTEN  REQUEST  TO  COMMENCE  THE  ACTION,  THE  PERSON
 REQUESTING THE ACTION MAY PROCEED TO FILE A CIVIL ACTION.
   (3)  THE  TIME  PERIOD  WITHIN WHICH A CIVIL ACTION SHALL BE COMMENCED
 SHALL BE TOLLED FROM THE DATE OF RECEIPT BY THE ATTORNEY GENERAL OF  THE
 WRITTEN  REQUEST  TO  EITHER THE DATE THAT THE CIVIL ACTION IS DISMISSED
 WITHOUT PREJUDICE, OR FOR ONE HUNDRED FIFTY DAYS,  WHICHEVER  IS  LATER,
 BUT  ONLY  FOR  A  CIVIL  ACTION BROUGHT BY THE PERSON WHO REQUESTED THE
 ATTORNEY GENERAL TO COMMENCE THE ACTION.
   (B) NOTWITHSTANDING PARAGRAPH (C) OF SUBDIVISION TEN OF THIS  SECTION,
 IF  A  JUDGMENT  IS  ENTERED  AGAINST  THE DEFENDANT OR DEFENDANTS IN AN
 ACTION BROUGHT PURSUANT TO THIS SUBDIVISION, OR THE MATTER  IS  SETTLED,
 AMOUNTS  RECEIVED  AS CIVIL PENALTIES OR PURSUANT TO A SETTLEMENT OF THE
 ACTION SHALL BE ALLOCATED AS FOLLOWS:
   (1) IF THE ACTION WAS BROUGHT BY THE ATTORNEY GENERAL UPON  A  REQUEST
 MADE  BY  A  PERSON  PURSUANT  TO PARAGRAPH (A) OF THIS SUBDIVISION, THE
 PERSON WHO MADE THE REQUEST SHALL BE ENTITLED TO FIFTEEN PERCENT OF  THE
 CIVIL  PENALTIES,  AND  THE REMAINING PROCEEDS SHALL BE DEPOSITED IN THE
 CONSUMER PRIVACY FUND PURSUANT TO SECTION  NINETY-NINE-M  OF  THE  STATE
 FINANCE LAW.
   (2)  IF  THE  ACTION  WAS  BROUGHT  BY THE PERSON WHO MADE THE REQUEST
 PURSUANT TO PARAGRAPH (A) OF THIS SUBDIVISION, THAT PERSON SHALL RECEIVE
 AN AMOUNT THE COURT DETERMINES IS REASONABLE FOR  COLLECTING  THE  CIVIL
 PENALTIES ON BEHALF OF THE GOVERNMENT. THE AMOUNT SHALL BE NOT LESS THAN
 TWENTY-FIVE  PERCENT  AND NOT MORE THAN FIFTY PERCENT OF THE PROCEEDS OF
 THE ACTION AND SHALL BE PAID OUT OF THE PROCEEDS. THE REMAINING PROCEEDS
 SHALL BE DEPOSITED IN THE CONSUMER  PRIVACY  FUND  PURSUANT  TO  SECTION
 NINETY-NINE-M OF THE STATE FINANCE LAW.
   (C)  FOR  PURPOSES  OF  THIS  SECTION,  "NON-PUBLIC INFORMATION" MEANS
 INFORMATION THAT HAS NOT BEEN DISCLOSED IN A CRIMINAL, CIVIL, OR  ADMIN-
 ISTRATIVE  PROCEEDING,  IN A GOVERNMENT INVESTIGATION, REPORT, OR AUDIT,
 OR BY THE NEWS MEDIA OR OTHER PUBLIC SOURCE OF INFORMATION, AND THAT WAS
 NOT OBTAINED IN VIOLATION OF THE LAW.
   12. A BUSINESS THAT SUFFERS A BREACH OF THE  SECURITY  OF  THE  SYSTEM
 INVOLVING  CONSUMERS'  PERSONAL  INFORMATION  SHALL  BE  DEEMED  TO HAVE
 VIOLATED THIS SECTION AND MAY BE  HELD  LIABLE  FOR  SUCH  VIOLATION  OR
 VIOLATIONS  UNDER  SUBDIVISIONS NINE, TEN AND ELEVEN OF THIS SECTION, IF
 THE BUSINESS HAS FAILED TO IMPLEMENT AND  MAINTAIN  REASONABLE  SECURITY
 PROCEDURES  AND PRACTICES, APPROPRIATE TO THE NATURE OF THE INFORMATION,
 TO PROTECT THE PERSONAL INFORMATION FROM UNAUTHORIZED DISCLOSURE.
   13. THIS SECTION IS INTENDED TO FURTHER THE  CONSTITUTIONAL  RIGHT  OF
 PRIVACY  AND TO SUPPLEMENT EXISTING LAWS RELATING TO CONSUMERS' PERSONAL
 INFORMATION. THE PROVISIONS OF THIS SECTION ARE NOT LIMITED TO  INFORMA-
 TION  COLLECTED  ELECTRONICALLY  OR  OVER THE INTERNET, BUT APPLY TO THE
 COLLECTION AND SALE OF ALL PERSONAL INFORMATION COLLECTED BY A  BUSINESS
 S. 3162                            13
 
 FROM  CONSUMERS.  WHEREVER POSSIBLE, EXISTING LAW RELATING TO CONSUMERS'
 PERSONAL  INFORMATION  SHOULD  BE  CONSTRUED  TO  HARMONIZE   WITH   THE
 PROVISIONS  OF THIS SECTION, BUT IN THE EVENT OF CONFLICT BETWEEN EXIST-
 ING  LAW  AND  THE PROVISIONS OF THIS SECTION, THE PROVISIONS OF THE LAW
 THAT AFFORD THE GREATEST PROTECTION FOR THE RIGHT OF PRIVACY FOR CONSUM-
 ERS SHALL CONTROL.
   14. NOTHING IN THIS SECTION SHALL PREVENT A  CITY,  COUNTY,  CITY  AND
 COUNTY,  MUNICIPALITY,  OR  LOCAL AGENCY FROM SAFEGUARDING THE CONSTITU-
 TIONAL RIGHT OF PRIVACY BY IMPOSING  ADDITIONAL  REQUIREMENTS  ON  BUSI-
 NESSES REGARDING THE COLLECTION AND SALE OF CONSUMERS' PERSONAL INFORMA-
 TION  BY  BUSINESSES  PROVIDED  THAT  THE REQUIREMENT DOES NOT PREVENT A
 PERSON OR BUSINESS FROM COMPLYING WITH THIS SECTION.
   15. (A) THE ATTORNEY GENERAL SHALL ADOPT REGULATIONS IN THE  FOLLOWING
 AREAS TO FURTHER THE PURPOSES OF THIS SECTION:
   (1)  ADDING ADDITIONAL CATEGORIES TO THOSE ENUMERATED IN PARAGRAPH (C)
 OF SUBDIVISION SIX AND PARAGRAPH (M) OF SUBDIVISION ONE OF THIS  SECTION
 IN  ORDER  TO  ADDRESS CHANGES IN TECHNOLOGY, DATA COLLECTION PRACTICES,
 OBSTACLES TO IMPLEMENTATION, AND PRIVACY  CONCERNS.  IN  ADDITION,  UPON
 RECEIPT OF A REQUEST MADE BY A CITY ATTORNEY OR DISTRICT ATTORNEY TO ADD
 A  NEW  CATEGORY  OR CATEGORIES, THE ATTORNEY GENERAL SHALL PROMULGATE A
 REGULATION TO ADD SUCH CATEGORY OR CATEGORIES UNLESS THE ATTORNEY GENER-
 AL CONCLUDES, BASED ON FACTUAL  OR  LEGAL  FINDINGS,  THAT  THERE  IS  A
 COMPELLING  REASON  NOT  TO ADD THE CATEGORY OR CATEGORIES. THE ATTORNEY
 GENERAL MAY ALSO ADD ADDITIONAL CATEGORIES TO THOSE ENUMERATED IN  PARA-
 GRAPH  (C)  OF  SUBDIVISION  SIX AND PARAGRAPH (M) OF SUBDIVISION ONE OF
 THIS SECTION IN RESPONSE TO A PETITION FILED;
   (2) ADDING ADDITIONAL ITEMS TO THE DEFINITION OF "UNIQUE  IDENTIFIERS"
 TO  ADDRESS  CHANGES IN TECHNOLOGY, DATA COLLECTION, OBSTACLES TO IMPLE-
 MENTATION, AND PRIVACY CONCERNS, AND ADDITIONAL CATEGORIES TO THE  DEFI-
 NITION  OF  "DESIGNATED METHODS FOR SUBMITTING REQUESTS" TO FACILITATE A
 CONSUMER'S ABILITY TO OBTAIN INFORMATION FROM  A  BUSINESS  PURSUANT  TO
 SUBDIVISION SIX OF THIS SECTION;
   (3)  ESTABLISHING  ANY  EXCEPTIONS  NECESSARY  TO COMPLY WITH STATE OR
 FEDERAL LAW;
   (4) ESTABLISHING RULES AND PROCEDURES: (A) TO  FACILITATE  AND  GOVERN
 THE SUBMISSION OF A REQUEST BY A CONSUMER, AND BY AN AUTHORIZED AGENT OF
 THE CONSUMER, TO OPT OUT OF THE SALE OF PERSONAL INFORMATION PURSUANT TO
 SUBPARAGRAPH  ONE OF PARAGRAPH (A) OF SUBDIVISION SEVEN OF THIS SECTION;
 (B) TO GOVERN A BUSINESS'S COMPLIANCE WITH A CONSUMER'S OPT OUT REQUEST;
 AND (C) FOR THE DEVELOPMENT AND USE OF A RECOGNIZABLE  AND  UNIFORM  OPT
 OUT  LOGO  OR  BUTTON BY ALL BUSINESSES TO PROMOTE CONSUMER AWARENESS OF
 THE OPPORTUNITY TO OPT OUT OF THE SALE OF PERSONAL INFORMATION;
   (5) ADJUSTING THE MONETARY THRESHOLD IN CLAUSE (A) OF SUBPARAGRAPH ONE
 OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION IN JANUARY OF  EVERY
 ODD-NUMBERED YEAR TO REFLECT ANY INCREASE IN THE CONSUMER PRICE INDEX;
   (6)  ESTABLISHING  RULES,  PROCEDURES, AND ANY EXCEPTIONS NECESSARY TO
 ENSURE THAT THE NOTICES AND INFORMATION THAT BUSINESSES ARE REQUIRED  TO
 PROVIDE  PURSUANT  TO  THIS SECTION ARE PROVIDED IN A MANNER SO AS TO BE
 EASILY UNDERSTOOD BY THE AVERAGE CONSUMER, ARE ACCESSIBLE  TO  CONSUMERS
 WITH  DISABILITIES,  AND ARE AVAILABLE IN THE LANGUAGE PRIMARILY USED TO
 INTERACT WITH THE CONSUMER;
   (7) ESTABLISHING RULES AND  PROCEDURES  TO  FURTHER  THE  PURPOSES  OF
 SUBDIVISIONS  TWO  AND THREE OF THIS SECTION AND TO FACILITATE A CONSUM-
 ER'S OR THE CONSUMER'S AUTHORIZED AGENT'S ABILITY TO OBTAIN  INFORMATION
 PURSUANT TO SUBDIVISION SIX OF THIS SECTION, WITH THE GOAL OF MINIMIZING
 THE  ADMINISTRATIVE  BURDEN  ON CONSUMERS, TAKING INTO ACCOUNT AVAILABLE
 S. 3162                            14
 
 TECHNOLOGY, SECURITY CONCERNS, AND THE BURDEN ON THE BUSINESS, TO GOVERN
 A BUSINESS'S DETERMINATION THAT A REQUEST FOR INFORMATION RECEIVED BY  A
 CONSUMER IS A VERIFIABLE REQUEST, INCLUDING TREATING A REQUEST SUBMITTED
 THROUGH A PASSWORD PROTECTED ACCOUNT MAINTAINED BY THE CONSUMER WITH THE
 BUSINESS  WHILE  THE CONSUMER IS LOGGED INTO THE ACCOUNT AS A VERIFIABLE
 REQUEST AND PROVIDING A MECHANISM FOR A CONSUMER WHO DOES  NOT  MAINTAIN
 AN  ACCOUNT  WITH  THE BUSINESS TO REQUEST INFORMATION THROUGH THE BUSI-
 NESS'S AUTHENTICATION OF THE CONSUMER'S IDENTITY;
   (8) DEFINING THE TERM "VALUABLE CONSIDERATION" AS USED IN SUBPARAGRAPH
 ONE OF PARAGRAPH (Q) OF SUBDIVISION ONE OF THIS SECTION TO ENSURE THAT A
 BUSINESS THAT DISCLOSES, EXCEPT AS PERMITTED BY THIS SECTION, A  CONSUM-
 ER'S  PERSONAL  INFORMATION TO A THIRD PARTY, INCLUDING THROUGH A SERIES
 OF TRANSACTIONS INVOLVING MULTIPLE THIRD PARTIES, IN  EXCHANGE  FOR  ANY
 ECONOMIC  BENEFIT  IS  SUBJECT  TO THIS SECTION, AND TO INCLUDE BUSINESS
 PRACTICES INVOLVING THE DISCLOSURE OF PERSONAL INFORMATION  IN  EXCHANGE
 FOR  SOMETHING  OF  VALUE.  VALUABLE  CONSIDERATION DOES NOT INCLUDE THE
 EXCHANGE OF VALUE IN A TRANSACTION INVOLVING NON-COMMERCIAL SPEECH, SUCH
 AS JOURNALISM AND POLITICAL SPEECH; AND
   (9)  FURTHER  INTERPRET  THE  TERMS  "DE-IDENTIFIED",  "SELL",  "THIRD
 PARTY",  AND  "BUSINESS PURPOSE" AS SET FORTH IN SUBDIVISION ONE OF THIS
 SECTION, TO ADDRESS CHANGES IN TECHNOLOGY, DATA COLLECTION, OBSTACLES TO
 IMPLEMENTATION, AND PRIVACY CONCERNS AND TO ENSURE COMPLIANCE  WITH  THE
 PURPOSES  OF  THIS SECTION, PROVIDED THAT SUCH REGULATIONS DO NOT REDUCE
 CONSUMER PRIVACY OR THE ABILITY OF CONSUMERS TO STOP THE SALE  OF  THEIR
 PERSONAL INFORMATION.
   (B)  THE ATTORNEY GENERAL SHALL BE PRECLUDED FROM ADOPTING REGULATIONS
 THAT LIMIT OR REDUCE THE NUMBER  OR  SCOPE  OF  CATEGORIES  OF  PERSONAL
 INFORMATION ENUMERATED IN PARAGRAPH (C) OF SUBDIVISION SIX AND PARAGRAPH
 (M)  OF  SUBDIVISION  ONE  OF  THIS SECTION, OR THAT LIMIT OR REDUCE THE
 NUMBER OR SCOPE OF CATEGORIES ADDED  PURSUANT  TO  SUBPARAGRAPH  ONE  OF
 PARAGRAPH  (A)  OF  THIS SUBDIVISION, EXCEPT AS NECESSARY TO COMPLY WITH
 SUBPARAGRAPH THREE OF PARAGRAPH (A) OF THIS  SUBDIVISION.  THE  ATTORNEY
 GENERAL  SHALL  ALSO  BE  PRECLUDED FROM REDUCING THE SCOPE OF THE DEFI-
 NITION OF "UNIQUE IDENTIFIERS",  EXCEPT  AS  NECESSARY  TO  COMPLY  WITH
 SUBPARAGRAPH THREE OF PARAGRAPH (A) OF THIS SUBDIVISION.
   (C) TO THE EXTENT THE ATTORNEY GENERAL DETERMINES THAT IT IS NECESSARY
 TO  ADOPT  CERTAIN  REGULATIONS  IN ORDER TO IMPLEMENT THIS SECTION, THE
 ATTORNEY GENERAL SHALL ADOPT ANY SUCH REGULATIONS WITHIN SIX  MONTHS  OF
 THE DATE THIS SECTION IS ADOPTED.
   (D) THE ATTORNEY GENERAL MAY ADOPT ADDITIONAL REGULATIONS AS NECESSARY
 TO FURTHER THE PURPOSES OF THIS SECTION.
   16.  IF  A  SERIES  OF STEPS OR TRANSACTIONS WERE COMPONENT PARTS OF A
 SINGLE TRANSACTION INTENDED FROM THE BEGINNING  TO  BE  TAKEN  WITH  THE
 INTENTION  OF  AVOIDING THE REACH OF THIS SECTION, INCLUDING THE DISCLO-
 SURE OF INFORMATION BY A BUSINESS TO A THIRD PARTY IN ORDER TO AVOID THE
 DEFINITION OF "SELL", A COURT SHALL DISREGARD THE INTERMEDIATE STEPS  OR
 TRANSACTIONS FOR PURPOSES OF EFFECTUATING THE PURPOSES OF THIS SECTION.
   17. ANY PROVISION OF A CONTRACT OR AGREEMENT OF ANY KIND THAT PURPORTS
 TO  WAIVE  OR  LIMIT  IN ANY WAY A CONSUMER'S RIGHTS UNDER THIS SECTION,
 INCLUDING BUT NOT LIMITED TO ANY RIGHT TO A REMEDY OR MEANS OF  ENFORCE-
 MENT,  SHALL  BE  DEEMED CONTRARY TO PUBLIC POLICY AND SHALL BE VOID AND
 UNENFORCEABLE. THIS SECTION SHALL NOT PREVENT A CONSUMER FROM:   DECLIN-
 ING  TO  REQUEST  INFORMATION FROM A BUSINESS; DECLINING TO OPT OUT OF A
 BUSINESS'S SALE OF THE CONSUMER'S PERSONAL INFORMATION; OR AUTHORIZING A
 BUSINESS TO SELL THE CONSUMER'S PERSONAL  INFORMATION  AFTER  PREVIOUSLY
 OPTING OUT.
 S. 3162                            15
 
   18. IF ANY PROVISION OF THIS SECTION SHALL BE ADJUDGED BY ANY COURT OF
 COMPETENT  JURISDICTION  TO  BE INVALID, SUCH JUDGMENT SHALL NOT AFFECT,
 IMPAIR OR INVALIDATE THE REMAINDER THEREOF, BUT SHALL BE CONFINED IN ITS
 OPERATION TO THE PROVISION DIRECTLY INVOLVED IN THE CONTROVERSY IN WHICH
 SUCH JUDGMENT SHALL HAVE BEEN RENDERED.
   §  3. The state finance law is amended by adding a new section 99-m to
 read as follows:
   § 99-M. CONSUMER PRIVACY FUND. 1. THERE IS HEREBY ESTABLISHED  IN  THE
 JOINT  CUSTODY OF THE STATE COMPTROLLER AND THE COMMISSIONER OF TAXATION
 AND FINANCE AN ACCOUNT WITHIN THE  GENERAL  FUND  TO  BE  KNOWN  AS  THE
 "CONSUMER PRIVACY FUND".
   2. SUCH ACCOUNT SHALL CONSIST OF ALL PENALTIES RECEIVED BY THE DEPART-
 MENT  OF  STATE  PURSUANT TO SECTION EIGHT HUNDRED NINETY-NINE-CC OF THE
 GENERAL BUSINESS LAW AND ANY ADDITIONAL MONIES APPROPRIATED, CREDITED OR
 TRANSFERRED TO SUCH ACCOUNT BY THE LEGISLATURE. ANY INTEREST  EARNED  BY
 THE INVESTMENT OF MONIES IN SUCH ACCOUNT SHALL BE ADDED TO SUCH ACCOUNT,
 BECOME  PART  OF  SUCH  ACCOUNT,  AND  BE  USED FOR THE PURPOSES OF SUCH
 ACCOUNT.
   3. MONIES IN THE ACCOUNT SHALL BE AVAILABLE TO  THE  OFFICE  OF  COURT
 ADMINISTRATION  AND THE ATTORNEY GENERAL TO OFFSET ANY COSTS INCURRED BY
 THE STATE COURTS IN CONNECTION WITH ACTIONS BROUGHT TO  ENFORCE  SECTION
 EIGHT  HUNDRED  NINETY-NINE-CC OF THE GENERAL BUSINESS LAW AND ANY COSTS
 INCURRED BY THE ATTORNEY GENERAL IN CARRYING OUT HIS OR HER DUTIES UNDER
 SUCH SECTION OF LAW.
   4. MONIES IN THE ACCOUNT SHALL BE PAID OUT OF THE ACCOUNT ON THE AUDIT
 AND WARRANT OF THE STATE COMPTROLLER ON VOUCHERS CERTIFIED  OR  APPROVED
 BY THE OFFICE OF COURT ADMINISTRATION AND/OR THE ATTORNEY GENERAL.
   § 4. This act shall take effect on the one hundred eightieth day after
 it  shall have become a law. Effective immediately, the addition, amend-
 ment and/or repeal of any rule or regulation necessary for the implemen-
 tation of this act on its effective date are authorized to be  made  and
 completed on or before such effective date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.