[ ] is old law to be omitted.
LBD01311-02-9
S. 224 2
from mobile phones, financial institutions, social media sites, and
other online and brick and mortar companies.
Some mobile applications are sharing personal information, such as
location information, unique phone identification numbers, and age,
gender, and other personal details with third-party companies.
Consumers need to know the ways that their personal information is
being collected by companies and then shared or sold to third parties in
order to properly protect their privacy, personal safety, and financial
security.
§ 3. The article heading of article 39-F of the general business law,
as added by chapter 442 of the laws of 2005, is amended to read as
follows:
[NOTIFICATION OF UNAUTHORIZED] ACQUISITION AND USE
OF PRIVATE INFORMATION
§ 4. The general business law is amended by adding a new section 899-
bb to read as follows:
§ 899-BB. DISCLOSURE OF A CUSTOMER'S PERSONAL INFORMATION TO A THIRD
PARTY. 1. (A) A BUSINESS THAT RETAINS A CUSTOMER'S PERSONAL INFORMATION
SHALL MAKE AVAILABLE TO THE CUSTOMER FREE OF CHARGE ACCESS TO, OR COPIES
OF, ALL OF THE CUSTOMER'S PERSONAL INFORMATION RETAINED BY THE BUSINESS.
(B) A BUSINESS THAT DISCLOSES A CUSTOMER'S PERSONAL INFORMATION TO A
THIRD PARTY SHALL MAKE THE FOLLOWING INFORMATION AVAILABLE TO THE
CUSTOMER FREE OF CHARGE:
(1) ALL CATEGORIES OF THE CUSTOMER'S PERSONAL INFORMATION THAT WERE
DISCLOSED, INCLUDING THE CATEGORIES SET FORTH IN PARAGRAPH (B) OF SUBDI-
VISION FOUR OF THIS SECTION.
(2) THE NAMES AND CONTACT INFORMATION OF ALL OF THE THIRD PARTIES THAT
RECEIVED THE CUSTOMER'S PERSONAL INFORMATION FROM THE BUSINESS, INCLUD-
ING THE THIRD PARTY'S DESIGNATED REQUEST ADDRESS OR ADDRESSES IF AVAIL-
ABLE.
2. A BUSINESS REQUIRED TO COMPLY WITH SUBDIVISION ONE OF THIS SECTION
SHALL MAKE THE REQUIRED INFORMATION AVAILABLE BY ONE OR MORE OF THE
FOLLOWING MEANS:
(A) BY PROVIDING A DESIGNATED REQUEST ADDRESS AND, UPON RECEIPT OF A
REQUEST UNDER THIS SECTION TO THE DESIGNATED REQUEST ADDRESS, PROVIDING
THE CUSTOMER WITHIN THIRTY DAYS WITH THE REQUIRED INFORMATION FOR ALL
DISCLOSURES OCCURRING IN THE PRIOR TWELVE MONTHS, PROVIDED THAT:
(1) IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY, THAT POLICY INCLUDES
A DESCRIPTION OF A CUSTOMER'S RIGHTS PURSUANT TO THIS SECTION ACCOMPA-
NIED BY ONE OR MORE DESIGNATED REQUEST ADDRESSES; PROVIDED THAT A BUSI-
NESS WITH MULTIPLE ONLINE PRIVACY POLICIES MUST INCLUDE THIS INFORMATION
IN THE POLICY OF EACH PRODUCT OR SERVICE THAT COLLECTS PERSONAL INFORMA-
TION THAT MAY BE DISCLOSED TO A THIRD PARTY;
(2) THE BUSINESS ENSURES THAT ALL PERSONS RESPONSIBLE FOR HANDLING
CUSTOMER INQUIRIES ABOUT THE BUSINESS' PRIVACY PRACTICES OR THE BUSI-
NESS' COMPLIANCE WITH THIS SECTION ARE INFORMED OF ALL DESIGNATED
REQUEST ADDRESSES; AND
(3) THE BUSINESS PROVIDES INFORMATION PERTAINING TO THE SPECIFIC
CUSTOMER IF THAT INFORMATION IS REASONABLY AVAILABLE TO THE BUSINESS,
AND PROVIDES INFORMATION IN STANDARDIZED FORMAT IF INFORMATION PERTAIN-
ING TO THE SPECIFIC CUSTOMER IS NOT REASONABLY AVAILABLE.
(B) FOR INFORMATION REQUIRED TO BE PROVIDED BY PARAGRAPH (B) OF SUBDI-
VISION ONE OF THIS SECTION, BY PROVIDING THE CUSTOMER WITH NOTICE
INCLUDING THE REQUIRED INFORMATION PRIOR TO OR IMMEDIATELY FOLLOWING A
DISCLOSURE.
S. 224 3
(C) BY PROVIDING THE CUSTOMER THE DISCLOSURE REQUIRED BY SECTION 6803
OF TITLE 15 OF THE UNITED STATES CODE, BUT ONLY IF THE DISCLOSURE ALSO
COMPLIES WITH THIS SECTION.
3. (A) A BUSINESS IS NOT OBLIGATED TO PROVIDE MORE THAN ONE NOTICE
UNDER PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION TO THE SAME
CUSTOMER IN A TWELVE-MONTH PERIOD ABOUT THE DISCLOSURE OF THE SAME
PERSONAL INFORMATION TO THE SAME THIRD PARTY AND IS NOT OBLIGATED UNDER
PARAGRAPH (A) OF SUBDIVISION TWO OF THIS SECTION TO RESPOND TO A REQUEST
BY THE SAME CUSTOMER MORE THAN ONCE WITHIN A GIVEN TWELVE-MONTH PERIOD.
(B) A BUSINESS IS NOT OBLIGATED TO PROVIDE INFORMATION TO THE CUSTOMER
PURSUANT TO SUBDIVISION ONE OF THIS SECTION IF THE BUSINESS CANNOT
REASONABLY VERIFY THAT THE INDIVIDUAL MAKING THE REQUEST IS THE CUSTOM-
ER.
4. FOR PURPOSES OF THIS SECTION, THE FOLLOWING TERMS HAVE THE FOLLOW-
ING MEANINGS:
(A) "BUSINESS" MEANS ANY PERSON, PROPRIETORSHIP, FIRM, PARTNERSHIP,
ASSOCIATION, COOPERATIVE, NONPROFIT ORGANIZATION OR CORPORATION ORGAN-
IZED OR EXISTING UNDER THE LAWS OF THIS STATE OR ANY OTHER STATE, AND
DOING BUSINESS IN THIS STATE, EXCLUSIVE OF PUBLIC CORPORATIONS AS
DEFINED PURSUANT TO ARTICLE TWO-A OF THE GENERAL CONSTRUCTION LAW.
(B) "CATEGORIES OF PERSONAL INFORMATION" INCLUDES, BUT IS NOT LIMITED
TO, THE FOLLOWING:
(1) IDENTITY INFORMATION INCLUDING, BUT NOT LIMITED TO, REAL NAME,
ALIAS, NICKNAME, AND USER NAME.
(2) ADDRESS INFORMATION, INCLUDING, BUT NOT LIMITED TO, POSTAL ADDRESS
OR E-MAIL.
(3) TELEPHONE NUMBER.
(4) ACCOUNT NAME.
(5) SOCIAL SECURITY NUMBER OR OTHER GOVERNMENT-ISSUED IDENTIFICATION
NUMBER, INCLUDING, BUT NOT LIMITED TO, SOCIAL SECURITY NUMBER, DRIVER'S
LICENSE NUMBER, IDENTIFICATION CARD NUMBER, AND PASSPORT NUMBER.
(6) BIRTHDATE OR AGE.
(7) PHYSICAL CHARACTERISTIC INFORMATION, INCLUDING, BUT NOT LIMITED
TO, HEIGHT AND WEIGHT.
(8) SEXUAL INFORMATION, INCLUDING, BUT NOT LIMITED TO, SEXUAL ORIEN-
TATION, SEX, GENDER STATUS, GENDER IDENTITY, AND GENDER EXPRESSION.
(9) RACE OR ETHNICITY.
(10) RELIGIOUS AFFILIATION OR ACTIVITY.
(11) POLITICAL AFFILIATION OR ACTIVITY.
(12) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION.
(13) EDUCATIONAL INFORMATION.
(14) MEDICAL INFORMATION, INCLUDING, BUT NOT LIMITED TO, MEDICAL
CONDITIONS OR DRUGS, THERAPIES, MENTAL HEALTH, OR MEDICAL PRODUCTS OR
EQUIPMENT USED.
(15) FINANCIAL INFORMATION, INCLUDING, BUT NOT LIMITED TO, CREDIT,
DEBIT, OR ACCOUNT NUMBERS, ACCOUNT BALANCES, PAYMENT HISTORY, OR INFOR-
MATION RELATED TO ASSETS, LIABILITIES, OR GENERAL CREDITWORTHINESS.
(16) COMMERCIAL INFORMATION, INCLUDING, BUT NOT LIMITED TO, RECORDS OF
PROPERTY, PRODUCTS OR SERVICES PROVIDED, OBTAINED, OR CONSIDERED, OR
OTHER PURCHASING OR CONSUMER HISTORIES OR TENDENCIES.
(17) LOCATION INFORMATION.
(18) INTERNET OR MOBILE ACTIVITY INFORMATION, INCLUDING, BUT NOT
LIMITED TO, INTERNET PROTOCOL ADDRESSES OR INFORMATION CONCERNING THE
ACCESS OR USE OF ANY INTERNET OR MOBILE-BASED SITE OR SERVICE.
(19) CONTENT, INCLUDING TEXT, PHOTOGRAPHS, AUDIO OR VIDEO RECORDINGS,
OR OTHER MATERIAL GENERATED BY OR PROVIDED BY THE CUSTOMER.
S. 224 4
(20) ANY OF THE ABOVE CATEGORIES OF INFORMATION AS THEY PERTAIN TO THE
CHILDREN OF THE CUSTOMER.
(C) (1) "CUSTOMER" MEANS AN INDIVIDUAL WHO IS A RESIDENT OF NEW YORK
STATE WHO PROVIDES PERSONAL INFORMATION TO A BUSINESS, WITH OR WITHOUT
AN EXCHANGE OF CONSIDERATION, IN THE COURSE OF PURCHASING, VIEWING,
ACCESSING, RENTING, LEASING, OR OTHERWISE USING REAL OR PERSONAL PROPER-
TY, OR ANY INTEREST THEREIN, OR OBTAINING A PRODUCT OR SERVICE FROM THE
BUSINESS INCLUDING ADVERTISING OR ANY OTHER CONTENT.
(2) AN INDIVIDUAL IS ALSO THE CUSTOMER OF A BUSINESS IF THAT BUSINESS
OBTAINED THE PERSONAL INFORMATION OF THAT INDIVIDUAL FROM ANY OTHER
BUSINESS.
(D) "DESIGNATED REQUEST ADDRESS" MEANS A MAILING ADDRESS, E-MAIL
ADDRESS, WEB PAGE, TOLL-FREE TELEPHONE NUMBER, OR OTHER APPLICABLE
CONTACT INFORMATION, WHEREBY CUSTOMERS MAY REQUEST OR OBTAIN THE INFOR-
MATION REQUIRED TO BE PROVIDED UNDER SUBDIVISION ONE OF THIS SECTION.
(E) (1) "DISCLOSE" MEANS TO DISCLOSE, RELEASE, SHARE, TRANSFER,
DISSEMINATE, MAKE AVAILABLE, OR OTHERWISE COMMUNICATE ORALLY, IN WRIT-
ING, OR BY ELECTRONIC OR ANY OTHER MEANS TO ANY THIRD PARTY AS DEFINED
IN THIS SECTION.
(2) "DISCLOSE" DOES NOT INCLUDE:
(A) DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
PURSUANT TO A WRITTEN CONTRACT AUTHORIZING THE THIRD PARTY TO UTILIZE
THE PERSONAL INFORMATION TO PERFORM SERVICES ON BEHALF OF THE BUSINESS,
INCLUDING MAINTAINING OR SERVICING ACCOUNTS, PROVIDING CUSTOMER SERVICE,
PROCESSING OR FULFILLING ORDERS AND TRANSACTIONS, VERIFYING CUSTOMER
INFORMATION, PROCESSING PAYMENTS, PROVIDING FINANCING, OR SIMILAR
SERVICES, BUT ONLY IF (I) THE CONTRACT PROHIBITS THE THIRD PARTY FROM
USING THE PERSONAL INFORMATION FOR ANY REASON OTHER THAN PERFORMING THE
SPECIFIED SERVICE OR SERVICES ON BEHALF OF THE BUSINESS AND FROM
DISCLOSING ANY SUCH PERSONAL INFORMATION TO ADDITIONAL THIRD PARTIES AND
(II) THE BUSINESS EFFECTIVELY ENFORCES THESE PROHIBITIONS.
(B) DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
BASED ON A GOOD-FAITH BELIEF THAT DISCLOSURE IS REQUIRED TO COMPLY WITH
APPLICABLE LAW, REGULATION, LEGAL PROCESS, OR COURT ORDER.
(C) DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
THAT IS REASONABLY NECESSARY TO ADDRESS FRAUD, SECURITY, OR TECHNICAL
ISSUES; TO PROTECT THE DISCLOSING BUSINESS' RIGHTS OR PROPERTY; OR TO
PROTECT CUSTOMERS OR THE PUBLIC FROM ILLEGAL ACTIVITIES AS REQUIRED OR
PERMITTED BY LAW.
(D) DISCLOSURE OF PERSONAL INFORMATION BY A BUSINESS TO A THIRD PARTY
THAT IS OTHERWISE LAWFULLY AVAILABLE TO THE GENERAL PUBLIC, PROVIDED
THAT THE BUSINESS DID NOT DIRECT THE THIRD PARTY TO THE PERSONAL INFOR-
MATION.
(F) "PERSONAL INFORMATION" MEANS:
(1) ANY INFORMATION THAT IDENTIFIES OR REFERENCES A PARTICULAR INDI-
VIDUAL OR ELECTRONIC DEVICE, INCLUDING, BUT NOT LIMITED TO, A REAL NAME,
ALIAS, POSTAL ADDRESS, TELEPHONE NUMBER, ELECTRONIC MAIL ADDRESS, INTER-
NET PROTOCOL ADDRESS, ACCOUNT NAME, SOCIAL SECURITY NUMBER, DRIVER'S
LICENSE NUMBER, PASSPORT NUMBER, OR ANY OTHER IDENTIFIER INTENDED OR
ABLE TO BE UNIQUELY ASSOCIATED WITH A PARTICULAR INDIVIDUAL OR DEVICE.
(2) ANY INFORMATION THAT RELATES TO OR DESCRIBES AN INDIVIDUAL IF SUCH
INFORMATION IS DISCLOSED IN CONNECTION WITH ANY IDENTIFYING OR REFERENC-
ING INFORMATION AS DEFINED IN SUBPARAGRAPH ONE OF THIS PARAGRAPH.
(G) (1) "RETAINS" MEANS TO STORE OR OTHERWISE HOLD INFORMATION, WHETH-
ER THE INFORMATION IS COLLECTED OR OBTAINED DIRECTLY FROM THE SUBJECT OF
THE INFORMATION OR FROM ANY THIRD PARTY.
S. 224 5
(2) "RETAINS" DOES NOT INCLUDE INFORMATION THAT IS STORED OR OTHERWISE
HELD SOLELY FOR ONE OR MORE OF THE FOLLOWING PURPOSES, SO LONG AS THE
INFORMATION IS DELETED AS SOON AS IT IS NO LONGER NEEDED FOR THOSE
PURPOSES:
(A) TO PERFORM A SERVICE OR COMPLETE A TRANSACTION INITIATED BY OR ON
BEHALF OF THE CUSTOMER, INCLUDING MAINTAINING OR SERVICING ACCOUNTS,
PROVIDING CUSTOMER SERVICE, PROCESSING OR FULFILLING ORDERS AND TRANS-
ACTIONS, VERIFYING CUSTOMER INFORMATION, PROCESSING PAYMENTS, PROVIDING
FINANCING, OR SIMILAR SERVICES.
(B) TO ADDRESS FRAUD, SECURITY, OR TECHNICAL ISSUES; TO PROTECT THE
DISCLOSING BUSINESS' RIGHTS OR PROPERTY; OR TO PROTECT CUSTOMERS OR THE
PUBLIC FROM ILLEGAL ACTIVITIES AS REQUIRED OR PERMITTED BY LAW.
(C) TO COMPLY WITH APPLICABLE LAW OR REGULATION OR WITH A COURT ORDER
OR OTHER LEGAL PROCESS WHERE THE BUSINESS HAS A GOOD-FAITH BELIEF THAT
THE LAW, REGULATION, COURT ORDER, OR LEGAL PROCESS REQUIRES THE INFORMA-
TION TO BE STORED OR HELD.
(H) "THIRD PARTY" OR "THIRD PARTIES" MEANS ONE OR MORE OF THE FOLLOW-
ING:
(1) A BUSINESS THAT IS A SEPARATE LEGAL ENTITY FROM THE BUSINESS THAT
HAS DISCLOSED PERSONAL INFORMATION.
(2) A BUSINESS THAT DOES NOT SHARE COMMON OWNERSHIP OR COMMON CORPO-
RATE CONTROL WITH THE BUSINESS THAT HAS DISCLOSED PERSONAL INFORMATION.
(3) A BUSINESS THAT DOES NOT SHARE A BRAND NAME OR COMMON BRANDING
WITH THE BUSINESS THAT HAS DISCLOSED PERSONAL INFORMATION SUCH THAT THE
AFFILIATE RELATIONSHIP IS CLEAR TO THE CUSTOMER.
5. THE PROVISIONS OF THIS SECTION ARE SEVERABLE. IF ANY PROVISION OF
THIS SECTION OR ITS APPLICATION IS HELD INVALID, THAT INVALIDITY SHALL
NOT AFFECT OTHER PROVISIONS OR APPLICATIONS THAT CAN BE GIVEN EFFECT
WITHOUT THE INVALID PROVISION OR APPLICATION.
6. A VIOLATION OF THIS SECTION CONSTITUTES AN INJURY TO A CUSTOMER. A
CIVIL ACTION TO RECOVER PENALTIES MAY BE BROUGHT BY A CUSTOMER, THE
ATTORNEY GENERAL, A DISTRICT ATTORNEY, A CITY ATTORNEY, OR A CITY PROSE-
CUTOR, IN A COURT OF COMPETENT JURISDICTION.
§ 5. This act shall take effect immediately.