STATE OF NEW YORK
________________________________________________________________________
9088
IN SENATE
January 30, 2026
___________
Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection
AN ACT to amend the general business law, in relation to requiring the
registration of data brokers and establishing a data deletion
mechanism for consumers
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND
ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article
42-A to read as follows:
ARTICLE 42-A
DATA BROKERS
SECTION 1150. DEFINITIONS.
1151. REGISTRATION OF DATA BROKERS.
1152. DATA DELETION MECHANISM.
1153. AUDIT.
1154. ENFORCEMENT.
§ 1150. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY THROUGHOUT THIS
ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE:
1. "ARTIFICIAL INTELLIGENCE SYSTEM OR MODEL" MEANS AN ARTIFICIAL
INTELLIGENCE THAT CAN GENERATE DERIVED SYNTHETIC CONTENT, INCLUDING
TEXT, IMAGES, VIDEO, AND AUDIO, THAT EMULATES THE STRUCTURE AND
CHARACTERISTICS OF THE SYSTEM'S TRAINING DATA.
2. "BIOMETRIC DATA" MEANS ANY PERSONAL DATA GENERATED FROM THE
MEASUREMENT OR SPECIFIC TECHNOLOGICAL PROCESSING OF A NATURAL PERSON'S
BIOLOGICAL, PHYSICAL, OR PHYSIOLOGICAL CHARACTERISTICS THAT ALLOWS OR
CONFIRMS THE UNIQUE IDENTIFICATION OF A NATURAL PERSON, INCLUDING
FINGERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES,
AND GAIT. "BIOMETRIC DATA" DOES NOT INCLUDE A DIGITAL OR PHYSICAL
PHOTOGRAPH, AN AUDIO OR VIDEO RECORDING, OR ANY DATA GENERATED FROM A DIGITAL
OR PHYSICAL PHOTOGRAPH, OR AN AUDIO OR VIDEO RECORDING, UNLESS SUCH DATA
IS GENERATED TO IDENTIFY A SPECIFIC INDIVIDUAL.
3. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING
ONLY IN AN INDIVIDUAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A
NATURAL PERSON KNOWN TO BE ACTING IN A PROFESSIONAL OR EMPLOYMENT
CONTEXT.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD14455-01-6
4. "DARK PATTERNS" MEANS USER INTERFACES THAT SUBVERT OR IMPAIR
CONSUMERS' AUTONOMY, DECISION MAKING, OR CHOICE WHEN ASSERTING THEIR
PRIVACY RIGHTS OR CONSENTING.
5. "DATA BROKER" MEANS A PERSON OR BUSINESS THAT KNOWINGLY COLLECTS
AND SELLS TO THIRD PARTIES THE PERSONAL INFORMATION OF A CONSUMER WITH
WHOM THE PERSON OR BUSINESS DOES NOT HAVE A DIRECT RELATIONSHIP.
6. "FOREIGN ACTOR" MEANS EITHER:
(A) THE GOVERNMENT OF A FOREIGN ADVERSARY COUNTRY.
(B) A PARTNERSHIP, ASSOCIATION, CORPORATION, ORGANIZATION, OR OTHER
COMBINATION OF PERSONS ORGANIZED UNDER THE LAWS OF OR HAVING ITS
PRINCIPAL PLACE OF BUSINESS IN A FOREIGN ADVERSARY COUNTRY.
7. "FOREIGN ADVERSARY COUNTRY" HAS THE SAME MEANING AS "COVERED
NATION" AS DEFINED IN SECTION 4872 OF TITLE 10 OF THE UNITED STATES
CODE.
8. "MINOR" MEANS A NATURAL PERSON UNDER THE AGE OF EIGHTEEN.
9. "PERSONAL INFORMATION" MEANS ANY DATA THAT IDENTIFIES OR COULD
REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A SPECIFIC NATURAL
PERSON, OR HOUSEHOLD. "PERSONAL INFORMATION" DOES NOT INCLUDE
DEIDENTIFIED DATA, INFORMATION THAT IS LAWFULLY MADE PUBLICLY AVAILABLE FROM
FEDERAL, STATE OR LOCAL GOVERNMENT RECORDS, OR INFORMATION THAT A
CONTROLLER HAS A REASONABLE BASIS TO BELIEVE IS LAWFULLY MADE AVAILABLE
TO THE GENERAL PUBLIC BY THE CONSUMER OR FROM WIDELY DISTRIBUTED MEDIA.
10. "PRECISE GEOLOCATION DATA" MEANS INFORMATION DERIVED FROM
TECHNOLOGY, INCLUDING, BUT NOT LIMITED TO, GLOBAL POSITIONING SYSTEM LEVEL
LATITUDE AND LONGITUDE COORDINATES OR OTHER MECHANISMS, THAT DIRECTLY
IDENTIFIES THE SPECIFIC LOCATION OF AN INDIVIDUAL WITH PRECISION AND
ACCURACY WITHIN A RADIUS OF ONE THOUSAND SEVEN HUNDRED FIFTY FEET,
EXCEPT AS PRESCRIBED BY REGULATIONS. PRECISE GEOLOCATION DATA DOES NOT
INCLUDE THE CONTENT OF COMMUNICATIONS OR ANY DATA GENERATED BY OR
CONNECTED TO ADVANCE UTILITY METERING INFRASTRUCTURE SYSTEMS OR
EQUIPMENT FOR USE BY A UTILITY.
11. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45
C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT OF 1996.
§ 1151. REGISTRATION OF DATA BROKERS. 1. EACH DATA BROKER SHALL:
(A) ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN WHICH A
PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE:
(I) REGISTER WITH THE ATTORNEY GENERAL;
(II) PAY A REGISTRATION FEE OF ONE HUNDRED DOLLARS OR AS OTHERWISE
DETERMINED BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY AUTHORITY
GRANTED TO THE ATTORNEY GENERAL UNDER THIS ARTICLE, NOT TO EXCEED THE
REASONABLE COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND
INFORMATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND
(III) PROVIDE THE FOLLOWING INFORMATION TO THE ATTORNEY GENERAL:
(A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS
OF THE DATA BROKER.
(B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF
THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA
BROKER.
(C) THE NUMBER OF REQUESTS RECEIVED AND THE NUMBER OF SUCH REQUESTS
COMPLIED WITH, COMPLIED WITH IN PART, OR DENIED UNDER SECTION ELEVEN
HUNDRED FIFTY-TWO OF THIS ARTICLE.
(D) THE MEDIAN AND THE MEAN NUMBER OF DAYS WITHIN WHICH THE DATA
BROKER RESPONDED TO REQUESTS UNDER SECTION ELEVEN HUNDRED FIFTY-TWO OF
THIS ARTICLE.
(E) WHETHER THE DATA BROKER COLLECTED PERSONAL INFORMATION OF MINORS.
(F) WHETHER THE DATA BROKER COLLECTS CONSUMERS' NAMES, DATES OF BIRTH,
ZIP CODES, EMAIL ADDRESSES, OR PHONE NUMBERS.
(G) WHETHER THE DATA BROKER COLLECTS CONSUMERS' ACCOUNT LOGIN OR
ACCOUNT NUMBER IN COMBINATION WITH ANY REQUIRED SECURITY CODE, ACCESS
CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO A CONSUMER'S ACCOUNT WITH
A THIRD PARTY.
(H) WHETHER THE DATA BROKER COLLECTS CONSUMERS' DRIVERS' LICENSE
NUMBER, STATE IDENTIFICATION CARD NUMBER, TAX IDENTIFICATION NUMBER,
SOCIAL SECURITY NUMBER, PASSPORT NUMBER, MILITARY IDENTIFICATION NUMBER,
OR OTHER UNIQUE IDENTIFICATION NUMBER ISSUED ON A GOVERNMENT DOCUMENT
COMMONLY USED TO VERIFY THE IDENTITY OF A SPECIFIC INDIVIDUAL.
(I) WHETHER THE DATA BROKER COLLECTS CONSUMERS' MOBILE ADVERTISING
IDENTIFICATION NUMBERS, CONNECTED TELEVISION IDENTIFICATION NUMBERS, OR
VEHICLE IDENTIFICATION NUMBERS (VIN).
(J) WHETHER THE DATA BROKER COLLECTS CONSUMERS' CITIZENSHIP DATA,
INCLUDING IMMIGRATION STATUS.
(K) WHETHER THE DATA BROKER COLLECTS CONSUMERS' UNION MEMBERSHIP
STATUS.
(L) WHETHER THE DATA BROKER COLLECTS CONSUMERS' SEXUAL ORIENTATION
STATUS.
(M) WHETHER THE DATA BROKER COLLECTS CONSUMERS' GENDER IDENTITY AND
GENDER EXPRESSION DATA.
(N) WHETHER THE DATA BROKER COLLECTS CONSUMERS' BIOMETRIC DATA.
(O) WHETHER THE DATA BROKER COLLECTS CONSUMERS' PRECISE GEOLOCATION.
(P) WHETHER THE DATA BROKER COLLECTS CONSUMERS' REPRODUCTIVE HEALTH
CARE DATA.
(Q) WHETHER THE DATA BROKER COLLECTS CONSUMERS' PROTECTED HEALTH
INFORMATION.
(R) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO A
FOREIGN ACTOR IN THE PAST YEAR.
(S) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO THE
FEDERAL GOVERNMENT IN THE PAST YEAR.
(T) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO
OTHER STATE GOVERNMENTS IN THE PAST YEAR.
(U) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO LAW
ENFORCEMENT IN THE PAST YEAR, UNLESS THAT DATA WAS SHARED PURSUANT TO A
SUBPOENA OR COURT ORDER.
(V) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO A
DEVELOPER OF AN ARTIFICIAL INTELLIGENCE SYSTEM OR MODEL IN THE PAST
YEAR.
(W) UP TO THREE, BUT NO FEWER THAN ONE, OF THE MOST COMMON TYPES OF
PERSONAL INFORMATION THAT THE DATA BROKER COLLECTS.
(X) BEGINNING JANUARY FIRST, TWO THOUSAND THIRTY, WHETHER THE DATA
BROKER HAS UNDERGONE AN AUDIT UNDER THIS ARTICLE, AND, IF SO, THE MOST
RECENT YEAR THAT THE DATA BROKER HAS SUBMITTED A REPORT RESULTING FROM
THE AUDIT AND ANY RELATED MATERIALS TO THE ATTORNEY GENERAL.
(Y) A LINK TO A PAGE ON THE DATA BROKER'S INTERNET WEBSITE THAT:
(I) DETAILS HOW CONSUMERS MAY EXERCISE THEIR PRIVACY RIGHTS BY DOING
ALL OF THE FOLLOWING:
A. DELETING PERSONAL INFORMATION.
B. CORRECTING INACCURATE PERSONAL INFORMATION.
C. LEARNING WHAT PERSONAL INFORMATION IS BEING COLLECTED AND HOW TO
ACCESS THAT PERSONAL INFORMATION.
D. LEARNING WHAT PERSONAL INFORMATION IS BEING SOLD OR SHARED AND TO
WHOM.
E. LEARNING HOW TO OPT OUT OF THE SALE OR SHARING OF PERSONAL
INFORMATION.
F. LEARNING HOW TO LIMIT THE USE AND DISCLOSURE OF SENSITIVE PERSONAL
INFORMATION.
(II) DOES NOT MAKE USE OF ANY DARK PATTERNS.
(Z) WHETHER AND TO WHAT EXTENT THE DATA BROKER OR ANY OF ITS
SUBSIDIARIES IS REGULATED BY ANY OF THE FOLLOWING:
(I) THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET
SEQ.).
(II) THE GRAMM-LEACH-BLILEY ACT (PUBLIC LAW 106-102) AND IMPLEMENTING
REGULATIONS.
(III) ANY OTHER LAW, RULE, OR REGULATION GOVERNING DATA BROKERS OR ANY
OF ITS SUBSIDIARIES.
(AA) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER CHOOSES
TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
(B) BE SUBJECT TO ANY RULES AND REGULATIONS PROMULGATED UNDER THIS
ARTICLE.
2. THE ATTORNEY GENERAL SHALL CREATE A WEBPAGE ON THE STATE WEBSITE
WHICH INCLUDES ALL INFORMATION REGARDING ALL DATA BROKERS REGISTERED
WITHIN THE STATE AND THE DELETION MECHANISM CREATED UNDER SECTION ELEVEN
HUNDRED FIFTY-TWO OF THIS ARTICLE.
§ 1152. DATA DELETION MECHANISM. 1. THE ATTORNEY GENERAL SHALL DEVELOP
A DATA DELETION MECHANISM WITHIN ONE YEAR OF THE EFFECTIVE DATE OF THIS
SECTION. SUCH DATA DELETION MECHANISM SHALL:
(A) IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND
PRACTICES, INCLUDING, BUT NOT LIMITED TO, ADMINISTRATIVE, PHYSICAL, AND
TECHNICAL SAFEGUARDS APPROPRIATE TO THE NATURE OF THE INFORMATION AND
THE PURPOSES FOR WHICH THE PERSONAL INFORMATION WILL BE USED AND TO
PROTECT CONSUMERS' PERSONAL INFORMATION FROM UNAUTHORIZED USE,
DISCLOSURE, ACCESS, DESTRUCTION, OR MODIFICATION.
(B) ALLOW A CONSUMER, THROUGH A SINGLE VERIFIABLE CONSUMER REQUEST, TO
REQUEST THAT EVERY DATA BROKER THAT MAINTAINS ANY PERSONAL INFORMATION
DELETE ANY PERSONAL INFORMATION RELATED TO THAT CONSUMER HELD BY THE
DATA BROKER OR ASSOCIATED SERVICE PROVIDER, CONTRACTOR, OR SUBSIDIARY.
(C) ALLOW A CONSUMER TO SELECTIVELY EXCLUDE SPECIFIC DATA BROKERS FROM
A REQUEST MADE UNDER PARAGRAPH (B) OF THIS SUBDIVISION.
(D) ALLOW A CONSUMER TO MAKE A REQUEST TO ALTER A PREVIOUS REQUEST
MADE UNDER THIS SECTION AFTER AT LEAST FORTY-FIVE DAYS HAVE PASSED SINCE
THE CONSUMER LAST MADE A REQUEST UNDER THIS SECTION.
(E) ALLOW A CONSUMER TO REQUEST THE DELETION OF ALL PERSONAL
INFORMATION RELATED TO THAT CONSUMER THROUGH A SINGLE DELETION REQUEST.
(F) PERMIT A CONSUMER TO SECURELY SUBMIT INFORMATION IN ONE OR MORE
PRIVACY-PROTECTING WAYS DETERMINED BY THE ATTORNEY GENERAL TO AID IN THE
DELETION REQUEST.
(G) ALLOW DATA BROKERS REGISTERED WITH THE ATTORNEY GENERAL TO
DETERMINE WHETHER AN INDIVIDUAL HAS SUBMITTED A VERIFIABLE CONSUMER REQUEST
TO DELETE THE PERSONAL INFORMATION RELATED TO THAT CONSUMER AND SHALL
NOT ALLOW THE DISCLOSURE OF ANY ADDITIONAL PERSONAL INFORMATION WHEN THE
DATA BROKER ACCESSES THE ACCESSIBLE DELETION MECHANISM UNLESS OTHERWISE
SPECIFIED IN THIS ARTICLE.
(H) ALLOW A CONSUMER TO MAKE A REQUEST UNDER THIS SECTION USING AN
INTERNET SERVICE OPERATED BY THE ATTORNEY GENERAL.
(I) NOT CHARGE A CONSUMER TO MAKE A REQUEST UNDER THIS SECTION.
(J) ALLOW A CONSUMER TO MAKE A REQUEST UNDER THIS SECTION IN ANY
LANGUAGE SPOKEN BY ANY CONSUMER FOR WHOM PERSONAL INFORMATION HAS BEEN
COLLECTED BY DATA BROKERS.
(K) BE READILY ACCESSIBLE AND USABLE BY CONSUMERS WITH DISABILITIES.
(L) SUPPORT THE ABILITY OF A CONSUMER'S AUTHORIZED AGENTS TO AID IN
THE DELETION REQUEST.
(M) ALLOW THE CONSUMER, OR THEIR AUTHORIZED AGENT, TO VERIFY THE
STATUS OF THE CONSUMER'S DELETION REQUEST.
(N) PROVIDE A DESCRIPTION OF:
(I) THE DELETION PERMITTED BY THIS SECTION;
(II) THE PROCESS FOR SUBMITTING A DELETION REQUEST PURSUANT TO THIS
SECTION; AND
(III) EXAMPLES OF THE TYPES OF INFORMATION THAT MAY BE DELETED.
2. SIX MONTHS AFTER THE CREATION OF THE DATA DELETION MECHANISM, EACH
DATA BROKER SHALL, AT LEAST ONCE EVERY FORTY-FIVE DAYS:
(A) PROCESS ALL DELETION REQUESTS MADE PURSUANT TO THIS SECTION AND
DELETE ALL PERSONAL INFORMATION RELATED TO THE CONSUMERS MAKING THE
REQUESTS CONSISTENT WITH THE REQUIREMENTS OF THIS SECTION WITHIN
FORTY-FIVE DAYS OF RECEIVING SUCH REQUESTS AND DIRECT ALL SERVICE PROVIDERS,
CONTRACTORS, AND SUBSIDIARIES ASSOCIATED WITH THE DATA BROKER TO DELETE
ALL PERSONAL INFORMATION IN THEIR POSSESSION RELATED TO THE CONSUMERS
MAKING SUCH REQUEST.
(B) WHERE A DATA BROKER DENIES A CONSUMER REQUEST TO DELETE UNDER THIS
SECTION BECAUSE THE REQUEST CANNOT BE VERIFIED, PROCESS THE REQUEST AS
AN OPT-OUT OF THE SALE OR SHARING OF THE CONSUMER'S PERSONAL INFORMATION
WITHIN FORTY-FIVE DAYS OF RECEIVING SUCH REQUEST AND DIRECT ALL SERVICE
PROVIDERS, CONTRACTORS, AND SUBSIDIARIES ASSOCIATED WITH THE DATA BROKER
TO PROCESS THE REQUEST AS AN OPT-OUT OF THE SALE OR SHARING OF THE
CONSUMER'S PERSONAL INFORMATION.
3. (A) NOTWITHSTANDING ANY OTHER PROVISION OF THIS SECTION, A DATA
BROKER SHALL NOT BE REQUIRED TO DELETE A CONSUMER'S PERSONAL INFORMATION
IF SUCH PERSONAL INFORMATION IS REQUIRED TO:
(I) COMPLETE THE TRANSACTION FOR WHICH THE PERSONAL INFORMATION WAS
COLLECTED, FULFILL THE TERMS OF A WRITTEN WARRANTY OR PRODUCT RECALL
CONDUCTED IN ACCORDANCE WITH FEDERAL LAW, PROVIDE A GOOD OR SERVICE
REQUESTED BY THE CONSUMER, OR REASONABLY ANTICIPATED BY THE CONSUMER
WITHIN THE CONTEXT OF A BUSINESSES ONGOING BUSINESS RELATIONSHIP WITH
THE CONSUMER, OR OTHERWISE PERFORM A CONTRACT BETWEEN THE BUSINESS AND
THE CONSUMER.
(II) HELP TO ENSURE SECURITY AND INTEGRITY TO THE EXTENT THE USE OF
THE CONSUMER'S PERSONAL INFORMATION IS REASONABLY NECESSARY AND
PROPORTIONATE FOR THOSE PURPOSES.
(III) DEBUG TO IDENTIFY AND REPAIR ERRORS THAT IMPAIR EXISTING
INTENDED FUNCTIONALITY.
(IV) EXERCISE FREE SPEECH, ENSURE THE RIGHT OF ANOTHER CONSUMER TO
EXERCISE THAT CONSUMER'S RIGHT OF FREE SPEECH, OR EXERCISE ANOTHER RIGHT
PROVIDED FOR BY LAW.
(V) ENGAGE IN PUBLIC OR PEER-REVIEWED SCIENTIFIC, HISTORICAL, OR
STATISTICAL RESEARCH THAT CONFORMS OR ADHERES TO ALL OTHER APPLICABLE
ETHICS AND PRIVACY LAWS, WHEN THE BUSINESSES DELETION OF THE INFORMATION
IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR THE ABILITY TO
COMPLETE SUCH RESEARCH, IF THE CONSUMER HAS PROVIDED INFORMED CONSENT.
(VI) TO ENABLE SOLELY INTERNAL USES THAT ARE REASONABLY ALIGNED WITH
THE EXPECTATIONS OF THE CONSUMER BASED ON THE CONSUMER'S RELATIONSHIP
WITH THE BUSINESS AND COMPATIBLE WITH THE CONTEXT IN WHICH THE CONSUMER
PROVIDED THE INFORMATION.
(VII) COMPLY WITH A LEGAL OBLIGATION.
(B) PERSONAL INFORMATION NOT REQUIRED TO BE DELETED UNDER PARAGRAPH
(A) OF THIS SUBDIVISION SHALL ONLY BE USED FOR PURPOSES DIRECTLY RELATED
TO SUCH EXCEPTIONS AND SHALL NOT BE USED OR DISCLOSED FOR ANY OTHER
PURPOSE.
4. WHERE A CONSUMER HAS SUBMITTED A DELETION REQUEST AND A DATA BROKER
HAS DELETED THE CONSUMER'S DATA PURSUANT TO THIS SECTION, THE DATA
BROKER SHALL:
(A) DELETE ALL PERSONAL INFORMATION OF THE CONSUMER AT LEAST ONCE
EVERY FORTY-FIVE DAYS PURSUANT TO THIS SECTION UNLESS THE CONSUMER
REQUESTS OTHERWISE OR THE DELETION IS NOT REQUIRED PURSUANT TO
SUBDIVISION THREE OF THIS SECTION; AND
(B) NOT SELL OR SHARE NEW PERSONAL INFORMATION OF THE CONSUMER UNLESS
THE CONSUMER REQUESTS OTHERWISE UNLESS SUCH SELLING OR SHARING IS
PERMITTED UNDER ANOTHER SECTION OF LAW.
5. THE ATTORNEY GENERAL MAY CHARGE AN ACCESS FEE TO A DATA BROKER WHEN
THE DATA BROKER ACCESSES THE DATA DELETION MECHANISM THAT DOES NOT
EXCEED THE REASONABLE COSTS OF PROVIDING THAT ACCESS.
§ 1153. AUDIT. THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION
AND EVERY THREE YEARS THEREAFTER, EACH DATA BROKER SHALL UNDERGO AN
AUDIT BY AN INDEPENDENT THIRD PARTY TO DETERMINE COMPLIANCE WITH THIS
ARTICLE. EACH DATA BROKER SHALL SUBMIT A REPORT RESULTING FROM THE
AUDIT WRITTEN BY SUCH INDEPENDENT THIRD PARTY IN A FORM DETERMINED BY
THE ATTORNEY GENERAL AND ANY OTHER MATERIALS REQUIRED BY THE ATTORNEY
GENERAL TO THE ATTORNEY GENERAL WITHIN FIVE BUSINESS DAYS OF A WRITTEN
REQUEST BY THE ATTORNEY GENERAL. DATA BROKERS SHALL MAINTAIN SUCH
REPORTS AND ANY REQUIRED MATERIALS FOR SIX YEARS.
§ 1154. ENFORCEMENT. 1. A DATA BROKER THAT FAILS TO REGISTER UNDER
THIS ARTICLE SHALL BE SUBJECT TO:
(A) A CIVIL PENALTY OF TWO HUNDRED DOLLARS FOR EACH DAY THE DATA
BROKER FAILS TO REGISTER AS REQUIRED BY THIS ARTICLE;
(B) A CIVIL PENALTY EQUAL TO THE AMOUNT OF REGISTRATION FEES WHICH
WOULD HAVE BEEN PAID IF THE DATA BROKER HAD REGISTERED; AND
(C) A CIVIL PENALTY EQUAL TO THE COSTS INCURRED BY THE STATE TO BRING
SUCH CIVIL ACTION.
2. A DATA BROKER THAT VIOLATES ANY PROVISION OF THIS ARTICLE OR ANY
RULES AND REGULATIONS PROMULGATED THEREUNDER, BESIDES SUBPARAGRAPH (I)
OF PARAGRAPH (A) OF SUBDIVISION ONE OF SECTION ELEVEN HUNDRED FIFTY-ONE
OF THIS ARTICLE, SHALL BE SUBJECT TO:
(A) A CIVIL PENALTY OF TWO HUNDRED DOLLARS FOR EACH SUCH VIOLATION;
AND
(B) A CIVIL PENALTY EQUAL TO THE COSTS INCURRED BY THE STATE TO BRING
SUCH CIVIL ACTION.
§ 2. This act shall take effect immediately.