from  mobile  phones,  financial  institutions,  social media sites, and
 other online and brick and mortar companies.
   Some  mobile  applications  are  sharing personal information, such as
 location information, unique  phone  identification  numbers,  and  age,
 gender, and other personal details with third-party companies.
   Consumers  need  to  know  the ways that their personal information is
 being collected by companies and then shared or sold to third parties in
 order to properly protect their privacy, personal safety, and  financial
 security.
   §  3. The article heading of article 39-F of the general business law,
 as amended by chapter 117 of the laws of 2019, is  amended  to  read  as
 follows:
             [NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND USE
                                OF PRIVATE
                  INFORMATION; DATA SECURITY PROTECTIONS
   §  4. The general business law is amended by adding a new section 899-
 cc to read as follows:
   § 899-CC. DISCLOSURE OF A CUSTOMER'S PERSONAL INFORMATION TO  A  THIRD
 PARTY.  1. (A) A BUSINESS THAT RETAINS A CUSTOMER'S PERSONAL INFORMATION
 SHALL MAKE AVAILABLE TO THE CUSTOMER FREE OF CHARGE ACCESS TO, OR COPIES
 OF, ALL OF THE CUSTOMER'S PERSONAL INFORMATION RETAINED BY THE BUSINESS.
   (B) A BUSINESS THAT DISCLOSES A CUSTOMER'S PERSONAL INFORMATION  TO  A
 THIRD  PARTY  SHALL  MAKE  THE  FOLLOWING  INFORMATION  AVAILABLE TO THE
 CUSTOMER FREE OF CHARGE:
   (1) ALL CATEGORIES OF THE CUSTOMER'S PERSONAL  INFORMATION  THAT  WERE
 DISCLOSED, INCLUDING THE CATEGORIES SET FORTH IN PARAGRAPH (B) OF SUBDI-
 VISION FOUR OF THIS SECTION.
   (2) THE NAMES AND CONTACT INFORMATION OF ALL OF THE THIRD PARTIES THAT
 RECEIVED  THE CUSTOMER'S PERSONAL INFORMATION FROM THE BUSINESS, INCLUD-
 ING THE THIRD PARTY'S DESIGNATED REQUEST ADDRESS OR ADDRESSES IF  AVAIL-
 ABLE.
   2.  A BUSINESS REQUIRED TO COMPLY WITH SUBDIVISION ONE OF THIS SECTION
 SHALL MAKE THE REQUIRED INFORMATION AVAILABLE BY  ONE  OR  MORE  OF  THE
 FOLLOWING MEANS:
   (A)  BY  PROVIDING A DESIGNATED REQUEST ADDRESS AND, UPON RECEIPT OF A
 REQUEST UNDER THIS SECTION TO THE DESIGNATED REQUEST ADDRESS,  PROVIDING
 THE  CUSTOMER  WITHIN  THIRTY DAYS WITH THE REQUIRED INFORMATION FOR ALL
 DISCLOSURES OCCURRING IN THE PRIOR TWELVE MONTHS, PROVIDED THAT:
   (1) IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY, THAT POLICY INCLUDES
 A DESCRIPTION OF A CUSTOMER'S RIGHTS PURSUANT TO THIS  SECTION  ACCOMPA-
 NIED  BY ONE OR MORE DESIGNATED REQUEST ADDRESSES; PROVIDED THAT A BUSI-
 NESS WITH MULTIPLE ONLINE PRIVACY POLICIES MUST INCLUDE THIS INFORMATION
 IN THE POLICY OF EACH PRODUCT OR SERVICE THAT COLLECTS PERSONAL INFORMA-
 TION THAT MAY BE DISCLOSED TO A THIRD PARTY;
   (2) THE BUSINESS ENSURES THAT ALL  PERSONS  RESPONSIBLE  FOR  HANDLING
 CUSTOMER  INQUIRIES  ABOUT  THE BUSINESS' PRIVACY PRACTICES OR THE BUSI-
 NESS' COMPLIANCE WITH  THIS  SECTION  ARE  INFORMED  OF  ALL  DESIGNATED
 REQUEST ADDRESSES; AND
   (3)  THE  BUSINESS  PROVIDES  INFORMATION  PERTAINING  TO THE SPECIFIC
 CUSTOMER IF THAT INFORMATION IS REASONABLY AVAILABLE  TO  THE  BUSINESS,
 AND  PROVIDES INFORMATION IN STANDARDIZED FORMAT IF INFORMATION PERTAIN-
 ING TO THE SPECIFIC CUSTOMER IS NOT REASONABLY AVAILABLE.
   (B) FOR INFORMATION REQUIRED TO BE PROVIDED BY PARAGRAPH (B) OF SUBDI-
 VISION ONE OF THIS  SECTION,  BY  PROVIDING  THE  CUSTOMER  WITH  NOTICE
 INCLUDING  THE  REQUIRED INFORMATION PRIOR TO OR IMMEDIATELY FOLLOWING A
 DISCLOSURE.
 S. 6922                             3
 
   (C) BY PROVIDING THE CUSTOMER THE DISCLOSURE REQUIRED BY SECTION  6803
 OF  TITLE  15 OF THE UNITED STATES CODE, BUT ONLY IF THE DISCLOSURE ALSO
 COMPLIES WITH THIS SECTION.
   3.  (A)  A  BUSINESS  IS NOT OBLIGATED TO PROVIDE MORE THAN ONE NOTICE
 UNDER PARAGRAPH (B) OF SUBDIVISION TWO  OF  THIS  SECTION  TO  THE  SAME
 CUSTOMER  IN  A  TWELVE-MONTH  PERIOD  ABOUT  THE DISCLOSURE OF THE SAME
 PERSONAL INFORMATION TO THE SAME THIRD PARTY AND IS NOT OBLIGATED  UNDER
 PARAGRAPH (A) OF SUBDIVISION TWO OF THIS SECTION TO RESPOND TO A REQUEST
 BY THE SAME CUSTOMER MORE THAN ONCE WITHIN A GIVEN TWELVE-MONTH PERIOD.
   (B) A BUSINESS IS NOT OBLIGATED TO PROVIDE INFORMATION TO THE CUSTOMER
 PURSUANT  TO  SUBDIVISION  ONE  OF  THIS  SECTION IF THE BUSINESS CANNOT
 REASONABLY VERIFY THAT THE INDIVIDUAL MAKING THE REQUEST IS THE  CUSTOM-
 ER.
   4.  FOR PURPOSES OF THIS SECTION, THE FOLLOWING TERMS HAVE THE FOLLOW-
 ING MEANINGS:
   (A) "BUSINESS" MEANS ANY PERSON,  PROPRIETORSHIP,  FIRM,  PARTNERSHIP,
 ASSOCIATION,  COOPERATIVE,  NONPROFIT ORGANIZATION OR CORPORATION ORGAN-
 IZED OR EXISTING UNDER THE LAWS OF THIS STATE OR ANY  OTHER  STATE,  AND
 DOING  BUSINESS  IN  THIS  STATE,  EXCLUSIVE  OF  PUBLIC CORPORATIONS AS
 DEFINED PURSUANT TO ARTICLE TWO-A OF THE GENERAL CONSTRUCTION LAW.
   (B) "CATEGORIES OF PERSONAL INFORMATION" INCLUDES, BUT IS NOT  LIMITED
 TO, THE FOLLOWING:
   (1)  IDENTITY  INFORMATION  INCLUDING,  BUT NOT LIMITED TO, REAL NAME,
 ALIAS, NICKNAME, AND USER NAME.
   (2) ADDRESS INFORMATION, INCLUDING, BUT NOT LIMITED TO, POSTAL ADDRESS
 OR E-MAIL.
   (3) TELEPHONE NUMBER.
   (4) ACCOUNT NAME.
   (5) SOCIAL SECURITY NUMBER OR OTHER  GOVERNMENT-ISSUED  IDENTIFICATION
 NUMBER,  INCLUDING, BUT NOT LIMITED TO, SOCIAL SECURITY NUMBER, DRIVER'S
 LICENSE NUMBER, IDENTIFICATION CARD NUMBER, AND PASSPORT NUMBER.
   (6) BIRTHDATE OR AGE.
   (7) PHYSICAL CHARACTERISTIC INFORMATION, INCLUDING,  BUT  NOT  LIMITED
 TO, HEIGHT AND WEIGHT.
   (8)  SEXUAL  INFORMATION, INCLUDING, BUT NOT LIMITED TO, SEXUAL ORIEN-
 TATION, SEX, GENDER STATUS, GENDER IDENTITY, AND GENDER EXPRESSION.
   (9) RACE OR ETHNICITY.
   (10) RELIGIOUS AFFILIATION OR ACTIVITY.
   (11) POLITICAL AFFILIATION OR ACTIVITY.
   (12) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION.
   (13) EDUCATIONAL INFORMATION.
   (14) MEDICAL INFORMATION,  INCLUDING,  BUT  NOT  LIMITED  TO,  MEDICAL
 CONDITIONS  OR  DRUGS,  THERAPIES, MENTAL HEALTH, OR MEDICAL PRODUCTS OR
 EQUIPMENT USED.
   (15) FINANCIAL INFORMATION, INCLUDING, BUT  NOT  LIMITED  TO,  CREDIT,
 DEBIT,  OR ACCOUNT NUMBERS, ACCOUNT BALANCES, PAYMENT HISTORY, OR INFOR-
 MATION RELATED TO ASSETS, LIABILITIES, OR GENERAL CREDITWORTHINESS.
   (16) COMMERCIAL INFORMATION, INCLUDING, BUT NOT LIMITED TO, RECORDS OF
 PROPERTY, PRODUCTS OR SERVICES PROVIDED,  OBTAINED,  OR  CONSIDERED,  OR
 OTHER PURCHASING OR CONSUMER HISTORIES OR TENDENCIES.
   (17) LOCATION INFORMATION.
   (18)  INTERNET  OR  MOBILE  ACTIVITY  INFORMATION,  INCLUDING, BUT NOT
 LIMITED TO, INTERNET PROTOCOL ADDRESSES OR  INFORMATION  CONCERNING  THE
 ACCESS OR USE OF ANY INTERNET OR MOBILE-BASED SITE OR SERVICE.
   (19)  CONTENT, INCLUDING TEXT, PHOTOGRAPHS, AUDIO OR VIDEO RECORDINGS,
 OR OTHER MATERIAL GENERATED BY OR PROVIDED BY THE CUSTOMER.
   (20) ANY OF THE ABOVE CATEGORIES OF INFORMATION AS THEY PERTAIN TO THE
 CHILDREN OF THE CUSTOMER.
   (C)  (1)  "CUSTOMER" MEANS AN INDIVIDUAL WHO IS A RESIDENT OF NEW YORK
 STATE WHO PROVIDES PERSONAL INFORMATION TO A BUSINESS, WITH  OR  WITHOUT
 AN  EXCHANGE  OF  CONSIDERATION,  IN  THE COURSE OF PURCHASING, VIEWING,
 ACCESSING, RENTING, LEASING, OR OTHERWISE USING REAL OR PERSONAL PROPER-
 TY, OR ANY INTEREST THEREIN, OR OBTAINING A PRODUCT OR SERVICE FROM  THE
 BUSINESS INCLUDING ADVERTISING OR ANY OTHER CONTENT.
   (2)  AN INDIVIDUAL IS ALSO THE CUSTOMER OF A BUSINESS IF THAT BUSINESS
 OBTAINED THE PERSONAL INFORMATION OF  THAT  INDIVIDUAL  FROM  ANY  OTHER
 BUSINESS.
   (D)  "DESIGNATED  REQUEST  ADDRESS"  MEANS  A  MAILING ADDRESS, E-MAIL
 ADDRESS, WEB PAGE,  TOLL-FREE  TELEPHONE  NUMBER,  OR  OTHER  APPLICABLE
 CONTACT  INFORMATION, WHEREBY CUSTOMERS MAY REQUEST OR OBTAIN THE INFOR-
 MATION REQUIRED TO BE PROVIDED UNDER SUBDIVISION ONE OF THIS SECTION.
   (E) (1)  "DISCLOSE"  MEANS  TO  DISCLOSE,  RELEASE,  SHARE,  TRANSFER,
 DISSEMINATE,  MAKE  AVAILABLE, OR OTHERWISE COMMUNICATE ORALLY, IN WRIT-
 ING, OR BY ELECTRONIC OR ANY OTHER MEANS TO ANY THIRD PARTY  AS  DEFINED
 IN THIS SECTION.
   (2) "DISCLOSE" DOES NOT INCLUDE:
   (A)  DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
 PURSUANT TO A WRITTEN CONTRACT AUTHORIZING THE THIRD  PARTY  TO  UTILIZE
 THE  PERSONAL INFORMATION TO PERFORM SERVICES ON BEHALF OF THE BUSINESS,
 INCLUDING MAINTAINING OR SERVICING ACCOUNTS, PROVIDING CUSTOMER SERVICE,
 PROCESSING OR FULFILLING ORDERS  AND  TRANSACTIONS,  VERIFYING  CUSTOMER
 INFORMATION,   PROCESSING  PAYMENTS,  PROVIDING  FINANCING,  OR  SIMILAR
 SERVICES, BUT ONLY IF (I) THE CONTRACT PROHIBITS THE  THIRD  PARTY  FROM
 USING  THE PERSONAL INFORMATION FOR ANY REASON OTHER THAN PERFORMING THE
 SPECIFIED SERVICE OR  SERVICES  ON  BEHALF  OF  THE  BUSINESS  AND  FROM
 DISCLOSING ANY SUCH PERSONAL INFORMATION TO ADDITIONAL THIRD PARTIES AND
 (II) THE BUSINESS EFFECTIVELY ENFORCES THESE PROHIBITIONS.
   (B)  DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
 BASED ON A GOOD-FAITH BELIEF THAT DISCLOSURE IS REQUIRED TO COMPLY  WITH
 APPLICABLE LAW, REGULATION, LEGAL PROCESS, OR COURT ORDER.
   (C)  DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
 THAT IS REASONABLY NECESSARY TO ADDRESS FRAUD,  SECURITY,  OR  TECHNICAL
 ISSUES;  TO  PROTECT  THE DISCLOSING BUSINESS' RIGHTS OR PROPERTY; OR TO
 PROTECT CUSTOMERS OR THE PUBLIC FROM ILLEGAL ACTIVITIES AS  REQUIRED  OR
 PERMITTED BY LAW.
   (D)  DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
 THAT IS OTHERWISE LAWFULLY AVAILABLE TO  THE  GENERAL  PUBLIC,  PROVIDED
 THAT  THE BUSINESS DID NOT DIRECT THE THIRD PARTY TO THE PERSONAL INFOR-
 MATION.
   (F) "PERSONAL INFORMATION" MEANS:
   (1) ANY INFORMATION THAT IDENTIFIES OR REFERENCES A  PARTICULAR  INDI-
 VIDUAL OR ELECTRONIC DEVICE, INCLUDING, BUT NOT LIMITED TO, A REAL NAME,
 ALIAS, POSTAL ADDRESS, TELEPHONE NUMBER, ELECTRONIC MAIL ADDRESS, INTER-
 NET  PROTOCOL  ADDRESS,  ACCOUNT  NAME, SOCIAL SECURITY NUMBER, DRIVER'S
 LICENSE NUMBER, PASSPORT NUMBER, OR ANY  OTHER  IDENTIFIER  INTENDED  OR
 ABLE TO BE UNIQUELY ASSOCIATED WITH A PARTICULAR INDIVIDUAL OR DEVICE.
   (2) ANY INFORMATION THAT RELATES TO OR DESCRIBES AN INDIVIDUAL IF SUCH
 INFORMATION IS DISCLOSED IN CONNECTION WITH ANY IDENTIFYING OR REFERENC-
 ING INFORMATION AS DEFINED IN SUBPARAGRAPH ONE OF THIS PARAGRAPH.
   (G) (1) "RETAINS" MEANS TO STORE OR OTHERWISE HOLD INFORMATION, WHETH-
 ER THE INFORMATION IS COLLECTED OR OBTAINED DIRECTLY FROM THE SUBJECT OF
 THE INFORMATION OR FROM ANY THIRD PARTY.
   (2) "RETAINS" DOES NOT INCLUDE INFORMATION THAT IS STORED OR OTHERWISE
 HELD  SOLELY  FOR  ONE OR MORE OF THE FOLLOWING PURPOSES, SO LONG AS THE
 INFORMATION IS DELETED AS SOON AS IT  IS  NO  LONGER  NEEDED  FOR  THOSE
 PURPOSES:
   (A)  TO PERFORM A SERVICE OR COMPLETE A TRANSACTION INITIATED BY OR ON
 BEHALF OF THE CUSTOMER, INCLUDING  MAINTAINING  OR  SERVICING  ACCOUNTS,
 PROVIDING  CUSTOMER  SERVICE, PROCESSING OR FULFILLING ORDERS AND TRANS-
 ACTIONS, VERIFYING CUSTOMER INFORMATION, PROCESSING PAYMENTS,  PROVIDING
 FINANCING, OR SIMILAR SERVICES.
   (B)  TO  ADDRESS  FRAUD, SECURITY, OR TECHNICAL ISSUES; TO PROTECT THE
 DISCLOSING BUSINESS' RIGHTS OR PROPERTY; OR TO PROTECT CUSTOMERS OR  THE
 PUBLIC FROM ILLEGAL ACTIVITIES AS REQUIRED OR PERMITTED BY LAW.
   (C)  TO COMPLY WITH APPLICABLE LAW OR REGULATION OR WITH A COURT ORDER
 OR OTHER LEGAL PROCESS WHERE THE BUSINESS HAS A GOOD-FAITH  BELIEF  THAT
 THE LAW, REGULATION, COURT ORDER, OR LEGAL PROCESS REQUIRES THE INFORMA-
 TION TO BE STORED OR HELD.
   (H)  "THIRD PARTY" OR "THIRD PARTIES" MEANS ONE OR MORE OF THE FOLLOW-
 ING:
   (1) A BUSINESS THAT IS A SEPARATE LEGAL ENTITY FROM THE BUSINESS  THAT
 HAS DISCLOSED PERSONAL INFORMATION.
   (2)  A  BUSINESS THAT DOES NOT SHARE COMMON OWNERSHIP OR COMMON CORPO-
 RATE CONTROL WITH THE BUSINESS THAT HAS DISCLOSED PERSONAL INFORMATION.
   (3) A BUSINESS THAT DOES NOT SHARE A BRAND  NAME  OR  COMMON  BRANDING
 WITH  THE BUSINESS THAT HAS DISCLOSED PERSONAL INFORMATION SUCH THAT THE
 AFFILIATE RELATIONSHIP IS CLEAR TO THE CUSTOMER.
   5. THE PROVISIONS OF THIS SECTION ARE SEVERABLE. IF ANY  PROVISION  OF
 THIS  SECTION  OR ITS APPLICATION IS HELD INVALID, THAT INVALIDITY SHALL
 NOT AFFECT OTHER PROVISIONS OR APPLICATIONS THAT  CAN  BE  GIVEN  EFFECT
 WITHOUT THE INVALID PROVISION OR APPLICATION.
   6. A VIOLATION OF THIS SECTION CONSTITUTES AN INJURY TO A CUSTOMER.  A
 CIVIL  ACTION  TO  RECOVER  PENALTIES  MAY BE BROUGHT BY A CUSTOMER, THE
 ATTORNEY GENERAL, A DISTRICT ATTORNEY, A CITY ATTORNEY, OR A CITY PROSE-
 CUTOR, IN A COURT OF COMPETENT JURISDICTION.
   § 5. This act shall take effect immediately.