LBD14455-04-6
S. 9088--A 2
3. "BIOMETRIC DATA" MEANS AN INDIVIDUAL'S PHYSIOLOGICAL, BIOLOGICAL,
OR BEHAVIORAL CHARACTERISTICS, INCLUDING INFORMATION PERTAINING TO AN
INDIVIDUAL'S DEOXYRIBONUCLEIC ACID (DNA), THAT CAN BE USED OR IS
INTENDED TO BE USED SINGLY OR IN COMBINATION WITH EACH OTHER OR WITH
OTHER IDENTIFYING DATA, TO ESTABLISH INDIVIDUAL IDENTITY. THE TERM
"BIOMETRIC INFORMATION" INCLUDES, BUT IS NOT LIMITED TO, IMAGERY OF THE
IRIS, RETINA, FINGERPRINT, FACE, HAND, PALM, VEIN PATTERNS, AND VOICE
RECORDINGS, FROM WHICH AN IDENTIFIER TEMPLATE, SUCH AS A FACEPRINT, A
MINUTIAE TEMPLATE, OR A VOICEPRINT, CAN BE EXTRACTED, AND KEYSTROKE
PATTERNS OR RHYTHMS, GAIT PATTERNS OR RHYTHMS, AND SLEEP, HEALTH, OR
EXERCISE DATA THAT CONTAIN IDENTIFYING INFORMATION. "BIOMETRIC DATA"
DOES NOT INCLUDE A DIGITAL OR PHYSICAL PHOTOGRAPH, AN AUDIO OR VIDEO
RECORDING, OR ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL PHOTOGRAPH,
OR AN AUDIO OR VIDEO RECORDING, UNLESS SUCH DATA IS GENERATED TO IDENTI-
FY A SPECIFIC INDIVIDUAL.
4. "BUSINESS" MEANS:
(A) A SOLE PROPRIETORSHIP, PARTNERSHIP, LIMITED LIABILITY COMPANY,
CORPORATION, ASSOCIATION, OR OTHER LEGAL ENTITY, THAT COLLECTS CONSUM-
ERS' PERSONAL INFORMATION, OR ON THE BEHALF OF WHICH SUCH INFORMATION IS
COLLECTED AND THAT ALONE, OR JOINTLY WITH OTHERS, DETERMINES THE
PURPOSES AND MEANS OF THE PROCESSING OF CONSUMERS' PERSONAL INFORMATION,
THAT DOES BUSINESS IN THE STATE OF NEW YORK, AND THAT SATISFIES ONE OR
MORE OF THE FOLLOWING THRESHOLDS:
(I) AS OF JANUARY FIRST OF THE RELEVANT CALENDAR YEAR, HAD ANNUAL
GROSS REVENUES IN EXCESS OF TEN MILLION DOLLARS IN THE PRECEDING CALEN-
DAR YEAR;
(II) ALONE OR IN COMBINATION, ANNUALLY BUYS, SELLS, OR SHARES THE
PERSONAL INFORMATION OF ONE HUNDRED THOUSAND OR MORE CONSUMERS OR HOUSE-
HOLDS; OR
(III) DERIVES FIFTY PERCENT OR MORE OF ITS ANNUAL REVENUES FROM SELL-
ING OR SHARING CONSUMERS' PERSONAL INFORMATION;
(B) (I) ANY ENTITY THAT CONTROLS OR IS CONTROLLED BY A BUSINESS, AS
DEFINED IN PARAGRAPH (A) OF THIS SUBDIVISION, AND THAT SHARES COMMON
BRANDING WITH SUCH BUSINESS AND WITH WHOM SUCH BUSINESS SHARES CONSUM-
ERS' PERSONAL INFORMATION.
(II) FOR THE PURPOSES OF THIS PARAGRAPH, THE FOLLOWING TERMS SHALL
HAVE THE FOLLOWING MEANINGS:
(1) "CONTROL" OR "CONTROLLED" MEANS THE POSSESSION, DIRECT OR INDI-
RECT, OF THE POWER TO DIRECT OR CAUSE THE DIRECTION OF THE MANAGEMENT
AND POLICIES OF AN ENTITY, WHETHER THROUGH THE OWNERSHIP OF VOTING SECU-
RITIES, BY CONTRACT, OR OTHERWISE;
(2) "COMMON BRANDING" MEANS A SHARED NAME, SERVICE MARK, OR TRADEMARK
THAT THE AVERAGE CONSUMER WOULD UNDERSTAND THAT TWO OR MORE ENTITIES ARE
COMMONLY OWNED;
(C) A JOINT VENTURE OR PARTNERSHIP COMPOSED OF BUSINESSES IN WHICH
EACH BUSINESS HAS AT LEAST A FORTY PERCENT INTEREST. FOR PURPOSES OF
THIS ARTICLE, THE JOINT VENTURE OR PARTNERSHIP AND EACH BUSINESS THAT
COMPOSES THE JOINT VENTURE OR PARTNERSHIP SHALL SEPARATELY BE CONSIDERED
A SINGLE BUSINESS, EXCEPT THAT PERSONAL INFORMATION IN THE POSSESSION OF
EACH BUSINESS AND DISCLOSED TO THE JOINT VENTURE OR PARTNERSHIP SHALL
NOT BE SHARED WITH THE OTHER BUSINESS; OR
(D) A PERSON THAT DOES BUSINESS IN NEW YORK, THAT IS NOT COVERED BY
PARAGRAPH (A), (B), OR (C) OF THIS SUBDIVISION, AND THAT VOLUNTARILY
CERTIFIES TO THE ATTORNEY GENERAL THAT IT IS IN COMPLIANCE WITH, AND
AGREES TO BE BOUND BY, THIS ARTICLE.
5. "COLLECTS", "COLLECTED", OR "COLLECTION" MEANS BUYING, RENTING,
GATHERING, OBTAINING, RECEIVING, SHARING OR ACCESSING ANY PERSONAL
INFORMATION PERTAINING TO A CONSUMER BY ANY MEANS, INCLUDING BUT NOT
LIMITED TO, RECEIVING INFORMATION FROM THE CONSUMER, EITHER ACTIVELY OR
PASSIVELY, OR BY OBSERVING THE CONSUMER'S BEHAVIOR.
6. "CONSENT" MEANS ANY FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIG-
UOUS INDICATION OF A CONSUMER'S WISHES BY WHICH SUCH CONSUMER, OR SUCH
CONSUMER'S LEGAL GUARDIAN, A PERSON WHO HAS POWER OF ATTORNEY, OR A
PERSON ACTING AS A CONSERVATOR FOR SUCH CONSUMER, INCLUDING BY A STATE-
MENT OR BY A CLEAR AFFIRMATIVE ACTION, SIGNIFIES AGREEMENT TO THE PROC-
ESSING OF PERSONAL INFORMATION RELATING TO SUCH CONSUMER FOR A NARROWLY
DEFINED PARTICULAR PURPOSE. ACCEPTANCE OF A GENERAL OR BROAD TERMS OF
USE, OR SIMILAR DOCUMENT, THAT CONTAINS DESCRIPTIONS OF PERSONAL INFOR-
MATION PROCESSING ALONG WITH OTHER, UNRELATED INFORMATION, SHALL NOT
CONSTITUTE CONSENT. HOVERING OVER, MUTING, PAUSING, OR CLOSING A GIVEN
PIECE OF CONTENT SHALL NOT CONSTITUTE CONSENT. AGREEMENT OBTAINED
THROUGH USE OF DARK PATTERNS SHALL NOT CONSTITUTE CONSENT.
7. "CONSUMER" MEANS A NATURAL PERSON WHO IS AN INDIVIDUAL WHO IS IN
NEW YORK STATE FOR OTHER THAN A TRANSITORY PURPOSE, AND EVERY INDIVIDUAL
WHO IS DOMICILED IN NEW YORK STATE WHO IS OUTSIDE THE STATE.
8. "CONTRACTOR" MEANS A PERSON TO WHOM A BUSINESS MAKES AVAILABLE A
CONSUMER'S PERSONAL INFORMATION FOR A BUSINESS PURPOSE, PURSUANT TO A
WRITTEN CONTRACT WITH SUCH BUSINESS, PROVIDED THAT SUCH CONTRACT:
(A) PROHIBITS THE CONTRACTOR FROM:
(I) SELLING OR SHARING SUCH PERSONAL INFORMATION;
(II) RETAINING, USING, OR DISCLOSING SUCH PERSONAL INFORMATION FOR ANY
PURPOSE OTHER THAN FOR THE BUSINESS PURPOSES SPECIFIED IN SUCH CONTRACT,
INCLUDING RETAINING, USING, OR DISCLOSING SUCH PERSONAL INFORMATION FOR
A COMMERCIAL PURPOSE OTHER THAN THE BUSINESS PURPOSES SPECIFIED IN SUCH
CONTRACT, OR AS OTHERWISE PERMITTED BY THIS ARTICLE;
(III) RETAINING, USING, OR DISCLOSING SUCH PERSONAL INFORMATION
OUTSIDE OF THE DIRECT BUSINESS RELATIONSHIP BETWEEN THE CONTRACTOR AND
SUCH BUSINESS; AND
(IV) COMBINING SUCH PERSONAL INFORMATION THAT THE CONTRACTOR RECEIVES
PURSUANT TO A WRITTEN CONTRACT WITH SUCH BUSINESS WITH PERSONAL INFORMA-
TION THAT IT RECEIVES FROM OR ON BEHALF OF ANOTHER PERSON OR PERSONS, OR
COLLECTS FROM ITS OWN INTERACTION WITH THE CONSUMER;
(B) INCLUDES A CERTIFICATION MADE BY THE CONTRACTOR THAT THE CONTRAC-
TOR UNDERSTANDS THE RESTRICTIONS PROVIDED FOR IN ACCORDANCE WITH PARA-
GRAPH (A) OF THIS SUBDIVISION AND WILL COMPLY WITH THEM;
(C) PERMITS THE BUSINESS TO MONITOR THE CONTRACTOR'S COMPLIANCE WITH
THE CONTRACT THROUGH MEASURES, INCLUDING, BUT NOT LIMITED TO, ONGOING
MANUAL REVIEWS AND AUTOMATED SCANS AND REGULAR ASSESSMENTS, AUDITS, OR
OTHER TECHNICAL AND OPERATIONAL TESTING AT LEAST ONCE EVERY TWELVE
MONTHS; AND
(D) PROVIDES THAT IF THE CONTRACTOR ENGAGES ANY OTHER PERSON TO ASSIST
IT IN PROCESSING PERSONAL INFORMATION FOR A BUSINESS PURPOSE ON BEHALF
OF SUCH BUSINESS, OR IF ANY OTHER PERSON ENGAGED BY SUCH CONTRACTOR
ENGAGES ANOTHER PERSON TO ASSIST IN PROCESSING PERSONAL INFORMATION FOR
SUCH BUSINESS PURPOSE, IT SHALL NOTIFY SUCH BUSINESS OF SUCH ENGAGEMENT,
AND SUCH ENGAGEMENT SHALL BE PURSUANT TO A WRITTEN CONTRACT BINDING SUCH
OTHER PERSON TO COMPLY WITH ALL THE REQUIREMENTS SET FORTH IN THIS
SUBDIVISION.
9. "CROSS-CONTEXT BEHAVIORAL ADVERTISING" MEANS THE TARGETING OF
ADVERTISING AND MARKETING TO A CONSUMER BASED ON SUCH CONSUMER'S
PERSONAL INFORMATION OBTAINED FROM SUCH CONSUMER'S ACTIVITY ACROSS BUSINESSES,
DISTINCTLY BRANDED INTERNET WEBSITES, APPLICATIONS, OR SERVICES
WITH WHICH SUCH CONSUMER INTENTIONALLY INTERACTS.
10. "DARK PATTERNS" MEANS A USER INTERFACE DESIGNED OR MANIPULATED
WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR IMPAIRING USER AUTONOMY,
DECISION MAKING, OR CHOICE, AS FURTHER DEFINED BY REGULATION ISSUED BY
THE ATTORNEY GENERAL.
11. (A) "DATA BROKER" MEANS A BUSINESS THAT KNOWINGLY COLLECTS AND
SELLS TO THIRD PARTIES THE PERSONAL INFORMATION OF A CONSUMER WITH WHOM
SUCH BUSINESS EITHER:
(I) DOES NOT HAVE A DIRECT RELATIONSHIP; AND/OR
(II) COLLECTS, RETAINS OR SELLS PERSONAL INFORMATION OUTSIDE OF THE
CONSUMER-FACING BUSINESS WITH WHICH THE CONSUMER INTENDS AND EXPECTS TO
INTERACT THROUGH INFORMED CONSENT.
(B) THE TERM "DATA BROKER" SHALL NOT INCLUDE ANY OF THE FOLLOWING:
(I) A FEDERAL, STATE, TRIBAL, TERRITORIAL, OR LOCAL GOVERNMENTAL ENTI-
TY, INCLUDING A BODY, AUTHORITY, BOARD, BUREAU, COMMISSION, DISTRICT,
AGENCY, OR POLITICAL SUBDIVISION OF A GOVERNMENTAL ENTITY; OR
(II) AN ENTITY THAT SERVES AS A CONGRESSIONALLY DESIGNATED NONPROFIT,
NATIONAL RESOURCE CENTER, OR CLEARINGHOUSE TO PROVIDE ASSISTANCE TO
VICTIMS, FAMILIES, CHILD-SERVING PROFESSIONALS, AND THE GENERAL PUBLIC
ON MISSING AND EXPLOITED CHILDREN ISSUES.
(C) FOR THE PURPOSES OF THIS SUBDIVISION, "DIRECT RELATIONSHIP" SHALL
MEAN A CONSUMER HAS INTENTIONALLY AND UNAMBIGUOUSLY INTERACTED WITH A
BUSINESS FOR THE PURPOSE OF ACCESSING, PURCHASING, USING, REQUESTING, OR
OBTAINING INFORMATION ABOUT THE BUSINESS'S PRODUCTS OR SERVICES. A BUSI-
NESS SHALL NOT BE DEEMED TO HAVE A DIRECT RELATIONSHIP WITH A CONSUMER
MERELY BECAUSE THE BUSINESS COLLECTS PERSONAL INFORMATION OF THE CONSUM-
ER.
12. "DEIDENTIFIED" MEANS INFORMATION THAT CANNOT BE USED TO INFER
INFORMATION ABOUT, OR OTHERWISE BE LINKED TO, A PARTICULAR CONSUMER,
PROVIDED THAT BUSINESSES THAT POSSESS SUCH INFORMATION SHALL:
(A) TAKE NECESSARY MEASURES TO ENSURE THAT SUCH INFORMATION CANNOT BE
ASSOCIATED WITH A CONSUMER OR HOUSEHOLD;
(B) PUBLICLY, AND WITHIN ANY CONTRACT IN WHICH SUCH BUSINESS ACQUIRED
SUCH INFORMATION, COMMIT TO MAINTAINING AND USING SUCH INFORMATION ONLY
IN DEIDENTIFIED FORM;
(C) NOT ATTEMPT TO REIDENTIFY SUCH INFORMATION, EXCEPT THAT SUCH BUSI-
NESS MAY ATTEMPT TO REIDENTIFY SUCH INFORMATION SOLELY FOR THE PURPOSE
OF DETERMINING WHETHER ITS DEIDENTIFICATION PROCESSES SATISFY THE
REQUIREMENTS OF THIS SUBDIVISION; AND
(D) CONTRACTUALLY (I) PROHIBIT ANY RECIPIENTS OF SUCH INFORMATION FROM
REIDENTIFYING SUCH INFORMATION, AND (II) REQUIRE COMPLIANCE WITH ALL
PROVISIONS OF THIS SUBDIVISION.
13. "DESIGNATED METHODS FOR SUBMITTING DELETION REQUESTS" MEANS A
MAILING ADDRESS, EMAIL ADDRESS, INTERNET WEB PAGE, INTERNET WEB PORTAL,
TOLL-FREE TELEPHONE NUMBER, OR OTHER APPLICABLE CONTACT INFORMATION,
WHEREBY CONSUMERS MAY SUBMIT A REQUEST OR DIRECTION UNDER THIS ARTICLE,
AND ANY NEW, CONSUMER-FRIENDLY MEANS OF CONTACTING A BUSINESS, AS
APPROVED IN WRITING BY THE ATTORNEY GENERAL.
14. "DEVELOPER OF AN ARTIFICIAL INTELLIGENCE SYSTEM OR MODEL" MEANS A
PERSON, PARTNERSHIP, CORPORATION, FIRM, ORGANIZATION OR OTHER ENTITY
THAT DESIGNS, CODES, PRODUCES, TRAINS OR SUBSTANTIALLY MODIFIES AN ARTI-
FICIAL INTELLIGENCE SYSTEM.
15. "DEVICE" MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECTING
TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE.
16. "FOREIGN ACTOR" MEANS EITHER:
(A) THE GOVERNMENT OF A FOREIGN ADVERSARY COUNTRY; OR
(B) A PARTNERSHIP, ASSOCIATION, CORPORATION, ORGANIZATION, OR OTHER
COMBINATION OF PERSONS ORGANIZED UNDER THE LAWS OF OR HAVING ITS PRINCI-
PAL PLACE OF BUSINESS IN A FOREIGN ADVERSARY COUNTRY.
17. "FOREIGN ADVERSARY COUNTRY" HAS THE SAME MEANING AS "COVERED
NATION" AS DEFINED IN SECTION 4872 OF TITLE 10 OF THE UNITED STATES
CODE.
18. "HOUSEHOLD" MEANS A GROUP, HOWEVER IDENTIFIED, OF CONSUMERS WHO
COHABITATE WITH ONE ANOTHER AT THE SAME RESIDENTIAL ADDRESS AND SHARE
USE OF COMMON SERVICES.
19. "INFER" OR "INFERENCE" MEANS THE DERIVATION OF INFORMATION, DATA,
ASSUMPTIONS, OR CONCLUSIONS FROM FACTS, EVIDENCE, OR ANOTHER SOURCE OF
INFORMATION OR DATA.
20. "INTENTIONALLY INTERACTS" MEANS WHEN A CONSUMER INTENDS TO INTER-
ACT WITH A PERSON, OR DISCLOSE PERSONAL INFORMATION TO A PERSON, VIA ONE
OR MORE DELIBERATE INTERACTIONS, INCLUDING VISITING SUCH PERSON'S INTER-
NET WEBSITE OR PURCHASING A GOOD OR SERVICE FROM SUCH PERSON. HOVERING
OVER, MUTING, PAUSING, OR CLOSING A GIVEN PIECE OF CONTENT SHALL NOT
CONSTITUTE A CONSUMER'S INTENT TO INTERACT WITH A PERSON.
21. "MINOR" MEANS A NATURAL PERSON UNDER THE AGE OF EIGHTEEN.
22. "PERSON" MEANS AN INDIVIDUAL, PROPRIETORSHIP, FIRM, PARTNERSHIP,
JOINT VENTURE, SYNDICATE, BUSINESS TRUST, COMPANY, CORPORATION, LIMITED
LIABILITY COMPANY, ASSOCIATION, COMMITTEE, AND ANY OTHER ORGANIZATION,
ENTITY OR GROUP OF PERSONS ACTING IN CONCERT.
23. (A) "PERSONAL INFORMATION" MEANS INFORMATION, HOWEVER MAINTAINED,
THAT IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSOCIATED
WITH, OR COULD BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR
CONSUMER OR HOUSEHOLD, INCLUDING, BUT NOT LIMITED TO, THE FOLLOWING:
(I) IDENTIFIERS SUCH AS A REAL NAME, ALIAS, POSTAL ADDRESS, UNIQUE
PERSONAL IDENTIFIER, ONLINE IDENTIFIER, INTERNET PROTOCOL ADDRESS, EMAIL
ADDRESS, ACCOUNT NAME, SOCIAL SECURITY NUMBER, DRIVER'S LICENSE NUMBER,
PASSPORT NUMBER, OR OTHER SIMILAR IDENTIFIERS;
(II) ANY INFORMATION THAT IDENTIFIES, RELATES TO, DESCRIBES, OR IS
CAPABLE OF BEING ASSOCIATED WITH, A PARTICULAR INDIVIDUAL, INCLUDING,
BUT NOT LIMITED TO, SUCH INDIVIDUAL'S NAME, SIGNATURE, SOCIAL SECURITY
NUMBER, PHYSICAL CHARACTERISTICS OR DESCRIPTION, ADDRESS, TELEPHONE
NUMBER, PASSPORT NUMBER, DRIVER'S LICENSE OR STATE IDENTIFICATION CARD
NUMBER, INSURANCE POLICY NUMBER, EDUCATION, EMPLOYMENT, EMPLOYMENT
HISTORY, BANK ACCOUNT NUMBER, CREDIT CARD NUMBER, DEBIT CARD NUMBER, OR
ANY OTHER FINANCIAL INFORMATION, MEDICAL INFORMATION, OR HEALTH INSUR-
ANCE INFORMATION;
(III) CHARACTERISTICS OF PROTECTED CLASSIFICATIONS UNDER NEW YORK OR
FEDERAL LAW;
(IV) COMMERCIAL INFORMATION, INCLUDING RECORDS OF PERSONAL PROPERTY,
PRODUCTS OR SERVICES PURCHASED, OBTAINED, OR CONSIDERED, OR OTHER
PURCHASING OR CONSUMING HISTORIES OR TENDENCIES;
(V) BIOMETRIC INFORMATION;
(VI) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION,
INCLUDING, BUT NOT LIMITED TO, BROWSING HISTORY, SEARCH HISTORY, AND
INFORMATION REGARDING A CONSUMER'S INTERACTION WITH AN INTERNET WEBSITE,
APPLICATION, OR ADVERTISEMENT;
(VII) GEOLOCATION DATA;
(VIII) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR
INFORMATION;
(IX) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
(X) EDUCATION INFORMATION, DEFINED AS INFORMATION THAT IS NOT PUBLICLY
AVAILABLE PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN THE FAMILY
EDUCATIONAL RIGHTS AND PRIVACY ACT (20 U.S.C. SEC. 1232G; 34 C.F.R. PART
99);
(XI) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED IN THIS
SUBDIVISION TO CREATE A PROFILE ABOUT A CONSUMER REFLECTING SUCH CONSUM-
ER'S PREFERENCES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS, PREDISPOSI-
TIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND APTITUDES; AND
(XII) SENSITIVE PERSONAL INFORMATION;
(B) THE TERM "PERSONAL INFORMATION" SHALL NOT INCLUDE PUBLICLY AVAIL-
ABLE INFORMATION OR LAWFULLY OBTAINED, TRUTHFUL INFORMATION THAT IS A
MATTER OF PUBLIC CONCERN. FOR PURPOSES OF THIS PARAGRAPH, "PUBLICLY
AVAILABLE" MEANS ANY OF THE FOLLOWING:
(I) INFORMATION THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE,
OR LOCAL GOVERNMENT RECORDS;
(II) INFORMATION THAT A BUSINESS HAS A REASONABLE BASIS TO BELIEVE IS
LAWFULLY AND INTENTIONALLY MADE AVAILABLE TO THE GENERAL PUBLIC BY THE
CONSUMER OR FROM WIDELY DISTRIBUTED MEDIA; OR
(III) INFORMATION MADE AVAILABLE BY A PERSON TO WHOM THE CONSUMER HAS
INTENTIONALLY DISCLOSED SUCH INFORMATION IF SUCH CONSUMER HAS CONSENTED
TO SUCH INFORMATION NOT BEING RESTRICTED TO A SPECIFIC AUDIENCE.
(C) THE TERM "PUBLICLY AVAILABLE" SHALL NOT MEAN BIOMETRIC INFORMATION
COLLECTED BY A BUSINESS ABOUT A CONSUMER.
(D) THE TERM "PERSONAL INFORMATION" SHALL NOT INCLUDE:
(I) CONSUMER INFORMATION THAT IS DEIDENTIFIED AND AGGREGATE CONSUMER
INFORMATION; AND
(II) INFORMATION THAT WOULD NOT OTHERWISE BE MADE PUBLIC BUT FOR A
DATA BREACH.
(E) THE TERM "PERSONAL INFORMATION" MAY EXIST IN VARIOUS FORMATS,
INCLUDING, BUT NOT LIMITED TO, ALL OF THE FOLLOWING:
(I) PHYSICAL FORMATS, INCLUDING PAPER DOCUMENTS, PRINTED IMAGES, VINYL
RECORDS, OR VIDEO TAPES;
(II) DIGITAL FORMATS, INCLUDING TEXT, IMAGE, AUDIO, OR VIDEO FILES; OR
(III) ABSTRACT DIGITAL FORMATS, INCLUDING COMPRESSED OR ENCRYPTED
FILES, METADATA, OR ARTIFICIAL INTELLIGENCE SYSTEMS THAT ARE CAPABLE OF
OUTPUTTING PERSONAL INFORMATION.
24. "PRECISE GEOLOCATION DATA" MEANS ANY DATA THAT IS DERIVED FROM A
DEVICE AND THAT IS USED OR INTENDED TO BE USED TO LOCATE A CONSUMER
WITHIN A GEOGRAPHIC AREA THAT IS EQUAL TO OR LESS THAN THE AREA OF A
CIRCLE WITH A RADIUS OF EIGHTEEN HUNDRED FIFTY FEET, EXCEPT AS
PRESCRIBED BY REGULATIONS.
25. "PROBABILISTIC IDENTIFIER" MEANS THE IDENTIFICATION OF A CONSUMER
OR SUCH CONSUMER'S DEVICE TO A DEGREE OF CERTAINTY OF MORE PROBABLE THAN
NOT BASED ON ANY CATEGORIES OF PERSONAL INFORMATION INCLUDED IN, OR
SIMILAR TO, THE CATEGORIES ENUMERATED IN THE DEFINITION OF PERSONAL
INFORMATION UNDER SUBDIVISION TWENTY-THREE OF THIS SECTION.
26. "PROCESSING" MEANS ANY OPERATION OR SET OF OPERATIONS THAT ARE
PERFORMED ON PERSONAL INFORMATION OR ON SETS OF PERSONAL INFORMATION,
WHETHER OR NOT BY AUTOMATED MEANS.
27. "PROCESSOR" SHALL MEAN A PERSON WHO COLLECTS, PROCESSES, OR TRANS-
FERS PERSONAL INFORMATION ON BEHALF OF, AND AT THE DIRECTION OF, A DATA
BROKER OR ANOTHER PROCESSOR, OR A FEDERAL, STATE, TRIBAL, OR LOCAL
GOVERNMENT ENTITY.
28. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45
C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT OF 1996.
29. "PSEUDONYMIZE" OR "PSEUDONYMIZATION" MEANS THE PROCESSING OF
PERSONAL INFORMATION IN A MANNER THAT RENDERS SUCH PERSONAL INFORMATION
NO LONGER ATTRIBUTABLE TO A SPECIFIC CONSUMER WITHOUT THE USE OF ADDI-
TIONAL INFORMATION, PROVIDED THAT SUCH ADDITIONAL INFORMATION IS KEPT
SEPARATELY AND IS SUBJECT TO TECHNICAL AND ORGANIZATIONAL MEASURES TO
ENSURE THAT SUCH PERSONAL INFORMATION IS NOT ATTRIBUTED TO AN IDENTIFIED
OR IDENTIFIABLE CONSUMER AND SHALL NOT BE REIDENTIFIED THROUGH METHODS
SUCH AS INFERENCE, HASHING MANIPULATION, OR ANY OTHER COMPUTATIONAL OR
ANALYTICAL TECHNIQUE.
30. "REPRODUCTIVE HEALTH CARE DATA" MEANS ANY OF THE FOLLOWING:
(A) INFORMATION ABOUT A CONSUMER SEARCHING FOR, ACCESSING, PROCURING,
USING, OR OTHERWISE INTERACTING WITH GOODS OR SERVICES ASSOCIATED WITH
THE HUMAN REPRODUCTIVE SYSTEM, WHICH INCLUDES GOODS SUCH AS CONTRACEP-
TION INCLUDING BUT NOT LIMITED TO CONDOMS OR BIRTH-CONTROL PILLS, PRE-
NATAL AND FERTILITY VITAMINS AND SUPPLEMENTS, MENSTRUAL-TRACKING APPS,
AND HORMONE-REPLACEMENT THERAPY, AND SHALL FURTHER INCLUDE, BUT NOT BE
LIMITED TO, SERVICES SUCH AS SPERM- AND EGG-FREEZING, IN VITRO FERTILI-
ZATION, ABORTION CARE, VASECTOMIES, SEXUAL HEALTH COUNSELING; TREATMENT
OR COUNSELING FOR SEXUALLY TRANSMITTED INFECTIONS, ERECTILE DYSFUNCTION,
AND REPRODUCTIVE TRACT INFECTIONS; AND PRECISE GEOLOCATION INFORMATION
ABOUT SUCH TREATMENTS; OR
(B) INFORMATION ABOUT A CONSUMER'S SEXUAL
HISTORY AND FAMILY PLANNING, WHICH INCLUDES INFORMATION SUCH CONSUMER
INPUTS INTO A DATING APP ABOUT THEIR HISTORY OF SEXUALLY TRANSMITTED
INFECTIONS OR DESIRE TO HAVE CHILDREN.
31. "SECURITY AND INTEGRITY" MEANS THE ABILITY OF:
(A) NETWORKS OR INFORMATION SYSTEMS TO DETECT SECURITY INCIDENTS THAT
COMPROMISE THE AVAILABILITY, AUTHENTICITY, INTEGRITY, AND CONFIDENTIALI-
TY OF STORED OR TRANSMITTED PERSONAL INFORMATION;
(B) BUSINESSES TO DETECT SECURITY INCIDENTS, RESIST MALICIOUS, DECEP-
TIVE, FRAUDULENT, OR ILLEGAL ACTIONS AND TO HELP PROSECUTE THOSE RESPON-
SIBLE FOR THOSE ACTIONS; OR
(C) BUSINESSES TO ENSURE THE PHYSICAL SAFETY OF NATURAL PERSONS.
32. (A) "SELL", "SELLING", "SALE", OR "SOLD" MEANS SELLING, RENTING,
RELEASING, DISCLOSING, DISSEMINATING, MAKING AVAILABLE, TRANSFERRING, OR
OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER
MEANS, A CONSUMER'S PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
FOR MONETARY OR OTHER VALUABLE CONSIDERATION.
(B) FOR PURPOSES OF THIS ARTICLE, A BUSINESS SHALL NOT BE DEEMED TO
SELL PERSONAL INFORMATION WHEN:
(I) A CONSUMER USES OR DIRECTS SUCH BUSINESS TO INTENTIONALLY:
(1) DISCLOSE PERSONAL INFORMATION; OR
(2) INTERACT WITH ONE OR MORE THIRD PARTIES;
(II) SUCH BUSINESS USES OR SHARES AN IDENTIFIER FOR A CONSUMER WHO HAS
OPTED OUT OF THE SALE OF SUCH CONSUMER'S PERSONAL INFORMATION OR LIMITED
THE USE OF SUCH CONSUMER'S SENSITIVE PERSONAL INFORMATION SOLELY FOR THE
PURPOSES OF ALERTING PERSONS TO OR FOR WHOM SUCH CONSUMER HAS OPTED OUT
OF THE SALE OF SUCH CONSUMER'S PERSONAL INFORMATION OR LIMITED THE USE
OF SUCH CONSUMER'S SENSITIVE PERSONAL INFORMATION; PROVIDED SUCH IDENTI-
FIER DOES NOT DISCLOSE ANY PERSONAL INFORMATION OTHER THAN WHAT IS
NECESSARY FOR SUCH ALERT; OR
(III) SUCH BUSINESS TRANSFERS TO A THIRD PARTY THE PERSONAL INFORMA-
TION OF A CONSUMER AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION,
BANKRUPTCY, OR OTHER TRANSACTION IN WHICH SUCH THIRD PARTY ASSUMES
CONTROL OF ALL OR PART OF SUCH BUSINESS, PROVIDED THAT AS A CONDITION TO
SUCH TRANSACTION, THE THIRD PARTY CONTRACTUALLY AGREES TO ASSUME ALL
RESPONSIBILITIES OF THE TRANSFERRING BUSINESS WITH RESPECT TO SUCH
PERSONAL INFORMATION, AND COMPLY WITH THIS ARTICLE IN ALL RESPECTS. A
THIRD PARTY SHALL NOT USE OR SHARE THE PERSONAL INFORMATION OF A CONSUM-
ER IN A MANNER THAT IS INCONSISTENT WITH THE PROMISES MADE AT THE TIME
OF COLLECTION. THIS SUBPARAGRAPH SHALL NOT AUTHORIZE A BUSINESS TO MAKE
RETROACTIVE PRIVACY POLICY CHANGES OR MAKE OTHER CHANGES IN THEIR PRIVA-
CY POLICY.
33. "SENSITIVE PERSONAL INFORMATION" MEANS:
(A) PERSONAL INFORMATION THAT REVEALS:
(I) A CONSUMER'S SOCIAL SECURITY, DRIVER'S LICENSE, STATE IDENTIFICA-
TION CARD, OR PASSPORT NUMBER;
(II) A CONSUMER'S ACCOUNT LOG-IN, FINANCIAL ACCOUNT, DEBIT CARD, OR
CREDIT CARD NUMBER IN COMBINATION WITH ANY REQUIRED SECURITY OR ACCESS
CODE, PASSWORD, OR CREDENTIALS ALLOWING ACCESS TO AN ACCOUNT;
(III) A CONSUMER'S PRECISE GEOLOCATION;
(IV) A CONSUMER'S RACIAL OR ETHNIC ORIGIN, CITIZENSHIP OR IMMIGRATION
STATUS, RELIGIOUS OR PHILOSOPHICAL BELIEFS, OR UNION MEMBERSHIP;
(V) THE CONTENTS OF A CONSUMER'S MAIL, EMAIL, AND TEXT MESSAGES UNLESS
THE BUSINESS IS THE INTENDED RECIPIENT OF THE COMMUNICATION;
(VI) A CONSUMER'S SEXUALITY OR GENDER IDENTITY;
(VII) REPRODUCTIVE HEALTH CARE DATA;
(VIII) A CONSUMER'S GENETIC DATA; OR
(IX) A CONSUMER'S NEURAL DATA, MEANING INFORMATION THAT IS GENERATED
BY MEASURING THE ACTIVITY OF SUCH CONSUMER'S CENTRAL OR PERIPHERAL NERV-
OUS SYSTEM, AND THAT IS NOT INFERRED FROM NONNEURAL INFORMATION; OR
(B) THE PROCESSING OF BIOMETRIC INFORMATION FOR THE PURPOSE OF UNIQUE-
LY IDENTIFYING A CONSUMER, INCLUDING BUT NOT LIMITED TO:
(I) PERSONAL INFORMATION COLLECTED AND ANALYZED CONCERNING A CONSUM-
ER'S HEALTH; OR
(II) PERSONAL INFORMATION COLLECTED AND ANALYZED CONCERNING A CONSUM-
ER'S SEX LIFE OR SEXUAL ORIENTATION.
34. "SERVICE" OR "SERVICES" MEANS WORK, LABOR, AND SERVICES, INCLUDING
SERVICES FURNISHED IN CONNECTION WITH THE SALE OR REPAIR OF GOODS.
35. (A) "SERVICE PROVIDER" MEANS A PERSON THAT PROCESSES PERSONAL
INFORMATION ON BEHALF OF A BUSINESS AND THAT RECEIVES FROM OR ON BEHALF
OF SUCH BUSINESS A CONSUMER'S PERSONAL INFORMATION FOR A BUSINESS
PURPOSE PURSUANT TO A WRITTEN CONTRACT, PROVIDED THAT SUCH CONTRACT
PROHIBITS SUCH PERSON FROM:
(I) SELLING OR SHARING SUCH PERSONAL INFORMATION;
(II) RETAINING, USING, OR DISCLOSING SUCH PERSONAL INFORMATION FOR ANY
PURPOSE OTHER THAN FOR THE BUSINESS PURPOSES SPECIFIED IN THE CONTRACT
FOR SUCH BUSINESS, INCLUDING RETAINING, USING, OR DISCLOSING SUCH
PERSONAL INFORMATION FOR A COMMERCIAL OR BUSINESS PURPOSE OTHER THAN THE
BUSINESS PURPOSES SPECIFIED IN THE CONTRACT WITH SUCH BUSINESS, OR AS
OTHERWISE PERMITTED BY THIS ARTICLE;
(III) RETAINING, USING, OR DISCLOSING THE INFORMATION OUTSIDE OF THE
DIRECT BUSINESS RELATIONSHIP BETWEEN THE SERVICE PROVIDER AND SUCH BUSI-
NESS; OR
(IV) COMBINING SUCH PERSONAL INFORMATION THAT THE SERVICE PROVIDER
RECEIVES FROM, OR ON BEHALF OF, SUCH BUSINESS WITH PERSONAL INFORMATION
THAT IT RECEIVES FROM, OR ON BEHALF OF, ANOTHER PERSON OR PERSONS, OR
COLLECTS FROM ITS OWN INTERACTION WITH THE CONSUMER. SUCH CONTRACT SHALL
PERMIT THE BUSINESS TO MONITOR SUCH SERVICE PROVIDER'S COMPLIANCE WITH
SUCH CONTRACT THROUGH MEASURES, INCLUDING, BUT NOT LIMITED TO, ONGOING
MANUAL REVIEWS AND AUTOMATED SCANS AND REGULAR ASSESSMENTS, AUDITS, OR
OTHER TECHNICAL AND OPERATIONAL TESTING AT LEAST ONCE EVERY TWELVE
MONTHS.
(B) IF A SERVICE PROVIDER ENGAGES ANY OTHER PERSON TO ASSIST IT IN
PROCESSING PERSONAL INFORMATION FOR A BUSINESS PURPOSE ON BEHALF OF THE
BUSINESS, OR IF ANY OTHER PERSON ENGAGED BY SUCH SERVICE PROVIDER
ENGAGES ANOTHER PERSON TO ASSIST IN PROCESSING PERSONAL INFORMATION FOR
SUCH BUSINESS PURPOSE, IT SHALL NOTIFY SUCH BUSINESS OF SUCH ENGAGEMENT,
AND SUCH ENGAGEMENT SHALL BE PURSUANT TO A WRITTEN CONTRACT BINDING SUCH
OTHER PERSON TO COMPLY WITH ALL THE REQUIREMENTS SET FORTH IN PARAGRAPH
(A) OF THIS SUBDIVISION.
(C) ANY INFORMATION ACQUIRED BY A SERVICE PROVIDER FOR THE PURPOSE OF
PROVIDING VERIFICATION, AUTHENTICATION OR SIMILAR SERVICE SHALL NOT BE
PROCESSED OR USED FOR ANY PURPOSE OTHER THAN VERIFYING THE IDENTITY OF
THE INDIVIDUAL AND SHALL BE DELETED IMMEDIATELY UPON VERIFICATION OR
FAILURE TO VERIFY THE INDIVIDUAL.
36. (A) "SHARE", "SHARED", OR "SHARING" MEANS SHARING, RENTING,
RELEASING, DISCLOSING, DISSEMINATING, MAKING AVAILABLE, TRANSFERRING, OR
OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER
MEANS, A CONSUMER'S PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING, WHETHER OR NOT FOR MONETARY OR
OTHER VALUABLE CONSIDERATION, INCLUDING TRANSACTIONS BETWEEN A BUSINESS
AND A THIRD PARTY FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING FOR THE BENE-
FIT OF A BUSINESS IN WHICH NO MONEY IS EXCHANGED.
(B) FOR PURPOSES OF THIS ARTICLE, A BUSINESS SHALL NOT BE DEEMED TO
SHARE PERSONAL INFORMATION WHEN:
(I) A CONSUMER USES OR DIRECTS SUCH BUSINESS TO INTENTIONALLY DISCLOSE
PERSONAL INFORMATION OR INTENTIONALLY INTERACT WITH ONE OR MORE THIRD
PARTIES;
(II) A CONSUMER DIRECTS SUCH BUSINESS TO INTENTIONALLY INTERACT WITH
ONE OR MORE THIRD PARTIES AND SUCH CONSUMER HAS PROVIDED CONSENT FOR THE
BUSINESS TO DISCLOSE PERSONAL INFORMATION TO SUCH THIRD PARTY OR
PARTIES;
(III) SUCH BUSINESS USES OR SHARES AN IDENTIFIER FOR A CONSUMER WHO
HAS OPTED OUT OF THE SHARING OF SUCH CONSUMER'S PERSONAL INFORMATION OR
LIMITED THE USE OF SUCH CONSUMER'S SENSITIVE PERSONAL INFORMATION, SOLE-
LY FOR THE PURPOSES OF ALERTING PERSONS TO OR FOR WHOM SUCH CONSUMER HAS
OPTED OUT OF THE SHARING OF SUCH CONSUMER'S PERSONAL INFORMATION OR
LIMITED THE USE OF SUCH CONSUMER'S SENSITIVE PERSONAL INFORMATION,
PROVIDED SUCH IDENTIFIER DOES NOT DISCLOSE ANY PERSONAL INFORMATION
OTHER THAN WHAT IS NECESSARY FOR SUCH ALERT; OR
(IV) SUCH BUSINESS TRANSFERS TO A THIRD PARTY THE PERSONAL INFORMATION
OF A CONSUMER AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANK-
RUPTCY, OR OTHER TRANSACTION IN WHICH SUCH THIRD PARTY ASSUMES CONTROL
OF ALL OR PART OF SUCH BUSINESS, PROVIDED THAT AS A CONDITION TO SUCH
TRANSACTION, THE THIRD PARTY CONTRACTUALLY AGREES TO ASSUME ALL RESPON-
SIBILITIES OF THE TRANSFERRING BUSINESS WITH RESPECT TO SUCH PERSONAL
INFORMATION, AND COMPLY WITH THIS ARTICLE IN ALL RESPECTS. A THIRD
PARTY SHALL NOT USE OR SHARE THE PERSONAL INFORMATION OF A CONSUMER IN A
MANNER THAT IS INCONSISTENT WITH THE PROMISES MADE AT THE TIME OF
COLLECTION. THIS SUBPARAGRAPH SHALL NOT AUTHORIZE A BUSINESS TO MAKE
RETROACTIVE PRIVACY POLICY CHANGES OR MAKE OTHER CHANGES IN THEIR PRIVA-
CY POLICY.
37. "THIRD PARTY" MEANS A PERSON WHO IS NOT ANY OF THE FOLLOWING:
(A) THE BUSINESS WITH WHOM A CONSUMER INTENTIONALLY INTERACTS AND THAT
COLLECTS PERSONAL INFORMATION FROM SUCH CONSUMER AS PART OF SUCH CONSUM-
ER'S CURRENT INTERACTION WITH SUCH BUSINESS UNDER THIS ARTICLE;
(B) A SERVICE PROVIDER TO THE BUSINESS;
(C) A CONTRACTOR TO THE BUSINESS; OR
(D) A PROCESSOR TO THE BUSINESS.
38. "UNIQUE IDENTIFIER" OR "UNIQUE PERSONAL IDENTIFIER" MEANS A
PERSISTENT IDENTIFIER THAT CAN BE USED TO RECOGNIZE A CONSUMER, A HOUSE-
HOLD, A FAMILY, OR A DEVICE THAT IS LINKED TO A CONSUMER, HOUSEHOLD, OR
FAMILY, OVER TIME AND ACROSS DIFFERENT SERVICES, INCLUDING, BUT NOT
LIMITED TO: A DEVICE IDENTIFIER; AN INTERNET PROTOCOL ADDRESS; DEVICE
FINGERPRINTING; COOKIES, BEACONS, PIXEL TAGS, MOBILE AD IDENTIFIERS, OR
SIMILAR TECHNOLOGY; CUSTOMER NUMBER, UNIQUE PSEUDONYM, OR USER ALIAS;
TELEPHONE NUMBERS, OR OTHER FORMS OF PERSISTENT OR PROBABILISTIC IDENTI-
FIERS THAT CAN BE USED TO IDENTIFY A PARTICULAR CONSUMER OR DEVICE THAT
IS LINKED TO A CONSUMER, HOUSEHOLD OR FAMILY. FOR PURPOSES OF THIS
SUBDIVISION, THE TERM "FAMILY" MEANS A CUSTODIAL PARENT OR GUARDIAN AND
ANY CHILDREN UNDER EIGHTEEN YEARS OF AGE OVER WHICH THE PARENT OR GUARD-
IAN HAS CUSTODY.
39. "VERIFIABLE CONSUMER REQUEST" MEANS A REQUEST THAT IS MADE BY A
CONSUMER, BY A CONSUMER ON BEHALF OF SUCH CONSUMER'S MINOR CHILD, OR BY
A PERSON WHO HAS POWER OF ATTORNEY OR IS ACTING AS A CONSERVATOR FOR
SUCH CONSUMER, AND THAT THE BUSINESS CAN VERIFY, USING COMMERCIALLY
REASONABLE METHODS, PURSUANT TO ANY REGULATIONS ADOPTED BY THE ATTORNEY
GENERAL TO BE SUCH CONSUMER ABOUT WHOM THE BUSINESS HAS COLLECTED
PERSONAL INFORMATION.
40. "AUTHORIZED AGENT" MEANS:
(A) A PERSON DESIGNATED BY A CONSUMER TO ACT ON THE CONSUMER'S BEHALF;
(B) A PARENT OR LEGAL GUARDIAN THAT ACTS ON BEHALF OF THE PARENT'S
CHILD OR ON BEHALF OF A CHILD FOR WHOM THE GUARDIAN HAS LEGAL RESPONSI-
BILITY; OR
(C) A GUARDIAN OR CONSERVATOR THAT ACTS ON BEHALF OF A CONSUMER THAT
IS SUBJECT TO A GUARDIANSHIP, CONSERVATORSHIP, OR OTHER PROTECTIVE
ARRANGEMENT.
§ 1151. REGISTRATION OF DATA BROKERS. 1. EACH DATA BROKER SHALL:
(A) NO LATER THAN SIXTY DAYS AFTER MEETING THE DEFINITION OF DATA
BROKER IN THIS ARTICLE:
(I) REGISTER WITH THE ATTORNEY GENERAL PURSUANT TO THIS SECTION;
(II) PAY A REGISTRATION FEE OF ONE HUNDRED DOLLARS OR AS OTHERWISE
DETERMINED BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY AUTHORITY
GRANTED TO THE ATTORNEY GENERAL UNDER THIS ARTICLE, NOT TO EXCEED THE
REASONABLE COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND INFOR-
MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND
(III) PROVIDE THE FOLLOWING INFORMATION TO THE ATTORNEY GENERAL IN A
FORM AND MANNER DETERMINED BY THE ATTORNEY GENERAL:
(A) ALL NAMES USED BY THE DATA BROKER, AND ITS PRIMARY PHYSICAL,
EMAIL, AND INTERNET WEBSITE ADDRESS.
(B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF
THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA
BROKER.
(C) THE NUMBER OF REQUESTS RECEIVED AND THE NUMBER OF SUCH REQUESTS
COMPLIED WITH, COMPLIED WITH IN PART, OR DENIED UNDER SECTION ELEVEN
HUNDRED FIFTY-TWO OF THIS ARTICLE.
(D) THE MEDIAN AND THE MEAN NUMBER OF DAYS WITHIN WHICH THE DATA
BROKER RESPONDED TO REQUESTS UNDER SECTION ELEVEN HUNDRED FIFTY-TWO OF
THIS ARTICLE.
(E) WHETHER THE DATA BROKER COLLECTED PERSONAL INFORMATION OF MINORS.
(F) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' NAMES, DATES
OF BIRTH, ZIP CODES, EMAIL ADDRESSES, OR PHONE NUMBERS.
(G) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' ACCOUNT
LOGIN OR ACCOUNT NUMBER IN COMBINATION WITH ANY REQUIRED SECURITY CODE,
ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO A CONSUMER'S
ACCOUNT WITH A THIRD PARTY.
(H) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' DRIVERS'
LICENSE NUMBERS, NEW YORK IDENTIFICATION CARD NUMBERS, TAX IDENTIFICA-
TION NUMBERS, SOCIAL SECURITY NUMBERS, PASSPORT NUMBERS, MILITARY IDEN-
TIFICATION NUMBERS, OR OTHER UNIQUE IDENTIFICATION NUMBERS ISSUED ON A
GOVERNMENT DOCUMENT COMMONLY USED TO VERIFY THE IDENTITY OF A SPECIFIC
INDIVIDUAL.
(I) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' MOBILE
ADVERTISING IDENTIFICATION NUMBERS, CONNECTED TELEVISION IDENTIFICATION
NUMBERS, OR VEHICLE IDENTIFICATION NUMBERS (VIN).
(J) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' CITIZENSHIP
DATA, INCLUDING IMMIGRATION STATUS.
(K) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' UNION
MEMBERSHIP STATUS.
(L) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' SEXUAL
ORIENTATION STATUS.
(M) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' GENDER IDEN-
TITY AND GENDER EXPRESSION DATA.
(N) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' BIOMETRIC
DATA.
(O) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' PRECISE
GEOLOCATION.
(P) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' REPRODUCTIVE
HEALTH CARE DATA.
(Q) WHETHER THE DATA BROKER COLLECTS OR INFERS CONSUMERS' PROTECTED
HEALTH INFORMATION.
(R) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO A
FOREIGN ACTOR IN THE PAST FIVE YEARS.
(S) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO THE
FEDERAL GOVERNMENT IN THE PAST FIVE YEARS.
(T) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO
OTHER STATE GOVERNMENTS IN THE PAST FIVE YEARS.
(U) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO LAW
ENFORCEMENT IN THE PAST FIVE YEARS, UNLESS THAT DATA WAS SHARED PURSUANT
TO A SUBPOENA OR COURT ORDER.
(V) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMERS' DATA TO A
DEVELOPER OF AN ARTIFICIAL INTELLIGENCE SYSTEM OR MODEL IN THE PAST FIVE
YEARS.
(W) UP TO THREE, BUT NO FEWER THAN ONE, OF THE MOST COMMON TYPES OF
PERSONAL INFORMATION THAT THE DATA BROKER COLLECTS.
(X) BEGINNING JANUARY FIRST, TWO THOUSAND THIRTY, WHETHER THE DATA
BROKER HAS UNDERGONE AN AUDIT UNDER THIS ARTICLE, AND, IF SO, THE MOST
RECENT YEAR THAT THE DATA BROKER HAS SUBMITTED A REPORT RESULTING FROM
THE AUDIT AND ANY RELATED MATERIALS TO THE ATTORNEY GENERAL.
(Y) A LINK TO A PAGE ON THE DATA BROKER'S INTERNET WEBSITE THAT:
(I) DETAILS HOW CONSUMERS MAY EXERCISE THEIR PRIVACY RIGHTS BY DOING
ALL OF THE FOLLOWING:
A. DELETING PERSONAL INFORMATION.
B. CORRECTING INACCURATE PERSONAL INFORMATION.
C. LEARNING WHAT PERSONAL INFORMATION IS BEING COLLECTED AND HOW TO
ACCESS THAT PERSONAL INFORMATION.
D. LEARNING WHAT PERSONAL INFORMATION IS BEING SOLD OR SHARED AND TO
WHOM.
E. LEARNING HOW TO OPT OUT OF THE SALE OR SHARING OF PERSONAL INFORMA-
TION.
F. LEARNING HOW TO LIMIT THE USE AND DISCLOSURE OF SENSITIVE PERSONAL
INFORMATION.
(II) DOES NOT MAKE USE OF ANY DARK PATTERNS.
(Z) WHETHER AND TO WHAT EXTENT THE DATA BROKER OR ANY OF ITS SUBSID-
IARIES IS REGULATED BY ANY OF THE FOLLOWING:
(I) THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET
SEQ.);
(II) THE GRAMM-LEACH-BLILEY ACT (PUBLIC LAW 106-102) AND IMPLEMENTING
REGULATIONS;
(III) THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED BY
THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, PARTS 160 AND
164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT
TO THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF
1996 (PUBLIC LAW 104-191); OR
(IV) ANY OTHER LAW, RULE, OR REGULATION GOVERNING DATA BROKERS OR ANY
OF ITS SUBSIDIARIES.
(AA) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER CHOOSES
TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
(B) BE SUBJECT TO ANY RULES AND REGULATIONS PROMULGATED UNDER THIS
ARTICLE.
2. THE ATTORNEY GENERAL SHALL CREATE A WEBPAGE ON THE STATE WEBSITE
WHICH INCLUDES ALL INFORMATION REGARDING ALL DATA BROKERS REGISTERED
WITHIN THE STATE AND THE DELETION MECHANISM CREATED UNDER SECTION ELEVEN
HUNDRED FIFTY-TWO OF THIS ARTICLE.
§ 1152. DATA DELETION MECHANISM. 1. THE ATTORNEY GENERAL SHALL ESTAB-
LISH A DATA DELETION MECHANISM WITHIN ONE YEAR OF THE EFFECTIVE DATE OF
THIS SECTION. SUCH DATA DELETION MECHANISM SHALL:
(A) IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRAC-
TICES, INCLUDING, BUT NOT LIMITED TO, ADMINISTRATIVE, PHYSICAL, AND
TECHNICAL SAFEGUARDS APPROPRIATE TO THE NATURE OF THE INFORMATION AND
THE PURPOSES FOR WHICH THE PERSONAL INFORMATION WILL BE USED AND TO
PROTECT CONSUMERS' PERSONAL INFORMATION FROM UNAUTHORIZED USE, DISCLO-
SURE, ACCESS, DESTRUCTION, OR MODIFICATION.
(B) ALLOW A CONSUMER, THROUGH A SINGLE VERIFIABLE CONSUMER REQUEST, TO
REQUEST THAT EVERY DATA BROKER THAT MAINTAINS ANY PERSONAL INFORMATION
DELETE ANY PERSONAL INFORMATION RELATED TO THAT CONSUMER HELD BY THE
DATA BROKER OR ASSOCIATED SERVICE PROVIDER, CONTRACTOR, OR SUBSIDIARY.
(C) ALLOW A CONSUMER TO SELECTIVELY EXCLUDE SPECIFIC DATA BROKERS FROM
A REQUEST MADE UNDER PARAGRAPH (B) OF THIS SUBDIVISION.
(D) ALLOW A CONSUMER TO MAKE A REQUEST TO ALTER A PREVIOUS REQUEST
MADE UNDER THIS SECTION AFTER AT LEAST FORTY-FIVE DAYS HAVE PASSED SINCE
THE CONSUMER LAST MADE A REQUEST UNDER THIS SECTION.
(E) ALLOW A CONSUMER TO REQUEST THE DELETION OF ALL PERSONAL INFORMA-
TION RELATED TO THAT CONSUMER THROUGH A SINGLE DELETION REQUEST.
(F) PERMIT A CONSUMER TO SECURELY SUBMIT INFORMATION IN ONE OR MORE
PRIVACY-PROTECTING WAYS DETERMINED BY THE ATTORNEY GENERAL TO AID IN THE
DELETION REQUEST.
(G) ALLOW DATA BROKERS REGISTERED WITH THE ATTORNEY GENERAL TO DETER-
MINE WHETHER AN INDIVIDUAL HAS SUBMITTED A VERIFIABLE CONSUMER REQUEST
TO DELETE THE PERSONAL INFORMATION RELATED TO THAT CONSUMER AND SHALL
NOT ALLOW THE DISCLOSURE OF ANY ADDITIONAL PERSONAL INFORMATION WHEN THE
DATA BROKER ACCESSES THE ACCESSIBLE DELETION MECHANISM UNLESS OTHERWISE
SPECIFIED IN THIS ARTICLE.
(H) ALLOW A CONSUMER TO MAKE A REQUEST UNDER THIS SECTION USING AN
INTERNET SERVICE OPERATED BY THE ATTORNEY GENERAL.
(I) NOT CHARGE A CONSUMER TO MAKE A REQUEST UNDER THIS SECTION.
(J) ALLOW A CONSUMER TO MAKE A REQUEST UNDER THIS SECTION IN ANY OF
THE TWELVE MOST COMMONLY SPOKEN LANGUAGES IN NEW YORK STATE, CONSISTENT
WITH SECTION TWO HUNDRED TWO-A OF THE EXECUTIVE LAW, FOR WHOM PERSONAL
INFORMATION HAS BEEN COLLECTED BY DATA BROKERS.
(K) COMPLY WITH SECTION ONE HUNDRED THREE-D OF THE STATE TECHNOLOGY
LAW.
(L) BE READILY ACCESSIBLE AND USABLE BY CONSUMERS WITH DISABILITIES.
(M) SUPPORT THE ABILITY OF A CONSUMER'S AUTHORIZED AGENTS TO AID IN
THE DELETION REQUEST.
(N) ALLOW THE CONSUMER, OR THEIR AUTHORIZED AGENT, TO VERIFY THE
STATUS OF THE CONSUMER'S DELETION REQUEST.
(O) PROVIDE A DESCRIPTION OF:
(I) THE DELETION PERMITTED BY THIS SECTION INCLUDING THE ACTIONS
REQUIRED OF DATA BROKERS DESCRIBED IN THIS SECTION;
(II) THE PROCESS FOR SUBMITTING A DELETION REQUEST PURSUANT TO THIS
SECTION; AND
(III) EXAMPLES OF THE TYPES OF INFORMATION THAT MAY BE DELETED.
2. BEGINNING SIX MONTHS AFTER THE ESTABLISHMENT OF THE DATA DELETION
MECHANISM, THE ATTORNEY GENERAL SHALL MAKE EACH REQUEST SUBMITTED PURSU-
ANT TO THIS SECTION AVAILABLE TO EACH APPLICABLE DATA BROKER WITHOUT
UNDUE DELAY AND EACH DATA BROKER SHALL ACCESS THE ACCESSIBLE DELETION
MECHANISM ESTABLISHED PURSUANT TO SUBDIVISION ONE OF THIS SECTION AT
LEAST ONCE EVERY FORTY-FIVE DAYS.
3. BEGINNING SIX MONTHS AFTER THE ESTABLISHMENT OF THE DATA DELETION
MECHANISM, EACH DATA BROKER SHALL:
(A) AT LEAST ONCE EVERY FORTY-FIVE DAYS, PROCESS ALL DELETION REQUESTS
MADE PURSUANT TO THIS SECTION AND DELETE ALL PERSONAL INFORMATION
RELATED TO THE CONSUMERS MAKING VERIFIABLE CONSUMER REQUESTS CONSISTENT
WITH THE REQUIREMENTS OF THIS SECTION WITHIN FORTY-FIVE DAYS OF RECEIV-
ING SUCH REQUESTS AND DIRECT ALL SERVICE PROVIDERS, CONTRACTORS, AND
SUBSIDIARIES ASSOCIATED WITH THE DATA BROKER TO DELETE ALL PERSONAL
INFORMATION IN THEIR POSSESSION RELATED TO THE CONSUMERS MAKING SUCH
VERIFIABLE CONSUMER REQUESTS;
(B) CEASE ALL PROCESSING ACTIVITIES OF PERSONAL INFORMATION RELATED TO
THE CONSUMERS MAKING THE VERIFIABLE CONSUMER REQUESTS PROMPTLY AND WITH-
OUT REASONABLE DELAY NOT TO EXCEED FIVE DAYS AFTER RECEIVING A VERIFI-
ABLE CONSUMER REQUEST; AND
(C) WHERE A DATA BROKER DENIES A CONSUMER REQUEST TO DELETE UNDER THIS
SECTION BECAUSE THE REQUEST CANNOT BE VERIFIED, PROCESS THE REQUEST AS
AN OPT-OUT OF THE SALE OR SHARING OF THE CONSUMER'S PERSONAL INFORMATION
WITHIN FORTY-FIVE DAYS OF RECEIVING SUCH REQUEST AND DIRECT ALL SERVICE
PROVIDERS, CONTRACTORS, AND SUBSIDIARIES ASSOCIATED WITH THE DATA BROKER
TO PROCESS THE REQUEST AS AN OPT-OUT OF THE SALE OR SHARING OF THE
CONSUMER'S PERSONAL INFORMATION, REGARDLESS OF WHETHER SUCH DATA BROKER
HAS AN EXISTING POLICY PROVIDING FOR CONSUMERS TO OPT OUT.
4. (A) NOTWITHSTANDING ANY OTHER PROVISION OF THIS SECTION, A DATA
BROKER SHALL NOT BE REQUIRED TO DELETE A CONSUMER'S PERSONAL INFORMATION
TO THE EXTENT SUCH PERSONAL INFORMATION IS:
(I) USED BY A CONSUMER REPORTING AGENCY TO FURNISH A CONSUMER REPORT
PURSUANT TO THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681
ET SEQ.);
(II) STRICTLY NECESSARY TO FULFILL A SPECIFIC LEGAL REQUIREMENT ON
BEHALF OF A BUSINESS TO WHICH THE DATA BROKER IS BOUND BY A WRITTEN
CONTRACT TO FULFILL THAT LEGAL REQUIREMENT;
(III) USED TO PREVENT, DETECT, PROTECT AGAINST OR RESPOND TO SECURITY
INCIDENTS, IDENTITY THEFT, FRAUD, HARASSMENT, OR TO PRESERVE THE PHYSICAL
SECURITY AND TECHNICAL INTEGRITY OF SYSTEMS OR INVESTIGATE, REPORT,
OR PROSECUTE THOSE RESPONSIBLE FOR ANY SUCH ACTION;
(IV) STRICTLY NECESSARY TO INVESTIGATE, ESTABLISH, EXERCISE, PREPARE
FOR, OR DEFEND A LEGAL CLAIM; OR
(V) USED TO COMPLY WITH A CIVIL, CRIMINAL OR REGULATORY INQUIRY,
INVESTIGATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, MUNICIPAL, OR
OTHER GOVERNMENTAL AUTHORITY, PROVIDED THAT A BUSINESS THAT HAS RECEIVED
DIRECTION FROM A LAW ENFORCEMENT AGENCY NOT TO DELETE THE PERSONAL
INFORMATION OF A CONSUMER WHO HAS REQUESTED DELETION OF SUCH CONSUMER'S
PERSONAL INFORMATION SHALL NOT USE SUCH CONSUMER'S PERSONAL INFORMATION
FOR ANY PURPOSE OTHER THAN RETAINING IT TO PRODUCE TO LAW ENFORCEMENT IN
RESPONSE TO A COURT-ISSUED SUBPOENA, ORDER, OR WARRANT UNLESS SUCH
CONSUMER'S DELETION REQUEST IS SUBJECT TO AN EXEMPTION FROM DELETION
UNDER THIS ARTICLE.
(B) PERSONAL INFORMATION NOT REQUIRED TO BE DELETED UNDER PARAGRAPH
(A) OF THIS SUBDIVISION SHALL BE SEPARATED OR SEGREGATED FROM DATA USED
FOR ANY OTHER PURPOSE, DELETED IMMEDIATELY UPON THE EXPIRATION OF THE
LEGAL OR CONTRACTUAL REQUIREMENT, AND ONLY BE USED FOR PURPOSES DIRECTLY
RELATED TO SUCH EXCEPTIONS AND SHALL NOT BE USED OR DISCLOSED FOR ANY
OTHER PURPOSE.
5. WHERE A CONSUMER HAS SUBMITTED A DELETION REQUEST AND A DATA BROKER
HAS DELETED THE CONSUMER'S DATA PURSUANT TO THIS SECTION, THE DATA
BROKER SHALL:
(A) DELETE ALL PERSONAL INFORMATION OF THE CONSUMER AT LEAST ONCE
EVERY FORTY-FIVE DAYS PURSUANT TO THIS SECTION UNLESS THE CONSUMER
REQUESTS OTHERWISE OR THE DELETION IS NOT REQUIRED PURSUANT TO SUBDIVI-
SION FOUR OF THIS SECTION; AND
(B) NOT SELL OR SHARE NEW PERSONAL INFORMATION OF THE CONSUMER UNLESS
THE CONSUMER REQUESTS OTHERWISE UNLESS SUCH SELLING OR SHARING IS
PERMITTED UNDER SUBDIVISION FOUR OF THIS SECTION, PROVIDED THAT, WHERE
SELLING, SHARING OR RETENTION OF PERSONAL INFORMATION IS PERMITTED, SUCH
CONSUMER SHALL RECEIVE NOTICE OF CONTINUED RETENTION OF PERSONAL INFOR-
MATION.
6. THE ATTORNEY GENERAL MAY CHARGE AN ACCESS FEE TO A DATA BROKER WHEN
THE DATA BROKER ACCESSES THE DATA DELETION MECHANISM THAT DOES NOT
EXCEED THE REASONABLE COSTS OF PROVIDING THAT ACCESS.
7. A REQUEST MADE PURSUANT TO THIS SECTION SHALL BE DEEMED RECEIVED ON
THE DATE SUCH REQUEST IS MADE AVAILABLE TO THE DATA BROKER THROUGH THE
ACCESSIBLE DELETION MECHANISM ESTABLISHED PURSUANT TO THIS SECTION.
§ 1153. AUDIT. THREE YEARS AFTER THE EFFECTIVE DATE OF THIS SECTION
AND EVERY THREE YEARS THEREAFTER, EACH DATA BROKER SHALL UNDERGO AN
AUDIT BY AN INDEPENDENT THIRD PARTY TO DETERMINE COMPLIANCE WITH THIS
ARTICLE. EACH DATA BROKER SHALL SUBMIT A REPORT RESULTING FROM THE
AUDIT WRITTEN BY SUCH INDEPENDENT THIRD PARTY IN A FORM DETERMINED BY
THE ATTORNEY GENERAL AND ANY OTHER MATERIALS REQUIRED BY THE ATTORNEY
GENERAL TO THE ATTORNEY GENERAL WITHIN FIVE BUSINESS DAYS OF A WRITTEN
REQUEST BY THE ATTORNEY GENERAL. DATA BROKERS SHALL MAINTAIN SUCH
REPORTS AND ANY REQUIRED MATERIALS FOR AT LEAST SIX YEARS.
§ 1154. DATA BROKER WEBSITE DISCLOSURE REQUIREMENTS. 1. ON OR BEFORE
JULY FIRST FOLLOWING EACH CALENDAR YEAR, OR BY SUCH OTHER DATE AS THE
ATTORNEY GENERAL MAY ESTABLISH BY REGULATION IN WHICH A BUSINESS MEETS
THE DEFINITION OF A DATA BROKER AS PROVIDED IN THIS ARTICLE, THE BUSI-
NESS SHALL CLEARLY AND CONSPICUOUSLY POST THEIR PRIVACY POLICY ON THEIR
WEBSITE AS WELL AS DO ALL OF THE FOLLOWING:
(A) DISCLOSE THE NUMBER OF CONSUMER DELETION REQUESTS MADE TO THE DATA
BROKER PURSUANT TO SECTION ELEVEN HUNDRED FIFTY-TWO OF THIS ARTICLE;
(B) DISCLOSE THE MEDIAN AND THE MEAN NUMBER OF DAYS WITHIN WHICH THE
DATA BROKER SUBSTANTIVELY RESPONDED TO CONSUMER DELETION REQUESTS DURING
THE PREVIOUS CALENDAR YEAR; AND
(C) DISCLOSE THE METRICS COMPILED PURSUANT TO PARAGRAPHS (A) AND (B)
OF THIS SUBDIVISION WITHIN THE DATA BROKER'S PRIVACY POLICY POSTED ON
THEIR INTERNET WEBSITE AND ACCESSIBLE FROM A LINK INCLUDED IN THE DATA
BROKER'S PRIVACY POLICY.
2. IN ITS DISCLOSURE PURSUANT TO SUBDIVISION ONE OF THIS SECTION, A
DATA BROKER SHALL DISCLOSE THE NUMBER OF CONSUMER DELETION REQUESTS THAT
THE DATA BROKER DENIED IN WHOLE OR IN PART BECAUSE OF ANY OF THE FOLLOW-
ING:
(A) THE REQUEST WAS NOT VERIFIABLE;
(B) THE REQUEST WAS NOT MADE BY A CONSUMER OR A CONSUMER'S AUTHORIZED
AGENT;
(C) THE REQUEST CALLED FOR INFORMATION EXEMPT FROM DELETION; OR
(D) THE REQUEST WAS DENIED ON OTHER GROUNDS.
3. IN ITS DISCLOSURE PURSUANT TO SUBDIVISION ONE OF THIS SECTION, A
DATA BROKER SHALL SPECIFY THE NUMBER OF CONSUMER DELETION REQUESTS IN
WHICH DELETION WAS NOT REQUIRED IN WHOLE, OR IN PART, UNDER A RELEVANT
SECTION OF THIS ARTICLE.
4. A DATA BROKER SHALL PROVIDE, IN A FORM THAT IS EASILY ACCESSIBLE TO
CONSUMERS, AT LEAST TWO OR MORE DESIGNATED METHODS FOR SUBMITTING
DELETION REQUESTS TO SUCH DATA BROKER DIRECTLY. SUCH FORMS MAY INCLUDE A
TOLL-FREE TELEPHONE NUMBER, EMAIL OR ELECTRONIC SUBMISSION VIA THE DATA
BROKER'S INTERNET WEBSITE.
§ 1155. DATA BROKERS; COMPREHENSIVE INFORMATION SECURITY PROGRAM. 1. A
DATA BROKER SHALL DEVELOP, IMPLEMENT, AND MAINTAIN A DOCUMENTED COMPRE-
HENSIVE INFORMATION SECURITY PROGRAM THAT CONTAINS ADMINISTRATIVE, TECH-
NICAL, AND PHYSICAL SAFEGUARDS, INCLUDING BUT NOT LIMITED TO THE CESSA-
TION OF COLLECTION ACTIVITIES IN THE INTEREST OF THE CONSUMER, THAT ARE
APPROPRIATE ACCORDING TO:
(A) THE SIZE, SCOPE, AND TYPE OF BUSINESS OF THE DATA BROKER;
(B) THE NATURE OF RESOURCES AVAILABLE TO THE DATA BROKER;
(C) THE VOLUME AND SENSITIVITY OF STORED DATA; AND
(D) THE FORESEEABLE RISKS OF UNAUTHORIZED ACCESS, USE, OR DISCLOSURE
OF PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION.
2. A COMPREHENSIVE INFORMATION SECURITY PROGRAM REQUIRED PURSUANT TO
SUBDIVISION ONE OF THIS SECTION SHALL INCLUDE THE FOLLOWING FEATURES:
(A) DESIGNATION OF ONE OR MORE EMPLOYEES TO MAINTAIN THE PROGRAM;
(B) IDENTIFICATION AND ASSESSMENT OF REASONABLY FORESEEABLE INTERNAL
AND EXTERNAL RISKS TO THE SECURITY, CONFIDENTIALITY, AND INTEGRITY OF
ANY ELECTRONIC, PAPER, OR OTHER RECORDS CONTAINING PERSONAL INFORMATION;
(C) A PROCESS FOR EVALUATING AND IMPROVING, WHERE NECESSARY, THE
EFFECTIVENESS OF THE CURRENT SAFEGUARDS FOR LIMITING SUCH RISKS, INCLUD-
ING MEANS OF DETECTING AND PREVENTING SECURITY SYSTEM FAILURES;
(D) REASONABLE RESTRICTIONS UPON PHYSICAL ACCESS TO RECORDS CONTAINING
PERSONAL INFORMATION AND STORAGE OF THE RECORDS AND DATA IN LOCKED
FACILITIES, STORAGE AREAS, OR CONTAINERS;
(E) REGULAR MONITORING TO ENSURE THAT THE COMPREHENSIVE INFORMATION
SECURITY PROGRAM IS OPERATING IN A MANNER REASONABLY CALCULATED TO
PREVENT UNAUTHORIZED ACCESS TO OR UNAUTHORIZED USE OF PERSONAL INFORMA-
TION AND UPGRADING INFORMATION SAFEGUARDS AS NECESSARY TO LIMIT RISKS;
AND
(F) DOCUMENTATION OF RESPONSIVE ACTIONS TAKEN IN CONNECTION WITH ANY
INCIDENT INVOLVING A BREACH OF SECURITY AND MANDATORY POST-INCIDENT
REVIEW OF EVENTS AND ACTIONS TAKEN, IF ANY, TO MAKE CHANGES IN BUSINESS
PRACTICES RELATING TO PROTECTION OF PERSONAL INFORMATION.
3. (A) A COMPREHENSIVE INFORMATION SECURITY PROGRAM PURSUANT TO SUBDI-
VISION ONE OF THIS SECTION SHALL, TO THE EXTENT TECHNICALLY FEASIBLE,
INCLUDE THE FOLLOWING TECHNICAL ELEMENTS:
(I) A SECURE USER AUTHENTICATION PROTOCOL THAT HAS: (1) CONTROLLED
MANAGEMENT OF USER IDENTIFICATIONS AND CREDENTIALS; (2) SECURE METHODS
OF ASSIGNING AND SELECTING PASSWORDS, OR USE OF UNIQUE IDENTIFIER TECH-
NOLOGIES SUCH AS BIOMETRICS OR TOKEN DEVICES; (3) CONTROL OF DATA PASS-
WORDS IN A LOCATION, FORMAT AND MANNER THAT DOES NOT COMPROMISE THE
SECURITY OF THE DATA PROTECTED; AND (4) THE ABILITY TO RESTRICT ACCESS;
(II) ENCRYPTION AND DE-IDENTIFICATION OF ALL SENSITIVE PERSONAL INFOR-
MATION TRANSMITTED ACROSS PUBLIC NETWORKS OR WIRELESSLY PRIOR TO TRANS-
MISSION;
(III) REASONABLE MONITORING OF SYSTEMS FOR UNAUTHORIZED USE OF OR
ACCESS TO PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION;
(IV) REASONABLY UP-TO-DATE FIREWALL PROTECTION AND OPERATING SYSTEM
SECURITY PATCHES THAT ARE REASONABLY DESIGNED TO MAINTAIN THE INTEGRITY
OF THE PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION; AND
(V) REASONABLY CURRENT SYSTEM SECURITY SOFTWARE, INCLUDING MALWARE
PROTECTION AND UP-TO-DATE PATCHES AND VIRUS DEFINITIONS, CONFIGURED TO
RECEIVE SECURITY UPDATES ON A REGULAR BASIS.
(B) NOTHING IN THIS SUBDIVISION SHALL PROHIBIT A COMPREHENSIVE INFOR-
MATION SECURITY PROGRAM FROM PROVIDING A HIGHER DEGREE OF SECURITY THAN
THE PROTOCOLS DESCRIBED IN THIS SUBDIVISION.
§ 1156. RULEMAKING. THE ATTORNEY GENERAL SHALL ADOPT RULES AND REGU-
LATIONS AS NECESSARY OR CONVENIENT TO IMPLEMENT AND EFFECTUATE THE
PROVISIONS OF THIS ARTICLE.
§ 1157. ENFORCEMENT. 1. A DATA BROKER THAT FAILS TO REGISTER UNDER
THIS ARTICLE SHALL BE SUBJECT TO:
(A) A CIVIL PENALTY OF FIVE HUNDRED DOLLARS FOR EACH DAY THE DATA
BROKER FAILS TO REGISTER OR FAILS TO COMPLY WITH THE REGISTRATION
REQUIREMENTS AS REQUIRED BY THIS ARTICLE;
(B) A CIVIL PENALTY EQUAL TO THE AMOUNT OF REGISTRATION FEES WHICH
WOULD HAVE BEEN PAID IF THE DATA BROKER HAD REGISTERED;
(C) A CIVIL PENALTY OF FIVE HUNDRED DOLLARS FOR EACH DELETION REQUEST
FOR EACH DAY THE DATA BROKER FAILS TO DELETE INFORMATION AS REQUIRED BY
SECTION ELEVEN HUNDRED FIFTY-TWO OF THIS ARTICLE;
(D) A CIVIL PENALTY OF TWO HUNDRED FIFTY DOLLARS FOR EACH DAY THE DATA
BROKER FAILS TO COMPLY WITH THE WEBSITE DISCLOSURE REQUIREMENTS AS SET
FORTH IN SECTION ELEVEN HUNDRED FIFTY-FOUR OF THIS ARTICLE; AND
(E) APPROPRIATE EXPENSES INCURRED BY THE ATTORNEY GENERAL IN THE
INVESTIGATION AND ADMINISTRATION OF THE ACTION, THAT ARE DEEMED APPRO-
PRIATE BY THE COURT.
2. AN APPLICATION MAY BE MADE BY THE ATTORNEY GENERAL IN THE NAME OF
THE PEOPLE OF THE STATE OF NEW YORK TO A COURT OR JUSTICE HAVING JURIS-
DICTION BY A SPECIAL PROCEEDING TO ISSUE AN INJUNCTION WITH RESPECT TO A
VIOLATION OF THIS ARTICLE, AND UPON NOTICE TO THE DEFENDANT OF NOT LESS
THAN FIVE DAYS, TO ENJOIN AND RESTRAIN THE CONTINUANCE OF SUCH
VIOLATION.
§ 1158. EXEMPTIONS. 1. THIS ARTICLE SHALL NOT APPLY TO ANY OF THE
FOLLOWING: (A) A COVERED ENTITY GOVERNED BY THE PRIVACY, SECURITY, AND
BREACH NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF
HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF
FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSUR-
ANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191), TO
THE EXTENT THE COVERED ENTITY MAINTAINS, USES, AND DISCLOSES PROTECTED
HEALTH INFORMATION IN COMPLIANCE WITH THE PRIVACY, SECURITY, AND BREACH
NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND
HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL
REGULATIONS, ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTA-
BILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191) AND THE
FEDERAL HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH
ACT, TITLE XIII OF THE FEDERAL AMERICAN RECOVERY AND REINVESTMENT ACT OF
2009 (PUBLIC LAW 111-5).
(B) A BUSINESS ASSOCIATE OF A COVERED ENTITY GOVERNED BY THE PRIVACY,
SECURITY, AND DATA BREACH NOTIFICATION RULES ISSUED BY THE UNITED STATES
DEPARTMENT OF HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45
OF THE CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO THE FEDERAL
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW
104-191) AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND
CLINICAL HEALTH ACT, TITLE XIII OF THE FEDERAL AMERICAN RECOVERY AND
REINVESTMENT ACT OF 2009 (PUBLIC LAW 111-5), TO THE EXTENT THAT SUCH
BUSINESS ASSOCIATE MAINTAINS, USES, AND DISCLOSES PROTECTED HEALTH
INFORMATION IN COMPLIANCE WITH THE PRIVACY, SECURITY, AND BREACH NOTIFI-
CATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN
SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGU-
LATIONS, ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABIL-
ITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191) AND THE FEDERAL
HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT,
TITLE XIII OF THE FEDERAL AMERICAN RECOVERY AND REINVESTMENT ACT OF 2009
(PUBLIC LAW 111-5).
(C) INFORMATION THAT IS COLLECTED, USED, OR DISCLOSED IN RESEARCH, AS
DEFINED IN SECTION 164.501 OF TITLE 45 OF THE CODE OF FEDERAL REGU-
LATIONS, INCLUDING, BUT NOT LIMITED TO, A CLINICAL TRIAL, AND THAT IS
CONDUCTED IN ACCORDANCE WITH APPLICABLE ETHICS, CONFIDENTIALITY, PRIVA-
CY, AND SECURITY RULES OF PART 164 OF TITLE 45 OF THE CODE OF FEDERAL
REGULATIONS, THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS,
ALSO KNOWN AS THE COMMON RULE, GOOD CLINICAL PRACTICE GUIDELINES ISSUED
BY THE INTERNATIONAL COUNCIL FOR HARMONIZATION, OR HUMAN SUBJECT
PROTECTION REQUIREMENTS OF THE UNITED STATES FOOD AND DRUG ADMINIS-
TRATION.
(D) A HEALTH INFORMATION NETWORK REGULATED UNDER 10 NYCRR PART 300,
INCLUDING THE DEPARTMENT OF HEALTH'S DESIGNATED CONTRACTOR OR A QUALI-
FIED ENTITY UNDER 10 NYCRR 300.4 TO THE EXTENT SUCH HEALTH INFORMATION
NETWORK IS IN COMPLIANCE THEREWITH WITH RESPECT TO THE PERSONAL INFORMA-
TION.
(E) PERSONAL INFORMATION COLLECTED, PROCESSED, SOLD OR DISCLOSED TO
THE EXTENT THAT IT IS COVERED BY THE FEDERAL FAIR CREDIT REPORTING ACT
(15 U.S.C. SEC. 1681 ET SEQ.).
(F) PERSONAL INFORMATION COLLECTED, PROCESSED, SOLD, OR DISCLOSED TO
THE EXTENT THAT IT IS COVERED BY THE GRAMM-LEACH-BLILEY ACT (PUBLIC LAW
106-102) AND IMPLEMENTING REGULATIONS.
(G) PERSONAL INFORMATION COLLECTED, PROCESSED, USED, DISCLOSED, SOLD,
SHARED, LICENSED, OR TRANSFERRED BY OR ON BEHALF OF A CANDIDATE, A POLI-
TICAL COMMITTEE, A PARTY COMMITTEE, A CONSTITUTED COMMITTEE, OR AN INDE-
PENDENT EXPENDITURE COMMITTEE, AS SUCH TERMS ARE USED IN ARTICLE FOUR-
TEEN OF THE ELECTION LAW, INCLUDING AN AUTHORIZED COMMITTEE AS DEFINED
IN SECTION 14-200-A OF THE ELECTION LAW, OR BY A CONSULTANT, POLITICAL,
MEDIA OR FUNDRAISING ADVISOR, VENDOR, CONTRACTOR, OR AGENT THAT HAS BEEN
COMPENSATED, REIMBURSED OR RETAINED BY, OR THAT ACTS ON BEHALF OF OR AT
THE DIRECTION OF, ANY SUCH CANDIDATE OR COMMITTEE, TO THE EXTENT THAT
SUCH PERSONAL INFORMATION IS COLLECTED, PROCESSED, USED, DISCLOSED,
SOLD, SHARED, LICENSED, OR TRANSFERRED SOLELY IN CONNECTION WITH ACTIV-
ITY REGULATED BY THE ELECTION LAW OR TO COMPLY WITH A REQUIREMENT OF THE
ELECTION LAW.
2. FOR PURPOSES OF THIS SECTION, THE FOLLOWING TERMS SHALL HAVE THE
FOLLOWING MEANINGS:
(A) "BUSINESS ASSOCIATE" HAS THE SAME MEANING AS DEFINED IN SECTION
160.103 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS.
(B) "COVERED ENTITY" HAS THE SAME MEANING AS DEFINED IN SECTION
160.103 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS.
(C) "IDENTIFIABLE PRIVATE INFORMATION" HAS THE SAME MEANING AS DEFINED
IN SECTION 46.102 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS.
(D) "INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION" HAS THE SAME MEAN-
ING AS DEFINED IN SECTION 160.103 OF TITLE 45 OF THE CODE OF FEDERAL
REGULATIONS.
(E) "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS DEFINED IN
SECTION 160.103 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS.
§ 2. Severability. If any clause, sentence, paragraph, subdivision,
section or part of this act shall be adjudged by any court of competent
jurisdiction to be invalid, such judgment shall not affect, impair, or
invalidate the remainder thereof, but shall be confined in its operation
to the clause, sentence, paragraph, subdivision, section or part thereof
directly involved in the controversy in which such judgment shall have
been rendered. It is hereby declared to be the intent of the legislature
that this act would have been enacted even if such invalid provisions
had not been included herein.
§ 3. This act shall take effect immediately.