STATE OF NEW YORK
________________________________________________________________________
1854
2009-2010 Regular Sessions
IN SENATE
February 9, 2009
___________
Introduced by Sen. KLEIN -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection
AN ACT to amend the general business law, in relation to protecting the
privacy of internet users
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND
ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. Short title. This act shall be known and may be cited as
"New York state internet privacy law".
S 2. Legislative intent. 1. The legislature finds that the internet is
becoming a major part of the personal and commercial lives of Americans.
The internet brings with it much good, such as increased personal
knowledge and communications, and increased and more efficient commercial
opportunities.
2. The privacy of personal information flowing over the internet is of
concern. Vast amounts of personal information about individual internet
users are collected on the internet and sold or otherwise transferred to
third parties. Polls consistently show that individual internet users
are highly troubled over their lack of control over their personal
information. In fact, concern over personal privacy is one of the
biggest factors holding back even greater commercial development of the
internet.
3. The right to privacy is a personal and fundamental right worthy of
protection through appropriate legislation. Industry has developed
several self-policing schemes, but none of them are enforceable in a
meaningful way. Meaningful, enforceable internet privacy rules would
protect New York citizens and would foster the growth of electronic
commerce in New York.
4. The legislature intends to establish strong privacy rules to which
an operator of a website or online service may voluntarily choose to
submit. The incentive for the operator to submit will be that it may
publicize that it complies with the New York state internet privacy law.
Any operator who does so advertise may be subject to an enforcement
action.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD02645-01-9
S 3. Article 40 and sections 900 and 901 of the general business law,
as renumbered by chapter 407 of the laws of 1973, are renumbered article
41 and sections 1000 and 1001 and a new article 40 is added to read as
follows:
ARTICLE 40
NEW YORK STATE INTERNET PRIVACY LAW
SECTION 900. DEFINITIONS.
901. APPLICABILITY OF ARTICLE.
902. DISCLOSURE OF PERSONAL INFORMATION.
903. THIRD PARTIES.
904. USER'S RIGHT TO INSPECT AND CORRECT INFORMATION.
905. DURATION OF OPERATOR'S RESPONSIBILITY.
906. ENFORCEMENT.
907. SEPARABILITY CLAUSE.
S 900. DEFINITIONS. AS USED IN THIS ARTICLE:
1. THE TERM "INTERNET" MEANS COLLECTIVELY THE MYRIAD OF COMPUTER AND
TELECOMMUNICATIONS FACILITIES, INCLUDING EQUIPMENT AND OPERATING
SOFTWARE, WHICH COMPRISE THE INTERCONNECTED WORLD-WIDE NETWORK OF NETWORKS
THAT EMPLOY THE TRANSMISSION CONTROL PROTOCOL/INTERNET PROTOCOL, OR ANY
PREDECESSOR OR SUCCESSOR PROTOCOLS TO SUCH PROTOCOL, TO COMMUNICATE
INFORMATION OF ALL KINDS BY WIRE OR RADIO.
2. THE TERM "OPERATOR" MEANS ANY PERSON WHO OPERATES A WEBSITE LOCATED
ON THE INTERNET OR AN ONLINE SERVICE AND WHO COLLECTS OR MAINTAINS
PERSONAL INFORMATION FROM OR ABOUT THE USERS OF OR VISITORS TO SUCH
WEBSITE OR ONLINE SERVICE, OR ON WHOSE BEHALF SUCH INFORMATION IS
COLLECTED OR MAINTAINED, WHERE SUCH WEBSITE OR ONLINE SERVICE IS
OPERATED FOR COMMERCIAL PURPOSES, INCLUDING ANY PERSON OFFERING PRODUCTS OR
SERVICES FOR SALE THROUGH THAT WEBSITE OR ONLINE SERVICE, INVOLVING
COMMERCE.
3. THE TERM "USER" MEANS A PERSON WHO USES AN ONLINE SERVICE OR VISITS
A WEBSITE.
4. THE TERM "PERSONAL INFORMATION" MEANS INDIVIDUALLY IDENTIFIABLE
INFORMATION ABOUT AN INDIVIDUAL COLLECTED ONLINE, INCLUDING:
(A) A FIRST AND LAST NAME;
(B) A HOME OR OTHER PHYSICAL ADDRESS INCLUDING STREET NAME AND NAME OF
A CITY OR TOWN;
(C) AN E-MAIL ADDRESS;
(D) A TELEPHONE NUMBER;
(E) A SOCIAL SECURITY NUMBER;
(F) ANY OTHER IDENTIFIER THAT PERMITS THE PHYSICAL OR ONLINE
CONTACTING OF A SPECIFIC INDIVIDUAL; OR
(G) INFORMATION CONCERNING A CHILD OR THE PARENTS OF THAT CHILD THAT
THE OPERATOR COLLECTS ONLINE FROM THE CHILD AND COMBINES WITH ANOTHER
IDENTIFIER SET FORTH IN THIS SUBDIVISION.
5. THE TERM "DISCLOSURE" MEANS, WITH RESPECT TO PERSONAL INFORMATION:
(A) THE RELEASE OF PERSONAL INFORMATION COLLECTED IN IDENTIFIABLE FORM
BY AN OPERATOR FOR ANY PURPOSE, EXCEPT WHERE SUCH INFORMATION IS
PROVIDED TO A PERSON OTHER THAN THE OPERATOR WHO PROVIDES SUPPORT FOR
THE INTERNAL OPERATIONS OF THE WEBSITE AND DOES NOT DISCLOSE OR USE THAT
INFORMATION FOR ANY OTHER PURPOSE; AND
(B) MAKING PERSONAL INFORMATION COLLECTED FROM A CHILD BY A WEBSITE OR
ONLINE SERVICE DIRECTED TO CHILDREN OR WITH ACTUAL KNOWLEDGE THAT SUCH
INFORMATION WAS COLLECTED FROM A CHILD, PUBLICLY AVAILABLE IN
IDENTIFIABLE FORM, BY ANY MEANS INCLUDING BY A PUBLIC POSTING, THROUGH THE
INTERNET, OR THROUGH:
(I) A HOME PAGE OF A WEBSITE;
(II) A PEN PAL SERVICE;
(III) AN ELECTRONIC MAIL SERVICE;
(IV) A MESSAGE BOARD; OR
(V) A CHAT ROOM.
6. THE TERM "THIRD PARTY" MEANS A PERSON OTHER THAN THE USER OR THE
OPERATOR, OR AN EMPLOYEE OF THE OPERATOR.
S 901. APPLICABILITY OF ARTICLE. AN OPERATOR IS SUBJECT TO THIS
ARTICLE IF IT ADVERTISES OR OTHERWISE PUBLICLY STATES THAT IT COMPLIES WITH
THE "NEW YORK STATE INTERNET PRIVACY LAW".
S 902. DISCLOSURE OF PERSONAL INFORMATION. 1. AN OPERATOR SHALL NOT
DISCLOSE TO A THIRD PARTY ANY PERSONALLY IDENTIFIABLE INFORMATION
OBTAINED FROM A USER WITHOUT THE USER'S PRIOR INFORMED, AFFIRMATIVE
WRITTEN CONSENT.
2. INFORMED CONSENT REQUIRES THAT THE OPERATOR NOTIFY THE USER OF THE
IDENTITY OF ANY THIRD PARTY WHICH WILL RECEIVE HIS OR HER PERSONAL
INFORMATION, AND FOR WHAT PURPOSE THE INFORMATION WILL BE USED.
3. INFORMED WRITTEN CONSENT MAY BE OBTAINED ONLY UPON NOTICE TO A USER
OF HIS OR HER RIGHTS UNDER THIS LAW. SUCH NOTICE MUST BE IN WRITING,
CLEAR AND CONSPICUOUS, AND IN PLAIN ENGLISH.
4. AN OPERATOR SHALL PERMIT A PERSON TO REVOKE THE CONSENT GRANTED
UNDER SUBDIVISION ONE OF THIS SECTION AT ANY TIME, AND UPON SUCH
REVOCATION, SUCH OPERATOR SHALL CEASE DISCLOSING SUCH INFORMATION TO A THIRD
PARTY.
5. AN OPERATOR OR AN EMPLOYEE OF SUCH OPERATOR SHALL NOT KNOWINGLY
DISCLOSE TO A THIRD PARTY ANY PERSONALLY IDENTIFIABLE INFORMATION
PROVIDED BY A SUBSCRIBER TO SUCH SERVICE THAT SUCH SERVICE, OR SUCH
EMPLOYEE, HAS KNOWINGLY FALSIFIED.
6. NOTWITHSTANDING THE PROVISIONS OF SUBDIVISION ONE OF THIS SECTION,
NEITHER AN OPERATOR NOR THE OPERATOR'S AGENT SHALL BE HELD TO BE LIABLE
FOR ANY DISCLOSURE MADE IN GOOD FAITH AND FOLLOWING REASONABLE
PROCEDURES IN RESPONDING TO A REQUEST FOR DISCLOSURE OF PERSONAL INFORMATION
UNDER THE FEDERAL CHILDREN'S ONLINE PRIVACY PROTECTION ACT TO THE PARENT
OF A CHILD.
7. NOTWITHSTANDING THE PROVISIONS OF SUBDIVISION ONE OF THIS SECTION,
AN OPERATOR MAY DISCLOSE PERSONAL INFORMATION, WITHOUT NOTICE TO THE
USER, WHEN NECESSARY TO RESPOND TO A COURT ORDER, SUBPOENA, OR OTHER
LEGAL PROCESS.
S 903. THIRD PARTIES. 1. PRIOR TO DISCLOSING PERSONAL INFORMATION TO A
THIRD PARTY, AN OPERATOR SHALL INFORM THE THIRD PARTY OF THE PROVISIONS
OF THIS ARTICLE, AND OBTAIN FROM THE THIRD PARTY A WRITTEN CERTIFICATION
THAT THE THIRD PARTY WILL COMPLY WITH THIS ARTICLE.
2. A THIRD PARTY WHICH RECEIVES PERSONAL INFORMATION PURSUANT TO THIS
ARTICLE MAY USE SUCH INFORMATION ONLY FOR THE PURPOSE OF WHICH THE USER
HAS BEEN NOTIFIED.
S 904. USER'S RIGHT TO INSPECT AND CORRECT INFORMATION. 1. UPON
REQUEST AN OPERATOR SHALL (A) PROVIDE A PERSON WITH HIS OR HER PERSONAL
INFORMATION MAINTAINED BY THE OPERATOR; (B) PERMIT THE USER TO VERIFY
SUCH INFORMATION MAINTAINED BY THE SERVICE; AND (C) PERMIT THE USER TO
CORRECT ANY ERROR IN SUCH INFORMATION.
2. UPON REQUEST, AN OPERATOR SHALL PROVIDE TO THE USER THE IDENTITY OF
THE THIRD PARTY RECIPIENTS OF HIS OR HER PERSONAL INFORMATION.
3. AN OPERATOR SHALL NOT CHARGE A FEE FOR ONE ANNUAL REQUEST THAT A
PERSON MAKES FOR THE INFORMATION SET FORTH IN SUBDIVISION FOUR OR FIVE
OF SECTION NINE HUNDRED OF THIS ARTICLE. FOR ADDITIONAL REQUESTS, AN
OPERATOR MAY CHARGE A FEE CONSISTING OF THE OPERATOR'S ACTUAL COST OF
PROVIDING THE INFORMATION. AN OPERATOR SHALL PROVIDE AN ABILITY FOR A
USER TO ELECTRONICALLY REQUEST AND RECEIVE THE INFORMATION SET FORTH IN
THIS SECTION.
S 905. DURATION OF OPERATOR'S RESPONSIBILITY. ANY PERSONAL INFORMATION
WHICH AN OPERATOR OBTAINS WITHIN THIRTY DAYS OF THE OPERATOR'S LAST
ADVERTISEMENT OR PUBLIC STATEMENT PURSUANT TO SECTION NINE HUNDRED ONE
OF THIS ARTICLE SHALL BE SUBJECT TO THIS ARTICLE.
S 906. ENFORCEMENT. 1. ANY PERSON FOUND TO HAVE VIOLATED THIS ARTICLE,
KNOWINGLY OR RECKLESSLY, SHALL BE LIABLE TO THE AGGRIEVED USER FOR ALL
ACTUAL DAMAGES SUSTAINED BY SUCH USER AS A DIRECT RESULT OF THE
VIOLATION, PROVIDED THAT ANY SUBSCRIBER WHO PREVAILS OR SUBSTANTIALLY
PREVAILS IN ANY ACTION BROUGHT UNDER THIS SECTION SHALL RECEIVE NOT LESS
THAN FIVE HUNDRED DOLLARS IN DAMAGES, REGARDLESS OF THE AMOUNT OF ACTUAL
DAMAGE PROVED, PLUS COSTS, DISBURSEMENTS AND REASONABLE ATTORNEY'S FEES.
AN ACTION BROUGHT PURSUANT TO THIS SECTION MAY BE MAINTAINED AS A CLASS
ACTION.
2. WHENEVER THERE SHALL BE A VIOLATION OF THIS ARTICLE, AN APPLICATION
MAY BE MADE BY THE ATTORNEY GENERAL IN THE NAME OF THE PEOPLE OF THE
STATE OF NEW YORK TO A COURT OR JUSTICE HAVING JURISDICTION BY A SPECIAL
PROCEEDING TO ISSUE AN INJUNCTION, AND UPON NOTICE TO THE DEFENDANT OF
NOT LESS THAN FIVE DAYS, TO ENJOIN AND RESTRAIN THE CONTINUATION OF SUCH
VIOLATION; AND IF IT SHALL APPEAR TO THE SATISFACTION OF THE COURT OR
JUSTICE THAT THE DEFENDANT HAS, IN FACT, VIOLATED THIS ARTICLE, AN
INJUNCTION MAY BE ISSUED BY SUCH COURT OR JUSTICE, ENJOINING AND
RESTRAINING ANY FURTHER VIOLATION, WITHOUT REQUIRING PROOF THAT ANY
PERSON HAS, IN FACT, BEEN INJURED OR DAMAGED THEREBY. IN ANY SUCH
PROCEEDING, THE COURT MAY MAKE ALLOWANCES TO THE ATTORNEY GENERAL AS
PROVIDED IN PARAGRAPH SIX OF SUBDIVISION (A) OF SECTION EIGHTY-THREE
HUNDRED THREE OF THE CIVIL PRACTICE LAW AND RULES AND DIRECT
RESTITUTION. WHENEVER THE COURT SHALL DETERMINE THAT A GROSSLY NEGLIGENT
VIOLATION OF THIS ARTICLE HAS OCCURRED, THE COURT MAY IMPOSE A CIVIL
PENALTY OF NOT MORE THAN ONE THOUSAND DOLLARS FOR SUCH VIOLATION. IN
CONNECTION WITH ANY SUCH PROPOSED APPLICATION, THE ATTORNEY GENERAL IS
AUTHORIZED TO TAKE PROOF AND MAKE A DETERMINATION OF THE RELEVANT FACTS
AND TO ISSUE SUBPOENAS IN ACCORDANCE WITH THE CIVIL PRACTICE LAW AND
RULES.
3. THE REMEDIES PROVIDED BY THIS ARTICLE SHALL BE IN ADDITION TO ANY
OTHER LAWFUL REMEDY AVAILABLE TO A SUBSCRIBER.
4. NO ACTION MAY BE BROUGHT UNDER THE PROVISIONS OF THIS SECTION
UNLESS SUCH ACTION IS COMMENCED WITHIN THE TWO YEARS FROM THE DATE OF
THE ACT COMPLAINED OF OR THE DATE OF DISCOVERY OF SUCH ACT.
S 907. SEPARABILITY CLAUSE. IF ANY CLAUSE, PARAGRAPH, SECTION OR PART
OF THIS ARTICLE SHALL BE ADJUDGED BY ANY COURT OF COMPETENT JURISDICTION
TO BE INVALID OR UNCONSTITUTIONAL, SUCH JUDGMENT SHALL NOT AFFECT,
IMPAIR OR INVALIDATE THE REMAINDER THEREOF, BUT SHALL BE CONFINED IN ITS
OPERATION TO THE CLAUSE, SENTENCE, PARAGRAPH, SECTION OR PART THEREOF
DIRECTLY INVOLVED IN THE CONTROVERSY IN WHICH SUCH JUDGMENT SHALL HAVE
BEEN RENDERED.
S 4. This act shall take effect on the one hundred eightieth day after
it shall have become a law.