S. 3162 2
(1) A SOLE-PROPRIETORSHIP, PARTNERSHIP, LIMITED-LIABILITY COMPANY,
CORPORATION, ASSOCIATION, OR OTHER LEGAL ENTITY THAT IS ORGANIZED OR
OPERATED FOR THE PROFIT OR FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR
OTHER OWNERS, THAT COLLECTS CONSUMERS' PERSONAL INFORMATION, THAT DOES
BUSINESS IN THE STATE, AND THAT SATISFIES ONE OR MORE OF THE FOLLOWING
THRESHOLDS: (A) HAS ANNUAL GROSS REVENUES IN EXCESS OF FIFTY MILLION
DOLLARS, AS ADJUSTED PURSUANT TO SUBPARAGRAPH FIVE OF PARAGRAPH (A) OF
SUBDIVISION FIFTEEN OF THIS SECTION; OR (B) ANNUALLY SELLS, ALONE OR IN
COMBINATION, THE PERSONAL INFORMATION OF ONE HUNDRED THOUSAND OR MORE
CONSUMERS OR DEVICES; OR (C) DERIVES FIFTY PERCENT OR MORE OF ITS ANNUAL
REVENUES FROM SELLING CONSUMERS' PERSONAL INFORMATION; AND
(2) ANY ENTITY THAT CONTROLS OR IS CONTROLLED BY A BUSINESS, AS
DEFINED IN PARAGRAPH ONE OF THIS SUBDIVISION, AND THAT SHARES COMMON
BRANDING WITH THE BUSINESS. "CONTROL" OR "CONTROLLED" MEANS OWNERSHIP
OF, OR THE POWER TO VOTE, MORE THAN FIFTY PERCENT OF THE OUTSTANDING
SHARES OF ANY CLASS OF VOTING SECURITY OF A BUSINESS; CONTROL IN ANY
MANNER OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS, OR OF INDIVID-
UALS EXERCISING SIMILAR FUNCTIONS; OR THE POWER TO EXERCISE, DIRECTLY OR
INDIRECTLY, A CONTROLLING INFLUENCE OVER THE MANAGEMENT OR POLICIES OF A
COMPANY. "COMMON BRANDING" MEANS A SHARED NAME, SERVICEMARK, OR TRADE-
MARK.
(C) "BUSINESS PURPOSE" MEANS THE USE OF PERSONAL INFORMATION FOR THE
BUSINESS'S OPERATIONAL PURPOSES, PROVIDED THAT THE USE OF PERSONAL
INFORMATION SHALL BE REASONABLY NECESSARY AND PROPORTIONATE TO ACHIEVE
THE OPERATIONAL PURPOSE FOR WHICH IT IS SPECIFICALLY PERMITTED. UNREA-
SONABLE OR DISPROPORTIONATE USE SHALL NOT BE CONSIDERED A "BUSINESS
PURPOSE". BUSINESS PURPOSES ARE:
(1) AUDITING RELATED TO A CURRENT INTERACTION WITH THE CONSUMER AND
CONCURRENT TRANSACTIONS, INCLUDING BUT NOT LIMITED TO, COUNTING AD
IMPRESSIONS TO UNIQUE VISITORS, VERIFYING POSITIONING AND QUALITY OF AD
IMPRESSIONS AND AUDITING COMPLIANCE WITH THIS SPECIFICATION AND OTHER
STANDARDS;
(2) DETECTING SECURITY INCIDENTS, PROTECTING AGAINST MALICIOUS, DECEP-
TIVE, FRAUDULENT, OR ILLEGAL ACTIVITY, AND PROSECUTING THOSE RESPONSIBLE
FOR SUCH ACTIVITY;
(3) DEBUGGING TO IDENTIFY AND REPAIR ERRORS THAT IMPAIR EXISTING
INTENDED FUNCTIONALITY;
(4) SHORT-TERM, TRANSIENT USE, PROVIDED THE PERSONAL INFORMATION IS
NOT DISCLOSED TO ANOTHER PERSON AND IS NOT USED TO BUILD A PROFILE ABOUT
A CONSUMER OR OTHERWISE ALTER AN INDIVIDUAL CONSUMER'S EXPERIENCE
OUTSIDE THE CURRENT INTERACTION, INCLUDING BUT NOT LIMITED TO, THE
CONTEXTUAL CUSTOMIZATION OF ADS SHOWN AS PART OF THE SAME INTERACTION;
AND
(5) PERFORMING SERVICES ON BEHALF OF THE BUSINESS, INCLUDING MAINTAIN-
ING OR SERVICING ACCOUNTS, PROVIDING CUSTOMER SERVICE, PROCESSING OR
FULFILLING ORDERS AND TRANSACTIONS, VERIFYING CUSTOMER INFORMATION,
PROCESSING PAYMENTS, PROVIDING FINANCING, PROVIDING ADVERTISING OR
MARKETING SERVICES, PROVIDING ANALYTICAL SERVICES, OR PROVIDING SIMILAR
SERVICES ON BEHALF OF THE BUSINESS.
(D) "CLEAR AND CONSPICUOUS" MEANS (1) IN A COLOR THAT CONTRASTS WITH
THE BACKGROUND COLOR OR IS OTHERWISE DISTINGUISHABLE; (2) WRITTEN IN
LARGER TYPE THAN THE SURROUNDING TEXT AND IN A FASHION THAT CALLS ATTEN-
TION TO THE LANGUAGE; AND (3) PROMINENTLY DISPLAYED SO THAT A REASONABLE
VIEWER WOULD BE ABLE TO NOTICE, READ, AND UNDERSTAND IT.
(E) "COMMERCIAL PURPOSES" MEANS TO ADVANCE A PERSON'S COMMERCIAL OR
ECONOMIC INTERESTS, SUCH AS BY INDUCING ANOTHER PERSON TO BUY, RENT,
S. 3162 3
LEASE, JOIN, SUBSCRIBE TO, PROVIDE, OR EXCHANGE PRODUCTS, GOODS, PROPER-
TY, INFORMATION, OR SERVICES, OR ENABLING OR EFFECTING, DIRECTLY OR
INDIRECTLY, A COMMERCIAL TRANSACTION. "COMMERCIAL PURPOSES" DOES NOT
INCLUDE FOR THE PURPOSE OF ENGAGING IN SPEECH THAT STATE OR FEDERAL
COURTS HAVE RECOGNIZED AS NON-COMMERCIAL SPEECH, INCLUDING POLITICAL
SPEECH AND JOURNALISM.
(F) "COLLECTS", "COLLECTED" OR "COLLECTION" MEANS BUYING, RENTING,
GATHERING, OBTAINING, STORING, USING, MONITORING, ACCESSING, OR MAKING
INFERENCES BASED UPON, ANY PERSONAL INFORMATION PERTAINING TO A CONSUMER
BY ANY MEANS.
(G) "CONSUMER" MEANS A NATURAL PERSON WHO IS A RESIDENT OF THE STATE.
(H) "DE-IDENTIFIED" MEANS INFORMATION THAT CANNOT REASONABLY IDENTIFY,
RELATE TO, DESCRIBE, REFERENCE, BE CAPABLE OF BEING ASSOCIATED WITH, OR
BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR CONSUMER OR DEVICE,
PROVIDED THAT A BUSINESS THAT USES DE-IDENTIFIED INFORMATION: (1) HAS
IMPLEMENTED TECHNICAL SAFEGUARDS THAT PROHIBIT RE-IDENTIFICATION OF THE
CONSUMER OR CONSUMERS TO WHOM THE INFORMATION MAY PERTAIN; (2) HAS
IMPLEMENTED BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT RE-IDENTIFICA-
TION OF THE INFORMATION; (3) HAS IMPLEMENTED BUSINESS PROCESSES TO
PREVENT INADVERTENT RELEASE OF DE-IDENTIFIED INFORMATION; AND (4) MAKES
NO ATTEMPT TO RE-IDENTIFY THE INFORMATION.
(I) "DESIGNATED METHODS FOR SUBMITTING REQUESTS" MEANS A MAILING
ADDRESS, E-MAIL ADDRESS, WEB PAGE, WEB PORTAL, TOLL-FREE TELEPHONE
NUMBER, OR OTHER APPLICABLE CONTACT INFORMATION, WHEREBY CONSUMERS MAY
SUBMIT A REQUEST OR DIRECTION UNDER THIS SECTION. IF THE CONSUMER DOES
NOT MAINTAIN AN ACCOUNT WITH THE BUSINESS, THE BUSINESS SHALL PROVIDE AN
OPPORTUNITY FOR THE CONSUMER TO DESIGNATE WHETHER THE CONSUMER WISHES TO
RECEIVE THE INFORMATION REQUIRED TO BE DISCLOSED PURSUANT TO SUBDIVI-
SIONS TWO AND THREE OF THIS SECTION BY MAIL OR ELECTRONICALLY, AT THE
CONSUMER'S OPTION.
(J) "HOMEPAGE" MEANS THE INTRODUCTORY PAGE OF A WEBSITE AND ANY
WEBPAGE WHERE PERSONAL INFORMATION IS COLLECTED. IN THE CASE OF AN
ONLINE SERVICE, SUCH AS A MOBILE APPLICATION, HOMEPAGE MEANS THE APPLI-
CATION'S PLATFORM PAGE, A LINK WITHIN THE APPLICATION, SUCH AS FROM THE
APPLICATION CONFIGURATION, "ABOUT", "INFORMATION", OR SETTINGS PAGE, AND
ANY OTHER LOCATION THAT ALLOWS CONSUMERS TO REVIEW THE NOTICE REQUIRED
BY PARAGRAPH (A) OF SUBDIVISION SEVEN OF THIS SECTION, INCLUDING BUT NOT
LIMITED TO, BEFORE DOWNLOADING THE APPLICATION.
(K) "INFER" OR "INFERENCE" MEANS THE DERIVATION OF INFORMATION, DATA,
ASSUMPTIONS, OR CONCLUSIONS FROM FACTS, EVIDENCE, OR ANOTHER SOURCE OF
INFORMATION OR DATA.
(L) "PERSON" MEANS AN INDIVIDUAL, PROPRIETORSHIP, FIRM, PARTNERSHIP,
JOINT VENTURE, SYNDICATE, BUSINESS TRUST, COMPANY, CORPORATION, LIMITED
LIABILITY COMPANY, ASSOCIATION, COMMITTEE, AND ANY OTHER ORGANIZATION OR
GROUP OF PERSONS ACTING IN CONCERT.
(M) (1)"PERSONAL INFORMATION" MEANS INFORMATION THAT IDENTIFIES,
RELATES TO, DESCRIBES, REFERENCES, IS CAPABLE OF BEING ASSOCIATED WITH,
OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR
CONSUMER OR DEVICE, INCLUDING, BUT NOT LIMITED TO:
(A) ANY INFORMATION THAT IDENTIFIES, RELATES TO, DESCRIBES, OR IS
CAPABLE OF BEING ASSOCIATED WITH, A PARTICULAR INDIVIDUAL, INCLUDING,
BUT NOT LIMITED TO, HIS OR HER NAME, ALIAS, SIGNATURE, SOCIAL SECURITY
NUMBER, PHYSICAL CHARACTERISTICS OR DESCRIPTION, ADDRESS, ELECTRONIC
MAIL ADDRESS, INTERNET PROTOCOL ADDRESS, UNIQUE IDENTIFIER, ACCOUNT
NAME, TELEPHONE NUMBER, PASSPORT NUMBER, DRIVER'S LICENSE OR STATE IDEN-
TIFICATION CARD NUMBER, INSURANCE POLICY NUMBER, EDUCATION, EMPLOYMENT,
S. 3162 4
EMPLOYMENT HISTORY, BANK ACCOUNT NUMBER, CREDIT CARD NUMBER, DEBIT CARD
NUMBER, OR ANY OTHER FINANCIAL INFORMATION, MEDICAL INFORMATION, OR
HEALTH INSURANCE INFORMATION;
(B) CHARACTERISTICS OF PROTECTED CLASSIFICATIONS UNDER STATE OR FEDER-
AL LAW;
(C) COMMERCIAL INFORMATION, INCLUDING RECORDS OF PROPERTY, PRODUCTS OR
SERVICES PROVIDED, OBTAINED, OR CONSIDERED, OR OTHER PURCHASING OR
CONSUMING HISTORIES OR TENDENCIES;
(D) BIOMETRIC DATA;
(E) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION, INCLUD-
ING BUT NOT LIMITED TO, BROWSING HISTORY, SEARCH HISTORY, AND INFORMA-
TION REGARDING A CONSUMER'S INTERACTION WITH A WEBSITE, APPLICATION, OR
ADVERTISEMENT;
(F) GEOLOCATION DATA;
(G) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR INFORMA-
TION;
(H) PSYCHOMETRIC INFORMATION;
(I) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
(J) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED ABOVE; AND
(K) ANY OF THE CATEGORIES OF INFORMATION SET FORTH IN THIS SUBDIVISION
AS THEY PERTAIN TO THE MINOR CHILDREN OF THE CONSUMER.
(2) "PERSONAL INFORMATION" DOES NOT INCLUDE INFORMATION THAT IS
PUBLICLY AVAILABLE OR THAT IS DE-IDENTIFIED.
(N) "PROBABILISTIC IDENTIFIER" MEANS THE IDENTIFICATION OF A CONSUMER
OR A DEVICE TO A DEGREE OF CERTAINTY OF MORE PROBABLE THAN NOT BASED ON
ANY CATEGORIES OF PERSONAL INFORMATION INCLUDED IN, OR SIMILAR TO, THE
CATEGORIES ENUMERATED IN SUBPARAGRAPH ONE OF PARAGRAPH (M) OF THIS
SUBDIVISION.
(O) "PSYCHOMETRIC INFORMATION" MEANS INFORMATION DERIVED OR CREATED
FROM THE USE OR APPLICATION OF PSYCHOMETRIC THEORY OR PSYCHOMETRICS,
WHEREBY THROUGH THE USE OF ANY METHOD, MODEL, TOOL, OR FORMULA, OBSERVA-
BLE PHENOMENA, SUCH AS ACTIONS OR EVENTS, ARE CONNECTED, MEASURED,
ASSESSED, OR RELATED TO A CONSUMER'S ATTRIBUTES, INCLUDING, BUT NOT
LIMITED TO, PSYCHOLOGICAL TRENDS, PREFERENCES, PREDISPOSITIONS, BEHAV-
IOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND APTITUDES.
(P) "PUBLICLY AVAILABLE" MEANS INFORMATION THAT IS LAWFULLY MADE
AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS. "PUBLICLY
AVAILABLE" DOES NOT MEAN BIOMETRIC INFORMATION COLLECTED BY A BUSINESS
ABOUT A CONSUMER WITHOUT THE CONSUMER'S KNOWLEDGE.
(Q)(1) "SELL", "SELLING", "SALE" OR "SOLD" MEANS: (A) SELLING, RENT-
ING, RELEASING, DISCLOSING, DISSEMINATING, MAKING AVAILABLE, TRANS-
FERRING, OR OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC
OR OTHER MEANS, A CONSUMER'S PERSONAL INFORMATION BY THE BUSINESS TO A
THIRD PARTY FOR VALUABLE CONSIDERATION; OR (B) SHARING ORALLY, IN WRIT-
ING, OR BY ELECTRONIC OR OTHER MEANS, A CONSUMER'S PERSONAL INFORMATION
WITH A THIRD PARTY, WHETHER FOR VALUABLE CONSIDERATION OR FOR NO CONSID-
ERATION, FOR THE THIRD PARTY'S COMMERCIAL PURPOSES.
(2) FOR PURPOSES OF THIS SECTION, A BUSINESS DOES NOT SELL PERSONAL
INFORMATION WHEN:
(A) A CONSUMER USES THE BUSINESS: (I) TO INTENTIONALLY DISCLOSE
PERSONAL INFORMATION, OR (II) TO INTENTIONALLY INTERACT WITH A THIRD
PARTY. AN INTENTIONAL INTERACTION OCCURS WHEN THE CONSUMER INTENDS TO
INTERACT WITH THE THIRD PARTY VIA ONE OR MORE DELIBERATE INTERACTIONS.
HOVERING OVER, MUTING, PAUSING, OR CLOSING A GIVEN PIECE OF CONTENT DOES
NOT CONSTITUTE A CONSUMER'S INTENT TO INTERACT WITH A THIRD PARTY; OR
S. 3162 5
(B) THE BUSINESS USES AN IDENTIFIER FOR A CONSUMER WHO HAS OPTED OUT
OF THE SALE OF THE CONSUMER'S PERSONAL INFORMATION FOR THE PURPOSES OF
ALERTING THIRD PARTIES THAT THE CONSUMER HAS OPTED OUT OF THE SALE OF
THE CONSUMER'S PERSONAL INFORMATION.
(R) "SERVICE" OR "SERVICES" MEANS WORK, LABOR, AND SERVICES, INCLUDING
SERVICES FURNISHED IN CONNECTION WITH THE SALE OR REPAIR OF GOODS.
(S) "THIRD PARTY" MEANS ANY PERSON WHO IS NOT:
(1) THE BUSINESS THAT COLLECTS PERSONAL INFORMATION FROM CONSUMERS
UNDER THIS SECTION; OR
(2) A PERSON TO WHOM THE BUSINESS DISCLOSES A CONSUMER'S PERSONAL
INFORMATION FOR A BUSINESS PURPOSE PURSUANT TO A WRITTEN CONTRACT,
PROVIDED THAT THE CONTRACT:
(A) PROHIBITS THE PERSON RECEIVING THE PERSONAL INFORMATION FROM: (I)
SELLING THE PERSONAL INFORMATION; (II) RETAINING, USING, OR DISCLOSING
THE PERSONAL INFORMATION FOR ANY PURPOSE OTHER THAN FOR THE SPECIFIC
PURPOSE OF PERFORMING THE SERVICES SPECIFIED IN THE CONTRACT, INCLUDING
RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION FOR A COMMER-
CIAL PURPOSE OTHER THAN PROVIDING THE SERVICES SPECIFIED IN THE
CONTRACT; AND (III) RETAINING, USING, OR DISCLOSING THE INFORMATION
OUTSIDE OF THE DIRECT BUSINESS RELATIONSHIP BETWEEN THE PERSON AND THE
BUSINESS; AND
(B) INCLUDES A CERTIFICATION MADE BY THE PERSON RECEIVING THE PERSONAL
INFORMATION THAT THE PERSON UNDERSTANDS THE RESTRICTIONS IN CLAUSE (A)
OF THIS SUBPARAGRAPH AND WILL COMPLY WITH THEM. A PERSON COVERED BY THIS
SUBPARAGRAPH THAT VIOLATES ANY OF THE RESTRICTIONS SET FORTH IN THIS
SECTION SHALL BE LIABLE FOR SUCH VIOLATIONS UNDER THIS SECTION. A BUSI-
NESS THAT DISCLOSES PERSONAL INFORMATION TO A PERSON COVERED BY THIS
SUBPARAGRAPH IN COMPLIANCE WITH SUCH SUBPARAGRAPH SHALL NOT BE LIABLE
UNDER THIS SECTION IF THE PERSON RECEIVING THE PERSONAL INFORMATION USES
IT IN VIOLATION OF THE RESTRICTIONS SET FORTH IN THIS SECTION, PROVIDED
THAT, AT THE TIME OF DISCLOSING THE PERSONAL INFORMATION, THE BUSINESS
DOES NOT HAVE ACTUAL KNOWLEDGE, OR REASON TO BELIEVE, THAT THE PERSON
INTENDS TO COMMIT SUCH A VIOLATION.
(T) "UNIQUE IDENTIFIER" MEANS A PERSISTENT IDENTIFIER THAT CAN BE USED
TO RECOGNIZE A CONSUMER OR A DEVICE OVER TIME AND ACROSS DIFFERENT
SERVICES, INCLUDING BUT NOT LIMITED TO, A DEVICE IDENTIFIER; INTERNET
PROTOCOL ADDRESS; COOKIES, BEACONS, PIXEL TAGS, MOBILE AD IDENTIFIERS,
OR SIMILAR TECHNOLOGY; CUSTOMER NUMBER, UNIQUE PSEUDONYM, OR USER ALIAS;
AND TELEPHONE NUMBERS, OR OTHER FORMS OF PERSISTENT OR PROBABILISTIC
IDENTIFIERS THAT CAN BE USED TO IDENTIFY A PARTICULAR CONSUMER OR
DEVICE.
(U) "VERIFIABLE REQUEST" MEANS A REQUEST THAT: (1) IS MADE BY A
CONSUMER, BY A CONSUMER ON BEHALF OF THE CONSUMER'S MINOR CHILD, OR BY A
PERSON AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUMER'S BEHALF; AND
(2) THE BUSINESS HAS VERIFIED, PURSUANT TO REGULATIONS ADOPTED BY THE
ATTORNEY GENERAL PURSUANT TO SUBPARAGRAPH SEVEN OF PARAGRAPH (A) OF
SUBDIVISION FIFTEEN OF THIS SECTION, TO BE THE CONSUMER ABOUT WHOM THE
BUSINESS HAS COLLECTED PERSONAL INFORMATION. A BUSINESS IS NOT OBLIGATED
TO PROVIDE INFORMATION TO THE CONSUMER PURSUANT TO SUBDIVISIONS TWO AND
THREE OF THIS SECTION IF THE BUSINESS CANNOT VERIFY, PURSUANT TO THIS
SUBDIVISION AND REGULATIONS ADOPTED BY THE ATTORNEY GENERAL PURSUANT TO
SUBPARAGRAPH SEVEN OF PARAGRAPH (A) OF SUBDIVISION FIFTEEN OF THIS
SECTION, THAT THE CONSUMER MAKING THE REQUEST IS THE CONSUMER ABOUT WHOM
THE BUSINESS HAS COLLECTED INFORMATION.
2. (A) A CONSUMER SHALL HAVE THE RIGHT TO REQUEST THAT A BUSINESS THAT
COLLECTS PERSONAL INFORMATION ABOUT THE CONSUMER DISCLOSE TO THE CONSUM-
S. 3162 6
ER THE CATEGORIES OF PERSONAL INFORMATION IT HAS COLLECTED ABOUT THAT
CONSUMER.
(B) A BUSINESS THAT COLLECTS PERSONAL INFORMATION ABOUT A CONSUMER
SHALL DISCLOSE TO THE CONSUMER, PURSUANT TO SUBPARAGRAPH THREE OF PARA-
GRAPH (A) OF SUBDIVISION SIX OF THIS SECTION, THE INFORMATION SPECIFIED
IN PARAGRAPH (A) OF SUBDIVISION ONE OF THIS SECTION UPON RECEIPT OF A
VERIFIABLE REQUEST FROM THE CONSUMER.
(C) A BUSINESS THAT COLLECTS PERSONAL INFORMATION ABOUT CONSUMERS
SHALL DISCLOSE, PURSUANT TO CLAUSE (B) OF SUBPARAGRAPH FIVE OF PARAGRAPH
(A) OF SUBDIVISION SIX OF THIS SECTION, THE CATEGORIES OF PERSONAL
INFORMATION IT HAS COLLECTED ABOUT CONSUMERS.
3. (A) A CONSUMER SHALL HAVE THE RIGHT TO REQUEST THAT A BUSINESS THAT
SELLS THE CONSUMER'S PERSONAL INFORMATION, OR THAT DISCLOSES IT FOR A
BUSINESS PURPOSE, DISCLOSE TO THAT CONSUMER: (1) THE CATEGORIES OF
PERSONAL INFORMATION THAT THE BUSINESS SOLD ABOUT THE CONSUMER AND THE
IDENTITY OF THE THIRD PARTIES TO WHOM SUCH PERSONAL INFORMATION WAS
SOLD, BY CATEGORY OR CATEGORIES OF PERSONAL INFORMATION FOR EACH THIRD
PARTY TO WHOM SUCH PERSONAL INFORMATION WAS SOLD; AND (2) THE CATEGORIES
OF PERSONAL INFORMATION THAT THE BUSINESS DISCLOSED ABOUT THE CONSUMER
FOR A BUSINESS PURPOSE AND THE IDENTITY OF THE PERSONS TO WHOM SUCH
PERSONAL INFORMATION WAS DISCLOSED FOR A BUSINESS PURPOSE, BY CATEGORY
OR CATEGORIES OF PERSONAL INFORMATION FOR EACH PERSON TO WHOM SUCH
PERSONAL INFORMATION WAS DISCLOSED FOR A BUSINESS PURPOSE.
(B) A BUSINESS THAT SELLS PERSONAL INFORMATION ABOUT A CONSUMER, OR
THAT DISCLOSES A CONSUMER'S PERSONAL INFORMATION FOR A BUSINESS PURPOSE,
SHALL DISCLOSE, PURSUANT TO SUBPARAGRAPH FOUR OF PARAGRAPH (A) OF SUBDI-
VISION SIX OF THIS SECTION, THE INFORMATION SPECIFIED IN PARAGRAPH (A)
OF THIS SUBDIVISION TO THE CONSUMER UPON RECEIPT OF A VERIFIABLE REQUEST
FROM THE CONSUMER.
(C) A BUSINESS THAT SELLS CONSUMERS' PERSONAL INFORMATION, OR THAT
DISCLOSES CONSUMERS' PERSONAL INFORMATION FOR A BUSINESS PURPOSE, SHALL
DISCLOSE, PURSUANT TO CLAUSE (C) OF SUBPARAGRAPH FIVE OF PARAGRAPH (A)
OF SUBDIVISION SIX OF THIS SECTION: (1) THE CATEGORY OR CATEGORIES OF
CONSUMERS' PERSONAL INFORMATION IT HAS SOLD; OR IF THE BUSINESS HAS NOT
SOLD CONSUMERS' PERSONAL INFORMATION, IT SHALL DISCLOSE THAT FACT; AND
(2) THE CATEGORY OR CATEGORIES OF CONSUMERS' PERSONAL INFORMATION IT HAS
DISCLOSED FOR A BUSINESS PURPOSE; OR IF THE BUSINESS HAS NOT DISCLOSED
CONSUMERS' PERSONAL INFORMATION FOR A BUSINESS PURPOSE, IT SHALL
DISCLOSE THAT FACT.
4. (A) A CONSUMER SHALL HAVE THE RIGHT, AT ANY TIME, TO DIRECT A BUSI-
NESS THAT SELLS PERSONAL INFORMATION ABOUT THE CONSUMER NOT TO SELL THE
CONSUMER'S PERSONAL INFORMATION. THIS RIGHT MAY BE REFERRED TO AS THE
RIGHT TO OPT OUT.
(B) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, A BUSINESS
SHALL NOT SELL THE PERSONAL INFORMATION OF CONSUMERS IF THE BUSINESS HAS
ACTUAL KNOWLEDGE, OR WILLFULLY DISREGARDS, THAT THE CONSUMER IS LESS
THAN SIXTEEN YEARS OF AGE, UNLESS THE CONSUMER, IN THE CASE OF CONSUMERS
THIRTEEN, FOURTEEN AND FIFTEEN YEARS OF AGE, OR THE CONSUMER'S PARENT OR
GUARDIAN, IN THE CASE OF CONSUMERS WHO ARE LESS THAN THIRTEEN YEARS OF
AGE, HAS AFFIRMATIVELY AUTHORIZED THE SALE OF THE CONSUMER'S PERSONAL
INFORMATION. THIS RIGHT MAY BE REFERRED TO AS THE RIGHT TO OPT IN.
(C) A BUSINESS THAT SELLS CONSUMERS' PERSONAL INFORMATION SHALL
PROVIDE NOTICE TO CONSUMERS, PURSUANT TO PARAGRAPH (A) OF SUBDIVISION
SEVEN OF THIS SECTION, THAT SUCH INFORMATION MAY BE SOLD AND THAT
CONSUMERS HAVE THE RIGHT TO OPT OUT OF THE SALE OF THEIR PERSONAL INFOR-
MATION.
S. 3162 7
(D) A BUSINESS THAT HAS RECEIVED DIRECTION FROM A CONSUMER NOT TO SELL
THE CONSUMER'S PERSONAL INFORMATION, OR, IN THE CASE OF A MINOR CONSUM-
ER'S PERSONAL INFORMATION, HAS NOT RECEIVED CONSENT TO SELL THE MINOR
CONSUMER'S PERSONAL INFORMATION, SHALL BE PROHIBITED, PURSUANT TO
SUBPARAGRAPH FOUR OF PARAGRAPH (A) OF SUBDIVISION SEVEN OF THIS SECTION,
FROM SELLING THE CONSUMER'S PERSONAL INFORMATION AFTER ITS RECEIPT OF
THE CONSUMER'S DIRECTION, UNLESS THE CONSUMER SUBSEQUENTLY PROVIDES
EXPRESS AUTHORIZATION FOR THE SALE OF THE CONSUMER'S PERSONAL INFORMA-
TION.
5. A BUSINESS SHALL BE PROHIBITED FROM DISCRIMINATING AGAINST A
CONSUMER BECAUSE THE CONSUMER REQUESTED INFORMATION PURSUANT TO SUBDIVI-
SIONS TWO AND THREE OF THIS SECTION, OR BECAUSE THE CONSUMER DIRECTED
THE BUSINESS NOT TO SELL THE CONSUMER'S PERSONAL INFORMATION PURSUANT TO
SUBDIVISION FOUR OF THIS SECTION, OR BECAUSE THE CONSUMER OTHERWISE
EXERCISED RIGHTS UNDER THIS TITLE, OR EXERCISED THE CONSUMER'S RIGHTS TO
ENFORCE THIS SECTION, INCLUDING BUT NOT LIMITED TO, BY: (A) DENYING
GOODS OR SERVICES TO THE CONSUMER; (B) CHARGING DIFFERENT PRICES OR
RATES FOR GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR
OTHER BENEFITS OR IMPOSING PENALTIES; (C) PROVIDING A DIFFERENT LEVEL OR
QUALITY OF GOODS OR SERVICES TO THE CONSUMER; OR (D) SUGGESTING THAT THE
CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR GOODS OR SERVICES,
OR A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES, IF THE CONSUMER
EXERCISES THE CONSUMER'S RIGHTS UNDER THIS SECTION.
6. (A) IN ORDER TO COMPLY WITH SUBDIVISIONS TWO, THREE AND FIVE OF
THIS SECTION, A BUSINESS SHALL:
(1) MAKE AVAILABLE TO CONSUMERS TWO OR MORE DESIGNATED METHODS FOR
SUBMITTING REQUESTS FOR INFORMATION REQUIRED TO BE DISCLOSED PURSUANT TO
SUBDIVISIONS TWO AND THREE OF THIS SECTION, INCLUDING, AT A MINIMUM, A
TOLL-FREE TELEPHONE NUMBER, AND IF THE BUSINESS MAINTAINS A WEBSITE, A
WEBSITE ADDRESS.
(2) DISCLOSE AND DELIVER THE REQUIRED INFORMATION TO A CONSUMER FREE
OF CHARGE WITHIN FORTY-FIVE DAYS OF RECEIVING A VERIFIABLE REQUEST FROM
THE CONSUMER. THE BUSINESS SHALL PROMPTLY TAKE STEPS TO DETERMINE WHETH-
ER THE REQUEST IS A VERIFIABLE REQUEST, BUT THIS SHALL NOT EXTEND THE
BUSINESS'S DUTY TO DISCLOSE AND DELIVER THE INFORMATION WITHIN FORTY-
FIVE DAYS OF RECEIPT OF THE CONSUMER'S REQUEST. THE DISCLOSURE SHALL
COVER THE TWELVE-MONTH PERIOD PRECEDING THE BUSINESS'S RECEIPT OF THE
VERIFIABLE REQUEST AND SHALL BE MADE IN WRITING AND DELIVERED THROUGH
THE CONSUMER'S ACCOUNT WITH THE BUSINESS, IF THE CONSUMER MAINTAINS AN
ACCOUNT WITH THE BUSINESS, OR BY MAIL OR ELECTRONICALLY AT THE CONSUM-
ER'S OPTION IF THE CONSUMER DOES NOT MAINTAIN AN ACCOUNT WITH THE BUSI-
NESS. THE BUSINESS SHALL NOT REQUIRE THE CONSUMER TO CREATE AN ACCOUNT
WITH THE BUSINESS IN ORDER TO MAKE A VERIFIABLE REQUEST.
(3) FOR PURPOSES OF PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION:
(A) IDENTIFY THE CONSUMER, ASSOCIATE THE INFORMATION PROVIDED BY THE
CONSUMER IN THE VERIFIABLE REQUEST TO ANY PERSONAL INFORMATION PREVIOUS-
LY COLLECTED BY THE BUSINESS ABOUT THE CONSUMER; AND (B) IDENTIFY BY
CATEGORY OR CATEGORIES THE PERSONAL INFORMATION COLLECTED ABOUT THE
CONSUMER IN THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED
CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF THIS SUBDIVISION THAT MOST
CLOSELY DESCRIBES THE PERSONAL INFORMATION COLLECTED.
(4) FOR PURPOSES OF PARAGRAPH (B) OF SUBDIVISION THREE OF THIS
SECTION: (A) IDENTIFY THE CONSUMER, ASSOCIATE THE INFORMATION PROVIDED
BY THE CONSUMER IN THE VERIFIABLE REQUEST TO ANY PERSONAL INFORMATION
PREVIOUSLY COLLECTED BY THE BUSINESS ABOUT THE CONSUMER; (B) IDENTIFY BY
CATEGORY OR CATEGORIES THE PERSONAL INFORMATION OF THE CONSUMER THAT THE
S. 3162 8
BUSINESS SOLD IN THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMER-
ATED CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF THIS SUBDIVISION THAT
MOST CLOSELY DESCRIBES THE PERSONAL INFORMATION, AND PROVIDE ACCURATE
NAMES AND CONTACT INFORMATION FOR THE THIRD PARTIES TO WHOM THE CONSUM-
ER'S PERSONAL INFORMATION WAS SOLD IN THE PRECEDING TWELVE MONTHS BY
REFERENCE TO THE ENUMERATED CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF
THIS SUBDIVISION THAT MOST CLOSELY DESCRIBES THE PERSONAL INFORMATION
SOLD FOR EACH THIRD PARTY; AND (C) IDENTIFY BY CATEGORY OR CATEGORIES
THE PERSONAL INFORMATION OF THE CONSUMER THAT THE BUSINESS DISCLOSED FOR
A BUSINESS PURPOSE IN THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE
ENUMERATED CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF THIS SUBDIVISION
THAT MOST CLOSELY DESCRIBES THE PERSONAL INFORMATION, AND PROVIDE ACCU-
RATE NAMES AND CONTACT INFORMATION FOR THE PERSONS TO WHOM THE CONSUM-
ER'S PERSONAL INFORMATION WAS DISCLOSED FOR A BUSINESS PURPOSE IN THE
PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED CATEGORY OR CATE-
GORIES IN PARAGRAPH (C) OF THIS SUBDIVISION OF THIS SECTION THAT MOST
CLOSELY DESCRIBES THE PERSONAL INFORMATION DISCLOSED FOR EACH PERSON.
THE BUSINESS SHALL DISCLOSE THE INFORMATION REQUIRED BY CLAUSES (B) AND
(C) OF THIS SUBPARAGRAPH IN TWO SEPARATE LISTS.
(5) DISCLOSE THE FOLLOWING INFORMATION IN ITS ONLINE PRIVACY POLICY OR
POLICIES IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY OR POLICIES AND IN
ANY NEW YORK-SPECIFIC DESCRIPTION OF CONSUMERS' PRIVACY RIGHTS, OR IF
THE BUSINESS DOES NOT MAINTAIN SUCH POLICIES, ON ITS WEBSITE, AND UPDATE
SUCH INFORMATION AT LEAST ONCE EVERY TWELVE MONTHS:
(A) A DESCRIPTION OF A CONSUMER'S RIGHTS PURSUANT TO SUBDIVISIONS TWO,
THREE AND FIVE OF THIS SECTION, AND ONE OR MORE DESIGNATED METHODS FOR
SUBMITTING REQUESTS;
(B) FOR PURPOSES OF PARAGRAPH (C) OF SUBDIVISION TWO OF THIS SECTION,
A LIST OF THE CATEGORIES OF PERSONAL INFORMATION IT HAS COLLECTED ABOUT
CONSUMERS IN THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED
CATEGORY OR CATEGORIES IN PARAGRAPH (C) OF THIS SUBDIVISION THAT MOST
CLOSELY DESCRIBES THE PERSONAL INFORMATION COLLECTED; AND
(C) FOR PURPOSES OF SUBPARAGRAPHS ONE AND TWO OF PARAGRAPH (C) OF
SUBDIVISION THREE OF THIS SECTION, TWO SEPARATE LISTS: (I) A LIST OF THE
CATEGORIES OF PERSONAL INFORMATION IT HAS SOLD ABOUT CONSUMERS IN THE
PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED CATEGORY OR CATE-
GORIES IN PARAGRAPH (C) OF THIS SUBDIVISION THAT MOST CLOSELY DESCRIBES
THE PERSONAL INFORMATION SOLD, OR IF THE BUSINESS HAS NOT SOLD CONSUM-
ERS' PERSONAL INFORMATION IN THE PRECEDING TWELVE MONTHS, THE BUSINESS
SHALL DISCLOSE THAT FACT; AND (II) A LIST OF THE CATEGORIES OF PERSONAL
INFORMATION IT HAS DISCLOSED ABOUT CONSUMERS FOR A BUSINESS PURPOSE IN
THE PRECEDING TWELVE MONTHS BY REFERENCE TO THE ENUMERATED CATEGORY OR
CATEGORIES IN PARAGRAPH (C) OF THIS SUBDIVISION THAT MOST CLOSELY
DESCRIBES THE PERSONAL INFORMATION DISCLOSED, OR IF THE BUSINESS HAS NOT
DISCLOSED CONSUMERS' PERSONAL INFORMATION FOR A BUSINESS PURPOSE IN THE
PRECEDING TWELVE MONTHS, THE BUSINESS SHALL DISCLOSE THAT FACT.
(6) ENSURE THAT ALL INDIVIDUALS RESPONSIBLE FOR HANDLING CONSUMER
INQUIRIES ABOUT THE BUSINESS'S PRIVACY PRACTICES OR THE BUSINESS'S
COMPLIANCE WITH THIS SECTION ARE INFORMED OF ALL REQUIREMENTS IN THIS
SUBDIVISION, AS WELL AS IN SUBDIVISIONS TWO, THREE AND FIVE OF THIS
SECTION, AND HOW TO DIRECT CONSUMERS TO EXERCISE THEIR RIGHTS UNDER
THOSE SECTIONS; AND
(7) USE ANY PERSONAL INFORMATION COLLECTED FROM THE CONSUMER IN
CONNECTION WITH THE BUSINESS'S VERIFICATION OF THE CONSUMER'S REQUEST
SOLELY FOR THE PURPOSES OF VERIFICATION.
S. 3162 9
(B) A BUSINESS IS NOT OBLIGATED TO PROVIDE THE INFORMATION REQUIRED BY
SUBDIVISIONS TWO AND THREE OF THIS SECTION TO THE SAME CONSUMER MORE
THAN ONCE IN A TWELVE-MONTH PERIOD.
(C) THE CATEGORIES OF PERSONAL INFORMATION REQUIRED TO BE DISCLOSED
PURSUANT TO SUBDIVISIONS TWO AND THREE OF THIS SECTION ARE ALL OF THE
FOLLOWING:
(1) IDENTIFIERS SUCH AS A REAL NAME, ALIAS, POSTAL ADDRESS, UNIQUE
IDENTIFIER, INTERNET PROTOCOL ADDRESS, ELECTRONIC MAIL ADDRESS, ACCOUNT
NAME, SOCIAL SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT NUMBER,
OR OTHER SIMILAR IDENTIFIERS;
(2) ALL CATEGORIES OF PERSONAL INFORMATION ENUMERATED IN PARAGRAPH (A)
OF SUBDIVISION ONE OF THIS SECTION;
(3) ALL CATEGORIES OF PERSONAL INFORMATION RELATING TO CHARACTERISTICS
OF PROTECTED CLASSIFICATIONS UNDER STATE OR FEDERAL LAW, WITH SPECIFIC
REFERENCE TO THE CATEGORY OF INFORMATION THAT HAS BEEN COLLECTED, SUCH
AS RACE, ETHNICITY, OR GENDER;
(4) COMMERCIAL INFORMATION, INCLUDING RECORDS OF PROPERTY, PRODUCTS OR
SERVICES PROVIDED, OBTAINED, OR CONSIDERED, OR OTHER PURCHASING OR
CONSUMING HISTORIES OR TENDENCIES;
(5) BIOMETRIC DATA;
(6) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION, INCLUD-
ING BUT NOT LIMITED TO, BROWSING HISTORY, SEARCH HISTORY, AND INFORMA-
TION REGARDING A CONSUMER'S INTERACTION WITH A WEBSITE, APPLICATION, OR
ADVERTISEMENT;
(7) GEOLOCATION DATA;
(8) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR INFORMA-
TION;
(9) PSYCHOMETRIC INFORMATION;
(10) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
(11) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED ABOVE;
AND
(12) ANY OF THE CATEGORIES OF INFORMATION SET FORTH IN THIS PARAGRAPH
AS THEY PERTAIN TO THE MINOR CHILDREN OF THE CONSUMER.
7. (A) A BUSINESS THAT IS REQUIRED TO COMPLY WITH SUBDIVISION FOUR OF
THIS SECTION SHALL:
(1) PROVIDE A CLEAR AND CONSPICUOUS LINK ON THE BUSINESS'S HOMEPAGE,
TITLED "DO NOT SELL MY PERSONAL INFORMATION", TO A WEBPAGE THAT ENABLES
A CONSUMER, OR A PERSON AUTHORIZED BY THE CONSUMER, TO OPT OUT OF THE
SALE OF THE CONSUMER'S PERSONAL INFORMATION. A BUSINESS SHALL NOT
REQUIRE A CONSUMER TO CREATE AN ACCOUNT IN ORDER TO DIRECT THE BUSINESS
NOT TO SELL THE CONSUMER'S PERSONAL INFORMATION;
(2) INCLUDE A DESCRIPTION OF A CONSUMER'S RIGHTS PURSUANT TO SUBDIVI-
SION FOUR OF THIS SECTION, ALONG WITH A SEPARATE LINK TO THE "DO NOT
SELL MY PERSONAL INFORMATION" WEBPAGE IN: (A) ITS ONLINE PRIVACY POLICY
OR POLICIES IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY OR POLICIES,
AND (B) ANY STATE SPECIFIC DESCRIPTION OF CONSUMERS' PRIVACY RIGHTS;
(3) ENSURE THAT ALL INDIVIDUALS RESPONSIBLE FOR HANDLING CONSUMER
INQUIRIES ABOUT THE BUSINESS'S PRIVACY PRACTICES OR THE BUSINESS'S
COMPLIANCE WITH THIS SECTION ARE INFORMED OF ALL REQUIREMENTS IN THIS
SUBDIVISION AS WELL AS SUBDIVISION FOUR OF THIS SECTION, AND HOW TO
DIRECT CONSUMERS TO EXERCISE THEIR RIGHTS UNDER THOSE SECTIONS;
(4) FOR CONSUMERS WHO EXERCISE THEIR RIGHT TO OPT OUT OF THE SALE OF
THEIR PERSONAL INFORMATION, REFRAIN FROM SELLING PERSONAL INFORMATION
COLLECTED BY THE BUSINESS ABOUT THE CONSUMER;
(5) FOR A CONSUMER WHO HAS OPTED OUT OF THE SALE OF THE CONSUMER'S
PERSONAL INFORMATION, RESPECT THE CONSUMER'S DECISION TO OPT OUT FOR AT
S. 3162 10
LEAST TWELVE MONTHS BEFORE REQUESTING THAT THE CONSUMER AUTHORIZE THE
SALE OF THE CONSUMER'S PERSONAL INFORMATION; AND
(6) USE ANY PERSONAL INFORMATION COLLECTED FROM THE CONSUMER IN
CONNECTION WITH THE SUBMISSION OF THE CONSUMER'S OPT OUT REQUEST SOLELY
FOR THE PURPOSES OF COMPLYING WITH THE OPT OUT REQUEST.
(B) A CONSUMER MAY AUTHORIZE ANOTHER PERSON TO OPT OUT ON THE CONSUM-
ER'S BEHALF, AND A BUSINESS SHALL COMPLY WITH AN OPT OUT REQUEST
RECEIVED FROM A PERSON AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUM-
ER'S BEHALF.
8. (A) THE OBLIGATIONS IMPOSED ON BUSINESSES BY SUBDIVISIONS TWO AND
SEVEN OF THIS SECTION SHALL NOT RESTRICT A BUSINESS'S ABILITY TO:
(1) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
(2) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INVESTIGATION OR
SUBPOENA OR SUMMONS BY FEDERAL, STATE, OR LOCAL AUTHORITIES;
(3) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR
ACTIVITY THAT THE BUSINESS REASONABLY AND IN GOOD FAITH BELIEVES MAY
VIOLATE FEDERAL, STATE, OR LOCAL LAW; OR
(4) COLLECT AND SELL A CONSUMER'S PERSONAL INFORMATION IF EVERY ASPECT
OF SUCH COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE OF THE STATE. FOR
PURPOSES OF THIS SECTION, COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE
OF THE STATE IF THE BUSINESS COLLECTED SUCH INFORMATION WHILE THE
CONSUMER WAS OUTSIDE OF THE STATE, NO PART OF THE SALE OF THE CONSUMER'S
PERSONAL INFORMATION OCCURRED IN THE STATE, AND NO PERSONAL INFORMATION
COLLECTED WHILE THE CONSUMER WAS IN THE STATE IS SOLD.
(B) THE OBLIGATIONS IMPOSED ON BUSINESSES BY SUBDIVISIONS TWO AND
SEVEN OF THIS SECTION SHALL NOT APPLY WHERE COMPLIANCE BY THE BUSINESS
WITH THIS SECTION WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE LAW
AND SHALL NOT PREVENT A BUSINESS FROM PROVIDING THE PERSONAL INFORMATION
OF A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER
STATE LAW AS PART OF A PRIVILEGED COMMUNICATION.
(C) THIS SECTION SHALL NOT APPLY TO PROTECTED HEALTH INFORMATION THAT
IS COLLECTED BY A COVERED ENTITY GOVERNED BY THE MEDICAL PRIVACY AND
SECURITY RULES ISSUED BY THE FEDERAL DEPARTMENT OF HEALTH AND HUMAN
SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGU-
LATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND
AVAILABILITY ACT OF 1996 (HIPAA). FOR PURPOSES OF THIS SUBDIVISION, THE
DEFINITIONS OF "PROTECTED HEALTH INFORMATION" AND "COVERED ENTITY" FROM
THE FEDERAL PRIVACY RULE SHALL APPLY.
(D) THIS SECTION SHALL NOT APPLY TO THE SALE OF PERSONAL INFORMATION
TO OR FROM A CONSUMER REPORTING AGENCY IF THAT INFORMATION IS TO BE
REPORTED IN, OR USED TO GENERATE, A CONSUMER REPORT AS DEFINED BY SUBDI-
VISION (D) OF SECTION 1681(A) OF TITLE 15 OF THE UNITED STATES CODE, AND
USE OF THAT INFORMATION IS LIMITED BY THE FEDERAL FAIR CREDIT REPORTING
ACT, 15 U.S.C. § 1681, ET SEQ.
9. (A) A CONSUMER WHO HAS SUFFERED A VIOLATION OF THIS SECTION MAY
BRING AN ACTION FOR STATUTORY DAMAGES. A VIOLATION OF THIS SECTION SHALL
BE DEEMED TO CONSTITUTE AN INJURY IN FACT TO THE CONSUMER WHO HAS
SUFFERED THE VIOLATION, AND THE CONSUMER NEED NOT SUFFER A LOSS OF MONEY
OR PROPERTY AS A RESULT OF THE VIOLATION IN ORDER TO BRING AN ACTION FOR
A VIOLATION OF THIS SECTION.
(B)(1) ANY CONSUMER WHO SUFFERS AN INJURY IN FACT, AS DESCRIBED IN
PARAGRAPH (A) OF THIS SUBDIVISION, SHALL RECOVER STATUTORY DAMAGES IN
THE AMOUNT OF ONE THOUSAND DOLLARS OR ACTUAL DAMAGES, WHICHEVER IS
GREATER, FOR EACH VIOLATION FROM THE BUSINESS OR PERSON RESPONSIBLE FOR
THE VIOLATION, EXCEPT THAT IN THE CASE OF A KNOWING AND WILLFUL
VIOLATION BY A BUSINESS OR PERSON, AN INDIVIDUAL SHALL RECOVER STATUTORY
S. 3162 11
DAMAGES OF NOT LESS THAN ONE THOUSAND DOLLARS AND NOT MORE THAN THREE
THOUSAND DOLLARS, OR ACTUAL DAMAGES, WHICHEVER IS GREATER, FOR EACH
VIOLATION FROM THE BUSINESS OR PERSON RESPONSIBLE FOR THE VIOLATION.
(2) IN ASSESSING THE AMOUNT OF STATUTORY DAMAGES, THE COURT SHALL
CONSIDER ANY ONE OR MORE OF THE RELEVANT CIRCUMSTANCES PRESENTED BY ANY
OF THE PARTIES TO THE CASE, INCLUDING, BUT NOT LIMITED TO, THE FOLLOW-
ING: THE NATURE AND SERIOUSNESS OF THE MISCONDUCT, THE NUMBER OF
VIOLATIONS, THE PERSISTENCE OF THE MISCONDUCT, THE LENGTH OF TIME OVER
WHICH THE MISCONDUCT OCCURRED, THE WILLFULNESS OF THE DEFENDANT'S
MISCONDUCT, AND THE DEFENDANT'S ASSETS, LIABILITIES, AND NET WORTH.
(C) NOTWITHSTANDING ANY OTHER LAW, WHENEVER A JUDGMENT, INCLUDING ANY
CONSENT JUDGMENT, DECREE, OR SETTLEMENT AGREEMENT, IS APPROVED BY THE
COURT IN A CLASS ACTION BASED ON A VIOLATION OF THIS SECTION, ANY CY
PRES AWARD, UNPAID CASH RESIDUE, OR UNCLAIMED OR ABANDONED CLASS MEMBER
FUNDS ATTRIBUTABLE TO A VIOLATION OF THIS SECTION SHALL BE DISTRIBUTED
EXCLUSIVELY TO ONE OR MORE NONPROFIT ORGANIZATIONS TO SUPPORT PROJECTS
THAT WILL BENEFIT THE CLASS OR SIMILARLY SITUATED PERSONS, FURTHER THE
OBJECTIVES AND PURPOSES OF THE UNDERLYING CLASS ACTION OR CAUSE OF
ACTION, OR PROMOTE THE LAW CONSISTENT WITH THE OBJECTIVES AND PURPOSES
OF THE UNDERLYING CLASS ACTION OR CAUSE OF ACTION, UNLESS FOR GOOD CAUSE
SHOWN THE COURT MAKES A SPECIFIC FINDING THAT AN ALTERNATIVE DISTRIB-
UTION WOULD BETTER SERVE THE PUBLIC INTEREST OR THE INTERESTS OF THE
CLASS. IF NOT SPECIFIED IN THE JUDGMENT, THE COURT SHALL SET A DATE WHEN
THE PARTIES SHALL SUBMIT A REPORT TO THE COURT REGARDING A PLAN FOR THE
DISTRIBUTION OF ANY MONEYS PURSUANT TO THIS SUBDIVISION.
(D) THE REMEDIES PROVIDED BY THIS SUBDIVISION ARE CUMULATIVE TO EACH
OTHER AND TO THE REMEDIES OR PENALTIES AVAILABLE UNDER ALL OTHER LAWS OF
THE STATE.
10. (A) ANY BUSINESS OR PERSON THAT VIOLATES THIS SECTION SHALL BE
LIABLE FOR A CIVIL PENALTY IN A CIVIL ACTION BROUGHT IN THE NAME OF THE
PEOPLE OF THE STATE OF NEW YORK BY THE ATTORNEY GENERAL.
(B) NOTWITHSTANDING ANY OTHER LAW TO THE CONTRARY, ANY PERSON OR BUSI-
NESS THAT INTENTIONALLY VIOLATES THIS SECTION MAY BE LIABLE FOR A CIVIL
PENALTY OF UP TO SEVEN THOUSAND FIVE HUNDRED DOLLARS FOR EACH VIOLATION.
(C) NOTWITHSTANDING ANY OTHER LAW TO THE CONTRARY, ANY CIVIL PENALTY
ASSESSED FOR A VIOLATION OF THIS SECTION, AND THE PROCEEDS OF ANY
SETTLEMENT OF AN ACTION BROUGHT PURSUANT TO PARAGRAPH (A) OF THIS SUBDI-
VISION, SHALL BE ALLOCATED AS FOLLOWS:
(1) TWENTY PERCENT TO THE CONSUMER PRIVACY FUND, CREATED PURSUANT TO
SECTION NINETY-NINE-M OF THE STATE FINANCE LAW, WITH THE INTENT TO FULLY
OFFSET ANY COSTS INCURRED BY THE STATE COURTS AND THE ATTORNEY GENERAL
IN CONNECTION WITH THIS SECTION; AND
(2) EIGHTY PERCENT TO THE JURISDICTION ON WHOSE BEHALF THE ACTION
LEADING TO THE CIVIL PENALTY WAS BROUGHT.
(D) THE LEGISLATURE SHALL ADJUST THE PERCENTAGES SPECIFIED IN PARA-
GRAPH (C) OF THIS SUBDIVISION AND IN SUBDIVISION ELEVEN OF THIS SECTION,
AS NECESSARY TO ENSURE THAT ANY CIVIL PENALTIES ASSESSED FOR A VIOLATION
OF THIS SECTION FULLY OFFSET ANY COSTS INCURRED BY THE STATE COURTS AND
THE ATTORNEY GENERAL IN CONNECTION WITH THIS SECTION, INCLUDING A SUFFI-
CIENT AMOUNT TO COVER ANY DEFICIT FROM A PRIOR FISCAL YEAR. THE LEGISLA-
TURE SHALL NOT DIRECT A GREATER PERCENTAGE OF ASSESSED CIVIL PENALTIES
TO THE CONSUMER PRIVACY FUND THAN REASONABLY NECESSARY TO FULLY OFFSET
ANY COSTS INCURRED BY THE STATE COURTS AND THE ATTORNEY GENERAL IN
CONNECTION WITH THIS SECTION.
11. (A) ANY PERSON WHO BECOMES AWARE, BASED ON NON-PUBLIC INFORMATION,
THAT A PERSON OR BUSINESS HAS VIOLATED THIS SECTION MAY FILE A CIVIL
S. 3162 12
ACTION FOR CIVIL PENALTIES PURSUANT TO SUBDIVISION TEN OF THIS SECTION,
IF PRIOR TO FILING SUCH ACTION, THE PERSON FILES WITH THE ATTORNEY
GENERAL A WRITTEN REQUEST FOR THE ATTORNEY GENERAL TO COMMENCE THE
ACTION. THE REQUEST SHALL INCLUDE A CLEAR AND CONCISE STATEMENT OF THE
GROUNDS FOR BELIEVING A CAUSE OF ACTION EXISTS. THE PERSON SHALL MAKE
THE NON-PUBLIC INFORMATION AVAILABLE TO THE ATTORNEY GENERAL UPON
REQUEST.
(1) IF THE ATTORNEY GENERAL FILES SUIT WITHIN NINETY DAYS FROM RECEIPT
OF THE WRITTEN REQUEST TO COMMENCE THE ACTION, NO OTHER ACTION MAY BE
BROUGHT UNLESS THE ACTION BROUGHT BY THE ATTORNEY GENERAL IS DISMISSED
WITHOUT PREJUDICE.
(2) IF THE ATTORNEY GENERAL DOES NOT FILE SUIT WITHIN NINETY DAYS FROM
RECEIPT OF THE WRITTEN REQUEST TO COMMENCE THE ACTION, THE PERSON
REQUESTING THE ACTION MAY PROCEED TO FILE A CIVIL ACTION.
(3) THE TIME PERIOD WITHIN WHICH A CIVIL ACTION SHALL BE COMMENCED
SHALL BE TOLLED FROM THE DATE OF RECEIPT BY THE ATTORNEY GENERAL OF THE
WRITTEN REQUEST TO EITHER THE DATE THAT THE CIVIL ACTION IS DISMISSED
WITHOUT PREJUDICE, OR FOR ONE HUNDRED FIFTY DAYS, WHICHEVER IS LATER,
BUT ONLY FOR A CIVIL ACTION BROUGHT BY THE PERSON WHO REQUESTED THE
ATTORNEY GENERAL TO COMMENCE THE ACTION.
(B) NOTWITHSTANDING PARAGRAPH (C) OF SUBDIVISION TEN OF THIS SECTION,
IF A JUDGMENT IS ENTERED AGAINST THE DEFENDANT OR DEFENDANTS IN AN
ACTION BROUGHT PURSUANT TO THIS SUBDIVISION, OR THE MATTER IS SETTLED,
AMOUNTS RECEIVED AS CIVIL PENALTIES OR PURSUANT TO A SETTLEMENT OF THE
ACTION SHALL BE ALLOCATED AS FOLLOWS:
(1) IF THE ACTION WAS BROUGHT BY THE ATTORNEY GENERAL UPON A REQUEST
MADE BY A PERSON PURSUANT TO PARAGRAPH (A) OF THIS SUBDIVISION, THE
PERSON WHO MADE THE REQUEST SHALL BE ENTITLED TO FIFTEEN PERCENT OF THE
CIVIL PENALTIES, AND THE REMAINING PROCEEDS SHALL BE DEPOSITED IN THE
CONSUMER PRIVACY FUND PURSUANT TO SECTION NINETY-NINE-M OF THE STATE
FINANCE LAW.
(2) IF THE ACTION WAS BROUGHT BY THE PERSON WHO MADE THE REQUEST
PURSUANT TO PARAGRAPH (A) OF THIS SUBDIVISION, THAT PERSON SHALL RECEIVE
AN AMOUNT THE COURT DETERMINES IS REASONABLE FOR COLLECTING THE CIVIL
PENALTIES ON BEHALF OF THE GOVERNMENT. THE AMOUNT SHALL BE NOT LESS THAN
TWENTY-FIVE PERCENT AND NOT MORE THAN FIFTY PERCENT OF THE PROCEEDS OF
THE ACTION AND SHALL BE PAID OUT OF THE PROCEEDS. THE REMAINING PROCEEDS
SHALL BE DEPOSITED IN THE CONSUMER PRIVACY FUND PURSUANT TO SECTION
NINETY-NINE-M OF THE STATE FINANCE LAW.
(C) FOR PURPOSES OF THIS SECTION, "NON-PUBLIC INFORMATION" MEANS
INFORMATION THAT HAS NOT BEEN DISCLOSED IN A CRIMINAL, CIVIL, OR ADMIN-
ISTRATIVE PROCEEDING, IN A GOVERNMENT INVESTIGATION, REPORT, OR AUDIT,
OR BY THE NEWS MEDIA OR OTHER PUBLIC SOURCE OF INFORMATION, AND THAT WAS
NOT OBTAINED IN VIOLATION OF THE LAW.
12. A BUSINESS THAT SUFFERS A BREACH OF THE SECURITY OF THE SYSTEM
INVOLVING CONSUMERS' PERSONAL INFORMATION SHALL BE DEEMED TO HAVE
VIOLATED THIS SECTION AND MAY BE HELD LIABLE FOR SUCH VIOLATION OR
VIOLATIONS UNDER SUBDIVISIONS NINE, TEN AND ELEVEN OF THIS SECTION, IF
THE BUSINESS HAS FAILED TO IMPLEMENT AND MAINTAIN REASONABLE SECURITY
PROCEDURES AND PRACTICES, APPROPRIATE TO THE NATURE OF THE INFORMATION,
TO PROTECT THE PERSONAL INFORMATION FROM UNAUTHORIZED DISCLOSURE.
13. THIS SECTION IS INTENDED TO FURTHER THE CONSTITUTIONAL RIGHT OF
PRIVACY AND TO SUPPLEMENT EXISTING LAWS RELATING TO CONSUMERS' PERSONAL
INFORMATION. THE PROVISIONS OF THIS SECTION ARE NOT LIMITED TO INFORMA-
TION COLLECTED ELECTRONICALLY OR OVER THE INTERNET, BUT APPLY TO THE
COLLECTION AND SALE OF ALL PERSONAL INFORMATION COLLECTED BY A BUSINESS
S. 3162 13
FROM CONSUMERS. WHEREVER POSSIBLE, EXISTING LAW RELATING TO CONSUMERS'
PERSONAL INFORMATION SHOULD BE CONSTRUED TO HARMONIZE WITH THE
PROVISIONS OF THIS SECTION, BUT IN THE EVENT OF CONFLICT BETWEEN EXIST-
ING LAW AND THE PROVISIONS OF THIS SECTION, THE PROVISIONS OF THE LAW
THAT AFFORD THE GREATEST PROTECTION FOR THE RIGHT OF PRIVACY FOR CONSUM-
ERS SHALL CONTROL.
14. NOTHING IN THIS SECTION SHALL PREVENT A CITY, COUNTY, CITY AND
COUNTY, MUNICIPALITY, OR LOCAL AGENCY FROM SAFEGUARDING THE CONSTITU-
TIONAL RIGHT OF PRIVACY BY IMPOSING ADDITIONAL REQUIREMENTS ON BUSI-
NESSES REGARDING THE COLLECTION AND SALE OF CONSUMERS' PERSONAL INFORMA-
TION BY BUSINESSES PROVIDED THAT THE REQUIREMENT DOES NOT PREVENT A
PERSON OR BUSINESS FROM COMPLYING WITH THIS SECTION.
15. (A) THE ATTORNEY GENERAL SHALL ADOPT REGULATIONS IN THE FOLLOWING
AREAS TO FURTHER THE PURPOSES OF THIS SECTION:
(1) ADDING ADDITIONAL CATEGORIES TO THOSE ENUMERATED IN PARAGRAPH (C)
OF SUBDIVISION SIX AND PARAGRAPH (M) OF SUBDIVISION ONE OF THIS SECTION
IN ORDER TO ADDRESS CHANGES IN TECHNOLOGY, DATA COLLECTION PRACTICES,
OBSTACLES TO IMPLEMENTATION, AND PRIVACY CONCERNS. IN ADDITION, UPON
RECEIPT OF A REQUEST MADE BY A CITY ATTORNEY OR DISTRICT ATTORNEY TO ADD
A NEW CATEGORY OR CATEGORIES, THE ATTORNEY GENERAL SHALL PROMULGATE A
REGULATION TO ADD SUCH CATEGORY OR CATEGORIES UNLESS THE ATTORNEY GENER-
AL CONCLUDES, BASED ON FACTUAL OR LEGAL FINDINGS, THAT THERE IS A
COMPELLING REASON NOT TO ADD THE CATEGORY OR CATEGORIES. THE ATTORNEY
GENERAL MAY ALSO ADD ADDITIONAL CATEGORIES TO THOSE ENUMERATED IN PARA-
GRAPH (C) OF SUBDIVISION SIX AND PARAGRAPH (M) OF SUBDIVISION ONE OF
THIS SECTION IN RESPONSE TO A PETITION FILED;
(2) ADDING ADDITIONAL ITEMS TO THE DEFINITION OF "UNIQUE IDENTIFIERS"
TO ADDRESS CHANGES IN TECHNOLOGY, DATA COLLECTION, OBSTACLES TO IMPLE-
MENTATION, AND PRIVACY CONCERNS, AND ADDITIONAL CATEGORIES TO THE DEFI-
NITION OF "DESIGNATED METHODS FOR SUBMITTING REQUESTS" TO FACILITATE A
CONSUMER'S ABILITY TO OBTAIN INFORMATION FROM A BUSINESS PURSUANT TO
SUBDIVISION SIX OF THIS SECTION;
(3) ESTABLISHING ANY EXCEPTIONS NECESSARY TO COMPLY WITH STATE OR
FEDERAL LAW;
(4) ESTABLISHING RULES AND PROCEDURES: (A) TO FACILITATE AND GOVERN
THE SUBMISSION OF A REQUEST BY A CONSUMER, AND BY AN AUTHORIZED AGENT OF
THE CONSUMER, TO OPT OUT OF THE SALE OF PERSONAL INFORMATION PURSUANT TO
SUBPARAGRAPH ONE OF PARAGRAPH (A) OF SUBDIVISION SEVEN OF THIS SECTION;
(B) TO GOVERN A BUSINESS'S COMPLIANCE WITH A CONSUMER'S OPT OUT REQUEST;
AND (C) FOR THE DEVELOPMENT AND USE OF A RECOGNIZABLE AND UNIFORM OPT
OUT LOGO OR BUTTON BY ALL BUSINESSES TO PROMOTE CONSUMER AWARENESS OF
THE OPPORTUNITY TO OPT OUT OF THE SALE OF PERSONAL INFORMATION;
(5) ADJUSTING THE MONETARY THRESHOLD IN CLAUSE (A) OF SUBPARAGRAPH ONE
OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS SECTION IN JANUARY OF EVERY
ODD-NUMBERED YEAR TO REFLECT ANY INCREASE IN THE CONSUMER PRICE INDEX;
(6) ESTABLISHING RULES, PROCEDURES, AND ANY EXCEPTIONS NECESSARY TO
ENSURE THAT THE NOTICES AND INFORMATION THAT BUSINESSES ARE REQUIRED TO
PROVIDE PURSUANT TO THIS SECTION ARE PROVIDED IN A MANNER SO AS TO BE
EASILY UNDERSTOOD BY THE AVERAGE CONSUMER, ARE ACCESSIBLE TO CONSUMERS
WITH DISABILITIES, AND ARE AVAILABLE IN THE LANGUAGE PRIMARILY USED TO
INTERACT WITH THE CONSUMER;
(7) ESTABLISHING RULES AND PROCEDURES TO FURTHER THE PURPOSES OF
SUBDIVISIONS TWO AND THREE OF THIS SECTION AND TO FACILITATE A CONSUM-
ER'S OR THE CONSUMER'S AUTHORIZED AGENT'S ABILITY TO OBTAIN INFORMATION
PURSUANT TO SUBDIVISION SIX OF THIS SECTION, WITH THE GOAL OF MINIMIZING
THE ADMINISTRATIVE BURDEN ON CONSUMERS, TAKING INTO ACCOUNT AVAILABLE
S. 3162 14
TECHNOLOGY, SECURITY CONCERNS, AND THE BURDEN ON THE BUSINESS, TO GOVERN
A BUSINESS'S DETERMINATION THAT A REQUEST FOR INFORMATION RECEIVED BY A
CONSUMER IS A VERIFIABLE REQUEST, INCLUDING TREATING A REQUEST SUBMITTED
THROUGH A PASSWORD PROTECTED ACCOUNT MAINTAINED BY THE CONSUMER WITH THE
BUSINESS WHILE THE CONSUMER IS LOGGED INTO THE ACCOUNT AS A VERIFIABLE
REQUEST AND PROVIDING A MECHANISM FOR A CONSUMER WHO DOES NOT MAINTAIN
AN ACCOUNT WITH THE BUSINESS TO REQUEST INFORMATION THROUGH THE BUSI-
NESS'S AUTHENTICATION OF THE CONSUMER'S IDENTITY;
(8) DEFINING THE TERM "VALUABLE CONSIDERATION" AS USED IN SUBPARAGRAPH
ONE OF PARAGRAPH (Q) OF SUBDIVISION ONE OF THIS SECTION TO ENSURE THAT A
BUSINESS THAT DISCLOSES, EXCEPT AS PERMITTED BY THIS SECTION, A CONSUM-
ER'S PERSONAL INFORMATION TO A THIRD PARTY, INCLUDING THROUGH A SERIES
OF TRANSACTIONS INVOLVING MULTIPLE THIRD PARTIES, IN EXCHANGE FOR ANY
ECONOMIC BENEFIT IS SUBJECT TO THIS SECTION, AND TO INCLUDE BUSINESS
PRACTICES INVOLVING THE DISCLOSURE OF PERSONAL INFORMATION IN EXCHANGE
FOR SOMETHING OF VALUE. VALUABLE CONSIDERATION DOES NOT INCLUDE THE
EXCHANGE OF VALUE IN A TRANSACTION INVOLVING NON-COMMERCIAL SPEECH, SUCH
AS JOURNALISM AND POLITICAL SPEECH; AND
(9) FURTHER INTERPRET THE TERMS "DE-IDENTIFIED", "SELL", "THIRD
PARTY", AND "BUSINESS PURPOSE" AS SET FORTH IN SUBDIVISION ONE OF THIS
SECTION, TO ADDRESS CHANGES IN TECHNOLOGY, DATA COLLECTION, OBSTACLES TO
IMPLEMENTATION, AND PRIVACY CONCERNS AND TO ENSURE COMPLIANCE WITH THE
PURPOSES OF THIS SECTION, PROVIDED THAT SUCH REGULATIONS DO NOT REDUCE
CONSUMER PRIVACY OR THE ABILITY OF CONSUMERS TO STOP THE SALE OF THEIR
PERSONAL INFORMATION.
(B) THE ATTORNEY GENERAL SHALL BE PRECLUDED FROM ADOPTING REGULATIONS
THAT LIMIT OR REDUCE THE NUMBER OR SCOPE OF CATEGORIES OF PERSONAL
INFORMATION ENUMERATED IN PARAGRAPH (C) OF SUBDIVISION SIX AND PARAGRAPH
(M) OF SUBDIVISION ONE OF THIS SECTION, OR THAT LIMIT OR REDUCE THE
NUMBER OR SCOPE OF CATEGORIES ADDED PURSUANT TO SUBPARAGRAPH ONE OF
PARAGRAPH (A) OF THIS SUBDIVISION, EXCEPT AS NECESSARY TO COMPLY WITH
SUBPARAGRAPH THREE OF PARAGRAPH (A) OF THIS SUBDIVISION. THE ATTORNEY
GENERAL SHALL ALSO BE PRECLUDED FROM REDUCING THE SCOPE OF THE DEFI-
NITION OF "UNIQUE IDENTIFIERS", EXCEPT AS NECESSARY TO COMPLY WITH
SUBPARAGRAPH THREE OF PARAGRAPH (A) OF THIS SUBDIVISION.
(C) TO THE EXTENT THE ATTORNEY GENERAL DETERMINES THAT IT IS NECESSARY
TO ADOPT CERTAIN REGULATIONS IN ORDER TO IMPLEMENT THIS SECTION, THE
ATTORNEY GENERAL SHALL ADOPT ANY SUCH REGULATIONS WITHIN SIX MONTHS OF
THE DATE THIS SECTION IS ADOPTED.
(D) THE ATTORNEY GENERAL MAY ADOPT ADDITIONAL REGULATIONS AS NECESSARY
TO FURTHER THE PURPOSES OF THIS SECTION.
16. IF A SERIES OF STEPS OR TRANSACTIONS WERE COMPONENT PARTS OF A
SINGLE TRANSACTION INTENDED FROM THE BEGINNING TO BE TAKEN WITH THE
INTENTION OF AVOIDING THE REACH OF THIS SECTION, INCLUDING THE DISCLO-
SURE OF INFORMATION BY A BUSINESS TO A THIRD PARTY IN ORDER TO AVOID THE
DEFINITION OF "SELL", A COURT SHALL DISREGARD THE INTERMEDIATE STEPS OR
TRANSACTIONS FOR PURPOSES OF EFFECTUATING THE PURPOSES OF THIS SECTION.
17. ANY PROVISION OF A CONTRACT OR AGREEMENT OF ANY KIND THAT PURPORTS
TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S RIGHTS UNDER THIS SECTION,
INCLUDING BUT NOT LIMITED TO ANY RIGHT TO A REMEDY OR MEANS OF ENFORCE-
MENT, SHALL BE DEEMED CONTRARY TO PUBLIC POLICY AND SHALL BE VOID AND
UNENFORCEABLE. THIS SECTION SHALL NOT PREVENT A CONSUMER FROM: DECLIN-
ING TO REQUEST INFORMATION FROM A BUSINESS; DECLINING TO OPT OUT OF A
BUSINESS'S SALE OF THE CONSUMER'S PERSONAL INFORMATION; OR AUTHORIZING A
BUSINESS TO SELL THE CONSUMER'S PERSONAL INFORMATION AFTER PREVIOUSLY
OPTING OUT.
S. 3162 15
18. IF ANY PROVISION OF THIS SECTION SHALL BE ADJUDGED BY ANY COURT OF
COMPETENT JURISDICTION TO BE INVALID, SUCH JUDGMENT SHALL NOT AFFECT,
IMPAIR OR INVALIDATE THE REMAINDER THEREOF, BUT SHALL BE CONFINED IN ITS
OPERATION TO THE PROVISION DIRECTLY INVOLVED IN THE CONTROVERSY IN WHICH
SUCH JUDGMENT SHALL HAVE BEEN RENDERED.
§ 3. The state finance law is amended by adding a new section 99-m to
read as follows:
§ 99-M. CONSUMER PRIVACY FUND. 1. THERE IS HEREBY ESTABLISHED IN THE
JOINT CUSTODY OF THE STATE COMPTROLLER AND THE COMMISSIONER OF TAXATION
AND FINANCE AN ACCOUNT WITHIN THE GENERAL FUND TO BE KNOWN AS THE
"CONSUMER PRIVACY FUND".
2. SUCH ACCOUNT SHALL CONSIST OF ALL PENALTIES RECEIVED BY THE DEPART-
MENT OF STATE PURSUANT TO SECTION EIGHT HUNDRED NINETY-NINE-CC OF THE
GENERAL BUSINESS LAW AND ANY ADDITIONAL MONIES APPROPRIATED, CREDITED OR
TRANSFERRED TO SUCH ACCOUNT BY THE LEGISLATURE. ANY INTEREST EARNED BY
THE INVESTMENT OF MONIES IN SUCH ACCOUNT SHALL BE ADDED TO SUCH ACCOUNT,
BECOME PART OF SUCH ACCOUNT, AND BE USED FOR THE PURPOSES OF SUCH
ACCOUNT.
3. MONIES IN THE ACCOUNT SHALL BE AVAILABLE TO THE OFFICE OF COURT
ADMINISTRATION AND THE ATTORNEY GENERAL TO OFFSET ANY COSTS INCURRED BY
THE STATE COURTS IN CONNECTION WITH ACTIONS BROUGHT TO ENFORCE SECTION
EIGHT HUNDRED NINETY-NINE-CC OF THE GENERAL BUSINESS LAW AND ANY COSTS
INCURRED BY THE ATTORNEY GENERAL IN CARRYING OUT HIS OR HER DUTIES UNDER
SUCH SECTION OF LAW.
4. MONIES IN THE ACCOUNT SHALL BE PAID OUT OF THE ACCOUNT ON THE AUDIT
AND WARRANT OF THE STATE COMPTROLLER ON VOUCHERS CERTIFIED OR APPROVED
BY THE OFFICE OF COURT ADMINISTRATION AND/OR THE ATTORNEY GENERAL.
§ 4. This act shall take effect on the one hundred eightieth day after
it shall have become a law. Effective immediately, the addition, amend-
ment and/or repeal of any rule or regulation necessary for the implemen-
tation of this act on its effective date are authorized to be made and
completed on or before such effective date.