STATE OF NEW YORK
9131
IN SENATE
February 5, 2026
Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology
AN ACT to amend the general business law, in relation to data broker regulation
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article 42-A to read as follows:
ARTICLE 42-A
DATA BROKER REGULATION
SECTION 1200. DEFINITIONS.
1201. ACQUISITION OF PERSONALLY IDENTIFIABLE INFORMATION; PROHIBITION.
1202. DATA BROKERS; COMPREHENSIVE INFORMATION SECURITY PROGRAM.
1203. DATA BROKERS; REGISTRATION.
1204. ENFORCEMENT; CIVIL PENALTIES.
§ 1200. DEFINITIONS. AS USED IN THIS ARTICLE, UNLESS THE CONTEXT REQUIRES A DIFFERENT MEANING:
1. "ARTIFICIAL INTELLIGENCE SYSTEM" MEANS ANY MACHINE LEARNING-BASED SYSTEM THAT, FOR ANY EXPLICIT OR IMPLICIT OBJECTIVE, INFERS FROM THE INPUTS SUCH SYSTEM RECEIVES HOW TO GENERATE OUTPUTS, INCLUDING CONTENT, DECISIONS, PREDICTIONS, AND RECOMMENDATIONS, THAT CAN INFLUENCE PHYSICAL OR VIRTUAL ENVIRONMENTS. "ARTIFICIAL INTELLIGENCE SYSTEM" DOES NOT INCLUDE ANY ARTIFICIAL INTELLIGENCE SYSTEM OR GENERAL PURPOSE ARTIFICIAL INTELLIGENCE MODEL THAT IS USED FOR DEVELOPMENT, PROTOTYPING, AND RESEARCH ACTIVITIES BEFORE SUCH ARTIFICIAL INTELLIGENCE SYSTEM OR GENERAL PURPOSE ARTIFICIAL INTELLIGENCE MODEL IS MADE AVAILABLE TO DEPLOYERS OR CONSUMERS.
2. "BIOMETRIC DATA" MEANS DATA GENERATED BY AUTOMATIC MEASUREMENTS OF AN INDIVIDUAL'S BIOLOGICAL CHARACTERISTICS, SUCH AS A FINGERPRINT, VOICEPRINT, EYE RETINAS, IRISES, OR OTHER UNIQUE BIOLOGICAL PATTERNS OR CHARACTERISTICS THAT IS USED TO IDENTIFY A SPECIFIC INDIVIDUAL. "BIOMETRIC DATA" DOES NOT INCLUDE A PHYSICAL OR DIGITAL PHOTOGRAPH, A VIDEO OR AUDIO RECORDING OR DATA GENERATED THEREFROM, OR INFORMATION COLLECTED, USED, OR STORED FOR HEALTH CARE TREATMENT, PAYMENT, OR OPERATIONS UNDER HIPAA.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD14643-02-6
3. "BUSINESS" MEANS A CORPORATION, PARTNERSHIP, SOLE PROPRIETORSHIP, FIRM, ENTERPRISE, FRANCHISE, ASSOCIATION, TRUST OR FOUNDATION, OR ANY OTHER INDIVIDUAL OR ENTITY CARRYING ON A BUSINESS OR PROFESSION, WHETHER OR NOT FOR PROFIT. "BUSINESS" DOES NOT INCLUDE A STATE OR LOCAL AGENCY.
4. "CONSUMER" MEANS A NATURAL PERSON WHO IS A RESIDENT OF THE STATE OF NEW YORK ACTING ONLY IN AN INDIVIDUAL OR HOUSEHOLD CONTEXT. "CONSUMER" DOES NOT INCLUDE A NATURAL PERSON ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT.
5. "DATA BROKER" MEANS A BUSINESS THAT KNOWINGLY COLLECTS AND CONDUCTS THE SALE OF PERSONALLY IDENTIFIABLE INFORMATION TO THIRD PARTIES. THE FOLLOWING ACTIVITIES CONDUCTED BY A BUSINESS, AND THE COLLECTION AND SALE OR LICENSING OF PERSONALLY IDENTIFIABLE INFORMATION INCIDENTAL TO CONDUCTING THESE ACTIVITIES, DO NOT QUALIFY THE BUSINESS AS A "DATA BROKER":
(A) PROVIDING 411 DIRECTORY ASSISTANCE OR DIRECTORY INFORMATION SERVICES, INCLUDING NAME, ADDRESS, AND TELEPHONE NUMBER, ON BEHALF OF OR AS A FUNCTION OF A TELECOMMUNICATIONS CARRIER;
(B) PROVIDING PUBLICLY AVAILABLE INFORMATION RELATED TO A CONSUMER'S BUSINESS OR PROFESSION; OR
(C) PROVIDING PUBLICLY AVAILABLE INFORMATION THROUGH REAL-TIME OR NEAR-REAL-TIME ALERT SERVICES FOR HEALTH OR SAFETY PURPOSES.
6. "DATA BROKER SECURITY BREACH" MEANS AN UNAUTHORIZED ACQUISITION OR A REASONABLE BELIEF OF AN UNAUTHORIZED ACQUISITION OF MORE THAN ONE ELEMENT OF PERSONALLY IDENTIFIABLE INFORMATION MAINTAINED BY A DATA BROKER WHEN THE PERSONALLY IDENTIFIABLE INFORMATION IS NOT DE-IDENTIFIED, REDACTED, OR PROTECTED BY ANOTHER METHOD THAT RENDERS THE INFORMATION UNREADABLE OR UNUSABLE BY AN UNAUTHORIZED PERSON. "DATA BROKER SECURITY BREACH" DOES NOT INCLUDE GOOD FAITH BUT UNAUTHORIZED ACQUISITION OF PERSONALLY IDENTIFIABLE INFORMATION BY AN EMPLOYEE OR AGENT OF THE DATA BROKER FOR A LEGITIMATE PURPOSE OF THE DATA BROKER, PROVIDED THAT THE PERSONALLY IDENTIFIABLE INFORMATION IS NOT USED FOR A PURPOSE UNRELATED TO THE DATA BROKER'S BUSINESS OR SUBJECT TO FURTHER UNAUTHORIZED DISCLOSURE. IN DETERMINING WHETHER PERSONALLY IDENTIFIABLE INFORMATION HAS BEEN ACQUIRED OR IS REASONABLY BELIEVED TO HAVE BEEN ACQUIRED BY A PERSON WITHOUT VALID AUTHORIZATION, A DATA BROKER MAY CONSIDER:
(A) INDICATIONS THAT THE PERSONALLY IDENTIFIABLE INFORMATION IS IN THE PHYSICAL POSSESSION AND CONTROL OF A PERSON WITHOUT VALID AUTHORIZATION, SUCH AS A LOST OR STOLEN COMPUTER OR OTHER DEVICE CONTAINING PERSONALLY IDENTIFIABLE INFORMATION;
(B) INDICATIONS THAT THE PERSONALLY IDENTIFIABLE INFORMATION HAS BEEN DOWNLOADED OR COPIED;
(C) INDICATIONS THAT THE PERSONALLY IDENTIFIABLE INFORMATION WAS USED BY AN UNAUTHORIZED PERSON, SUCH AS FRAUDULENT ACCOUNTS OPENED OR INSTANCES OF IDENTITY THEFT REPORTED; OR
(D) THAT THE PERSONALLY IDENTIFIABLE INFORMATION HAS BEEN MADE PUBLIC.
7. (A) "DE-IDENTIFIED DATA" MEANS DATA THAT CANNOT REASONABLY BE LINKED TO AN IDENTIFIED OR IDENTIFIABLE NATURAL PERSON, OR A DEVICE LINKED TO SUCH PERSON, PROVIDED THAT A CONTROLLER THAT POSSESSES "DE-IDENTIFIED DATA" SHALL:
(I) TAKE REASONABLE MEASURES TO ENSURE THAT SUCH INFORMATION CANNOT BE ASSOCIATED WITH A CONSUMER OR A HOUSEHOLD;
(II) PUBLICLY COMMIT TO MAINTAINING AND USING DE-IDENTIFIED DATA WITHOUT ATTEMPTING TO RE-IDENTIFY THE DATA; AND
(III) CONTRACTUALLY OBLIGATE ANY RECIPIENTS OF THE DE-IDENTIFIED DATA TO COMPLY WITH ALL PROVISIONS OF THIS ARTICLE.
(B) NOTHING IN THIS ARTICLE SHALL BE CONSTRUED TO (I) REQUIRE A CONTROLLER OR PROCESSOR TO RE-IDENTIFY DE-IDENTIFIED DATA OR PSEUDONYMOUS DATA OR (II) MAINTAIN DATA IN IDENTIFIABLE FORM, OR COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY, IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA.
8. "IDENTIFIED OR IDENTIFIABLE NATURAL PERSON" MEANS A PERSON WHO CAN BE READILY IDENTIFIED, DIRECTLY OR INDIRECTLY.
9. (A) "PERSONALLY IDENTIFIABLE INFORMATION" MEANS INFORMATION THAT IDENTIFIES, RELATES TO, DESCRIBES, IS REASONABLY CAPABLE OF BEING ASSOCIATED WITH, OR COULD REASONABLY BE LINKED, WHETHER DIRECTLY OR INDIRECTLY, WITH A PARTICULAR CONSUMER. "PERSONALLY IDENTIFIABLE INFORMATION" INCLUDES THE FOLLOWING:
(I) IDENTIFIERS SUCH AS A REAL NAME, ALIAS, POSTAL ADDRESS, UNIQUE PERSONAL IDENTIFIER, ONLINE IDENTIFIER, INTERNET PROTOCOL ADDRESS, EMAIL ADDRESS, ACCOUNT NAME, SOCIAL SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT NUMBER, OR SIMILAR IDENTIFIER;
(II) CHARACTERISTICS OF PROTECTED CLASSIFICATIONS UNDER STATE OR FEDERAL LAW;
(III) COMMERCIAL INFORMATION, INCLUDING RECORDS OF PERSONAL PROPERTY, PRODUCT OR SERVICE PURCHASES, WHETHER OBTAINED OR CONSIDERED, OR OTHER PURCHASING OR CONSUMING HISTORIES OR TENDENCIES;
(IV) BIOMETRIC DATA;
(V) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION, INCLUDING BROWSING HISTORY, SEARCH HISTORY, AND INFORMATION REGARDING A CONSUMER'S INTERACTION WITH AN INTERNET WEBSITE APPLICATION OR ADVERTISEMENT;
(VI) PRECISE GEOLOCATION DATA;
(VII) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR INFORMATION;
(VIII) INFORMATION RELATED TO PROFESSION OR EMPLOYMENT;
(IX) EDUCATION INFORMATION THAT IS NOT PUBLICLY AVAILABLE PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (20 U.S.C. § 1232G);
(X) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED IN THIS DEFINITION TO CREATE A PROFILE ABOUT A CONSUMER REFLECTING THE CONSUMER'S PREFERENCES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS, PREDISPOSITIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND APTITUDES; AND
(XI) SENSITIVE DATA.
(B) "PERSONALLY IDENTIFIABLE INFORMATION" DOES NOT INCLUDE PUBLICLY AVAILABLE INFORMATION OR PERSONALLY IDENTIFIABLE INFORMATION THAT HAS BEEN DE-IDENTIFIED.
10. "PRECISE GEOLOCATION DATA" MEANS INFORMATION DERIVED FROM TECHNOLOGY, INCLUDING BUT NOT LIMITED TO GLOBAL POSITIONING SYSTEM LEVEL LATITUDE AND LONGITUDE COORDINATES OR OTHER MECHANISMS, THAT DIRECTLY IDENTIFIES THE SPECIFIC LOCATION OF A NATURAL PERSON WITH PRECISION AND ACCURACY WITHIN A RADIUS OF ONE THOUSAND SEVEN HUNDRED FIFTY FEET. "PRECISE GEOLOCATION DATA" DOES NOT INCLUDE THE CONTENT OF COMMUNICATIONS OR ANY DATA GENERATED BY OR CONNECTED TO ADVANCED UTILITY METERING INFRASTRUCTURE SYSTEMS OR EQUIPMENT FOR USE BY A UTILITY.
11. (A) "PUBLICLY AVAILABLE INFORMATION" MEANS INFORMATION THAT HAS BEEN LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC FROM (I) FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS, IF THE PERSON COLLECTS, PROCESSES, AND TRANSFERS SUCH INFORMATION IN ACCORDANCE WITH ANY RESTRICTIONS OR TERMS OF USE PLACED ON THE INFORMATION BY THE RELEVANT GOVERNMENT ENTITY; (II) WIDELY DISTRIBUTED MEDIA; OR (III) A DISCLOSURE TO THE GENERAL PUBLIC AS REQUIRED BY FEDERAL, STATE, OR LOCAL LAW.
(B) "PUBLICLY AVAILABLE INFORMATION" DOES NOT INCLUDE (I) ANY OBSCENE VISUAL DEPICTION; (II) ANY INFERENCE MADE EXCLUSIVELY FROM MULTIPLE INDEPENDENT SOURCES OF PUBLICLY AVAILABLE INFORMATION THAT REVEALS SENSITIVE DATA WITH RESPECT TO A CONSUMER; (III) BIOMETRIC DATA; (IV) PERSONAL DATA THAT IS CREATED THROUGH THE COMBINATION OF PERSONAL DATA WITH PUBLICLY AVAILABLE INFORMATION; (V) GENETIC DATA, UNLESS OTHERWISE MADE PUBLICLY AVAILABLE BY THE INDIVIDUAL TO WHOM THE INFORMATION PERTAINS; OR (VI) INTIMATE IMAGES, WHETHER AUTHENTIC OR COMPUTER-GENERATED, KNOWN TO BE NONCONSENSUAL.
12. "SALE OF PERSONALLY IDENTIFIABLE INFORMATION" MEANS THE EXCHANGE OF PERSONALLY IDENTIFIABLE INFORMATION FOR MONETARY OR OTHER VALUABLE CONSIDERATION BY A DATA BROKER TO A THIRD PARTY. "SALE OF PERSONALLY IDENTIFIABLE INFORMATION" DOES NOT INCLUDE A ONE-TIME OR OCCASIONAL SALE OF ASSETS OF A BUSINESS AS PART OF A TRANSFER OF CONTROL OF THOSE ASSETS THAT IS NOT PART OF THE ORDINARY CONDUCT OF THE BUSINESS OR A SALE OF PERSONALLY IDENTIFIABLE INFORMATION THAT IS MERELY INCIDENTAL TO THE BUSINESS.
13. "SENSITIVE DATA" MEANS A CATEGORY OF PERSONAL DATA THAT INCLUDES:
(A) PERSONAL DATA REVEALING RACIAL OR ETHNIC ORIGIN, RELIGIOUS BELIEFS, MENTAL OR PHYSICAL HEALTH DIAGNOSIS, SEXUAL ORIENTATION, OR CITIZENSHIP OR IMMIGRATION STATUS;
(B) THE PROCESSING OF GENETIC OR BIOMETRIC DATA FOR THE PURPOSE OF UNIQUELY IDENTIFYING A NATURAL PERSON;
(C) THE PERSONAL DATA COLLECTED FROM A KNOWN CHILD; OR
(D) PRECISE GEOLOCATION DATA.
§ 1201. ACQUISITION OF PERSONALLY IDENTIFIABLE INFORMATION; PROHIBITION. 1. NO PERSON SHALL ACQUIRE PERSONALLY IDENTIFIABLE INFORMATION THROUGH FRAUDULENT MEANS.
2. NO PERSON SHALL ACQUIRE OR USE PERSONALLY IDENTIFIABLE INFORMATION FOR THE PURPOSE OF:
(A) STALKING OR HARASSING ANOTHER PERSON;
(B) COMMITTING A FRAUD, INCLUDING IDENTITY THEFT, FINANCIAL FRAUD, OR EMAIL FRAUD; OR
(C) ENGAGING IN UNLAWFUL DISCRIMINATION, INCLUDING EMPLOYMENT DISCRIMINATION OR HOUSING DISCRIMINATION.
§ 1202. DATA BROKERS; COMPREHENSIVE INFORMATION SECURITY PROGRAM. 1. (A) A DATA BROKER SHALL DEVELOP, IMPLEMENT, AND MAINTAIN A COMPREHENSIVE INFORMATION SECURITY PROGRAM THAT IS WRITTEN IN ONE OR MORE READILY ACCESSIBLE PARTS AND CONTAINS ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS THAT ARE APPROPRIATE ACCORDING TO:
(I) THE SIZE, SCOPE, AND TYPE OF BUSINESS OF THE DATA BROKER;
(II) THE AMOUNT OF RESOURCES AVAILABLE TO THE DATA BROKER;
(III) THE AMOUNT OF STORED DATA; AND
(IV) THE NEED FOR SECURITY AND CONFIDENTIALITY OF PERSONALLY IDENTIFIABLE INFORMATION.
(B) A DATA BROKER SHALL ADOPT SAFEGUARDS IN THE COMPREHENSIVE SECURITY PROGRAM THAT ARE CONSISTENT WITH THE SAFEGUARDS FOR PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION AND INFORMATION OF A SIMILAR CHARACTER SET FORTH IN OTHER STATE OR FEDERAL LAWS OR REGULATIONS APPLICABLE TO THE DATA BROKER.
2. A COMPREHENSIVE INFORMATION SECURITY PROGRAM REQUIRED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL INCLUDE THE FOLLOWING FEATURES:
(A) DESIGNATION OF ONE OR MORE EMPLOYEES TO MAINTAIN THE PROGRAM;
(B) IDENTIFICATION AND ASSESSMENT OF REASONABLY FORESEEABLE INTERNAL AND EXTERNAL RISKS TO THE SECURITY, CONFIDENTIALITY, AND INTEGRITY OF ANY ELECTRONIC, PAPER, OR OTHER RECORDS CONTAINING PERSONALLY IDENTIFIABLE INFORMATION;
(C) A PROCESS FOR EVALUATING AND IMPROVING, WHERE NECESSARY, THE EFFECTIVENESS OF THE CURRENT SAFEGUARDS FOR LIMITING SUCH RISKS, INCLUDING (I) ONGOING EMPLOYEE TRAINING, INCLUDING TRAINING FOR TEMPORARY AND CONTRACT EMPLOYEES; (II) EMPLOYEE COMPLIANCE WITH POLICIES AND PROCEDURES; AND (III) MEANS OF DETECTING AND PREVENTING SECURITY SYSTEM FAILURES;
(D) SECURITY POLICIES FOR EMPLOYEES RELATING TO THE STORAGE, ACCESS, AND TRANSPORTATION OF RECORDS CONTAINING PERSONALLY IDENTIFIABLE INFORMATION OUTSIDE BUSINESS PREMISES;
(E) DISCIPLINARY MEASURES FOR VIOLATIONS OF THE COMPREHENSIVE INFORMATION SECURITY PROGRAM RULES;
(F) MEASURES THAT PREVENT TERMINATED EMPLOYEES FROM ACCESSING RECORDS CONTAINING PERSONALLY IDENTIFIABLE INFORMATION;
(G) SUPERVISION OF THIRD-PARTY SERVICE PROVIDERS BY TAKING REASONABLE STEPS TO SELECT AND RETAIN SUCH PROVIDERS THAT ARE CAPABLE OF MAINTAINING APPROPRIATE SECURITY MEASURES TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION CONSISTENT WITH APPLICABLE LAW AND BY REQUIRING SUCH PROVIDERS BY CONTRACT TO IMPLEMENT AND MAINTAIN APPROPRIATE SECURITY MEASURES FOR PERSONALLY IDENTIFIABLE INFORMATION;
(H) REASONABLE RESTRICTIONS UPON PHYSICAL ACCESS TO RECORDS CONTAINING PERSONALLY IDENTIFIABLE INFORMATION AND STORAGE OF THE RECORDS AND DATA IN LOCKED FACILITIES, STORAGE AREAS, OR CONTAINERS;
(I) REGULAR MONITORING TO ENSURE THAT THE COMPREHENSIVE INFORMATION SECURITY PROGRAM IS OPERATING IN A MANNER REASONABLY CALCULATED TO PREVENT UNAUTHORIZED ACCESS TO OR UNAUTHORIZED USE OF PERSONALLY IDENTIFIABLE INFORMATION AND UPGRADING INFORMATION SAFEGUARDS AS NECESSARY TO LIMIT RISKS;
(J) REVIEW OF THE SCOPE OF THE SECURITY MEASURES (I) AT LEAST ANNUALLY; AND (II) WHENEVER THERE IS A MATERIAL CHANGE IN BUSINESS PRACTICES THAT MAY REASONABLY IMPLICATE THE SECURITY OR INTEGRITY OF RECORDS CONTAINING PERSONALLY IDENTIFIABLE INFORMATION; AND
(K) DOCUMENTATION OF RESPONSIVE ACTIONS TAKEN IN CONNECTION WITH ANY INCIDENT INVOLVING A BREACH OF SECURITY AND MANDATORY POST-INCIDENT REVIEW OF EVENTS AND ACTIONS TAKEN, IF ANY, TO MAKE CHANGES IN BUSINESS PRACTICES RELATING TO PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION.
3. (A) A COMPREHENSIVE INFORMATION SECURITY PROGRAM REQUIRED PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL, TO THE EXTENT TECHNICALLY FEASIBLE, INCLUDE THE FOLLOWING TECHNICAL ELEMENTS:
(I) A SECURE USER AUTHENTICATION PROTOCOL THAT HAS (A) THE CONTROL OF USER IDENTIFICATIONS AND OTHER IDENTIFIERS; (B) A REASONABLY SECURE METHOD OF ASSIGNING AND SELECTING PASSWORDS OR USE OF UNIQUE IDENTIFIER TECHNOLOGIES, SUCH AS BIOMETRICS OR TOKEN DEVICES; (C) CONTROL OF DATA SECURITY PASSWORDS TO ENSURE THAT SUCH PASSWORDS ARE KEPT IN A LOCATION AND FORMAT THAT DO NOT COMPROMISE THE SECURITY OF THE DATA THEY PROTECT; (D) THE ABILITY TO RESTRICT ACCESS TO ONLY ACTIVE USERS AND ACTIVE USER ACCOUNTS; AND (E) THE ABILITY TO BLOCK ACCESS TO USER IDENTIFICATION AFTER MULTIPLE UNSUCCESSFUL ATTEMPTS TO GAIN ACCESS;
(II) SECURE ACCESS CONTROL MEASURES THAT RESTRICT ACCESS TO RECORDS AND FILES CONTAINING PERSONALLY IDENTIFIABLE INFORMATION TO THOSE WHO NEED SUCH INFORMATION TO PERFORM THEIR JOB DUTIES AND ASSIGN TO EACH PERSON WITH COMPUTER ACCESS UNIQUE IDENTIFICATIONS PLUS PASSWORDS THAT ARE NOT VENDOR-SUPPLIED DEFAULT PASSWORDS AND THAT ARE REASONABLY DESIGNED TO MAINTAIN THE INTEGRITY OF THE SECURITY OF THE ACCESS CONTROLS;
(III) A MECHANISM THAT ENSURES THAT ALL TRANSMITTED RECORDS AND FILES CONTAINING PERSONALLY IDENTIFIABLE INFORMATION THAT WILL TRAVEL ACROSS PUBLIC NETWORKS AND ALL DATA CONTAINING PERSONALLY IDENTIFIABLE INFORMATION TO BE TRANSMITTED WIRELESSLY SHALL BE TRANSFORMED TO DE-IDENTIFIED DATA PRIOR TO SUCH TRAVEL OR TRANSMISSION;
(IV) REASONABLE MONITORING OF SYSTEMS FOR UNAUTHORIZED USE OF OR ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION;
(V) A MECHANISM THAT ENSURES THAT ALL PERSONALLY IDENTIFIABLE INFORMATION STORED ON LAPTOPS OR OTHER PORTABLE DEVICES IS DE-IDENTIFIED PRIOR TO SUCH STORAGE;
(VI) FOR FILES CONTAINING PERSONALLY IDENTIFIABLE INFORMATION ON A SYSTEM THAT IS CONNECTED TO THE INTERNET, REASONABLY UP-TO-DATE FIREWALL PROTECTION AND OPERATING SYSTEM SECURITY PATCHES THAT ARE REASONABLY DESIGNED TO MAINTAIN THE INTEGRITY OF THE PERSONALLY IDENTIFIABLE INFORMATION;
(VII) REASONABLY UP-TO-DATE VERSIONS OF SYSTEM SECURITY AGENT SOFTWARE THAT SHALL INCLUDE MALWARE PROTECTION AND REASONABLY UP-TO-DATE PATCHES AND VIRUS DEFINITIONS, OR A VERSION OF SUCH SOFTWARE THAT CAN STILL BE SUPPORTED WITH UP-TO-DATE PATCHES AND VIRUS DEFINITIONS AND IS SET TO RECEIVE THE MOST CURRENT SECURITY UPDATES ON A REGULAR BASIS; AND
(VIII) EDUCATION AND TRAINING OF EMPLOYEES IN THE PROPER USE OF THE COMPUTER SECURITY SYSTEM AND THE IMPORTANCE OF PERSONALLY IDENTIFIABLE INFORMATION SECURITY.
(B) NOTHING IN THIS SUBDIVISION SHALL PROHIBIT A COMPREHENSIVE INFORMATION SECURITY PROGRAM FROM PROVIDING A HIGHER DEGREE OF SECURITY THAN THE PROTOCOLS DESCRIBED IN THIS SUBDIVISION.
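As an added illustration that is not part of the bill or of any regulator's guidance, the following Python sketches how a data broker's credential store could implement the authentication controls in subdivision three, paragraph (a), subparagraphs (i) and (ii): salted hashing so stored passwords do not compromise the data they protect (C), refusal of duplicate identifiers and vendor-supplied default passwords (A, B, ii), gating on active accounts (D), and lockout after repeated failures (E). The lockout threshold, minimum length, default-password list and all names are assumptions; the bill fixes none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values: the bill says only "multiple" attempts and
# "vendor-supplied default passwords" without fixing a number or a list.
MAX_FAILED_ATTEMPTS = 5
MIN_PASSWORD_LENGTH = 12
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}  # constructed sample
PBKDF2_ROUNDS = 600_000


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


class AuthStore:
    """In-memory credential store mapping sec. 1202(3)(a)(i)(A)-(E) and (ii) to code."""

    def __init__(self) -> None:
        self._accounts = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # (C): only a salted PBKDF2 hash is kept, never the password, so a leaked
        # table does not compromise the records the password protects.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_account(self, user_id: str, password: str) -> bool:
        """(A)/(ii): one unique identifier per person; (B)/(ii): no vendor defaults."""
        if user_id in self._accounts:
            return False  # duplicate identifier refused
        if password.lower() in VENDOR_DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            return False  # vendor-supplied default or trivially short password refused
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, self._derive(password, salt))
        return True

    def deactivate(self, user_id: str) -> None:
        """(D) and 1202(2)(f): a terminated employee's account stops working at once."""
        self._accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None or not acct.active or acct.locked:
            return False  # (D)/(E): unknown, inactive or locked identifiers get no access
        if hmac.compare_digest(self._derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0  # successful login resets the failure counter
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # (E): block the identifier after repeated failures
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._accounts[user_id].locked
```

Once locked, even the correct password is refused until an administrator clears the lock out of band, which is what keeps the control meaningful against online guessing.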
§ 1203. DATA BROKERS; REGISTRATION. 1. BEGINNING ON DECEMBER FIRST, TWO THOUSAND TWENTY-SEVEN, AND ANNUALLY THEREAFTER, A DATA BROKER OPERATING IN THE STATE OF NEW YORK SHALL REGISTER WITH THE OFFICE OF THE ATTORNEY GENERAL BY PAYING A REGISTRATION FEE OF ONE HUNDRED THOUSAND DOLLARS AND PROVIDING THE FOLLOWING INFORMATION:
(A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET ADDRESSES OF THE DATA BROKER;
(B) IF THE DATA BROKER PERMITS A CONSUMER TO OPT-OUT OF THE DATA BROKER'S COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION, OPT-OUT OF ITS DATABASES, OR OPT-OUT OF CERTAIN SALES OF DATA, (I) THE METHOD FOR REQUESTING AN OPT-OUT; (II) WHICH ACTIVITIES OR SALES THE OPT-OUT APPLIES TO, IF THE OPT-OUT APPLIES ONLY TO CERTAIN ACTIVITIES OR SALES; AND (III) WHETHER THE DATA BROKER PERMITS A CONSUMER TO AUTHORIZE A THIRD PARTY TO PERFORM THE OPT-OUT ON THE CONSUMER'S BEHALF;
(C) A STATEMENT SPECIFYING THE DATA COLLECTION, DATABASES, OR SALES ACTIVITIES FROM WHICH A CONSUMER MAY NOT OPT-OUT;
(D) A STATEMENT STATING WHETHER THE DATA BROKER IMPLEMENTS A PURCHASER CREDENTIALING PROCESS;
(E) THE NUMBER OF DATA BROKER SECURITY BREACHES THAT THE DATA BROKER EXPERIENCED DURING THE PRIOR YEAR, AND, IF KNOWN, THE TOTAL NUMBER OF CONSUMERS AFFECTED BY SUCH BREACHES;
(F) WHERE THE DATA BROKER HAS ACTUAL KNOWLEDGE THAT IT POSSESSES THE PERSONALLY IDENTIFIABLE INFORMATION OF MINORS, A SEPARATE STATEMENT DETAILING THE DATA COLLECTION PRACTICES, DATABASES, SALES ACTIVITIES, AND OPT-OUT POLICIES THAT ARE APPLICABLE TO THE PERSONALLY IDENTIFIABLE INFORMATION OF MINORS;
(G) WHETHER THE DATA BROKER COLLECTS:
(I) PRECISE GEOLOCATION DATA;
(II) REPRODUCTIVE HEALTH CARE DATA;
(III) BIOMETRIC DATA;
(IV) DATA RELATED TO IMMIGRATION STATUS;
(V) DATA RELATED TO SEXUAL ORIENTATION;
(VI) DATA RELATED TO UNION MEMBERSHIP;
(VII) DATA RELATED TO NAME, DATE OF BIRTH, ZIP CODE, EMAIL ADDRESS, OR PHONE NUMBER;
(VIII) ACCOUNT LOGIN DATA IN COMBINATION WITH ANY REQUIRED SECURITY CODE, ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO A CONSUMER'S ACCOUNT BY A THIRD PARTY;
(IX) DATA RELATED TO DRIVER'S LICENSE NUMBER, STATE IDENTIFICATION CARD NUMBER, TAX IDENTIFICATION NUMBER, SOCIAL SECURITY NUMBER, PASSPORT NUMBER, MILITARY IDENTIFICATION NUMBER, OR OTHER UNIQUE IDENTIFICATION NUMBER ISSUED ON A GOVERNMENT DOCUMENT COMMONLY USED TO VERIFY THE IDENTITY OF AN INDIVIDUAL; OR
(X) DATA RELATED TO MOBILE ADVERTISING IDENTIFICATION NUMBER, CONNECTED TELEVISION IDENTIFICATION NUMBER, OR VEHICLE IDENTIFICATION NUMBER;
(H) WHETHER THE DATA BROKER HAS SHARED OR SOLD CONSUMER DATA IN THE PAST YEAR WITH OR TO:
(I) A FOREIGN BUSINESS OR GOVERNMENT;
(II) THE FEDERAL GOVERNMENT;
(III) A STATE GOVERNMENT;
(IV) ANY LAW ENFORCEMENT AGENCY, UNLESS SUCH DATA WAS SHARED PURSUANT TO A SUBPOENA OR COURT ORDER; OR
(V) A DEVELOPER OF AN ARTIFICIAL INTELLIGENCE SYSTEM;
(I) BETWEEN ONE AND THREE OF THE MOST COMMON CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION THAT THE DATA BROKER COLLECTS; AND
(J) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER CHOOSES TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
2. THE OFFICE OF THE ATTORNEY GENERAL SHALL POST ON ITS WEBSITE THE REGISTRATION INFORMATION PROVIDED BY DATA BROKERS AS DESCRIBED IN THIS SECTION.
§ 1204. ENFORCEMENT; CIVIL PENALTIES. ANY VIOLATION OF THIS ARTICLE SHALL CONSTITUTE A PROHIBITED PRACTICE UNDER THE PROVISIONS OF SECTION THREE HUNDRED FORTY-NINE OF THIS CHAPTER AND SHALL BE SUBJECT TO ANY AND ALL OF THE ENFORCEMENT PROVISIONS OF ARTICLE TWENTY-TWO-A OF THIS CHAPTER.
§ 2. This act shall take effect January 1, 2027.