Assembly Actions -
Lowercase Senate Actions - UPPERCASE |
|
---|---|
Jan 07, 2022 |
print number 680b |
Jan 07, 2022 |
amend and recommit to consumer affairs and protection |
Jan 05, 2022 |
referred to consumer affairs and protection |
May 27, 2021 |
print number 680a |
May 27, 2021 |
amend and recommit to consumer affairs and protection |
Jan 06, 2021 |
referred to consumer affairs and protection |
Assembly Bill A680B
2021-2022 Legislative Session
Relates to enacting the NY privacy act
download bill text pdfSponsored By
ROSENTHAL L
Archive: Last Bill Status - In Assembly Committee
- Introduced
-
- In Committee Assembly
- In Committee Senate
-
- On Floor Calendar Assembly
- On Floor Calendar Senate
-
- Passed Assembly
- Passed Senate
- Delivered to Governor
- Signed By Governor
Actions
Bill Amendments
co-Sponsors
Dan Quart
David Weprin
Daniel Rosenthal
Jo Anne Simon
2021-A680 - Details
2021-A680 - Bill Text download pdf
S T A T E O F N E W Y O R K ________________________________________________________________________ 680 2021-2022 Regular Sessions I N A S S E M B L Y (PREFILED) January 6, 2021 ___________ Introduced by M. of A. L. ROSENTHAL, QUART, WEPRIN, D. ROSENTHAL -- read once and referred to the Committee on Consumer Affairs and Protection AN ACT to amend the general business law, in relation to the management and oversight of personal data THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS: Section 1. Short title. This act may be known and cited as the "New York privacy act". § 2. The general business law is amended by adding a new article 42 to read as follows: ARTICLE 42 NEW YORK PRIVACY ACT SECTION 1100. DEFINITIONS. 1101. JURISDICTIONAL SCOPE. 1102. DATA FIDUCIARY. 1103. CONSUMER RIGHTS. 1104. TRANSPARENCY. 1105. RESPONSIBILITY ACCORDING TO ROLE. 1106. DE-IDENTIFIED DATA. 1107. EXEMPTIONS. 1108. LIABILITY. 1109. ENFORCEMENT. 1110. PREEMPTION. § 1100. DEFINITIONS. THE DEFINITIONS IN THIS ARTICLE APPLY UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE: 1. "AFFILIATE" MEANS A LEGAL ENTITY THAT CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH, ANOTHER LEGAL ENTITY, WHERE THE ENTITY HOLDS ITSELF OUT AS AFFILIATED OR UNDER COMMON OWNERSHIP SUCH THAT A CONSUMER ACTING REASONABLY UNDER THE CIRCUMSTANCES WOULD ANTICIPATE THEIR PERSONAL DATA BEING PROVIDED TO AN AFFILIATE. EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted. LBD00516-01-1 A. 680 2 2. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT ESTABLISHING A FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT TO THE PROCESSING OF PERSONAL DATA RELATING TO THE CONSUMER, SUCH AS BY A WRITTEN STATEMENT OR OTHER CLEAR AFFIRMATIVE ACTION. 3. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT. IT DOES NOT INCLUDE AN EMPLOYEE OR CONTRACTOR OF A BUSINESS ACTING IN THEIR ROLE AS AN EMPLOYEE OR CONTRACTOR. 4. "CONTROLLER" MEANS THE NATURAL OR LEGAL PERSON WHO, ALONE OR JOINT- LY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA. 5. "DATA BROKER" MEANS A BUSINESS, OR UNIT OR UNITS OF A BUSINESS, SEPARATELY OR TOGETHER, THAT EARNS ITS PRIMARY REVENUE FROM SUPPLYING DATA OR INFERENCES ABOUT PEOPLE GATHERED MAINLY FROM SOURCES OTHER THAN THE DATA SOURCES THEMSELVES. 6. "DE-IDENTIFIED DATA" MEANS: (A) DATA THAT CANNOT BE LINKED TO A KNOWN NATURAL PERSON WITHOUT ADDI- TIONAL INFORMATION NOT AVAILABLE TO THE CONTROLLER; OR (B) DATA (I) THAT HAS BEEN MODIFIED TO A DEGREE THAT THE RISK OF RE-I- DENTIFICATION IS SMALL AS DETERMINED BY A PERSON WITH APPROPRIATE KNOW- LEDGE OF AND EXPERIENCE WITH GENERALLY ACCEPTED STATISTICAL AND SCIEN- TIFIC PRINCIPLES AND METHODS FOR DE-IDENTIFYING DATA, (II) THAT IS SUBJECT TO A PUBLIC COMMITMENT BY THE CONTROLLER NOT TO ATTEMPT TO RE-I- DENTIFY THE DATA, AND (III) TO WHICH ONE OR MORE ENFORCEABLE CONTROLS TO PREVENT RE-IDENTIFICATION HAS BEEN APPLIED. ENFORCEABLE CONTROLS TO PREVENT RE-IDENTIFICATION MAY INCLUDE LEGAL, ADMINISTRATIVE, TECHNICAL, OR CONTRACTUAL CONTROLS. 7. "DEVELOPER" MEANS A PERSON WHO CREATES OR MODIFIES THE SET OF INSTRUCTIONS OR PROGRAMS INSTRUCTING A COMPUTER OR DEVICE TO PERFORM TASKS. 8. "IDENTIFIED OR IDENTIFIABLE NATURAL PERSON" MEANS A PERSON WHO CAN BE IDENTIFIED, DIRECTLY OR INDIRECTLY, IN PARTICULAR BY REFERENCE TO SPECIFIC INFORMATION INCLUDING, BUT NOT LIMITED TO, A NAME, AN IDENTIFI- CATION NUMBER, SPECIFIC GEOLOCATION DATA, OR AN ONLINE IDENTIFIER. 9. "MINOR" MEANS ANY PERSON UNDER EIGHTEEN YEARS OF AGE. 10. "PERSONAL DATA" MEANS INFORMATION RELATING TO AN IDENTIFIED OR IDENTIFIABLE NATURAL PERSON. (A) "PERSONAL DATA" INCLUDES: (I) AN IDENTIFIER SUCH AS A REAL NAME, ALIAS, SIGNATURE, DATE OF BIRTH, GENDER IDENTITY, SEXUAL ORIENTATION, MARITAL STATUS, PHYSICAL CHARACTERISTIC OR DESCRIPTION, POSTAL ADDRESS, TELEPHONE NUMBER, UNIQUE PERSONAL IDENTIFIER, MILITARY IDENTIFICATION NUMBER, ONLINE IDENTIFIER, INTERNET PROTOCOL ADDRESS, EMAIL ADDRESS, ACCOUNT NAME, MOTHER'S MAIDEN NAME, SOCIAL SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT NUMBER, OR OTHER SIMILAR IDENTIFIER; (II) INFORMATION SUCH AS EMPLOYMENT, EMPLOYMENT HISTORY, BANK ACCOUNT NUMBER, CREDIT CARD NUMBER, DEBIT CARD NUMBER, INSURANCE POLICY NUMBER, OR ANY OTHER FINANCIAL INFORMATION, MEDICAL INFORMATION, MENTAL HEALTH INFORMATION, OR HEALTH INSURANCE INFORMATION; (III) COMMERCIAL INFORMATION, INCLUDING A RECORD OF PERSONAL PROPERTY, INCOME, ASSETS, LEASES, RENTALS, PRODUCTS OR SERVICES PURCHASED, OBTAINED, OR CONSIDERED, OR OTHER PURCHASING OR CONSUMING HISTORY; (IV) BIOMETRIC INFORMATION, INCLUDING A RETINA OR IRIS SCAN, FINGER- PRINT, VOICEPRINT, OR SCAN OF HAND OR FACE GEOMETRY; (V) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION, INCLUD- ING BROWSING HISTORY, SEARCH HISTORY, CONTENT, INCLUDING TEXT, PHOTO- GRAPHS, AUDIO OR VIDEO RECORDINGS, OR OTHER USER GENERATED-CONTENT, A. 680 3 NON-PUBLIC COMMUNICATIONS, AND INFORMATION REGARDING AN INDIVIDUAL'S INTERACTION WITH AN INTERNET WEBSITE, MOBILE APPLICATION, OR ADVERTISE- MENT; (VI) HISTORICAL OR REAL-TIME GEOLOCATION DATA; (VII) AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY, OR SIMILAR INFOR- MATION; (VIII) EDUCATION RECORDS, AS DEFINED IN SECTION THIRTY-THREE HUNDRED TWO OF THE EDUCATION LAW; (IX) POLITICAL INFORMATION OR INFORMATION ON CRIMINAL CONVICTIONS OR ARRESTS; (X) ANY REQUIRED SECURITY CODE, ACCESS CODE, PASSWORD, OR USERNAME NECESSARY TO PERMIT ACCESS TO THE ACCOUNT OF AN INDIVIDUAL; (XI) CHARACTERISTICS OF PROTECTED CLASSES UNDER THE HUMAN RIGHTS LAW, INCLUDING RACE, COLOR, NATIONAL ORIGIN, RELIGION, SEX, AGE, OR DISABILI- TY; OR (XII) AN INFERENCE DRAWN FROM ANY OF THE INFORMATION DESCRIBED IN THIS PARAGRAPH TO CREATE A PROFILE ABOUT AN INDIVIDUAL REFLECTING THE INDI- VIDUAL'S PREFERENCES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS, PREFER- ENCES, PREDISPOSITIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, OR APTITUDES. (B) THE TERM PERSONAL DATA DOES NOT INCLUDE PUBLICLY AVAILABLE INFOR- MATION. "PUBLICLY AVAILABLE INFORMATION": (I) MEANS INFORMATION THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; AND (II) DOES NOT INCLUDE BIOMETRIC INFORMATION COLLECTED BY A COVERED ENTITY ABOUT AN INDIVIDUAL WITHOUT THE INDIVIDUAL'S KNOWLEDGE, OR INFOR- MATION USED FOR A PURPOSE THAT IS NOT COMPATIBLE WITH THE PURPOSE FOR WHICH THE INFORMATION IS MAINTAINED AND MADE AVAILABLE IN GOVERNMENT RECORDS. (C) PERSONAL DATA DOES NOT INCLUDE DE-IDENTIFIED DATA. 11. "PROCESS" OR "PROCESSING" MEANS ANY OPERATION OR SET OF OPERATIONS THAT IS PERFORMED ON PERSONAL DATA OR ON SETS OF PERSONAL DATA, WHETHER OR NOT BY AUTOMATED MEANS, SUCH AS COLLECTION, RECORDING, ORGANIZATION, STRUCTURING, STORAGE, ADAPTATION OR ALTERATION, RETRIEVAL, CONSULTATION, USE, DISCLOSURE BY TRANSMISSION, DISSEMINATION OR OTHERWISE MAKING AVAILABLE, ALIGNMENT OR COMBINATION, RESTRICTION, DELETION, OR DESTRUCTION. 12. "PROCESSOR" MEANS A NATURAL OR LEGAL PERSON WHO PROCESSES PERSONAL DATA ON BEHALF OF THE CONTROLLER. 13. "PROFILING" MEANS ANY FORM OF AUTOMATED PROCESSING OF PERSONAL DATA CONSISTING OF THE USE OF PERSONAL DATA TO EVALUATE CERTAIN PERSONAL ASPECTS RELATING TO A NATURAL PERSON, IN PARTICULAR TO ANALYZE OR PREDICT ASPECTS CONCERNING THAT NATURAL PERSON'S ECONOMIC SITUATION, HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS. 14. "RESTRICTION OF PROCESSING" MEANS THE MARKING OF STORED PERSONAL DATA WITH THE AIM OF LIMITING THE PROCESSING OF SUCH PERSONAL DATA IN THE FUTURE. 15.(A) "SALE", "SELL" OR "SOLD" MEANS THE EXCHANGE OF PERSONAL DATA FOR CONSIDERATION BY THE CONTROLLER TO A THIRD PARTY. (B) "SALE" DOES NOT INCLUDE THE FOLLOWING: (I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR WHO PROCESSES THE PERSONAL DATA ON BEHALF OF THE CONTROLLER; (II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY WITH WHOM THE CONSUMER HAS A DIRECT RELATIONSHIP FOR PURPOSES OF PROVID- ING A PRODUCT OR SERVICE REQUESTED BY THE CONSUMER OR OTHERWISE IN A MANNER THAT IS CONSISTENT WITH A CONSUMER'S REASONABLE EXPECTATIONS A. 680 4 CONSIDERING THE CONTEXT IN WHICH THE CONSUMER PROVIDED THE PERSONAL DATA TO THE CONTROLLER; (III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN AFFILIATE OF THE CONTROLLER; OR (IV) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO A THIRD PARTY AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER'S ASSETS, IF CONSUMERS ARE NOTIFIED OF THE TRANSFER OF THEIR DATA AND OF THEIR RIGHTS UNDER THIS ARTICLE AND AFFIRMATIVELY CONSENT TO THE DISCLOSURE AND TRANSFER OF DATA. 16. "TARGETED ADVERTISING" MEANS DISPLAYING ADVERTISEMENTS TO A CONSUMER WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED OVER TIME FROM A CONSUMER'S ACTIVITIES ACROSS WEB SITES, APPLICATIONS OR ONLINE SERVICES. IT DOES NOT INCLUDE ADVERTISING TO A CONSUMER BASED UPON THE CONSUMER'S CURRENT VISIT TO A WEB SITE, APPLICATION, OR ONLINE SERVICE, OR IN RESPONSE TO THE CONSUMER'S REQUEST FOR INFORMATION OR FEEDBACK. 17. "OPT-IN" MEANS AFFIRMATIVE, EXPRESS CONSENT OF AN INDIVIDUAL FOR A COVERED ENTITY TO USE, DISCLOSE, OR PERMIT ACCESS TO THE INDIVIDUAL'S PERSONAL DATA AFTER THE INDIVIDUAL HAS RECEIVED EXPLICIT NOTIFICATION OF THE REQUEST OF THE COVERED ENTITY WITH RESPECT TO THAT DATA. § 1101. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL ENTI- TIES THAT CONDUCT BUSINESS IN NEW YORK STATE OR PRODUCE PRODUCTS OR SERVICES THAT ARE INTENTIONALLY TARGETED TO RESIDENTS OF NEW YORK STATE. 2. THIS ARTICLE DOES NOT APPLY TO: (A) STATE AND LOCAL GOVERNMENTS; (B) PERSONAL DATA SETS TO THE EXTENT THAT THEY ARE REGULATED BY THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT, OR THE GRAMM-LEACH-BLILEY ACT OF 1999; OR (C) DATA SETS MAINTAINED FOR EMPLOYMENT RECORDS PURPOSES. § 1102. DATA FIDUCIARY. 1. PERSONAL DATA OF CONSUMERS SHALL NOT BE USED, PROCESSED OR TRANSFERRED TO A THIRD PARTY, UNLESS THE CONSUMER PROVIDES EXPRESS AND DOCUMENTED CONSENT. EVERY LEGAL ENTITY, OR ANY AFFILIATE OF SUCH ENTITY, AND EVERY CONTROLLER AND DATA BROKER, WHICH COLLECTS, SELLS OR LICENSES PERSONAL INFORMATION OF CONSUMERS, SHALL EXERCISE THE DUTY OF CARE, LOYALTY AND CONFIDENTIALITY EXPECTED OF A FIDUCIARY WITH RESPECT TO SECURING THE PERSONAL DATA OF A CONSUMER AGAINST A PRIVACY RISK; AND SHALL ACT IN THE BEST INTERESTS OF THE CONSUMER, WITHOUT REGARD TO THE INTERESTS OF THE ENTITY, CONTROLLER OR DATA BROKER, IN A MANNER EXPECTED BY A REASONABLE CONSUMER UNDER THE CIRCUMSTANCES. (A) EVERY LEGAL ENTITY, OR AFFILIATE OF SUCH ENTITY, AND EVERY CONTROLLER AND DATA BROKER TO WHICH THIS ARTICLE APPLIES SHALL: (I) REASONABLY SECURE PERSONAL DATA FROM UNAUTHORIZED ACCESS; AND (II) PROMPTLY INFORM A CONSUMER OF ANY BREACH OF THE DUTY DESCRIBED IN THIS PARAGRAPH WITH RESPECT TO PERSONAL DATA OF SUCH CONSUMER. (B) A LEGAL ENTITY, AN AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER MAY NOT USE PERSONAL DATA, OR DATA DERIVED FROM PERSONAL DATA, IN ANY WAY THAT: (I) WILL BENEFIT THE ONLINE SERVICE PROVIDER TO THE DETRIMENT OF AN END USER; AND (II) (A) WILL RESULT IN REASONABLY FORESEEABLE AND MATERIAL PHYSICAL OR FINANCIAL HARM TO A CONSUMER; OR (B) WOULD BE UNEXPECTED AND HIGHLY OFFENSIVE TO A REASONABLE CONSUMER. (C) A LEGAL ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER: A. 680 5 (I) MAY NOT DISCLOSE OR SELL PERSONAL DATA TO, OR SHARE PERSONAL DATA WITH, ANY OTHER PERSON EXCEPT AS CONSISTENT WITH THE DUTIES OF CARE AND LOYALTY UNDER PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION; (II) MAY NOT DISCLOSE OR SELL PERSONAL DATA TO, OR SHARE PERSONAL DATA WITH, ANY OTHER PERSON UNLESS THAT PERSON ENTERS INTO A CONTRACT THAT IMPOSES THE SAME DUTIES OF CARE, LOYALTY, AND CONFIDENTIALLY TOWARD THE CONSUMER AS ARE IMPOSED UNDER THIS SECTION; AND (III) SHALL TAKE REASONABLE STEPS TO ENSURE THAT THE PRACTICES OF ANY PERSON TO WHOM THE ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER DISCLOSES OR SELLS, OR WITH WHOM THE ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER SHARES. PERSONAL DATA FULFILLS THE DUTIES OF CARE, LOYALTY, AND CONFIDENTIALITY ASSUMED BY THE PERSON UNDER THE CONTRACT DESCRIBED IN SUBPARAGRAPH (II) OF THIS PARAGRAPH, INCLUDING BY AUDITING, ON A REGULAR BASIS, THE DATA SECURITY AND DATA INFORMATION PRACTICES OF ANY SUCH ENTITY, OR AFFILIATE OF SUCH ENTITY, CONTROLLER OR DATA BROKER. 2. FOR THE PURPOSES OF THIS SECTION THE TERM "PRIVACY RISK" MEANS POTENTIAL ADVERSE CONSEQUENCES TO CONSUMERS AND SOCIETY ARISING FROM THE PROCESSING OF PERSONAL DATA, INCLUDING, BUT NOT LIMITED TO: (A) DIRECT OR INDIRECT FINANCIAL LOSS OR ECONOMIC HARM; (B) PHYSICAL HARM; (C) PSYCHOLOGICAL HARM, INCLUDING ANXIETY, EMBARRASSMENT, FEAR, AND OTHER DEMONSTRABLE MENTAL TRAUMA; (D) SIGNIFICANT INCONVENIENCE OR EXPENDITURE OF TIME; (E) ADVERSE OUTCOMES OR DECISIONS WITH RESPECT TO AN INDIVIDUAL'S ELIGIBILITY FOR RIGHTS, BENEFITS OR PRIVILEGES IN EMPLOYMENT (INCLUDING, BUT NOT LIMITED TO, HIRING, FIRING, PROMOTION, DEMOTION, COMPENSATION), CREDIT AND INSURANCE (INCLUDING, BUT NOT LIMITED TO, DENIAL OF AN APPLI- CATION OR OBTAINING LESS FAVORABLE TERMS), HOUSING, EDUCATION, PROFES- SIONAL CERTIFICATION, OR THE PROVISION OF HEALTH CARE AND RELATED SERVICES; (F) STIGMATIZATION OR REPUTATIONAL HARM; (G) DISRUPTION AND INTRUSION FROM UNWANTED COMMERCIAL COMMUNICATIONS OR CONTACTS; (H) PRICE DISCRIMINATION; (I) EFFECTS ON AN INDIVIDUAL THAT ARE NOT REASONABLY FORESEEABLE, CONTEMPLATED BY, OR EXPECTED BY THE INDIVIDUAL TO WHOM THE PERSONAL DATA RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEABLE, CONTEMPLATED BY, OR EXPECTED BY THE CONTROLLER ASSESSING PRIVACY RISK, THAT: (A) ALTERS THAT INDIVIDUAL'S EXPERIENCES; (B) LIMITS THAT INDIVIDUAL'S CHOICES; (C) INFLUENCES THAT INDIVIDUAL'S RESPONSES; OR (D) PREDETERMINES RESULTS; OR (J) OTHER ADVERSE CONSEQUENCES THAT AFFECT AN INDIVIDUAL'S PRIVATE LIFE, INCLUDING PRIVATE FAMILY MATTERS, ACTIONS AND COMMUNICATIONS WITH- IN AN INDIVIDUAL'S HOME OR SIMILAR PHYSICAL, ONLINE, OR DIGITAL LOCATION, WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION THAT PERSONAL DATA WILL NOT BE COLLECTED OR USED. 3. THE FIDUCIARY DUTY OWED TO A CONSUMER UNDER THIS SECTION SHALL SUPERSEDE ANY DUTY OWED TO OWNERS OR SHAREHOLDERS OF A LEGAL ENTITY OR AFFILIATE THEREOF, CONTROLLER OR DATA BROKER, TO WHOM THIS ARTICLE APPLES. § 1103. CONSUMER RIGHTS. ANY ENTITY SUBJECT TO THE PROVISIONS OF THIS ARTICLE SHALL PROVIDE NOTICE TO CONSUMERS OF THEIR RIGHTS UNDER THIS ARTICLE AND SHALL PROVIDE CONSUMERS THE OPPORTUNITY TO OPT IN OR OPT OUT OF PROCESSING THEIR PERSONAL DATA IN SUCH A MANNER THAT THE CONSUMER A. 680 6 MUST SELECT AND CLEARLY INDICATE THEIR CONSENT OR DENIAL OF CONSENT. CONTROLLERS SHALL FACILITATE REQUESTS TO EXERCISE THE CONSUMER RIGHTS SET FORTH IN SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION. 1. ON REQUEST FROM A CONSUMER, A CONTROLLER SHALL CONFIRM WHETHER OR NOT PERSONAL DATA CONCERNING THE CONSUMER IS BEING PROCESSED BY THE CONTROL- LER, INCLUDING WHETHER SUCH PERSONAL DATA IS SOLD TO DATA BROKERS, AND, WHERE PERSONAL DATA CONCERNING THE CONSUMER IS BEING PROCESSED BY THE CONTROLLER, PROVIDE ACCESS TO SUCH PERSONAL DATA CONCERNING THE CONSUMER AND THE NAMES OF THIRD PARTIES TO WHOM PERSONAL DATA IS SOLD OR LICENSED. ON REQUEST FROM A CONSUMER, A CONTROLLER SHALL PROVIDE A COPY OF THE PERSONAL DATA UNDERGOING PROCESSING FREE OF CHARGE, UP TO TWICE ANNUALLY. FOR ANY FURTHER COPIES REQUESTED BY THE CONSUMER, THE CONTROL- LER MAY CHARGE A REASONABLE FEE BASED ON ADMINISTRATIVE COSTS. WHERE THE CONSUMER MAKES THE REQUEST BY ELECTRONIC MEANS, AND UNLESS OTHERWISE REQUESTED BY THE CONSUMER, THE INFORMATION SHALL BE PROVIDED IN A COMMONLY USED ELECTRONIC FORM. 2. ON REQUEST FROM A CONSUMER, THE CONTROLLER, WITHOUT UNDUE DELAY, SHALL CORRECT INACCURATE PERSONAL DATA CONCERNING THE CONSUMER. TAKING INTO ACCOUNT THE PURPOSES OF THE PROCESSING, THE CONTROLLER SHALL COMPLETE INCOMPLETE PERSONAL DATA, INCLUDING BY MEANS OF PROVIDING A SUPPLEMENTARY STATEMENT. 3. (A) ON REQUEST FROM A CONSUMER, A CONTROLLER SHALL DELETE THE CONSUMER'S PERSONAL DATA WITHOUT UNDUE DELAY WHERE ONE OF THE FOLLOWING GROUNDS APPLIES: (I) THE PERSONAL DATA IS NO LONGER NECESSARY IN RELATION TO THE PURPOSES FOR WHICH THE PERSONAL DATA WAS COLLECTED OR OTHERWISE PROC- ESSED; (II) FOR PROCESSING THAT REQUIRES CONSENT UNDER SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE, THE CONSUMER WITHDRAWS CONSENT TO PROCESSING; (III) THE PERSONAL DATA HAS BEEN UNLAWFULLY PROCESSED; (IV) TO COMPLY WITH A LEGAL OBLIGATION UNDER FEDERAL, STATE, OR LOCAL LAW TO WHICH THE CONTROLLER IS SUBJECT; OR (V) THE CONSUMER OTHERWISE REQUESTS THAT THE DATA BE DELETED. (B) WHERE THE CONTROLLER IS OBLIGED TO DELETE PERSONAL DATA UNDER THIS SECTION THAT HAS BEEN DISCLOSED TO THIRD PARTIES BY THE CONTROLLER, INCLUDING DATA BROKERS THAT RECEIVED THE DATA THROUGH A SALE, THE CONTROLLER SHALL TAKE REASONABLE STEPS, WHICH MAY INCLUDE TECHNICAL MEASURES, TO INFORM OTHER CONTROLLERS THAT ARE PROCESSING THE PERSONAL DATA THAT THE CONSUMER HAS REQUESTED THE DELETION BY THE OTHER CONTROL- LERS OF ANY LINKS TO, OR COPY OR REPLICATION OF, THE PERSONAL DATA. COMPLIANCE WITH THIS OBLIGATION SHALL TAKE INTO ACCOUNT AVAILABLE TECH- NOLOGY AND COST OF IMPLEMENTATION. (C) THIS SUBDIVISION DOES NOT APPLY TO THE EXTENT PROCESSING IS NECES- SARY: (I) FOR EXERCISING THE RIGHT OF FREE SPEECH; (II) FOR COMPLIANCE WITH A LEGAL OBLIGATION THAT REQUIRES PROCESSING BY FEDERAL, STATE, OR LOCAL LAW TO WHICH THE CONTROLLER IS SUBJECT OR FOR THE PERFORMANCE OF A TASK CARRIED OUT IN THE PUBLIC INTEREST OR IN THE EXERCISE OF OFFICIAL AUTHORITY VESTED IN THE CONTROLLER; (III) FOR REASONS OF PUBLIC INTEREST IN THE AREA OF PUBLIC HEALTH, WHERE THE PROCESSING (A) IS SUBJECT TO SUITABLE AND SPECIFIC MEASURES TO SAFEGUARD THE RIGHTS OF THE CONSUMER; AND (B) IS PROCESSED BY OR UNDER THE RESPONSIBILITY OF A PROFESSIONAL SUBJECT TO CONFIDENTIALITY OBLI- GATIONS UNDER FEDERAL, STATE, OR LOCAL LAW; (IV) FOR ARCHIVING PURPOSES IN THE PUBLIC INTEREST, SCIENTIFIC OR HISTORICAL RESEARCH PURPOSES, OR STATISTICAL PURPOSES, WHERE THE A. 680 7 DELETION OF SUCH PERSONAL DATA IS LIKELY TO RENDER IMPOSSIBLE OR SERI- OUSLY IMPAIR THE ACHIEVEMENT OF THE OBJECTIVES OF THE PROCESSING; OR (V) FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS. 4. (A) THE CONTROLLER SHALL CEASE PROCESSING IF ONE OF THE FOLLOWING GROUNDS APPLIES: (I) THE ACCURACY OF THE PERSONAL DATA IS CONTESTED BY THE CONSUMER, FOR A PERIOD ENABLING THE CONTROLLER TO VERIFY THE ACCURACY OF THE PERSONAL DATA; (II) THE PROCESSING IS UNLAWFUL AND THE CONSUMER OPPOSES THE DELETION OF THE PERSONAL DATA AND REQUESTS THE RESTRICTION OF PROCESSING INSTEAD; (III) THE CONTROLLER NO LONGER NEEDS THE PERSONAL DATA FOR THE PURPOSES OF THE PROCESSING, BUT SUCH PERSONAL DATA IS REQUIRED BY THE CONSUMER FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS; OR (IV) THE CONSUMER OTHERWISE REQUESTS THAT THE CONTROLLER CEASE PROC- ESSING. (B) WHERE PERSONAL DATA IS SUBJECT TO A RESTRICTION OR PROCESSING UNDER THIS SUBDIVISION, THE PERSONAL DATA SHALL, WITH THE EXCEPTION OF STORAGE, ONLY BE PROCESSED (I) WITH THE CONSUMER'S CONSENT; (II) FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS; OR (III) FOR REASONS OF IMPORTANT PUBLIC INTEREST UNDER FEDERAL, STATE, OR LOCAL LAW. (C) WHERE A CONSUMER HAS TAKEN STEPS BY THE ONLINE SELECTION OF OPTIONS RELATED TO SHARING PERSONAL DATA A CONTROLLER IS OBLIGATED TO ADHERE TO SUCH SELECTIONS. 5. (A) ON REQUEST FROM A CONSUMER, THE CONTROLLER SHALL PROVIDE THE CONSUMER ANY PERSONAL DATA CONCERNING SUCH CONSUMER THAT SUCH CONSUMER HAS PROVIDED TO THE CONTROLLER IN A STRUCTURED, COMMONLY USED, AND MACHINE-READABLE FORMAT IF (I)(A) THE PROCESSING OF SUCH PERSONAL DATA REQUIRES CONSENT UNDER SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE, (B) THE PROCESSING OF SUCH PERSONAL DATA IS NECESSARY FOR THE PERFORMANCE OF A CONTRACT TO WHICH THE CONSUMER IS A PARTY, OR (C) IN ORDER TO TAKE STEPS AT THE REQUEST OF THE CONSUMER PRIOR TO ENTERING INTO A CONTRACT; AND (II) THE PROCESSING IS CARRIED OUT BY AUTOMATED MEANS. (B) CONTROLLERS SHALL TRANSMIT THE PERSONAL DATA REQUESTED UNDER THIS SUBDIVISION DIRECTLY FROM ONE CONTROLLER TO ANOTHER, WHERE TECHNICALLY FEASIBLE, AND TRANSMIT THE PERSONAL DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE FROM THE CONTROLLER TO WHICH THE PERSONAL DATA WAS PROVIDED. (C) REQUESTS FOR PERSONNEL DATA UNDER THIS SUBDIVISION SHALL BE WITH- OUT PREJUDICE TO SUBDIVISION THREE OF THIS SECTION. (D) THE RIGHTS PROVIDED IN THIS SUBDIVISION DO NOT APPLY TO PROCESSING NECESSARY FOR THE PERFORMANCE OF A TASK CARRIED OUT IN THE PUBLIC INTER- EST AND SHALL NOT ADVERSELY AFFECT THE RIGHTS OF CONSUMERS. 6. A CONSUMER SHALL NOT BE SUBJECT TO A DECISION BASED SOLELY ON PROFILING WHICH PRODUCES LEGAL EFFECTS CONCERNING SUCH CONSUMER OR SIMI- LARLY SIGNIFICANTLY AFFECTS THE CONSUMER. LEGAL OR SIMILARLY SIGNIFICANT EFFECTS INCLUDE, BUT ARE NOT LIMITED TO, DENIAL OF CONSEQUENTIAL SERVICES OR SUPPORT, SUCH AS FINANCIAL AND LENDING SERVICES, HOUSING, INSURANCE, EDUCATION ENROLLMENT, CRIMINAL JUSTICE, EMPLOYMENT OPPORTU- NITIES, AND HEALTH CARE SERVICES. (A) THIS SUBDIVISION DOES NOT APPLY IF THE DECISION IS AUTHORIZED BY FEDERAL OR STATE LAW TO WHICH THE CONTROLLER IS SUBJECT AND WHICH INCOR- PORATES SUITABLE MEASURES TO SAFEGUARD THE CONSUMER'S RIGHTS AND LEGITI- MATE INTERESTS, AS INDICATED BY THE RISK ASSESSMENTS REQUIRED BY SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE. (B) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, THE CONTROLLER SHALL IMPLEMENT SUITABLE MEASURES TO SAFEGUARD CONSUMER'S RIGHTS AND LEGITIMATE INTERESTS WITH RESPECT TO DECISIONS BASED SOLELY ON PROFIL- A. 680 8 ING, INCLUDING PROVIDING HUMAN REVIEW OF THE DECISION, TO EXPRESS THE CONSUMER'S POINT OF VIEW WITH RESPECT TO THE DECISION, AND TO CONTEST THE DECISION. 7. A CONTROLLER SHALL COMMUNICATE ANY CORRECTION, DELETION, OR RESTRICTION OF PROCESSING CARRIED OUT IN ACCORDANCE WITH SUBDIVISIONS TWO, THREE OR FOUR OF THIS SECTION TO EACH THIRD-PARTY RECIPIENT TO WHOM THE PERSONAL DATA HAS BEEN DISCLOSED, INCLUDING THIRD PARTIES THAT RECEIVED THE DATA THROUGH A SALE, UNLESS THIS PROVES IMPOSSIBLE. THE CONTROLLER SHALL INFORM THE CONSUMER ABOUT SUCH THIRD-PARTY RECIPIENTS, IF ANY, IF THE CONSUMER REQUESTS SUCH INFORMATION. 8. A CONTROLLER SHALL PROVIDE INFORMATION ON ACTION TAKEN ON A REQUEST UNDER SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN THIRTY DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED BY SIXTY ADDITIONAL DAYS WHERE NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE CONTROLLER SHALL INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN THIRTY DAYS OF RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHERE THE CONSUMER MAKES THE REQUEST BY ELECTRONIC MEANS, THE INFORMATION SHALL BE PROVIDED BY ELECTRONIC MEANS WHERE POSSIBLE, UNLESS OTHERWISE REQUESTED BY THE CONSUMER. (A) IF A CONTROLLER DOES NOT TAKE ACTION ON THE REQUEST OF A CONSUMER, THE CONTROLLER SHALL INFORM THE CONSUMER WITHOUT UNDUE DELAY AND AT THE LATEST WITHIN THIRTY DAYS OF RECEIPT OF THE REQUEST OF THE REASONS FOR NOT TAKING ACTION AND ANY POSSIBILITY FOR INTERNAL REVIEW OF THE DECI- SION BY THE CONTROLLER. (B) INFORMATION PROVIDED UNDER THIS SECTION MUST BE PROVIDED BY THE CONTROLLER FREE OF CHARGE TO THE CONSUMER. WHERE REQUESTS FROM A CONSUM- ER ARE MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR BECAUSE OF THEIR REPETITIVE CHARACTER, THE CONTROLLER MAY EITHER: (I) CHARGE A REASONABLE FEE TAKING INTO ACCOUNT THE ADMINISTRATIVE COSTS OF PROVIDING THE INFOR- MATION OR COMMUNICATION OR TAKING THE ACTION REQUESTED; OR (II) REFUSE TO ACT ON THE REQUEST. THE CONTROLLER BEARS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE CHARACTER OF THE REQUEST. (C) WHERE THE CONTROLLER HAS REASONABLE DOUBTS CONCERNING THE IDENTITY OF THE CONSUMER MAKING A REQUEST UNDER SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION, THE CONTROLLER MAY REQUEST THE PROVISION OF ADDITIONAL INFORMATION NECESSARY TO CONFIRM THE IDENTITY OF THE CONSUMER. (D) A CONTROLLER SHALL CONDUCT AN INTERNAL REVIEW ON ANY ACTION TAKEN UPON REQUEST OF A CONSUMER UNDER SUBDIVISIONS ONE THROUGH SIX OF THIS SECTION. § 1104. TRANSPARENCY. 1. CONTROLLERS SHALL BE TRANSPARENT AND ACCOUNT- ABLE FOR THEIR PROCESSING OF PERSONAL DATA, BY MAKING AVAILABLE IN A FORM THAT IS REASONABLY ACCESSIBLE TO CONSUMERS A CLEAR, MEANINGFUL PRIVACY NOTICE THAT IS EASILY UNDERSTOOD AND WHICH INCLUDES: (A) THE CATEGORIES OF PERSONAL DATA COLLECTED BY THE CONTROLLER; (B) THE PURPOSES FOR WHICH THE CATEGORIES OF PERSONAL DATA IS USED AND DISCLOSED TO THIRD PARTIES, IF ANY; (C) THE RIGHTS THAT CONSUMERS MAY EXERCISE PURSUANT TO SECTION ELEVEN HUNDRED THREE OF THIS ARTICLE, IF ANY; (D) THE CATEGORIES OF PERSONAL DATA THAT THE CONTROLLER SHARES WITH THIRD PARTIES, IF ANY; AND (E) THE NAMES AND CATEGORIES OF THIRD PARTIES, IF ANY, WITH WHOM THE CONTROLLER SHARES PERSONAL DATA. 2. CONTROLLERS THAT ENGAGE IN PROFILING SHALL DISCLOSE SUCH PROFILING TO THE CONSUMER AT OR BEFORE THE TIME PERSONAL DATA IS OBTAINED, INCLUD- A. 680 9 ING MEANINGFUL INFORMATION ABOUT THE LOGIC INVOLVED AND THE SIGNIFICANCE AND ENVISAGED CONSEQUENCES OF THE PROFILING. 3. IF A CONTROLLER SELLS PERSONAL DATA TO DATA BROKERS OR PROCESSES PERSONAL DATA FOR DIRECT MARKETING PURPOSES, INCLUDING TARGETED MARKET- ING AND PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING, IT SHALL DISCLOSE SUCH PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OBJECT TO SUCH PROCESSING, IN A CLEAR AND PROMINENT MANNER. § 1105. RESPONSIBILITY ACCORDING TO ROLE. 1. CONTROLLERS AND BROKERS SHALL BE RESPONSIBLE FOR MEETING THE OBLIGATIONS SET FORTH UNDER THIS ARTICLE. 2. PROCESSORS AND BROKERS ARE RESPONSIBLE UNDER THIS ARTICLE FOR ADHERING TO THE INSTRUCTIONS OF THE CONTROLLER AND ASSISTING THE CONTROLLER TO MEET ITS OBLIGATIONS UNDER THIS ARTICLE. 3. PROCESSING BY A PROCESSOR SHALL BE GOVERNED BY A CONTRACT BETWEEN THE CONTROLLER AND THE PROCESSOR THAT IS BINDING ON THE PROCESSOR AND THAT SETS OUT THE PROCESSING INSTRUCTIONS TO WHICH THE PROCESSOR IS BOUND. § 1106. DE-IDENTIFIED DATA. A CONTROLLER OR PROCESSOR THAT USES DE-I- DENTIFIED DATA SHALL EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE DE-IDENTIFIED DATA IS SUBJECT, AND SHALL TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF CONTRACTUAL COMMITMENTS. § 1107. EXEMPTIONS. 1. THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS ARTICLE DO NOT RESTRICT A CONTROLLER'S OR PROCESS- OR'S ABILITY TO: (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS; (B) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI- GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERN- MENTAL AUTHORITIES; (C) DISCLOSE PERSONAL DATA TO A LAW ENFORCEMENT AGENCY IF SUCH INFOR- MATION: (I) WAS INADVERTENTLY OBTAINED BY THE CONTROLLER OR DATA BROKER; AND (II) APPEARS TO PERTAIN TO THE COMMISSION OF A CRIME; (D) COOPERATE WITH A GOVERNMENTAL ENTITY IF THE CONTROLLER OR DATA BROKER, IN GOOD FAITH, BELIEVES THAT AN EMERGENCY INVOLVING DANGER OF DEATH OR SERIOUS PHYSICAL INJURY TO ANY PERSON REQUIRES DISCLOSURE OF PERSONAL DATA WITHOUT DELAY; (E) INVESTIGATE, EXERCISE, OR DEFEND LEGAL CLAIMS; OR (F) PREVENT OR DETECT IDENTITY THEFT, FRAUD, OR OTHER CRIMINAL ACTIV- ITY OR VERIFY IDENTITIES. 2. THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS ARTICLE DO NOT APPLY WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW YORK LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVI- LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION. 3. A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A THIRD- PARTY CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THE REQUIREMENTS OF THIS ARTICLE IS NOT IN VIOLATION OF THIS ARTICLE, INCLUDING UNDER SECTION ELEVEN HUNDRED EIGHT OF THIS ARTICLE, IF THE THIRD-PARTY RECIPI- ENT PROCESSES SUCH PERSONAL DATA IN VIOLATION OF THIS ARTICLE, PROVIDED THAT, AT THE TIME OF DISCLOSING THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE THIRD- PARTY RECIPIENT INTENDED TO COMMIT A VIOLATION. A THIRD-PARTY RECIPIENT RECEIVING PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IS LIKEWISE NOT A. 680 10 LIABLE UNDER THIS ARTICLE, INCLUDING UNDER SECTION ELEVEN HUNDRED EIGHT OF THIS ARTICLE, FOR THE OBLIGATIONS OF A CONTROLLER OR PROCESSOR TO WHOM IT PROVIDES SERVICES. 4. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER OR PROCESSOR TO DO THE FOLLOWING: (A) RE-IDENTIFY DE-IDENTIFIED DATA; (B) RETAIN PERSONAL DATA CONCERNING A CONSUMER THAT HE OR SHE WOULD NOT OTHERWISE RETAIN IN THE ORDINARY COURSE OF BUSINESS; OR (C) COMPLY WITH A REQUEST TO EXERCISE ANY OF THE RIGHTS UNDER SUBDIVI- SIONS ONE THROUGH SIX OF SECTION ELEVEN HUNDRED THREE OF THIS ARTICLE IF THE CONTROLLER IS UNABLE TO VERIFY, USING COMMERCIALLY REASONABLE EFFORTS, THE IDENTITY OF THE CONSUMER MAKING THE REQUEST. 5. OBLIGATIONS IMPOSED ON CONTROLLERS AND PROCESSORS UNDER THIS ARTI- CLE DO NOT APPLY TO THE PROCESSING OF PERSONAL DATA BY A NATURAL PERSON IN THE COURSE OF A PURELY PERSONAL OR HOUSEHOLD ACTIVITY. § 1108. LIABILITY. WHERE MORE THAN ONE CONTROLLER OR PROCESSOR, OR BOTH A CONTROLLER AND A PROCESSOR, INVOLVED IN THE SAME PROCESSING, IS IN VIOLATION OF THIS ARTICLE, THE LIABILITY SHALL BE ALLOCATED AMONG THE PARTIES ACCORDING TO PRINCIPLES OF COMPARATIVE FAULT, UNLESS SUCH LIABILITY IS OTHERWISE ALLOCATED BY CONTRACT AMONG THE PARTIES. § 1109. ENFORCEMENT. 1. THE LEGISLATURE FINDS THAT THE PRACTICES COVERED BY THIS ARTICLE ARE MATTERS VITALLY AFFECTING THE PUBLIC INTER- EST FOR THE PURPOSE OF PROVIDING CONSUMER PROTECTION FROM DECEPTIVE ACTS AND PRACTICES UNDER ARTICLE TWENTY-TWO-A OF THIS CHAPTER. A VIOLATION OF THIS ARTICLE IS NOT REASONABLE IN RELATION TO THE DEVELOPMENT AND PRES- ERVATION OF BUSINESS AND IS AN UNFAIR OR DECEPTIVE ACT IN TRADE OR COMMERCE AND AN UNFAIR METHOD OF COMPETITION FOR THE PURPOSE OF APPLYING ARTICLE TWENTY-TWO-A OF THIS CHAPTER. 2. THE ATTORNEY GENERAL MAY BRING AN ACTION IN THE NAME OF THE STATE, OR AS PARENS PATRIAE ON BEHALF OF PERSONS RESIDING IN THE STATE, TO ENFORCE THIS ARTICLE. 3. IN ADDITION TO ANY RIGHT OF ACTION GRANTED TO ANY GOVERNMENTAL BODY PURSUANT TO THIS SECTION, ANY PERSON WHO HAS BEEN INJURED BY REASON OF A VIOLATION OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER OWN NAME TO ENJOIN SUCH UNLAWFUL ACT, OR TO RECOVER HIS OR HER ACTUAL DAMAGES, OR BOTH SUCH ACTIONS. THE COURT MAY AWARD REASONABLE ATTORNEY'S FEES TO A PREVAILING PLAINTIFF. 4. ANY CONTROLLER OR PROCESSOR WHO VIOLATES THIS ARTICLE IS SUBJECT TO AN INJUNCTION AND LIABLE FOR DAMAGES AND A CIVIL PENALTY. WHEN CALCULAT- ING DAMAGES AND CIVIL PENALTIES, THE COURT SHALL CONSIDER THE NUMBER OF AFFECTED INDIVIDUALS, THE SEVERITY OF THE VIOLATION, AND THE SIZE AND REVENUES OF THE COVERED ENTITY. EACH INDIVIDUAL WHOSE INFORMATION WAS UNLAWFULLY PROCESSED COUNTS AS A SEPARATE VIOLATION. EACH PROVISION OF THIS ARTICLE THAT WAS VIOLATED COUNTS AS A SEPARATE VIOLATION. § 1110. PREEMPTION. THIS ARTICLE SUPERSEDES AND PREEMPTS LAWS ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING OF PERSONAL DATA BY CONTROLLERS OR PROCESSORS. § 3. This act shall take effect on the one hundred eightieth day after it shall have become a law.
co-Sponsors
Dan Quart
David Weprin
Daniel Rosenthal
Jo Anne Simon
Jeffrey Dinowitz
Amy Paulin
2021-A680A - Details
2021-A680A - Bill Text download pdf
S T A T E O F N E W Y O R K ________________________________________________________________________ 680--A 2021-2022 Regular Sessions I N A S S E M B L Y (PREFILED) January 6, 2021 ___________ Introduced by M. of A. L. ROSENTHAL, QUART, WEPRIN, D. ROSENTHAL, SIMON -- read once and referred to the Committee on Consumer Affairs and Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the general business law, in relation to the management and oversight of personal data THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS: Section 1. Short title. This act shall be known and may be cited as the "New York privacy act". § 2. Legislative intent. 1. Privacy is a fundamental right and an essential element of freedom. Advances in technology have produced ramp- ant growth in the amount and categories of personal data being gener- ated, collected, stored, analyzed, and potentially shared, which presents both promise and peril. Companies collect, use and share our personal information in ways that can be difficult for ordinary consum- ers to understand. Opaque data processing policies make it impossible to evaluate risks and compare privacy-related protections across services, stifling competition. Algorithms quietly make decisions with critical consequences for New York consumers, often with no human accountability. Behavioral advertising generates profits by turning people into products and their activity into assets. New York consumers deserve more notice and more control over their data and their digital privacy. 2. This act seeks to help New York consumers regain their privacy. It gives New York consumers the ability to exercise more control over their personal data and requires businesses to be responsible, thoughtful, and accountable managers of that information. To achieve this, this act provides New York consumers a number of new rights, including clear notice of how their data is being used, processed and shared; the abili- ty to access and obtain a copy of their data in a commonly used elec- EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted. LBD00516-02-1 A. 680--A 2 tronic format, with the ability to transfer it between services; the ability to correct inaccurate data and to delete their data; and the ability to challenge certain automated decisions. This act also imposes obligations upon businesses to maintain reasonable data security for personal data, to notify New York consumers of foreseeable harms arising from use of their data and to obtain specific consent for that use, and to conduct regular assessments to ensure that data is not being used for unacceptable purposes. These data assessments can be obtained and evalu- ated by the New York State Attorney General, who is empowered to obtain penalties for violations of this act and prevent future violations. This act also grants New York consumers who have been injured as the result of a violation a private right of action, which includes reasonable attorneys' fees to a prevailing plaintiff. § 3. The general business law is amended by adding a new article 42 to read as follows: ARTICLE 42 NEW YORK PRIVACY ACT SECTION 1100. DEFINITIONS. 1101. JURISDICTIONAL SCOPE. 1102. CONSUMER RIGHTS. 1103. CONTROLLER, PROCESSOR, AND THIRD-PARTY RESPONSIBILITIES. 1104. DATA BROKERS. 1105. LIMITATIONS. 1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION. 1107. MISCELLANEOUS. § 1100. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY THROUGHOUT THIS ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE: 1. "AUTOMATED DECISION-MAKING" OR "AUTOMATED DECISION" MEANS A COMPU- TATIONAL PROCESS, INCLUDING ONE DERIVED FROM MACHINE LEARNING, ARTIFI- CIAL INTELLIGENCE, OR ANY OTHER AUTOMATED PROCESS, INVOLVING PERSONAL DATA THAT RESULTS IN A DECISION AFFECTING A CONSUMER. 2. "BIOMETRIC INFORMATION" MEANS ANY PERSONAL DATA GENERATED FROM THE MEASUREMENT OR SPECIFIC TECHNOLOGICAL PROCESSING OF AN INDIVIDUAL'S BIOLOGICAL, PHYSICAL, OR PHYSIOLOGICAL CHARACTERISTICS, INCLUDING FING- ERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES, DEOXYRIBONUCLEIC ACID (DNA) INFORMATION, AND GAIT. 3. "BUSINESS ASSOCIATE" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 4. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT TO THE PROCESSING OF DATA RELATING TO THE CONSUMER MADE IN RESPONSE TO A DEDICATED PROMPT OUTLINING IN CLEAR AND CONSPICUOUS LANGUAGE THE MATERI- AL NATURE OF THE PROCESSING TO WHICH THE CONSUMER IS CONSENTING. A PRE-CHECKED BOX OR SIMILAR DEFAULT IS NOT AFFIRMATIVE CONSENT. CONSENT MAY BE WITHDRAWN AT ANY TIME, AND A CONTROLLER MUST PROVIDE CLEAR, CONSPICUOUS, AND CONSUMER-FRIENDLY MEANS TO WITHDRAW CONSENT. THE BURDEN OF ESTABLISHING CONSENT IS ON THE CONTROLLER. 5. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING ONLY IN AN INDIVIDUAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN TO BE ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT. 6. "CONTROLLER" MEANS THE PERSON WHO, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA. 7. "COVERED ENTITY" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. A. 680--A 3 8. "DATA BROKER" MEANS A PERSON, OR UNIT OR UNITS OF A LEGAL ENTITY, SEPARATELY OR TOGETHER, THAT DOES BUSINESS IN THE STATE OF NEW YORK AND KNOWINGLY COLLECTS, AND SELLS TO CONTROLLERS OR THIRD-PARTIES, THE PERSONAL DATA OF A CONSUMER WITH WHOM IT DOES NOT HAVE A DIRECT RELATIONSHIP. "DATA BROKER" DOES NOT INCLUDE ANY OF THE FOLLOWING: (A) A CONSUMER REPORTING AGENCY TO THE EXTENT THAT IT IS COVERED BY THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET SEQ.); OR (B) A FINANCIAL INSTITUTION TO THE EXTENT THAT IT IS COVERED BY THE GRAMM-LEACH-BLILEY ACT (PUBLIC LAW 106-102) AND IMPLEMENTING REGU- LATIONS. 9. "DEIDENTIFIED DATA" MEANS DATA THAT CANNOT REASONABLY BE USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTICULAR CONSUM- ER, PROVIDED THAT THE PROCESSOR OR CONTROLLER THAT POSSESSES THE DATA: (A) TAKES REASONABLE MEASURES TO ENSURE THAT THE DATA CANNOT BE ASSO- CIATED WITH A CONSUMER OR DEVICE; (B) PUBLICLY COMMITS TO PROCESS THE DATA ONLY AS DEIDENTIFIED DATA AND NOT ATTEMPT TO REIDENTIFY THE DATA, EXCEPT THAT THE CONTROLLER OR PROCESSOR MAY ATTEMPT TO REIDENTIFY THE INFORMATION SOLELY FOR THE PURPOSE OF DETERMINING WHETHER ITS DEIDENTIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SUBDIVISION; AND (C) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE DATA TO COMPLY WITH ALL PROVISIONS OF THIS ARTICLE. 10. "DEVICE" MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECTING TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE AND IS INTENDED FOR USE BY A NATURAL PERSON OR HOUSEHOLD OR, IF USED OUTSIDE THE HOME, FOR USE BY THE GENERAL PUBLIC. 11. "MEANINGFUL HUMAN REVIEW" MEANS REVIEW OR OVERSIGHT BY ONE OR MORE INDIVIDUALS WHO (A) ARE TRAINED IN THE CAPABILITIES AND LIMITATIONS OF THE ALGORITHM AT ISSUE AND THE PROCEDURES TO INTERPRET AND ACT ON THE OUTPUT OF THE ALGORITHM, AND (B) HAVE THE AUTHORITY TO ALTER THE AUTO- MATED DECISION UNDER REVIEW. 12. "NATURAL PERSON" MEANS A NATURAL PERSON ACTING ONLY IN AN INDIVID- UAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN TO BE ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT. 13. "PERSON" MEANS A NATURAL PERSON OR A LEGAL ENTITY, INCLUDING BUT NOT LIMITED TO A PROPRIETORSHIP, PARTNERSHIP, LIMITED PARTNERSHIP, CORPORATION, COMPANY, LIMITED LIABILITY COMPANY OR CORPORATION, ASSOCI- ATION, OR OTHER FIRM OR SIMILAR BODY, OR ANY UNIT, DIVISION, AGENCY, DEPARTMENT, OR SIMILAR SUBDIVISION THEREOF. 14. "PERSONAL DATA" MEANS ANY DATA THAT IS IDENTIFIED OR COULD REASON- ABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A SPECIFIC NATURAL PERSON, HOUSEHOLD, OR DEVICE. PERSONAL DATA DOES NOT INCLUDE DEIDENTIFIED DATA. 15. "IDENTIFIED OR IDENTIFIABLE NATURAL PERSON" MEANS A NATURAL PERSON WHO CAN BE IDENTIFIED, DIRECTLY OR INDIRECTLY, SUCH AS BY REFERENCE TO AN IDENTIFIER SUCH AS A NAME, AN IDENTIFICATION NUMBER, LOCATION DATA, OR AN ONLINE OR DEVICE IDENTIFIER. 16. "PROCESS," "PROCESSES" OR "PROCESSING" MEANS AN OPERATION OR SET OF OPERATIONS WHICH ARE PERFORMED ON DATA OR ON SETS OF DATA, INCLUDING BUT NOT LIMITED TO THE COLLECTION, USE, ACCESS, SHARING, MONETIZATION, ANALYSIS, RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGAN- IZATION, STRUCTURING, STORAGE, DISCLOSURE, TRANSMISSION, ANALYSIS, DISPOSAL, LICENSING, DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFI- CATION OF DATA. 17. "PROCESSOR" MEANS A PERSON THAT PROCESSES DATA ON BEHALF OF THE CONTROLLER. A. 680--A 4 18. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 19. "SALE," "SELL," OR "SOLD" MEANS THE DISCLOSURE, TRANSFER, CONVEY- ANCE, SHARING, LICENSING, MAKING AVAILABLE, PROCESSING, GRANTING OF PERMISSION OR AUTHORIZATION TO PROCESS, OR OTHER EXCHANGE OF PERSONAL DATA, OR PROVIDING ACCESS TO PERSONAL DATA FOR MONETARY OR OTHER VALU- ABLE CONSIDERATION BY THE CONTROLLER TO A THIRD-PARTY. "SALE" INCLUDES ENABLING, FACILITATING OR PROVIDING ACCESS TO A CONSUMER FOR TARGETED ADVERTISING. "SALE" DOES NOT INCLUDE THE FOLLOWING: (A) THE DISCLOSURE OF DATA TO A PROCESSOR WHO PROCESSES THE DATA ON BEHALF OF THE CONTROLLER AND WHICH IS CONTRACTUALLY PROHIBITED FROM USING IT FOR ANY PURPOSE OTHER THAN AS INSTRUCTED BY THE CONTROLLER; OR (B) THE DISCLOSURE OR TRANSFER OF DATA AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR A MAJORITY OF THE CONTROL- LER'S ASSETS. 20. "TARGETED ADVERTISING" MEANS DISPLAYING ONLINE ADVERTISEMENTS TO A CONSUMER WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA OBTAINED FROM A CONSUMER'S ACTIVITIES OVER TIME AND ACROSS ONE OR MORE DISTINCTLY-BRANDED WEBSITES, ONLINE APPLICATIONS, OR SERVICES, TO PREDICT THE CONSUMER'S PREFERENCES OR INTERESTS. IT DOES NOT INCLUDE ADVERTISING (A) BASED ON THE CONTEXT OF THE CONSUMER'S CURRENT SEARCH QUERY OR VISIT TO A WEBSITE OR ONLINE APPLICATION, OR (B) TO A CONSUMER IN DIRECT RESPONSE TO THE CONSUMER'S REQUEST FOR INFORMATION OR FEED- BACK. 21. "THIRD-PARTY" MEANS, WITH RESPECT TO A PARTICULAR INTERACTION OR OCCURRENCE, A PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER THAN THE CONSUMER, THE CONTROLLER, OR PROCESSOR OF THE CONTROLLER. A THIRD PARTY MAY ALSO BE A CONTROLLER IF THE THIRD PARTY, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA. 22. "VERIFIED REQUEST" MEANS A REQUEST BY A CONSUMER TO EXERCISE A RIGHT AUTHORIZED BY THIS ARTICLE, THE AUTHENTICITY OF WHICH HAS BEEN ASCERTAINED BY THE CONTROLLER IN ACCORDANCE WITH PARAGRAPH (C) OF SUBDI- VISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE. § 1101. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL PERSONS THAT CONDUCT BUSINESS IN NEW YORK OR PRODUCE PRODUCTS OR SERVICES THAT ARE TARGETED TO RESIDENTS OF NEW YORK, AND THAT SATISFY ONE OR MORE OF THE FOLLOWING THRESHOLDS: (A) HAVE ANNUAL GROSS REVENUE OF TWENTY-FIVE MILLION DOLLARS OR MORE; (B) CONTROLS OR PROCESSES PERSONAL DATA OF ONE HUNDRED THOUSAND CONSUMERS OR MORE; (C) CONTROLS OR PROCESSES PERSONAL DATA OF FIVE HUNDRED THOUSAND NATURAL PERSONS OR MORE NATIONWIDE, AND CONTROLS OR PROCESSES PERSONAL DATA OF TEN THOUSAND CONSUMERS; OR (D) DERIVES OVER FIFTY PERCENT OF GROSS REVENUE FROM THE SALE OF PERSONAL DATA, AND CONTROLS OR PROCESSES PERSONAL DATA OF TWENTY-FIVE THOUSAND CONSUMERS OR MORE. 2. THIS ARTICLE DOES NOT APPLY TO: (A) PERSONAL DATA PROCESSED BY STATE AND LOCAL GOVERNMENTS, AND MUNIC- IPAL CORPORATIONS, FOR PROCESSES OTHER THAN SALE (FILING AND PROCESSING FEES ARE NOT SALE); (B) INFORMATION THAT MEETS THE FOLLOWING CRITERIA: (I) PERSONAL DATA REQUIRED TO BE COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL GRAMM-LEACH-BLILEY ACT (P.L. 106-102), A. 680--A 5 AND IMPLEMENTING REGULATIONS, IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN COMPLIANCE WITH SUCH LAW; (II) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL DRIVER'S PRIVACY PROTECTION ACT OF 1994 (18 U.S.C. SEC. 2721 ET SEQ.), IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN COMPLIANCE WITH THAT LAW; (III) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, U.S.C. SEC. 1232G AND ITS IMPLEMENTING REGULATIONS; (IV) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL FARM CREDIT ACT OF 1971 (AS AMENDED IN 12 U.S.C. SEC. 2001-2279CC) AND ITS IMPLEMENTING REGULATIONS (12 C.F.R. PART 600 ET SEQ.) IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN COMPLI- ANCE WITH THAT LAW; (V) PERSONAL DATA REGULATED BY SECTION TWO-D OF THE EDUCATION LAW; (VI) DATA MAINTAINED FOR EMPLOYMENT RECORDS PURPOSES, FOR PURPOSES OTHER THAN SALE; (VII) PROTECTED HEALTH INFORMATION THAT IS COLLECTED BY A COVERED ENTITY OR BUSINESS ASSOCIATE GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTA- BILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191) ("HIPAA") AND THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC LAW 111-5); (VIII) PATIENT IDENTIFYING INFORMATION FOR PURPOSES OF 42 C.F.R. PART 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290DD-2; (IX) INFORMATION AND DOCUMENTS CREATED FOR PURPOSES OF THE FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986, AND RELATED REGULATIONS; (X) PATIENT SAFETY WORK PRODUCT FOR PURPOSES OF 42 C.F.R. PART 3, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 299B-21 THROUGH 299B-26; (XI) INFORMATION ORIGINATING FROM, AND INTERMINGLED TO BE INDISTIN- GUISHABLE FROM, OR INFORMATION TREATED IN THE SAME MANNER AS, INFORMA- TION EXEMPT UNDER THIS SUBDIVISION THAT IS MAINTAINED BY A COVERED ENTI- TY OR BUSINESS ASSOCIATE AS DEFINED BY HIPAA OR A PROGRAM OR A QUALIFIED SERVICE ORGANIZATION AS DEFINED BY 42 U.S.C. § 290DD-2; (XII) DEIDENTIFIED HEALTH INFORMATION THAT MEETS ALL OF THE FOLLOWING CONDITIONS: (A) IT IS DEIDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DEIDEN- TIFICATION SET FORTH IN SECTION 164.514 OF PART 164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; (B) IT IS DERIVED FROM PROTECTED HEALTH INFORMATION, INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION, OR IDENTIFIABLE PRIVATE INFORMATION CONSISTENT WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE; AND (C) A COVERED ENTITY OR BUSINESS ASSOCIATE DOES NOT ATTEMPT TO REIDEN- TIFY THE INFORMATION NOR DO THEY ACTUALLY REIDENTIFY THE INFORMATION EXCEPT AS OTHERWISE ALLOWED UNDER STATE OR FEDERAL LAW; (XIII) PATIENT INFORMATION MAINTAINED BY A COVERED ENTITY OR BUSINESS ASSOCIATE GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGU- LATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE COVERED ENTITY OR BUSINESS ASSOCIATE MAINTAINS THE PATIENT INFORMATION IN THE SAME MANNER AS PROTECTED HEALTH INFORMATION AS DESCRIBED IN SUBPARAGRAPH (VII) OF THIS PARAGRAPH; A. 680--A 6 (XIV) DATA COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH, INCLUDING A CLINICAL TRIAL, CONDUCTED IN ACCORDANCE WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE UNITED STATES FOOD AND DRUG ADMINISTRATION; OR (XV) PERSONAL DATA PROCESSED ONLY FOR ONE OR MORE OF THE FOLLOWING PURPOSES: (A) PRODUCT REGISTRATION AND TRACKING CONSISTENT WITH APPLICABLE UNITED STATES FOOD AND DRUG ADMINISTRATION REGULATIONS AND GUIDANCE; (B) PUBLIC HEALTH ACTIVITIES AND PURPOSES AS DESCRIBED IN SECTION 164.512 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; AND/OR (C) ACTIVITIES RELATED TO QUALITY, SAFETY, OR EFFECTIVENESS REGULATED BY THE UNITED STATES FOOD AND DRUG ADMINISTRATION; (C) (I) AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S CREDIT WORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING BY A CONSUMER REPORTING AGENCY, AS DEFINED IN TITLE 15 U.S.C. SEC. 1681A(F), BY A FURNISHER OF INFORMATION, AS SET FORTH IN TITLE 15 U.S.C. SEC. 1681S-2, WHO PROVIDES INFORMATION FOR USE IN A CONSUMER REPORT, AS DEFINED IN TITLE 15 U.S.C. SEC. 1861A(D), AND BY A USER OF A CONSUMER REPORT, AS SET FORTH IN TITLE 15 U.S.C. SEC. 1681B.; AND (II) THIS PARAGRAPH SHALL APPLY ONLY TO THE EXTENT THAT SUCH ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF SUCH DATA BY THAT AGENCY, FURNISHER, OR USER IS SUBJECT TO REGULATION UNDER THE FAIR CREDIT REPORTING ACT, TITLE 15 U.S.C. SEC. 1681 ET SEQ., AND THE DATA IS NOT COLLECTED, MAINTAINED, USED, COMMUNI- CATED, DISCLOSED, OR SOLD EXCEPT AS AUTHORIZED BY THE FAIR CREDIT REPORTING ACT. § 1102. CONSUMER RIGHTS. 1. RIGHT TO NOTICE. (A) NOTICE. EACH CONTROL- LER THAT PROCESSES A CONSUMER'S PERSONAL DATA MUST MAKE PUBLICLY AND PERSISTENTLY AVAILABLE, IN A CONSPICUOUS AND READILY ACCESSIBLE MANNER, A NOTICE CONTAINING THE FOLLOWING: (I) A DESCRIPTION OF THE CONSUMER'S RIGHTS UNDER SUBDIVISIONS TWO THROUGH SIX OF THIS SECTION AND HOW A CONSUMER MAY EXERCISE THOSE RIGHTS, INCLUDING HOW TO WITHDRAW CONSENT; (II) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER AND BY ANY PROCESSOR WHO PROCESSES PERSONAL DATA ON BEHALF OF THE CONTROL- LER; (III) THE SOURCES FROM WHICH PERSONAL DATA IS COLLECTED; (IV) THE PURPOSES FOR PROCESSING PERSONAL DATA; (V) THE IDENTITY OF EACH PROCESSOR OR THIRD PARTY TO WHOM THE CONTROL- LER DISCLOSES, SHARES, TRANSFERS, OR SELLS PERSONAL DATA AND, FOR EACH IDENTIFIED PROCESSOR OR THIRD PARTY, (A) THE CATEGORIES OF PERSONAL DATA BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD TO THE PROCESSOR OR THIRD PARTY, (B) THE PURPOSES FOR WHICH PERSONAL DATA IS BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD TO THE PROCESSOR OR THIRD PARTY, (C) THE THIRD PARTY'S RETENTION PERIOD FOR EACH CATEGORY OF PERSONAL DATA PROC- ESSED BY THE THIRD PARTY OR PROCESSED ON THEIR BEHALF, OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THE PERIOD, AND (D) WHETHER THE ENTITY USES THE PERSONAL DATA FOR TARGETED ADVERTISING; (VI) THE CONTROLLER'S RETENTION PERIOD FOR EACH CATEGORY OF PERSONAL DATA THAT THEY PROCESS OR IS PROCESSED ON THEIR BEHALF, OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD; AND A. 680--A 7 (VII) FOR CONTROLLERS ENGAGING IN TARGETED ADVERTISING, AVERAGE EXPECTED REVENUE PER USER (ARPU) OR A SIMILAR METRIC FOR THE MOST RECENT FISCAL YEAR FOR THE REGION THAT COVERS NEW YORK. (B) NOTICE REQUIREMENTS. (I) THE NOTICE MUST BE WRITTEN IN EASY-TO-UNDERSTAND LANGUAGE AT AN EIGHTH GRADE READING LEVEL OR BELOW. (II) THE CATEGORIES OF PERSONAL DATA PROCESSED AND PURPOSES FOR WHICH EACH CATEGORY OF PERSONAL DATA IS PROCESSED MUST BE DESCRIBED AT A LEVEL SPECIFIC ENOUGH TO ENABLE A CONSUMER TO EXERCISE MEANINGFUL CONTROL OVER THEIR PERSONAL DATA BUT NOT SO SPECIFIC AS TO RENDER THE NOTICE UNHELP- FUL TO A REASONABLE CONSUMER. (III) THE NOTICE MUST BE DATED WITH ITS EFFECTIVE DATE AND UPDATED AT LEAST ANNUALLY. (IV) THE NOTICE, AS WELL AS EACH VERSION OF THE NOTICE IN EFFECT IN THE PRECEDING SIX YEARS, MUST BE EASILY ACCESSIBLE TO CONSUMERS AND CAPABLE OF BEING VIEWED BY CONSUMERS AT ANY TIME. 2. OPT-IN CONSENT. (A) A CONTROLLER MUST OBTAIN FREELY GIVEN, SPECIF- IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM A CONSUMER TO: (I) PROCESS THE CONSUMER'S PERSONAL DATA FOR ANY PURPOSE; OR (II) MAKE ANY CHANGES IN THE PROCESSING OR PROCESSING PURPOSE, INCLUD- ING THE METHOD AND SCOPE OF COLLECTION, OF THE CONSUMER'S PERSONAL DATA THAT ARE LESS PROTECTIVE OF THE CONSUMER'S PERSONAL DATA THAN THE PROC- ESSING TO WHICH THE CONSUMER HAS PREVIOUSLY GIVEN THEIR FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT. (B) ANY REQUEST FOR CONSENT MUST, IN A STANDALONE DISCLOSURE, BE PROVIDED TO THE CONSUMER PRIOR TO PROCESSING THEIR PERSONAL DATA, SEPA- RATE AND APART FROM ANY CONTRACT OR PRIVACY POLICY. THE REQUEST FOR CONSENT MUST: (I) INCLUDE A CLEAR AND CONSPICUOUS DESCRIPTION OF EACH CATEGORY OF DATA AND PROCESSING PURPOSE FOR WHICH CONSENT IS SOUGHT; (II) CLEARLY IDENTIFY AND DISTINGUISH BETWEEN CATEGORIES OF DATA AND PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER AND CATEGORIES OF DATA AND PROCESSING PURPOSES THAT ARE NOT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER; (III) ENABLE A REASONABLE CONSUMER TO EASILY IDENTIFY THE CATEGORIES OF DATA AND PROCESSING PURPOSES FOR WHICH CONSENT IS SOUGHT; (IV) CLEARLY PRESENT AS THE MOST CONSPICUOUS CHOICE AN OPTION TO PROVIDE ONLY THE CONSENT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER; (V) CLEARLY PRESENT AN OPTION TO DENY CONSENT; AND (VI) WHERE THE REQUEST SEEKS CONSENT TO SHARING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO THIRD PARTIES, IDENTIFY EACH SUCH THIRD PARTY, THE CATEGORIES OF DATA SOLD OR SHARED WITH THEM, THE PROCESSING PURPOSES, THE RETENTION PERIOD, OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THE PERIOD, AND FOR EACH THIRD PARTY STATE IF SUCH SHARING, DISCLOSURE, TRANSFER, OR SALE ENABLES OR INVOLVES TARGETED ADVERTISING. THE DETAILS OF IDENTITIES OF SUCH THIRD PARTIES, AND THE CATEGORIES OF DATA, PROCESSING PURPOSES, AND THE RETENTION PERIOD, MAY BE SET FORTH IN A DIFFERENT DISCLOSURE, PROVIDED THAT THE REQUEST FOR CONSENT CONTAINS A CONSPICUOUS AND DIRECTLY ACCESSIBLE LINK TO THAT DISCLOSURE. (C) TARGETED ADVERTISING AND SALE OF PERSONAL DATA SHALL NOT BE CONSIDERED PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE SERVICES OR GOODS REQUESTED BY A CONSUMER. A. 680--A 8 (D) ONCE A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT TO PROCESS THEIR PERSONAL DATA FOR A PROCESS- ING PURPOSE, A CONTROLLER MAY RELY ON SUCH CONSENT UNTIL IT IS WITH- DRAWN. (E) A CONTROLLER MUST PROVIDE A MECHANISM FOR A CONSUMER TO WITHDRAW PREVIOUSLY GIVEN CONSENT AT ANY TIME. SUCH MECHANISM SHALL MAKE IT AS EASY FOR A CONSUMER TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH CONSUMER TO PROVIDE CONSENT. THE CONTROLLER MAY STYLE THE MECHANISM ALLOWING CONSUMERS TO WITHDRAW PREVIOUSLY GIVEN CONSENT AS AN OPT-OUT. (F) A CONTROLLER MUST NOT INFER THAT A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM THE CONSUMER'S INACTION OR THE CONSUMER'S CONTINUED USE OF A SERVICE OR PRODUCT PROVIDED BY THE CONTROLLER. (G) TO THE EXTENT THAT A CONTROLLER MUST PROCESS INTERNET PROTOCOL ADDRESSES, SYSTEM CONFIGURATION INFORMATION, URLS OF REFERRING PAGES, LOCALE AND LANGUAGE PREFERENCES, KEYSTROKES, OR ANY OTHER DATA THAT INDIVIDUALLY OR COLLECTIVELY MAY COMPRISE PERSONAL DATA IN ORDER TO OBTAIN A CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT, THE CONTROLLER MUST: (I) PROCESS ONLY THE PERSONAL DATA NECESSARY TO REQUEST FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT; (II) PROCESS THE PERSONAL DATA SOLELY TO REQUEST FREELY GIVEN, SPECIF- IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT; AND (III) IMMEDIATELY DELETE THE PERSONAL DATA IF CONSENT IS WITHHELD, DENIED, OR WITHDRAWN. (H) CONTROLLERS MUST NOT REQUEST CONSENT FROM A CONSUMER WHO HAS PREVIOUSLY WITHHELD OR DENIED CONSENT, UNLESS CONSENT IS NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER. (I) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A BROWSER, BROWSER PLUG-IN, SMARTPHONE APPLICATION, OPERATING SYSTEM, DEVICE SETTING, OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE CONSUMER'S CHOICE NOT TO BE SUBJECT TO TARGETED ADVERTISING OR THE SALE OF THEIR PERSONAL DATA AS A DENIAL OF CONSENT UNDER THIS ACT. TO THE EXTENT THAT THE PRIVACY CONTROL CONFLICTS WITH A CONSUMER'S CONSENT, THE PRIVACY CONTROL SETTINGS GOVERN, UNLESS THE CONSUMER PROVIDES FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT TO OVERRIDE THE PRIVACY CONTROL. (J) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A CONSUMER FOR WITH- HOLDING OR DENYING CONSENT, INCLUDING, BUT NOT LIMITED TO, BY: (I) DENYING SERVICES OR GOODS TO THE CONSUMER, UNLESS THE CONSUMER DOES NOT CONSENT TO PROCESSING NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER; (II) CHARGING DIFFERENT PRICES FOR GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING PENALTIES, OR PROVIDING A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR (III) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS. (K) A CONTROLLER MAY, WITH THE CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION, OPERATE A PROGRAM IN WHICH INFORMATION, PRODUCTS, OR SERVICES SOLD TO THE CONSUMER ARE DISCOUNTED BASED ON SUCH CONSUMER'S PRIOR PURCHASES FROM THE CONTROLLER, PROVIDED THAT THE PERSONAL DATA USED TO OPERATE SUCH PROGRAM IS PROCESSED SOLELY FOR THE PURPOSE OF OPERATING SUCH PROGRAM. A. 680--A 9 (L) IN THE EVENT OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANS- ACTION IN WHICH ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR MAJORITY OF THE CONTROLLER'S ASSETS, ANY CONSENT PROVIDED TO THE CONTROLLER BY A CONSUMER PRIOR TO SUCH TRANSACTION SHALL BE DEEMED WITH- DRAWN. 3. RIGHT TO ACCESS. UPON THE VERIFIED REQUEST OF A CONSUMER, A CONTROLLER SHALL: (A) CONFIRM WHETHER OR NOT THE CONTROLLER IS PROCESSING OR HAS PROC- ESSED PERSONAL DATA OF THAT CONSUMER, AND PROVIDE ACCESS TO A COPY OF ANY SUCH PERSONAL DATA WHEN REQUESTED; AND (B) PROVIDE THE IDENTITY OF EACH PROCESSOR OR THIRD-PARTY TO WHOM THE CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE CONSUMER'S PERSONAL DATA AND, FOR EACH IDENTIFIED PROCESSOR OR THIRD-PARTY, (A) THE CATEGORIES OF THE CONSUMER'S PERSONAL DATA DISCLOSED, TRANSFERRED, OR SOLD TO EACH PROCESSOR OR THIRD-PARTY AND (B) THE PURPOSES FOR WHICH EACH CATEGORY OF THE CONSUMER'S PERSONAL DATA WAS DISCLOSED, TRANSFERRED, OR SOLD TO EACH PROCESSOR OR THIRD-PARTY. 4. RIGHT TO PORTABLE DATA. UPON A VERIFIED REQUEST, AND TO THE EXTENT TECHNICALLY FEASIBLE, THE CONTROLLER MUST: (A) PROVIDE TO THE CONSUMER A COPY OF ALL OF, OR A PORTION OF, AS DESIGNATED IN A VERIFIED REQUEST, THE CONSUMER'S PERSONAL DATA IN A STRUCTURED, COMMONLY USED AND MACHINE-READABLE FORMAT AND (B) AT THE CONSUMER'S REQUEST, TRANSMIT THE DATA TO ANOTHER PERSON OF THE CONSUMER'S DESIGNATION WITHOUT HINDRANCE. 5. RIGHT TO CORRECT. (A) UPON THE VERIFIED REQUEST OF A CONSUMER, A CONTROLLER MUST CONDUCT A REASONABLE INVESTIGATION TO DETERMINE WHETHER PERSONAL DATA, THE ACCURACY OF WHICH IS DISPUTED BY THE CONSUMER, IS INACCURATE, WITH SUCH INVESTIGATION TO BE CONCLUDED WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION EIGHT OF THIS SECTION. (B) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, A CONTROLLER MAY TERMINATE AN INVESTIGATION OF PERSONAL DATA DISPUTED BY A CONSUMER UNDER SUCH PARAGRAPH IF THE CONTROLLER REASONABLY DETERMINES THAT THE DISPUTE BY THE CONSUMER IS FRIVOLOUS, INCLUDING BY REASON OF A FAILURE BY A CONSUMER TO PROVIDE SUFFICIENT INFORMATION TO INVESTIGATE THE DISPUTED PERSONAL DATA. UPON MAKING ANY DETERMINATION IN ACCORDANCE WITH THIS PARAGRAPH THAT A DISPUTE IS FRIVOLOUS, A CONTROLLER MUST, WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION EIGHT OF THIS SECTION, PROVIDE THE AFFECTED CONSUMER A STATEMENT IN WRITING THAT INCLUDES, AT A MINIMUM, THE SPECIFIC REASONS FOR THE DETERMINATION, AND IDENTIFICATION OF ANY INFORMATION REQUIRED TO INVESTIGATE THE DISPUTED PERSONAL DATA, WHICH MAY CONSIST OF A STANDARDIZED FORM DESCRIBING THE GENERAL NATURE OF SUCH INFORMATION. (C) IF, AFTER ANY INVESTIGATION UNDER PARAGRAPH (A) OF THIS SUBDIVI- SION OF ANY PERSONAL DATA DISPUTED BY A CONSUMER, AN ITEM OF THE PERSONAL DATA IS FOUND TO BE INACCURATE OR INCOMPLETE, OR CANNOT BE VERIFIED, THE CONTROLLER MUST: (I) CORRECT THE INACCURATE OR INCOMPLETE PERSONAL DATA OF THE CONSUM- ER; AND (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT, COMMUNICATE SUCH REQUEST TO EACH PROCESSOR OR THIRD-PARTY TO WHOM THE CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECEDING THE CONSUMER'S REQUEST, AND TO REQUIRE THOSE PROCESSORS OR THIRD-PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD-PAR- TIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO. (D) IF THE INVESTIGATION DOES NOT RESOLVE THE DISPUTE, THE CONSUMER MAY FILE WITH THE CONTROLLER A BRIEF STATEMENT SETTING FORTH THE NATURE OF THE DISPUTE. WHENEVER A STATEMENT OF A DISPUTE IS FILED, UNLESS THERE A. 680--A 10 EXISTS REASONABLE GROUNDS TO BELIEVE THAT IT IS FRIVOLOUS, THE CONTROL- LER MUST NOTE THAT IT IS DISPUTED BY THE CONSUMER AND INCLUDE EITHER THE CONSUMER'S STATEMENT OR A CLEAR AND ACCURATE CODIFICATION OR SUMMARY THEREOF WITH THE DISPUTED PERSONAL DATA WHENEVER IT IS DISCLOSED, TRANS- FERRED, OR SOLD TO ANY PROCESSOR OR THIRD-PARTY. 6. RIGHT TO DELETE. (A) UPON THE VERIFIED REQUEST OF A CONSUMER, A CONTROLLER MUST: (I) WITHIN A REASONABLE AMOUNT OF TIME AFTER RECEIVING THE VERIFIED REQUEST, DELETE ANY OR ALL PERSONAL DATA, AS DIRECTED BY THE CONSUMER, THAT THE CONTROLLER POSSESSES OR CONTROLS; AND (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT, COMMUNICATE SUCH REQUEST TO EACH PROCESSOR OR THIRD-PARTY TO WHOM THE CONTROLLER DISCLOSED, TRANSFERRED OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECEDING THE CONSUMER'S REQUEST AND TO REQUIRE THOSE PROCESSORS OR THIRD-PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD-PARTIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO. (B) FOR PERSONAL DATA THAT IS NOT POSSESSED BY THE CONTROLLER BUT BY A PROCESSOR OF THE CONTROLLER, THE CONTROLLER MAY CHOOSE TO (I) COMMUNI- CATE THE CONSUMER'S REQUEST FOR DELETION TO THE PROCESSOR, OR (II) REQUEST THAT THE PROCESSOR RETURN TO THE CONTROLLER THE PERSONAL DATA THAT IS THE SUBJECT OF THE CONSUMER'S REQUEST AND DELETE SUCH PERSONAL DATA UPON RECEIPT OF THE REQUEST. (C) A CONSUMER'S DELETION OF THEIR ONLINE ACCOUNT MUST BE TREATED AS A REQUEST TO THE CONTROLLER TO DELETE ALL OF THAT CONSUMER'S PERSONAL DATA. (D) A CONTROLLER MUST MAINTAIN REASONABLE PROCEDURES DESIGNED TO PREVENT THE REAPPEARANCE IN ITS SYSTEMS, AND IN ANY DATA IT DISCLOSES, TRANSFERS, OR SELLS TO ANY PROCESSOR OR THIRD-PARTY, THE PERSONAL DATA THAT IS DELETED PURSUANT TO THIS SUBDIVISION. (E) A CONTROLLER IS NOT REQUIRED TO COMPLY WITH A CONSUMER'S REQUEST TO DELETE PERSONAL DATA IF: (I) COMPLYING WITH THE REQUEST WOULD PREVENT THE CONTROLLER FROM PERFORMING ACCOUNTING FUNCTIONS, PROCESSING REFUNDS, EFFECTUATING A PRODUCT RECALL PURSUANT TO FEDERAL OR STATE LAW, OR FULFILLING WARRANTY CLAIMS, PROVIDED THAT THE PERSONAL DATA THAT IS THE SUBJECT OF THE REQUEST IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH SPECIFIC ACTIV- ITIES; OR (II) IT IS NECESSARY FOR THE CONTROLLER TO MAINTAIN THE CONSUMER'S PERSONAL DATA TO ENGAGE IN PUBLIC OR PEER-REVIEWED SCIENTIFIC, HISTOR- ICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE CONTROLLER'S DELETION OF THE INFORMATION IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR THE ACHIEVEMENT OF SUCH RESEARCH, PROVIDED THAT THE CONSUMER HAS GIVEN INFORMED CONSENT AND THE PERSONAL DATA IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH RESEARCH. 7. AUTOMATED DECISION-MAKING. (A) WHENEVER A CONTROLLER MAKES AN AUTO- MATED DECISION INVOLVING SOLELY AUTOMATED PROCESSING THAT RESULTS IN A DENIAL OF FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION, INSURANCE, HEALTH CARE SERVICES, OR ACCESS TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, THE CONTROLLER MUST: (I) DISCLOSE IN A CLEAR CONSPICUOUS, AND CONSUMER-FRIENDLY MANNER THAT THE DECISION WAS MADE BY A SOLELY AUTOMATED PROCESS; (II) PROVIDE AN AVENUE FOR THE AFFECTED CONSUMER TO APPEAL THE DECI- SION, WHICH MUST AT MINIMUM ALLOW THE AFFECTED CONSUMER TO (A) EXPRESS THEIR POINT OF VIEW, (B) CONTEST THE DECISION, AND (C) OBTAIN MEANINGFUL HUMAN REVIEW; AND A. 680--A 11 (III) EXPLAIN HOW TO APPEAL THE DECISION. (B) A CONTROLLER MUST RESPOND TO A CONSUMER'S APPEAL WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE APPEAL. THAT PERIOD MAY BE EXTENDED ONCE BY FORTY-FIVE ADDITIONAL DAYS WHERE REASONABLY NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF APPEALS. THE CONTROLLER MUST INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE APPEAL, TOGETHER WITH THE REASONS FOR THE DELAY. (C) (I) A CONTROLLER OR PROCESSOR ENGAGED IN AUTOMATED DECISION-MAKING AFFECTING FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION, INSURANCE, EDUCATION ENROLLMENT, EMPLOYMENT, HEALTH CARE SERVICES, OR ACCESS TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, OR ENGAGED IN ASSISTING OTHERS IN AUTOMATED DECISION-MAKING IN THOSE FIELDS, MUST ANNUALLY CONDUCT AN IMPACT ASSESSMENT OF SUCH AUTOMATED DECISION-MAKING THAT: (A) DESCRIBES AND EVALUATES THE OBJECTIVES AND DEVELOPMENT OF THE AUTOMATED DECISION-MAKING PROCESSES INCLUDING THE DESIGN AND TRAINING DATA USED TO DEVELOP THE AUTOMATED DECISION-MAKING PROCESS, HOW THE AUTOMATED DECISION-MAKING PROCESS WAS TESTED FOR ACCURACY, FAIRNESS, BIAS AND DISCRIMINATION; AND (B) ASSESSES WHETHER THE AUTOMATED DECISION-MAKING SYSTEM PRODUCES DISCRIMINATORY RESULTS ON THE BASIS OF A CONSUMER'S OR CLASS OF CONSUM- ERS' ACTUAL OR PERCEIVED RACE, COLOR, ETHNICITY, RELIGION, NATIONAL ORIGIN, SEX, GENDER, GENDER IDENTITY, SEXUAL ORIENTATION, FAMILIAL STATUS, BIOMETRIC INFORMATION, LAWFUL SOURCE OF INCOME, OR DISABILITY. (II) A CONTROLLER OR PROCESSOR MUST UTILIZE AN EXTERNAL, INDEPENDENT AUDITOR OR RESEARCHER TO CONDUCT SUCH ASSESSMENTS. (III) A CONTROLLER OR PROCESSOR MUST MAKE PUBLIC ALL IMPACT ASSESS- MENTS PREPARED PURSUANT TO THIS SECTION, RETAIN ALL SUCH IMPACT ASSESS- MENTS FOR AT LEAST SIX YEARS, AND MAKE ANY SUCH RETAINED IMPACT ASSESS- MENTS AVAILABLE TO ANY STATE, FEDERAL, OR LOCAL GOVERNMENT AUTHORITY UPON REQUEST. (IV) FOR PURPOSES OF THIS PARAGRAPH, THE LIMITATIONS TO JURISDICTIONAL SCOPE SET FORTH IN PARAGRAPHS (B) AND (C) OF SUBDIVISION TWO OF SECTION ELEVEN HUNDRED ONE OF THIS ARTICLE SHALL NOT APPLY. 8. RESPONDING TO REQUESTS. (A) A CONTROLLER MUST TAKE ACTION UNDER SUBDIVISIONS THREE THROUGH SIX OF THIS SECTION AND INFORM THE CONSUMER OF ANY ACTIONS TAKEN WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY- FIVE DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED ONCE BY FORTY-FIVE ADDITIONAL DAYS WHERE REASONABLY NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE CONTROLLER MUST INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHEN A CONTROLLER DENIES ANY SUCH REQUEST, IT MUST WITHIN THIS PERIOD DISCLOSE TO THE CONSUMER A STATEMENT IN WRITING OF THE SPECIFIC REASONS FOR THE DENIAL. (B) A CONTROLLER SHALL PERMIT THE EXERCISE OF RIGHTS AND CARRY OUT ITS OBLIGATIONS SET FORTH IN SUBDIVISIONS THREE THROUGH SIX OF THIS SECTION FREE OF CHARGE, AT LEAST TWICE ANNUALLY TO THE CONSUMER. WHERE REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR BECAUSE OF THEIR REPETITIVE CHARACTER, THE CONTROLLER MAY EITHER (I) CHARGE A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST OR (II) REFUSE TO ACT ON THE REQUEST AND NOTIFY THE CONSUMER OF THE REASON FOR REFUSING THE REQUEST. THE CONTROLLER BEARS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE CHAR- ACTER OF THE REQUEST. A. 680--A 12 (C) (I) A CONTROLLER SHALL PROMPTLY ATTEMPT, USING COMMERCIALLY REASONABLE EFFORTS, TO VERIFY THAT ALL REQUESTS TO EXERCISE ANY RIGHTS SET FORTH IN ANY SECTION OF THIS ARTICLE REQUIRING A VERIFIED REQUEST WERE MADE BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, OR BY A PERSON LAWFULLY EXERCISING THE RIGHT ON BEHALF OF THE CONSUMER WHO IS THE SUBJECT OF THE DATA. COMMERCIALLY REASONABLE EFFORTS SHALL BE DETERMINED BASED ON THE TOTALITY OF THE CIRCUMSTANCES, INCLUDING THE NATURE OF THE DATA IMPLICATED BY THE REQUEST. (II) A CONTROLLER MAY REQUIRE THE CONSUMER TO PROVIDE ADDITIONAL INFORMATION ONLY IF THE REQUEST CANNOT REASONABLY BE VERIFIED WITHOUT THE PROVISION OF SUCH ADDITIONAL INFORMATION. A CONTROLLER MUST NOT TRANSFER OR PROCESS ANY SUCH ADDITIONAL INFORMATION PROVIDED PURSUANT TO THIS SECTION FOR ANY OTHER PURPOSE AND MUST DELETE ANY SUCH ADDITIONAL INFORMATION WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-FIVE DAYS AFTER THE CONTROLLER HAS NOTIFIED THE CONSUMER THAT IT HAS TAKEN ACTION ON A REQUEST UNDER SUBDIVISIONS TWO THROUGH FIVE OF THIS SECTION AS DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION. (III) IF A CONTROLLER DISCLOSES THIS ADDITIONAL INFORMATION TO ANY PROCESSOR OR THIRD-PARTY FOR THE PURPOSE OF VERIFYING A CONSUMER REQUEST, IT MUST NOTIFY THE RECEIVING PROCESSOR OR THIRD PARTY AT THE TIME OF SUCH DISCLOSURE, OR AS CLOSE IN TIME TO THE DISCLOSURE AS IS REASONABLY PRACTICABLE, THAT SUCH INFORMATION WAS PROVIDED BY THE CONSUMER FOR THE SOLE PURPOSE OF VERIFICATION. 9. IMPLEMENTATION OF RIGHTS. CONTROLLERS MUST PROVIDE EASILY ACCESSI- BLE AND CONVENIENT MEANS FOR CONSUMERS TO EXERCISE THEIR RIGHTS UNDER THIS ARTICLE. 10. NON-WAIVER OF RIGHTS. ANY PROVISION OF A CONTRACT OR AGREEMENT OF ANY KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S RIGHTS UNDER THIS ARTICLE IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNEN- FORCEABLE. § 1103. CONTROLLER, PROCESSOR, AND THIRD-PARTY RESPONSIBILITIES. 1. CONTROLLER RESPONSIBILITIES. (A) DUTY OF LOYALTY. (I) WHERE IT IS REASONABLY FORESEEABLE TO THE CONTROLLER THAT A PROCESS WILL BE AGAINST A CONSUMER'S PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR REPUTATIONAL INTER- ESTS OR AGAINST THE PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR REPUTATIONAL INTERESTS OF A CLASS OF CONSUMERS THAT THE CONSUMER IS KNOWN TO BELONG TO, THE CONTROLLER MUST NOTIFY THAT CONSUMER OF ANY INTEREST THAT MAY BE HARMED IN ADVANCE OF REQUESTING CONSENT AND AS CLOSE IN TIME TO THE PROCESSING AS PRACTICABLE. THIS OBLIGATION DOES NOT APPLY WITH RESPECT TO PROCESSING: (A) AS REQUIRED BY LAW; (B) PURSUANT TO A REQUEST BY A FEDERAL, STATE, OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR (C) THAT SIGNIFICANTLY ADVANCES PROTECTION AGAINST CRIMINAL OR TORTIOUS ACTIVITY. (II) CONTROLLERS MUST NOT ENGAGE IN UNFAIR, DECEPTIVE, OR ABUSIVE ACTS OR PRACTICES WITH RESPECT TO OBTAINING CONSUMER CONSENT, THE PROCESSING OF PERSONAL DATA, AND A CONSUMER'S EXERCISE OF ANY RIGHTS UNDER THIS ARTICLE, INCLUDING WITHOUT LIMITATION: (A) DESIGNING A USER INTERFACE WITH THE PURPOSE OR SUBSTANTIAL EFFECT OF DECEIVING CONSUMERS, OBSCURING CONSUMERS' RIGHTS UNDER THIS ARTICLE, OR SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE IN ORDER TO OBTAIN CONSENT; OR (B) OBTAINING CONSENT IN A MANNER DESIGNED TO OVERPOWER A CONSUMER'S RESISTANCE; FOR EXAMPLE, BY MAKING EXCESSIVE REQUESTS FOR CONSENT. (B) DUTY OF CARE. (I) (A) CONTROLLERS MUST, ON AT LEAST AN ANNUAL BASIS, CONDUCT AND DOCUMENT RISK ASSESSMENTS OF ALL CURRENT PROCESSES OF PERSONAL DATA. (B) RISK ASSESSMENTS MUST ASSESS AT A MINIMUM: A. 680--A 13 (I) THE NATURE, SENSITIVITY AND CONTEXT OF THE PERSONAL DATA THAT THE CONTROLLER PROCESSES; (II) THE NATURE, PURPOSE, AND VALUE OF THE PROCESSES; (III) ANY RISKS OR HARMS TO CONSUMERS ACTUALLY OR POTENTIALLY ARISING OUT OF THE PROCESSES, INCLUDING PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR REPUTATIONAL HARMS; (IV) THE ADEQUACY AND EFFECT OF SAFEGUARDS IMPLEMENTED BY THE CONTROL- LERS; (V) THE SUFFICIENCY OF THE CONTROLLER'S NOTICES TO CONSUMERS AT DESCRIBING AND OBTAINING CONSENT CONCERNING THE PROCESSES; AND (VI) THE ADEQUACY OF THE SAFEGUARDS AND MONITORING PRACTICES OF PROCESSORS AND THIRD PARTIES TO WHOM THE CONTROLLER HAS PROVIDED PERSONAL DATA. (C) THE CONTROLLER MUST RETAIN RISK ASSESSMENTS FOR AT LEAST SIX YEARS AND MAKE RISK ASSESSMENTS AVAILABLE TO THE ATTORNEY GENERAL UPON REQUEST. (II) CONTROLLERS MUST DEVELOP, IMPLEMENT, AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PERSONAL DATA OF CONSUMERS INCLUDING ADOPTING REASONABLE ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE. (III) (A) A CONTROLLER THAT COLLECTS A CONSUMER'S PERSONAL DATA SHALL LIMIT ITS USE AND RETENTION OF THAT DATA TO WHAT IS NECESSARY TO PROVIDE A SERVICE OR GOOD REQUESTED BY A CONSUMER OR FOR PURPOSES FOR WHICH THE CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT. (B) AT LEAST ANNUALLY, A CONTROLLER MUST DISPOSE OF ALL PERSONAL DATA THAT IS EITHER NO LONGER NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER OR FOR THE PURPOSES FOR WHICH THE CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT IS IN EFFECT, CONSISTENT WITH THE RETENTION PERIOD DISCLOSED IN NOTICE PURSU- ANT TO SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE. (IV) CONTROLLERS SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES FOR CIRCUMSTANCES THAT MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND TO UPDATE THEIR CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE ACCORDINGLY. (C) NON-DISCRIMINATION. (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING RIGHTS UNDER THIS ACT, INCLUDING BUT NOT LIMITED TO, BY: (A) DENYING SERVICES OR GOODS TO CONSUMERS; (B) CHARGING DIFFERENT PRICES FOR SERVICES OR GOODS, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS; IMPOSING PENALTIES; OR PROVIDING A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR (C) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR SERVICES OR GOODS OR A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS. (II) THIS PARAGRAPH DOES NOT APPLY TO A CONTROLLER'S CONDUCT WITH RESPECT TO OPT-IN CONSENT, IN WHICH CASE PARAGRAPH (J) OF SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE GOVERNS. (D) AGREEMENTS WITH PROCESSORS. (I) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO ANY PROCESSOR, THE CONTROLLER MUST ENTER INTO A WRITTEN, SIGNED CONTRACT WITH THAT PROCESSOR. SUCH CONTRACT MUST BE BINDING AND CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING DATA, THE NATURE AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROC- ESSING, THE DURATION OF PROCESSING, AND THE RIGHTS AND OBLIGATIONS OF A. 680--A 14 BOTH PARTIES. THE CONTRACT MUST ALSO INCLUDE REQUIREMENTS THAT THE PROCESSOR MUST: (A) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA; (B) PROTECT THE DATA CONSISTENT WITH THE REQUIREMENTS OF THIS ACT AND ANY STATEMENTS MADE BY THE CONTROLLER IN THEIR PUBLICLY AVAILABLE POLI- CIES, NOTICES, OR SIMILAR STATEMENTS; (C) PROCESS THE DATA ONLY WHEN AND TO THE EXTENT NECESSARY TO COMPLY WITH ITS LEGAL OBLIGATIONS TO THE CONTROLLER UNLESS OTHERWISE EXPLICITLY AUTHORIZED BY THE CONTROLLER; (D) NOT COMBINE THE PERSONAL INFORMATION WHICH THE PROCESSOR RECEIVES FROM OR ON BEHALF OF THE CONTROLLER WITH PERSONAL INFORMATION WHICH THE PROCESSOR RECEIVES FROM OR ON BEHALF OF ANOTHER PERSON OR COLLECTS FROM ITS OWN INTERACTION WITH CONSUMERS; (E) COMPLY WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER, SUBJECT TO THE LIMITATIONS SET FORTH IN SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE; (F) AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; (G) UPON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN ITS POSSESSION NECESSARY TO DEMON- STRATE THE PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS ACT; (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE CONTROL- LER OR THE CONTROLLER'S DESIGNATED ASSESSOR; ALTERNATIVELY, THE PROCESS- OR MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT ASSESSOR TO CONDUCT AN ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS ARTICLE USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT OF SUCH ASSESSMENT TO THE CONTROLLER UPON REQUEST; (I) A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING THE DATA TO ANY FURTHER PROCESSORS, NOTIFY THE CONTROLLER OF SUCH A PROPOSED DISCLOSURE OR TRANSFER AND PROVIDE THE CONTROLLER AN OPPORTUNITY TO APPROVE OR REJECT THE PROPOSAL; AND (J) ENGAGE ANY FURTHER PROCESSOR PURSUANT TO A WRITTEN, SIGNED CONTRACT THAT INCLUDES THE CONTRACTUAL REQUIREMENTS PROVIDED IN THIS PARAGRAPH, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE PROCESSOR HAS ENTERED INTO WITH REGARD TO THE DATA. (II) A CONTROLLER MUST NOT AGREE TO INDEMNIFY, DEFEND, OR HOLD A PROCESSOR HARMLESS, OR AGREE TO A PROVISION THAT HAS THE EFFECT OF INDEMNIFYING, DEFENDING, OR HOLDING THE PROCESSOR HARMLESS, FROM CLAIMS OR LIABILITY ARISING FROM THE PROCESSOR'S BREACH OF THE CONTRACT REQUIRED BY CLAUSE (A) OF SUBPARAGRAPH (I) OF THIS PARAGRAPH OR A VIOLATION OF THIS ACT. ANY PROVISION OF AN AGREEMENT THAT VIOLATES THIS SUBPARAGRAPH IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNENFORCEABLE. (III) NOTHING IN THIS PARAGRAPH RELIEVES A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON IT BY VIRTUE OF ITS ROLE IN THE PROCESS- ING RELATIONSHIP AS DEFINED BY THIS ARTICLE. (IV) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCES- SOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETER- MINATION THAT DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS TO BE PROCESSED. A PROCESSOR THAT CONTINUES TO ADHERE TO A CONTROLLER'S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA REMAINS A PROCESSOR. A. 680--A 15 (E) THIRD PARTIES. (I) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANS- FER, OR SELL PERSONAL DATA, OR FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO A THIRD PARTY FOR WHICH CONSENT OF THE CONSUMER PURSUANT TO SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, HAS NOT BEEN OBTAINED OR IS NOT CURRENTLY IN EFFECT. ANY REQUEST FOR CONSENT TO SHARE, DISCLOSE, TRANS- FER, OR SELL PERSONAL DATA, OR TO FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO A THIRD PARTY MUST CLEARLY INCLUDE THE IDENTITY OF THE THIRD PARTY AND THE PROCESSING PURPOSES FOR WHICH THE THIRD-PARTY MAY USE THE PERSONAL DATA. (II) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANSFER, OR SELL PERSONAL DATA, OR FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA IF IT CAN REASONABLY EXPECT THE PERSONAL DATA OF A CONSUMER TO BE USED FOR PURPOSES THAT THE CONSUMER HAS NOT CONSENTED TO PURSUANT TO SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTI- CLE, OR IF IT CAN REASONABLY EXPECT THAT ANY RIGHTS OF THE CONSUMER PROVIDED IN THIS ARTICLE WOULD BE COMPROMISED AS A RESULT OF SUCH TRANS- ACTION. (III) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO ANY THIRD PARTY, THE CONTROLLER MUST ENTER INTO A WRITTEN, SIGNED CONTRACT. SUCH CONTRACT MUST BE BINDING AND THE SCOPE, NATURE, AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROCESSING, THE DURA- TION OF PROCESSING, AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES. SUCH CONTRACT MUST INCLUDE REQUIREMENTS THAT THE THIRD PARTY: (A) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED BY THE AGREEMENT ENTERED INTO WITH THE CONTROLLER; AND (B) PROVIDE A MECHANISM TO COMPLY WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER, SUBJECT TO ANY LIMITATIONS THEREON AS AUTHORIZED BY THIS ARTICLE; AND (C) TO THE EXTENT THE DISCLOSURE, TRANSFER, OR SALE OF THE PERSONAL DATA CAUSES THE THIRD PARTY TO BECOME A CONTROLLER, COMPLY WITH ALL OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE. 2. PROCESSOR RESPONSIBILITIES. (A) FOR ANY PERSONAL DATA THAT IS OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE ACQUIRED BY A PROCESSOR, WHETHER DIRECTLY FROM A CONTROLLER OR INDIRECTLY FROM ANOTHER PROCESSOR, THE PROCESSOR MUST COMPLY WITH THE REQUIREMENTS SET FORTH IN CLAUSES (A) THROUGH (J) OF SUBPARAGRAPH (I) OF PARAGRAPH (D) OF SUBDIVISION ONE OF THIS SECTION. (B) A PROCESSOR IS NOT REQUIRED TO COMPLY WITH A REQUEST BY THE CONSUMER SUBMITTED PURSUANT TO THIS ARTICLE BY A CONSUMER DIRECTLY TO THE PROCESSOR TO THE EXTENT THAT THE PROCESSOR HAS PROCESSED THE CONSUM- ER'S PERSONAL DATA SOLELY IN ITS ROLE AS A PROCESSOR FOR A CONTROLLER. (C) PROCESSORS SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES FOR CIRCUMSTANCES THAT MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND TO UPDATE THEIR CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE ACCORDINGLY. (D) A PROCESSOR SHALL NOT ENGAGE IN ANY SALE OF PERSONAL DATA OTHER THAN ON BEHALF OF THE CONTROLLER PURSUANT TO ANY AGREEMENT ENTERED INTO WITH THE CONTROLLER. 3. THIRD-PARTY RESPONSIBILITIES. (A) FOR ANY PERSONAL DATA THAT IS OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE ACQUIRED OR ACCESSED BY A THIRD-PARTY FROM A CONTROLLER OR PROCESSOR, THE THIRD-PARTY MUST: (I) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED BY ANY AGREEMENTS ENTERED INTO WITH THE CONTROLLER; A. 680--A 16 (II) PROCESS ONLY THE PERSONAL DATA NECESSARY FOR PURPOSES FOR WHICH FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT IS IN EFFECT, AS CONVEYED BY THE CONTROLLER, LIMIT THE USE AND RETENTION OF THAT DATA TO WHAT IS NECESSARY FOR SUCH PURPOSES, AND SHALL IMMEDIATELY DELETE SUCH PERSONAL DATA WHEN NOTIFIED THAT THE CONSENT IS WITHHELD, DENIED, OR WITHDRAWN; (III) COMPLY WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER OR PROCESSOR, SUBJECT TO ANY LIMITATIONS THEREON AS AUTHORIZED BY THIS ARTICLE; AND (IV) TO THE EXTENT THE THIRD PARTY BECOMES A CONTROLLER FOR PERSONAL DATA, COMPLY WITH ALL OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE. 4. EXCEPTIONS. THE REQUIREMENTS OF THIS SECTION SHALL NOT APPLY WHERE: (A) THE PROCESSING IS REQUIRED BY LAW; (B) THE PROCESSING IS MADE PURSUANT TO A REQUEST BY A FEDERAL, STATE, OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR (C) THE PROCESSING SIGNIFICANTLY ADVANCES PROTECTION AGAINST CRIMINAL OR TORTIOUS ACTIVITY. § 1104. DATA BROKERS. 1. A DATA BROKER, AS DEFINED UNDER THIS ARTICLE, MUST: (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN WHICH A PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE: (I) REGISTER WITH THE ATTORNEY GENERAL; (II) PAY A REGISTRATION FEE OF ONE HUNDRED DOLLARS OR AS OTHERWISE DETERMINED BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY AUTHORITY GRANTED TO THE ATTORNEY GENERAL UNDER THIS ARTICLE, NOT TO EXCEED THE REASONABLE COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND INFOR- MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND (III) PROVIDE THE FOLLOWING INFORMATION: (A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS OF THE DATA BROKER; (B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA BROKER; (C) A STATEMENT DESCRIBING THE METHOD FOR EXERCISING CONSUMERS RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE; (D) A STATEMENT WHETHER THE DATA BROKER IMPLEMENTS A PURCHASER CREDEN- TIALING PROCESS; AND (E) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER CHOOSES TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES. 2. NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE, ANY CONTROLLER THAT CONDUCTS BUSINESS IN THE STATE OF NEW YORK MUST: (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN WHICH A PERSON MEETS THE DEFINITION OF CONTROLLER IN THIS ACT, PROVIDE TO THE ATTORNEY GENERAL A LIST OF ALL DATA BROKERS OR PERSONS REASONABLY BELIEVED TO BE DATA BROKERS TO WHICH THE CONTROLLER PROVIDED PERSONAL DATA IN THE PRECEDING YEAR; AND (B) NOT SELL A CONSUMER'S PERSONAL DATA TO A DATA BROKER THAT IS NOT REGISTERED WITH THE ATTORNEY GENERAL. 3. THE ATTORNEY GENERAL SHALL ESTABLISH, MANAGE AND MAINTAIN A STATE- WIDE REGISTRY ON ITS INTERNET WEBSITE, WHICH SHALL LIST ALL REGISTERED DATA BROKERS AND MAKE ACCESSIBLE TO THE PUBLIC ALL THE INFORMATION PROVIDED BY DATA BROKERS PURSUANT TO THIS SECTION. PRINTED HARD COPIES OF SUCH REGISTRY SHALL BE MADE AVAILABLE UPON REQUEST AND PAYMENT OF A FEE TO BE DETERMINED BY THE ATTORNEY GENERAL. A. 680--A 17 4. A DATA BROKER THAT FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR SUBMITS FALSE INFORMATION IN ITS REGISTRATION IS, IN ADDITION TO ANY OTHER INJUNCTION, PENALTY, OR LIABILITY THAT MAY BE IMPOSED UNDER THIS ARTICLE, LIABLE FOR CIVIL PENALTIES, FEES, AND COSTS IN AN ACTION BROUGHT BY THE ATTORNEY GENERAL AS FOLLOWS: (A) A CIVIL PENALTY OF ONE THOUSAND DOLLARS FOR EACH DAY THE DATA BROKER FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR FAILS TO CORRECT FALSE INFORMATION, (B) AN AMOUNT EQUAL TO THE FEES THAT WERE DUE DURING THE PERIOD IT FAILED TO REGISTER, AND (C) EXPENSES INCURRED BY THE ATTORNEY GENERAL IN THE INVESTIGATION AND PROSECUTION OF THE ACTION AS THE COURT DEEMS APPROPRI- ATE. § 1105. LIMITATIONS. 1. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER OR PROCESSOR TO DO ANY OF THE FOLLOWING SOLELY FOR PURPOSES OF COMPLYING WITH THIS ARTICLE: (A) REIDENTIFY DEIDENTIFIED DATA; (B) COMPLY WITH A VERIFIED CONSUMER REQUEST TO ACCESS, CORRECT, OR DELETE PERSONAL DATA PURSUANT TO THIS ARTICLE IF ALL OF THE FOLLOWING ARE TRUE: (I) THE CONTROLLER IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA; (II) THE CONTROLLER DOES NOT ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER AS PART OF ITS NORMAL BUSINESS PRACTICE; AND (III) THE CONTROLLER DOES NOT SELL THE PERSONAL DATA TO ANY THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE OR TRANSFER THE PERSONAL DATA TO ANY PROCESSOR OR THIRD PARTY, EXCEPT AS OTHERWISE PERMITTED IN THIS ARTICLE; OR (C) MAINTAIN PERSONAL DATA IN IDENTIFIABLE FORM, OR COLLECT, OBTAIN, RETAIN, OR ACCESS ANY PERSONAL DATA OR TECHNOLOGY, IN ORDER TO BE CAPA- BLE OF ASSOCIATING A VERIFIED CONSUMER REQUEST WITH PERSONAL DATA. 2. THE OBLIGATIONS IMPOSED ON CONTROLLERS AND PROCESSORS UNDER THIS ARTICLE DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO DO ANY OF THE FOLLOWING, TO THE EXTENT THAT THE USE OF THE CONSUMER'S PERSONAL DATA IS REASONABLY NECESSARY AND PROPORTIONATE FOR THESE PURPOSES: (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS; (B) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI- GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERN- MENTAL AUTHORITIES; (C) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGU- LATIONS; (D) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND LEGAL CLAIMS; (E) PROCESS PERSONAL DATA NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY A CONSUMER, UNLESS THE CONSUMER WITHHOLDS, DENIES, OR WITH- DRAWS CONSENT; PERFORM A CONTRACT TO WHICH THE CONSUMER IS A PARTY; OR TAKE STEPS AT THE REQUEST OF THE CONSUMER PRIOR TO ENTERING INTO A CONTRACT; (F) TAKE IMMEDIATE STEPS TO PROTECT THE LIFE OR PHYSICAL SAFETY OF THE CONSUMER OR OF ANOTHER NATURAL PERSON, AND WHERE THE PROCESSING CANNOT BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS; (G) PREVENT, DETECT, PROTECT AGAINST, OR RESPOND TO SECURITY INCI- DENTS, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIV- ITIES, OR ANY ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY OR SECURITY OF A. 680--A 18 SYSTEMS; OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR ANY SUCH ACTION; OR (H) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY. 3. THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS ARTICLE DO NOT APPLY WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW YORK LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVI- LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION. 4. THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS ARTICLE DO NOT APPLY TO THE PUBLICATION OF NEWSWORTHY INFORMATION OF LEGITIMATE PUBLIC CONCERN TO THE PUBLIC, OR THE PROCESSING OR TRANSFER OF INFORMATION BY A CONTROLLER FOR SUCH PURPOSE. 5. A CONTROLLER THAT RECEIVES A REQUEST PURSUANT TO SUBDIVISIONS THREE THROUGH SIX OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR A PROCESS- OR OR THIRD PARTY TO WHOM A CONTROLLER COMMUNICATES SUCH A REQUEST, MAY DECLINE TO FULFILL THE RELEVANT PART OF SUCH REQUEST IF: (A) THE CONTROLLER, PROCESSOR, OR THIRD PARTY IS UNABLE TO VERIFY THE REQUEST USING COMMERCIALLY REASONABLE EFFORTS, AS DESCRIBED IN PARAGRAPH (C) OF SUBDIVISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE; (B) COMPLYING WITH THE REQUEST WOULD BE DEMONSTRABLY IMPOSSIBLE (FOR PURPOSES OF THIS PARAGRAPH, THE RECEIPT OF A LARGE NUMBER OF VERIFIED REQUESTS, ON ITS OWN, IS NOT SUFFICIENT TO RENDER COMPLIANCE WITH A REQUEST DEMONSTRABLY IMPOSSIBLE); (C) COMPLYING WITH THE REQUEST WOULD IMPAIR THE PRIVACY OF ANOTHER INDIVIDUAL OR THE RIGHTS OF ANOTHER TO EXERCISE FREE SPEECH; OR (D) THE PERSONAL DATA WAS CREATED BY A NATURAL PERSON OTHER THAN THE CONSUMER MAKING THE REQUEST AND IS BEING PROCESSED FOR THE PURPOSE OF FACILITATING INTERPERSONAL RELATIONSHIPS OR PUBLIC DISCUSSION. § 1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION. 1. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL, EITHER UPON COMPLAINT OR OTHERWISE, THAT ANY PERSON OR PERSONS HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN THE NAME AND ON BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR PROP- ERTY OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT OF ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN CIVIL PENALTIES OF NOT MORE THAN FIFTEEN THOUSAND DOLLARS PER VIOLATION, AND TO OBTAIN ANY SUCH OTHER AND FURTHER RELIEF AS THE COURT MAY DEEM PROPER, INCLUDING PRELIMINARY RELIEF. (A) ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS. (B) EACH INSTANCE OF UNLAWFUL PROCESSING COUNTS AS A SEPARATE VIOLATION. UNLAWFUL PROCESSING OF THE PERSONAL DATA OF MORE THAN ONE CONSUMER COUNTS AS A SEPARATE VIOLATION AS TO EACH CONSUMER. EACH PROVISION OF THIS ARTICLE THAT IS VIOLATED COUNTS AS A SEPARATE VIOLATION. (C) IN ASSESSING THE AMOUNT OF PENALTIES, THE COURT MUST CONSIDER ANY ONE OR MORE OF THE RELEVANT CIRCUMSTANCES PRESENTED BY ANY OF THE PARTIES, INCLUDING, BUT NOT LIMITED TO, THE NATURE AND SERIOUSNESS OF THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCON- DUCT, THE LENGTH OF TIME OVER WHICH THE MISCONDUCT OCCURRED, THE WILL- FULNESS OF THE VIOLATOR'S MISCONDUCT, AND THE VIOLATOR'S FINANCIAL CONDITION. A. 680--A 19 2. IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD- ANCE WITH THE CIVIL PRACTICE LAW AND RULES. THE ATTORNEY GENERAL MAY ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE- VANT AND MAY REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER OATH. SUCH POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON OF ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL UNDER THIS ARTICLE. 3. ANY PERSON, WITHIN OR OUTSIDE THE STATE, WHO THE ATTORNEY GENERAL BELIEVES MAY BE IN POSSESSION, CUSTODY, OR CONTROL OF ANY BOOKS, PAPERS, OR OTHER THINGS, OR MAY HAVE INFORMATION, RELEVANT TO ACTS OR PRACTICES STATED TO BE UNLAWFUL IN THIS ARTICLE IS SUBJECT TO THE SERVICE OF A SUBPOENA ISSUED BY THE ATTORNEY GENERAL PURSUANT TO THIS SECTION. SERVICE MAY BE MADE IN ANY MANNER THAT IS AUTHORIZED FOR SERVICE OF A SUBPOENA OR A SUMMONS BY THE STATE IN WHICH SERVICE IS MADE. 4. (A) FAILURE TO COMPLY WITH A SUBPOENA ISSUED PURSUANT TO THIS SECTION WITHOUT REASONABLE CAUSE TOLLS THE APPLICABLE STATUTES OF LIMI- TATIONS IN ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL AGAINST THE NONCOMPLIANT PERSON THAT ARISES OUT OF THE ATTORNEY GENERAL'S INVESTIGATION. (B) IF A PERSON FAILS TO COMPLY WITH A SUBPOENA ISSUED PURSUANT TO THIS SECTION, THE ATTORNEY GENERAL MAY MOVE IN THE SUPREME COURT TO COMPEL COMPLIANCE. IF THE COURT FINDS THAT THE SUBPOENA WAS AUTHORIZED, IT SHALL ORDER COMPLIANCE AND MAY IMPOSE A CIVIL PENALTY OF UP TO FIVE HUNDRED DOLLARS PER DAY OF NONCOMPLIANCE. (C) SUCH TOLLING AND CIVIL PENALTY SHALL BE IN ADDITION TO ANY OTHER PENALTIES OR REMEDIES PROVIDED BY LAW FOR NONCOMPLIANCE WITH A SUBPOENA. 5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL UNDER THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND SHALL NOT SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION OR CONDUCT ANY INQUIRY. 6. ANY CONSUMER WHO HAS BEEN INJURED BY A VIOLATION OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER OWN NAME TO ENJOIN SUCH UNLAWFUL ACT OR PRACTICE AND TO RECOVER HIS OR HER ACTUAL DAMAGES OR ONE THOUSAND DOLLARS, WHICHEVER IS GREATER. THE COURT MAY ALSO AWARD REASONABLE ATTORNEYS' FEES TO A PREVAILING PLAINTIFF. ACTIONS PURSUANT TO THIS SECTION MAY BE BROUGHT ON A CLASS-WIDE BASIS. § 1107. MISCELLANEOUS. 1. PREEMPTION: THIS ARTICLE DOES NOT ANNUL, ALTER, OR AFFECT THE LAWS, ORDINANCES, REGULATIONS, OR THE EQUIVALENT ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING, COLLECTION, TRANS- FER, DISCLOSURE, AND SALE OF CONSUMERS' PERSONAL DATA BY A CONTROLLER OR PROCESSOR SUBJECT TO THIS ACT, EXCEPT TO THE EXTENTS THOSE LAWS, ORDI- NANCES, REGULATIONS, OR THE EQUIVALENT ARE INCONSISTENT WITH THE PROVISIONS OF THIS ACT, AND THEN ONLY TO THE EXTENT OF THE INCONSISTEN- CY. 2. IMPACT REPORT: THE ATTORNEY GENERAL SHALL ISSUE A REPORT EVALUATING THIS ARTICLE, ITS SCOPE, ANY COMPLAINTS FROM CONSUMERS OR PERSONS, THE LIABILITY AND ENFORCEMENT PROVISIONS OF THIS ARTICLE INCLUDING, BUT NOT LIMITED TO, THE EFFECTIVENESS OF ITS EFFORTS TO ENFORCE THIS ARTICLE, AND ANY RECOMMENDATIONS FOR CHANGES TO SUCH PROVISIONS. THE ATTORNEY GENERAL SHALL SUBMIT THE REPORT TO THE GOVERNOR, THE TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE APPROPRIATE COMMIT- TEES OF THE LEGISLATURE WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS SECTION. A. 680--A 20 3. REGULATORY AUTHORITY: (A) THE ATTORNEY GENERAL IS HEREBY AUTHORIZED AND EMPOWERED TO ADOPT, PROMULGATE, AMEND AND RESCIND SUITABLE RULES AND REGULATIONS TO CARRY OUT THE PROVISIONS OF THIS ARTICLE, INCLUDING RULES GOVERNING THE FORM AND CONTENT OF ANY DISCLOSURES OR COMMUNICATIONS REQUIRED BY THIS ARTICLE. (B) THE ATTORNEY GENERAL MAY REQUEST DATA AND INFORMATION FROM CONTROLLERS CONDUCTING BUSINESS IN NEW YORK STATE, OTHER NEW YORK STATE GOVERNMENT ENTITIES ADMINISTERING NOTICE AND CONSENT REGIMES, CONSUMER PROTECTION AND PRIVACY ADVOCATES AND RESEARCHERS, INTERNET STANDARDS SETTING BODIES, SUCH AS THE INTERNET ENGINEERING TASKFORCE AND THE INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, AND OTHER RELEVANT SOURCES, TO CONDUCT STUDIES TO INFORM SUITABLE RULES AND REGULATIONS. THE ATTORNEY GENERAL SHALL RECEIVE, UPON REQUEST, DATA FROM OTHER NEW YORK STATE GOVERNMENTAL ENTITIES. 4. EXERCISE OF RIGHTS: ANY CONSUMER RIGHT SET FORTH IN THIS ARTICLE MAY BE EXERCISED AT ANY TIME BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, BY AN AGENT AUTHORIZED BY A CONSUMER TO EXERCISE THE RIGHTS SET FORTH IN THIS ACT ON THEIR BEHALF, OR BY A PARENT OR GUARDIAN AUTHORIZED BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF THE CONSUMER WHO IS THE SUBJECT OF THE DATA. § 4. This act shall take effect immediately; provided, however, that sections 1101, 1102, 1103, 1105, 1106 and 1107 of the general business law, as added by section three of this act, shall take effect January 1, 2022.
co-Sponsors
Dan Quart
David Weprin
Jo Anne Simon
Jeffrey Dinowitz
Amy Paulin
Thomas Abinanti
2021-A680B (ACTIVE) - Details
2021-A680B (ACTIVE) - Bill Text download pdf
S T A T E O F N E W Y O R K ________________________________________________________________________ 680--B 2021-2022 Regular Sessions I N A S S E M B L Y (PREFILED) January 6, 2021 ___________ Introduced by M. of A. L. ROSENTHAL, QUART, WEPRIN, D. ROSENTHAL, SIMON, DINOWITZ, PAULIN -- read once and referred to the Committee on Consum- er Affairs and Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee -- recommitted to the Committee on Consumer Affairs and Protection in accordance with Assembly Rule 3, sec. 2 -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said commit- tee AN ACT to amend the general business law, in relation to the management and oversight of personal data THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS: Section 1. Short title. This act shall be known and may be cited as the "New York privacy act". § 2. Legislative intent. 1. Privacy is a fundamental right and an essential element of freedom. Advances in technology have produced ramp- ant growth in the amount and categories of personal data being gener- ated, collected, stored, analyzed, and potentially shared, which presents both promise and peril. Companies collect, use and share our personal data in ways that can be difficult for ordinary consumers to understand. Opaque data processing policies make it impossible to evalu- ate risks and compare privacy-related protections across services, stifling competition. Algorithms quietly make decisions with critical consequences for New York consumers, often with no human accountability. Behavioral advertising generates profits by turning people into products and their activity into assets. New York consumers deserve more notice and more control over their data and their digital privacy. 2. This act seeks to help New York consumers regain their privacy. It gives New York consumers the ability to exercise more control over their personal data and requires businesses to be responsible, thoughtful, and EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD00516-05-1 A. 680--B 2 accountable managers of that information. To achieve this, this act provides New York consumers a number of new rights, including clear notice of how their data is being used, processed and shared; the abili- ty to access and obtain a copy of their data in a commonly used elec- tronic format, with the ability to transfer it between services; the ability to correct inaccurate data and to delete their data; and the ability to challenge certain automated decisions. This act also imposes obligations upon businesses to maintain reasonable data security for personal data, to notify New York consumers of foreseeable harms arising from use of their data and to obtain specific consent for that use, and to conduct regular assessments to ensure that data is not being used for unacceptable purposes. These data assessments can be obtained and evalu- ated by the New York State Attorney General, who is empowered to obtain penalties for violations of this act and prevent future violations. This act also grants New York consumers who have been injured as the result of a violation a private right of action, which includes reasonable attorneys' fees to a prevailing plaintiff. § 3. The general business law is amended by adding a new article 42 to read as follows: ARTICLE 42 NEW YORK PRIVACY ACT SECTION 1100. DEFINITIONS. 1101. JURISDICTIONAL SCOPE. 1102. CONSUMER RIGHTS. 1103. CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES. 1104. DATA BROKERS. 1105. LIMITATIONS. 1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION. 1107. MISCELLANEOUS. § 1100. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY THROUGHOUT THIS ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE: 1. "AUTOMATED DECISION-MAKING" OR "AUTOMATED DECISION" MEANS A COMPU- TATIONAL PROCESS, INCLUDING ONE DERIVED FROM MACHINE LEARNING, ARTIFI- CIAL INTELLIGENCE, OR ANY OTHER AUTOMATED PROCESS, INVOLVING PERSONAL DATA THAT RESULTS IN A DECISION AFFECTING A CONSUMER. 2. "BIOMETRIC INFORMATION" MEANS ANY PERSONAL DATA GENERATED FROM THE MEASUREMENT OR SPECIFIC TECHNOLOGICAL PROCESSING OF A NATURAL PERSON'S BIOLOGICAL, PHYSICAL, OR PHYSIOLOGICAL CHARACTERISTICS, INCLUDING FING- ERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES, DEOXYRIBONUCLEIC ACID (DNA) INFORMATION, AND GAIT. 3. "BUSINESS ASSOCIATE" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 4. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT TO THE PROCESSING OF DATA RELATING TO THE CONSUMER. CONSENT MAY BE WITHDRAWN AT ANY TIME, AND A CONTROLLER MUST PROVIDE CLEAR, CONSPICUOUS, AND CONSUMER-FRIENDLY MEANS TO WITHDRAW CONSENT. THE BURDEN OF ESTAB- LISHING CONSENT IS ON THE CONTROLLER. CONSENT DOES NOT INCLUDE: (A) AN AGREEMENT OF GENERAL TERMS OF USE OR A SIMILAR DOCUMENT THAT REFERENCES UNRELATED INFORMATION IN ADDITION TO PERSONAL DATA PROCESSING; (B) AN AGREEMENT OBTAINED THROUGH FRAUD, DECEIT OR DECEPTION; (C) ANY ACT THAT DOES NOT CONSTITUTE A USER'S INTENT TO INTERACT WITH ANOTHER PARTY SUCH AS HOVERING OVER, PAUSING OR CLOSING ANY CONTENT; OR (D) A PRE-CHECKED BOX OR SIMILAR DEFAULT. A. 680--B 3 5. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING ONLY IN AN INDIVIDUAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN TO BE ACTING IN A PROFESSIONAL OR EMPLOYMENT CONTEXT. 6. "CONTROLLER" MEANS THE PERSON WHO, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA. 7. "COVERED ENTITY" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 8. "DATA BROKER" MEANS A PERSON, OR UNIT OR UNITS OF A LEGAL ENTITY, SEPARATELY OR TOGETHER, THAT DOES BUSINESS IN THE STATE OF NEW YORK AND KNOWINGLY COLLECTS, AND SELLS TO CONTROLLERS OR THIRD PARTIES, THE PERSONAL DATA OF A CONSUMER WITH WHOM IT DOES NOT HAVE A DIRECT RELATIONSHIP. "DATA BROKER" DOES NOT INCLUDE ANY OF THE FOLLOWING: (A) A CONSUMER REPORTING AGENCY TO THE EXTENT THAT IT IS COVERED BY THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET SEQ.); OR (B) A FINANCIAL INSTITUTION TO THE EXTENT THAT IT IS COVERED BY THE GRAMM-LEACH-BLILEY ACT (PUBLIC LAW 106-102) AND IMPLEMENTING REGU- LATIONS. 9. "DEIDENTIFIED DATA" MEANS DATA THAT CANNOT REASONABLY BE USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTICULAR CONSUM- ER, HOUSEHOLD OR DEVICE, PROVIDED THAT THE PROCESSOR OR CONTROLLER THAT POSSESSES THE DATA: (A) IMPLEMENTS REASONABLE TECHNICAL SAFEGUARDS TO ENSURE THAT THE DATA CANNOT BE ASSOCIATED WITH A CONSUMER, HOUSEHOLD OR DEVICE; (B) PUBLICLY COMMITS TO PROCESS THE DATA ONLY AS DEIDENTIFIED DATA AND NOT ATTEMPT TO REIDENTIFY THE DATA, EXCEPT THAT THE CONTROLLER OR PROCESSOR MAY ATTEMPT TO REIDENTIFY THE INFORMATION SOLELY FOR THE PURPOSE OF DETERMINING WHETHER ITS DEIDENTIFICATION PROCESSES SATISFY THE REQUIREMENTS OF THIS SUBDIVISION; AND (C) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE DATA TO COMPLY WITH ALL PROVISIONS OF THIS ARTICLE. 10. "DEVICE" MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECTING TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE AND IS INTENDED FOR USE BY A NATURAL PERSON OR HOUSEHOLD OR, IF USED OUTSIDE THE HOME, FOR USE BY THE GENERAL PUBLIC. 11. "MEANINGFUL HUMAN REVIEW" MEANS REVIEW OR OVERSIGHT BY ONE OR MORE INDIVIDUALS WHO (A) ARE TRAINED IN THE CAPABILITIES AND LIMITATIONS OF THE ALGORITHM AT ISSUE AND THE PROCEDURES TO INTERPRET AND ACT ON THE OUTPUT OF THE ALGORITHM, AND (B) HAVE THE AUTHORITY TO ALTER THE AUTO- MATED DECISION UNDER REVIEW. 12. "NATURAL PERSON" MEANS A NATURAL PERSON ACTING ONLY IN AN INDIVID- UAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN TO BE ACTING IN A PROFESSIONAL OR EMPLOYMENT CONTEXT. 13. "PERSON" MEANS A NATURAL PERSON OR A LEGAL ENTITY, INCLUDING BUT NOT LIMITED TO A PROPRIETORSHIP, PARTNERSHIP, LIMITED PARTNERSHIP, CORPORATION, COMPANY, LIMITED LIABILITY COMPANY OR CORPORATION, ASSOCI- ATION, OR OTHER FIRM OR SIMILAR BODY, OR ANY UNIT, DIVISION, AGENCY, DEPARTMENT, OR SIMILAR SUBDIVISION THEREOF. 14. "PERSONAL DATA" MEANS ANY DATA THAT IDENTIFIES OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A SPECIFIC NATURAL PERSON, HOUSEHOLD, OR DEVICE. PERSONAL DATA DOES NOT INCLUDE DEIDENTIFIED DATA. 15. "IDENTIFIED OR IDENTIFIABLE" MEANS A NATURAL PERSON WHO CAN BE IDENTIFIED, DIRECTLY OR INDIRECTLY, SUCH AS BY REFERENCE TO AN IDENTIFI- ER SUCH AS A NAME, AN IDENTIFICATION NUMBER, LOCATION DATA, OR AN ONLINE OR DEVICE IDENTIFIER. A. 680--B 4 16. "PROCESS", "PROCESSES" OR "PROCESSING" MEANS AN OPERATION OR SET OF OPERATIONS WHICH ARE PERFORMED ON DATA OR ON SETS OF DATA, INCLUDING BUT NOT LIMITED TO THE COLLECTION, USE, ACCESS, SHARING, MONETIZATION, ANALYSIS, RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGAN- IZATION, STRUCTURING, STORAGE, DISCLOSURE, TRANSMISSION, ANALYSIS, DISPOSAL, LICENSING, DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFI- CATION OF DATA. 17. "PROCESSOR" MEANS A PERSON THAT PROCESSES DATA ON BEHALF OF THE CONTROLLER. 18. "PROFILING" MEANS ANY FORM OF AUTOMATED PROCESSING PERFORMED ON PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS RELATED TO AN IDENTIFIED OR IDENTIFIABLE NATURAL PERSON'S ECONOMIC SITUATION, HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS. 19. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 20. "SALE", "SELL", OR "SOLD" MEANS THE DISCLOSURE, TRANSFER, CONVEY- ANCE, SHARING, LICENSING, MAKING AVAILABLE, PROCESSING, GRANTING OF PERMISSION OR AUTHORIZATION TO PROCESS, OR OTHER EXCHANGE OF PERSONAL DATA, OR PROVIDING ACCESS TO PERSONAL DATA FOR MONETARY OR OTHER VALU- ABLE CONSIDERATION BY THE CONTROLLER TO A THIRD PARTY. "SALE" INCLUDES ENABLING, FACILITATING OR PROVIDING ACCESS TO A CONSUMER FOR TARGETED ADVERTISING. "SALE" DOES NOT INCLUDE THE FOLLOWING: (A) THE DISCLOSURE OF DATA TO A PROCESSOR WHO PROCESSES THE DATA ON BEHALF OF THE CONTROLLER AND WHICH IS CONTRACTUALLY PROHIBITED FROM USING IT FOR ANY PURPOSE OTHER THAN AS INSTRUCTED BY THE CONTROLLER; OR (B) THE DISCLOSURE OR TRANSFER OF DATA AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN WHICH ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR A MAJORITY OF THE CONTROL- LER'S ASSETS. 21. "TARGETED ADVERTISING" MEANS DISPLAYING ONLINE ADVERTISEMENTS TO A CONSUMER WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED FROM A CONSUMER'S ACTIVITIES OVER TIME AND ACROSS ONE OR MORE DISTINCTLY-BRANDED WEBSITES, ONLINE APPLICATIONS, OR SERVICES, TO PREDICT THE CONSUMER'S PREFERENCES OR INTERESTS. IT DOES NOT INCLUDE ADVERTISING (A) BASED SOLELY ON THE CONTEXT OF THE CONSUM- ER'S CURRENT SEARCH QUERY OR VISIT TO A WEBSITE OR ONLINE APPLICATION OR (B) TO A CONSUMER IN DIRECT RESPONSE TO THE CONSUMER'S REQUEST FOR INFORMATION OR FEEDBACK. 22. "THIRD PARTY" MEANS, WITH RESPECT TO A PARTICULAR INTERACTION OR OCCURRENCE, A PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER THAN THE CONSUMER, THE CONTROLLER, OR PROCESSOR OF THE CONTROLLER. A THIRD PARTY MAY ALSO BE A CONTROLLER IF THE THIRD PARTY, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA. 23. "VERIFIED REQUEST" MEANS A REQUEST BY A CONSUMER OR THEIR AGENT TO EXERCISE A RIGHT AUTHORIZED BY THIS ARTICLE, THE AUTHENTICITY OF WHICH HAS BEEN ASCERTAINED BY THE CONTROLLER IN ACCORDANCE WITH PARAGRAPH (C) OF SUBDIVISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE. § 1101. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL PERSONS THAT CONDUCT BUSINESS IN NEW YORK OR PRODUCE PRODUCTS OR SERVICES THAT ARE TARGETED TO RESIDENTS OF NEW YORK, AND THAT SATISFY ONE OR MORE OF THE FOLLOWING THRESHOLDS: (A) HAVE ANNUAL GROSS REVENUE OF TWENTY-FIVE MILLION DOLLARS OR MORE; A. 680--B 5 (B) CONTROLS OR PROCESSES PERSONAL DATA OF ONE HUNDRED THOUSAND CONSUMERS OR MORE; (C) CONTROLS OR PROCESSES PERSONAL DATA OF FIVE HUNDRED THOUSAND NATURAL PERSONS OR MORE NATIONWIDE, AND CONTROLS OR PROCESSES PERSONAL DATA OF TEN THOUSAND CONSUMERS OR MORE; OR (D) DERIVES OVER FIFTY PERCENT OF GROSS REVENUE FROM THE SALE OF PERSONAL DATA, AND CONTROLS OR PROCESSES PERSONAL DATA OF TWENTY-FIVE THOUSAND CONSUMERS OR MORE. 2. THIS ARTICLE DOES NOT APPLY TO: (A) PERSONAL DATA PROCESSED BY STATE AND LOCAL GOVERNMENTS, AND MUNIC- IPAL CORPORATIONS, FOR PROCESSES OTHER THAN SALE (FILING AND PROCESSING FEES ARE NOT SALE); (B) A NATIONAL SECURITIES ASSOCIATION REGISTERED PURSUANT TO SECTION 15A OF THE SECURITIES EXCHANGE ACT OF 1934, AS AMENDED, OR REGULATIONS ADOPTED THEREUNDER OR A REGISTERED FUTURES ASSOCIATION SO DESIGNATED PURSUANT TO SECTION 17 OF THE COMMODITY EXCHANGE ACT, AS AMENDED, OR ANY REGULATIONS ADOPTED THEREUNDER; (C) INFORMATION THAT MEETS THE FOLLOWING CRITERIA: (I) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO AND IN COMPLIANCE WITH THE FEDERAL GRAMM-LEACH-BLILEY ACT (P.L. 106-102), AND IMPLEMENTING REGULATIONS; (II) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL DRIVER'S PRIVACY PROTECTION ACT OF 1994 (18 U.S.C. SEC. 2721 ET SEQ.), IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN COMPLIANCE WITH THAT LAW; (III) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, U.S.C. SEC. 1232G AND ITS IMPLEMENTING REGULATIONS; (IV) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL FARM CREDIT ACT OF 1971 (AS AMENDED IN 12 U.S.C. SEC. 2001-2279CC) AND ITS IMPLEMENTING REGULATIONS (12 C.F.R. PART 600 ET SEQ.) IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN COMPLI- ANCE WITH THAT LAW; (V) PERSONAL DATA REGULATED BY SECTION TWO-D OF THE EDUCATION LAW; (VI) DATA MAINTAINED AS EMPLOYMENT RECORDS, FOR PURPOSES OTHER THAN SALE; (VII) PROTECTED HEALTH INFORMATION THAT IS LAWFULLY COLLECTED BY A COVERED ENTITY OR BUSINESS ASSOCIATE AND IS GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191) ("HIPAA") AND THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (PUBLIC LAW 111-5); (VIII) PATIENT IDENTIFYING INFORMATION FOR PURPOSES OF 42 C.F.R. PART 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290DD-2, AS LONG AS SUCH DATA IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR FEDERAL LAW; (IX) INFORMATION AND DOCUMENTS LAWFULLY CREATED FOR PURPOSES OF THE FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986, AND RELATED REGU- LATIONS; (X) PATIENT SAFETY WORK PRODUCT CREATED FOR PURPOSES OF 42 C.F.R. PART 3, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 299B-21 THROUGH 299B-26; (XI) INFORMATION THAT IS TREATED IN THE SAME MANNER AS INFORMATION EXEMPT UNDER SUBPARAGRAPH (VII) OF THIS PARAGRAPH THAT IS MAINTAINED BY A COVERED ENTITY OR BUSINESS ASSOCIATE AS DEFINED BY HIPAA OR A PROGRAM OR A QUALIFIED SERVICE ORGANIZATION AS DEFINED BY 42 U.S.C. § 290DD-2, A. 680--B 6 AS LONG AS SUCH DATA IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR FEDERAL LAW; (XII) DEIDENTIFIED HEALTH INFORMATION THAT MEETS ALL OF THE FOLLOWING CONDITIONS: (A) IT IS DEIDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DEIDEN- TIFICATION SET FORTH IN SECTION 164.514 OF PART 164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; (B) IT IS DERIVED FROM PROTECTED HEALTH INFORMATION, INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION, OR IDENTIFIABLE PRIVATE INFORMATION COMPLIANT WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE; AND (C) A COVERED ENTITY OR BUSINESS ASSOCIATE DOES NOT ATTEMPT TO REIDEN- TIFY THE INFORMATION NOR DO THEY ACTUALLY REIDENTIFY THE INFORMATION EXCEPT AS OTHERWISE ALLOWED UNDER STATE OR FEDERAL LAW; (XIII) PATIENT INFORMATION MAINTAINED BY A COVERED ENTITY OR BUSINESS ASSOCIATE GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGU- LATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE COVERED ENTITY OR BUSINESS ASSOCIATE MAINTAINS THE PATIENT INFORMATION IN THE SAME MANNER AS PROTECTED HEALTH INFORMATION AS DESCRIBED IN SUBPARAGRAPH (VII) OF THIS PARAGRAPH; (XIV) DATA COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH, INCLUDING A CLINICAL TRIAL, CONDUCTED IN ACCORDANCE WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE UNITED STATES FOOD AND DRUG ADMINISTRATION; OR (XV) PERSONAL DATA PROCESSED ONLY FOR ONE OR MORE OF THE FOLLOWING PURPOSES: (A) PRODUCT REGISTRATION AND TRACKING CONSISTENT WITH APPLICABLE UNITED STATES FOOD AND DRUG ADMINISTRATION REGULATIONS AND GUIDANCE; (B) PUBLIC HEALTH ACTIVITIES AND PURPOSES AS DESCRIBED IN SECTION 164.512 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; AND/OR (C) ACTIVITIES RELATED TO QUALITY, SAFETY, OR EFFECTIVENESS REGULATED BY THE UNITED STATES FOOD AND DRUG ADMINISTRATION; (D) (I) AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S CREDIT WORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING BY A CONSUMER REPORTING AGENCY, AS DEFINED IN TITLE 15 U.S.C. SEC. 1681A(F), BY A FURNISHER OF INFORMATION, AS SET FORTH IN TITLE 15 U.S.C. SEC. 1681S-2, WHO PROVIDES INFORMATION FOR USE IN A CONSUMER REPORT, AS DEFINED IN TITLE 15 U.S.C. SEC. 1861A(D), AND BY A USER OF A CONSUMER REPORT, AS SET FORTH IN TITLE 15 U.S.C. SEC. 1681B.; AND (II) THIS PARAGRAPH SHALL APPLY ONLY TO THE EXTENT THAT SUCH ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF SUCH DATA BY THAT AGENCY, FURNISHER, OR USER IS SUBJECT TO REGULATION UNDER THE FAIR CREDIT REPORTING ACT, TITLE 15 U.S.C. SEC. 1681 ET SEQ., AND THE DATA IS NOT COLLECTED, MAINTAINED, USED, COMMUNI- CATED, DISCLOSED, OR SOLD EXCEPT AS AUTHORIZED BY THE FAIR CREDIT REPORTING ACT. § 1102. CONSUMER RIGHTS. 1. RIGHT TO NOTICE. (A) NOTICE. EACH CONTROL- LER THAT PROCESSES A CONSUMER'S PERSONAL DATA MUST MAKE PUBLICLY AND A. 680--B 7 PERSISTENTLY AVAILABLE, IN A CONSPICUOUS AND READILY ACCESSIBLE MANNER, A NOTICE CONTAINING THE FOLLOWING: (I) A DESCRIPTION OF THE CONSUMER'S RIGHTS UNDER SUBDIVISIONS TWO THROUGH SIX OF THIS SECTION AND HOW A CONSUMER MAY EXERCISE THOSE RIGHTS, INCLUDING HOW TO WITHDRAW CONSENT; (II) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER AND BY ANY PROCESSOR WHO PROCESSES PERSONAL DATA ON BEHALF OF THE CONTROL- LER; (III) THE SOURCES FROM WHICH PERSONAL DATA IS COLLECTED; (IV) THE PURPOSES FOR PROCESSING PERSONAL DATA; (V) THE IDENTITY OF EACH THIRD PARTY TO WHOM THE CONTROLLER DISCLOSED, SHARED, TRANSFERRED OR SOLD PERSONAL DATA AND, FOR EACH IDENTIFIED THIRD PARTY, (A) THE CATEGORIES OF PERSONAL DATA BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD TO THE THIRD PARTY, (B) THE PURPOSES FOR WHICH PERSONAL DATA IS BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD TO THE THIRD PARTY, (C) THE THIRD PARTY'S RETENTION PERIOD FOR EACH CATEGORY OF PERSONAL DATA PROCESSED BY THE THIRD PARTY OR PROCESSED ON THEIR BEHALF, OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THE PERIOD, AND (D) WHETHER THE THIRD PARTY USES THE PERSONAL DATA FOR TARGETED ADVERTISING; (VI) THE CONTROLLER'S RETENTION PERIOD FOR EACH CATEGORY OF PERSONAL DATA THAT THEY PROCESS OR IS PROCESSED ON THEIR BEHALF, OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD; AND (VII) FOR CONTROLLERS ENGAGING IN TARGETED ADVERTISING, AVERAGE EXPECTED REVENUE PER USER (ARPU) OR A SIMILAR METRIC FOR THE MOST RECENT FISCAL YEAR FOR THE REGION THAT COVERS NEW YORK. (B) NOTICE REQUIREMENTS. (I) THE NOTICE MUST BE WRITTEN IN EASY-TO-UNDERSTAND LANGUAGE AT AN EIGHTH GRADE READING LEVEL OR BELOW. (II) THE CATEGORIES OF PERSONAL DATA PROCESSED AND PURPOSES FOR WHICH EACH CATEGORY OF PERSONAL DATA IS PROCESSED MUST BE DESCRIBED AT A LEVEL SPECIFIC ENOUGH TO ENABLE A CONSUMER TO EXERCISE MEANINGFUL CONTROL OVER THEIR PERSONAL DATA BUT NOT SO SPECIFIC AS TO RENDER THE NOTICE UNHELP- FUL TO A REASONABLE CONSUMER. (III) THE NOTICE MUST BE DATED WITH ITS EFFECTIVE DATE AND UPDATED AT LEAST ANNUALLY. WHEN THE INFORMATION REQUIRED TO BE DISCLOSED TO A CONSUMER PURSUANT TO PARAGRAPH (A) OF THIS SUBDIVISION HAS NOT CHANGED SINCE THE IMMEDIATELY PREVIOUS NOTICE (WHETHER INITIAL, ANNUAL, OR REVISED) PROVIDED TO THE CONSUMER, A CONTROLLER MAY ISSUE A STATEMENT THAT NO CHANGES HAVE BEEN MADE. (IV) THE NOTICE, AS WELL AS EACH VERSION OF THE NOTICE IN EFFECT IN THE PRECEDING SIX YEARS, MUST BE EASILY ACCESSIBLE TO CONSUMERS AND CAPABLE OF BEING VIEWED BY CONSUMERS AT ANY TIME. 2. OPT-IN CONSENT. (A) A CONTROLLER MUST OBTAIN FREELY GIVEN, SPECIF- IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM A CONSUMER TO: (I) PROCESS THE CONSUMER'S PERSONAL DATA FOR ANY PURPOSE OTHER THAN THOSE IN SUBDIVISION TWO OF SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE; OR (II) MAKE ANY CHANGES TO THE EXISTING PROCESSING OR PROCESSING PURPOSE, INCLUDING THOSE REGARDING THE METHOD AND SCOPE OF COLLECTION, OF THE CONSUMER'S PERSONAL DATA THAT MAY BE LESS PROTECTIVE OF THE CONSUMER'S PERSONAL DATA THAN THE PROCESSING TO WHICH THE CONSUMER HAS PREVIOUSLY GIVEN THEIR FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT. (B) ANY REQUEST FOR CONSENT MUST BE PROVIDED TO THE CONSUMER, PRIOR TO PROCESSING THEIR PERSONAL DATA, IN A STANDALONE DISCLOSURE THAT IS SEPA- A. 680--B 8 RATE AND APART FROM ANY CONTRACT OR PRIVACY POLICY. THE REQUEST FOR CONSENT MUST: (I) INCLUDE A CLEAR AND CONSPICUOUS DESCRIPTION OF EACH CATEGORY OF DATA AND PROCESSING PURPOSE FOR WHICH CONSENT IS SOUGHT; (II) CLEARLY IDENTIFY AND DISTINGUISH BETWEEN CATEGORIES OF DATA AND PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER AND CATEGORIES OF DATA AND PROCESSING PURPOSES THAT ARE NOT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER; (III) ENABLE A REASONABLE CONSUMER TO EASILY IDENTIFY THE CATEGORIES OF DATA AND PROCESSING PURPOSES FOR WHICH CONSENT IS SOUGHT; (IV) CLEARLY PRESENT AS THE MOST CONSPICUOUS CHOICE AN OPTION TO PROVIDE ONLY THE CONSENT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER; (V) CLEARLY PRESENT AN OPTION TO DENY CONSENT; AND (VI) WHERE THE REQUEST SEEKS CONSENT TO SHARING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO THIRD PARTIES, IDENTIFY EACH SUCH THIRD PARTY, THE CATEGORIES OF DATA SOLD OR SHARED WITH THEM, THE PROCESSING PURPOSES, THE RETENTION PERIOD, OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THE PERIOD, AND FOR EACH THIRD PARTY STATE IF SUCH SHARING, DISCLOSURE, TRANSFER, OR SALE ENABLES OR INVOLVES TARGETED ADVERTISING. THE DETAILS OF IDENTITIES OF SUCH THIRD PARTIES, AND THE CATEGORIES OF DATA, PROCESSING PURPOSES, AND THE RETENTION PERIOD, MAY BE SET FORTH IN A DIFFERENT DISCLOSURE, PROVIDED THAT THE REQUEST FOR CONSENT CONTAINS A CONSPICUOUS AND DIRECTLY ACCESSIBLE LINK TO THAT DISCLOSURE. (C) TARGETED ADVERTISING AND SALE OF PERSONAL DATA SHALL NOT BE CONSIDERED PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE SERVICES OR GOODS REQUESTED BY A CONSUMER. (D) ONCE A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT TO PROCESS THEIR PERSONAL DATA FOR A PROCESS- ING PURPOSE, A CONTROLLER MAY RELY ON SUCH CONSENT UNTIL IT IS WITH- DRAWN. (E) A CONTROLLER MUST PROVIDE A MECHANISM FOR A CONSUMER TO WITHDRAW PREVIOUSLY GIVEN CONSENT AT ANY TIME. SUCH MECHANISM SHALL MAKE IT AS EASY FOR A CONSUMER TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH CONSUMER TO PROVIDE CONSENT. (F) A CONTROLLER MUST NOT INFER THAT A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM THE CONSUMER'S INACTION OR THE CONSUMER'S CONTINUED USE OF A SERVICE OR PRODUCT PROVIDED BY THE CONTROLLER. (G) TO THE EXTENT THAT A CONTROLLER MUST PROCESS INTERNET PROTOCOL ADDRESSES, SYSTEM CONFIGURATION INFORMATION, URLS OF REFERRING PAGES, LOCALE AND LANGUAGE PREFERENCES, KEYSTROKES, OR ANY OTHER DATA THAT INDIVIDUALLY OR COLLECTIVELY MAY COMPRISE PERSONAL DATA IN ORDER TO OBTAIN A CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT, THE CONTROLLER MUST: (I) PROCESS ONLY THE PERSONAL DATA NECESSARY TO REQUEST FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT; (II) PROCESS THE PERSONAL DATA SOLELY TO REQUEST FREELY GIVEN, SPECIF- IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT; AND (III) PROMPTLY DELETE THE PERSONAL DATA IF CONSENT IS WITHHELD, DENIED, OR WITHDRAWN. (H) CONTROLLERS MUST NOT REQUEST CONSENT FROM A CONSUMER WHO HAS PREVIOUSLY WITHHELD OR DENIED CONSENT, UNLESS CONSENT IS NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER. A. 680--B 9 (I) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A BROWSER, BROWSER PLUG-IN, SMARTPHONE APPLICATION, OPERATING SYSTEM, DEVICE SETTING, OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE CONSUMER'S CHOICE NOT TO BE SUBJECT TO TARGETED ADVERTISING OR THE SALE OF THEIR PERSONAL DATA AS A DENIAL OF CONSENT UNDER THIS ACT. TO THE EXTENT THAT THE PRIVACY CONTROL CONFLICTS WITH A CONSUMER'S CONSENT, THE PRIVACY CONTROL SETTINGS GOVERN, UNLESS THE CONSUMER PROVIDES FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT TO OVERRIDE THE PRIVACY CONTROL. (J) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A CONSUMER FOR WITH- HOLDING OR DENYING CONSENT, INCLUDING, BUT NOT LIMITED TO, BY: (I) DENYING SERVICES OR GOODS TO THE CONSUMER, UNLESS THE CONSUMER DOES NOT CONSENT TO PROCESSING NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER; (II) CHARGING DIFFERENT PRICES FOR GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING PENALTIES, OR PROVIDING A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR (III) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS. (K) A CONTROLLER MAY, WITH THE CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION, OPERATE A PROGRAM IN WHICH INFORMATION, PRODUCTS, OR SERVICES SOLD TO THE CONSUMER ARE DISCOUNTED BASED SOLELY ON SUCH CONSUMER'S PRIOR PURCHASES FROM THE CONTROLLER, PROVIDED THAT THE PERSONAL DATA USED TO OPERATE SUCH PROGRAM IS PROCESSED SOLELY FOR THE PURPOSE OF OPERATING SUCH PROGRAM. (L) IN THE EVENT OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANS- ACTION IN WHICH ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR MAJORITY OF THE CONTROLLER'S ASSETS, ANY CONSENT PROVIDED TO THE CONTROLLER BY A CONSUMER PRIOR TO SUCH TRANSACTION SHALL BE DEEMED WITH- DRAWN. 3. RIGHT TO ACCESS. UPON THE VERIFIED REQUEST OF A CONSUMER, A CONTROLLER SHALL: (A) CONFIRM WHETHER OR NOT THE CONTROLLER IS PROCESSING OR HAS PROC- ESSED PERSONAL DATA OF THAT CONSUMER, AND PROVIDE ACCESS TO A COPY OF ANY SUCH PERSONAL DATA IN A MANNER UNDERSTANDABLE TO A REASONABLE CONSUMER WHEN REQUESTED; AND (B) PROVIDE THE IDENTITY OF EACH PROCESSOR OR THIRD PARTY TO WHOM THE CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE CONSUMER'S PERSONAL DATA AND, FOR EACH IDENTIFIED PROCESSOR OR THIRD PARTY, (I) THE CATEGORIES OF THE CONSUMER'S PERSONAL DATA DISCLOSED, TRANSFERRED, OR SOLD TO EACH PROCESSOR OR THIRD PARTY AND (II) THE PURPOSES FOR WHICH EACH CATEGORY OF THE CONSUMER'S PERSONAL DATA WAS DISCLOSED, TRANSFERRED, OR SOLD TO EACH PROCESSOR OR THIRD PARTY. 4. RIGHT TO PORTABLE DATA. UPON A VERIFIED REQUEST, AND TO THE EXTENT TECHNICALLY FEASIBLE, THE CONTROLLER MUST: (A) PROVIDE TO THE CONSUMER A COPY OF ALL OF, OR A PORTION OF, AS DESIGNATED IN A VERIFIED REQUEST, THE CONSUMER'S PERSONAL DATA IN A STRUCTURED, COMMONLY USED AND MACHINE-READABLE FORMAT AND (B) TRANSMIT THE DATA TO ANOTHER PERSON OF THE CONSUMER'S OR THEIR AGENT'S DESIGNATION WITHOUT HINDRANCE. 5. RIGHT TO CORRECT. (A) UPON THE VERIFIED REQUEST OF A CONSUMER OR THEIR AGENT, A CONTROLLER MUST CONDUCT A REASONABLE INVESTIGATION TO DETERMINE WHETHER PERSONAL DATA, THE ACCURACY OF WHICH IS DISPUTED BY THE CONSUMER, IS INACCURATE, WITH SUCH INVESTIGATION TO BE CONCLUDED A. 680--B 10 WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION EIGHT OF THIS SECTION. (B) NOTWITHSTANDING PARAGRAPH (A) OF THIS SUBDIVISION, A CONTROLLER MAY TERMINATE AN INVESTIGATION INITIATED PURSUANT TO SUCH PARAGRAPH IF THE CONTROLLER REASONABLY AND IN GOOD FAITH DETERMINES THAT THE DISPUTE BY THE CONSUMER IS WHOLLY WITHOUT MERIT, INCLUDING BY REASON OF A FAIL- URE BY A CONSUMER TO PROVIDE SUFFICIENT INFORMATION TO INVESTIGATE THE DISPUTED PERSONAL DATA. UPON MAKING ANY DETERMINATION IN ACCORDANCE WITH THIS PARAGRAPH THAT A DISPUTE IS WHOLLY WITHOUT MERIT, A CONTROLLER MUST, WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION EIGHT OF THIS SECTION, PROVIDE THE AFFECTED CONSUMER A STATEMENT IN WRITING THAT INCLUDES, AT A MINIMUM, THE SPECIFIC REASONS FOR THE DETER- MINATION, AND IDENTIFICATION OF ANY INFORMATION REQUIRED TO INVESTIGATE THE DISPUTED PERSONAL DATA, WHICH MAY CONSIST OF A STANDARDIZED FORM DESCRIBING THE GENERAL NATURE OF SUCH INFORMATION. (C) IF, AFTER ANY INVESTIGATION UNDER PARAGRAPH (A) OF THIS SUBDIVI- SION OF ANY PERSONAL DATA DISPUTED BY A CONSUMER, AN ITEM OF THE PERSONAL DATA IS FOUND TO BE INACCURATE OR INCOMPLETE, OR CANNOT BE VERIFIED, THE CONTROLLER MUST: (I) CORRECT THE INACCURATE OR INCOMPLETE PERSONAL DATA OF THE CONSUM- ER; AND (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT, COMMUNICATE SUCH REQUEST TO EACH PROCESSOR OR THIRD PARTY TO WHOM THE CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECEDING THE CONSUMER'S REQUEST, AND TO REQUIRE THOSE PROCESSORS OR THIRD PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD PARTIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO. (D) IF THE INVESTIGATION DOES NOT RESOLVE THE DISPUTE, THE CONSUMER MAY FILE WITH THE CONTROLLER A BRIEF STATEMENT SETTING FORTH THE NATURE OF THE DISPUTE. WHENEVER A STATEMENT OF A DISPUTE IS FILED, UNLESS THERE EXISTS REASONABLE GROUNDS TO BELIEVE THAT IT IS WHOLLY WITHOUT MERIT, THE CONTROLLER MUST NOTE THAT IT IS DISPUTED BY THE CONSUMER AND INCLUDE EITHER THE CONSUMER'S STATEMENT OR A CLEAR AND ACCURATE CODIFICATION OR SUMMARY THEREOF WITH THE DISPUTED PERSONAL DATA WHENEVER IT IS DISCLOSED, TRANSFERRED, OR SOLD TO ANY PROCESSOR OR THIRD PARTY. 6. RIGHT TO DELETE. (A) UPON THE VERIFIED REQUEST OF A CONSUMER, A CONTROLLER MUST: (I) WITHIN FORTY-FIVE DAYS AFTER RECEIVING THE VERIFIED REQUEST, DELETE ANY OR ALL PERSONAL DATA, AS DIRECTED BY THE CONSUMER OR THEIR AGENT, THAT THE CONTROLLER POSSESSES OR CONTROLS; AND (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT THAT IS DOCUMENTED IN WRITING BY THE CONTROLLER, COMMUNICATE SUCH REQUEST TO EACH PROCESSOR OR THIRD PARTY TO WHOM THE CONTROLLER DISCLOSED, TRANSFERRED OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECED- ING THE CONSUMER'S REQUEST AND TO REQUIRE THOSE PROCESSORS OR THIRD PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD PARTIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO. (B) FOR PERSONAL DATA THAT IS NOT POSSESSED BY THE CONTROLLER BUT BY A PROCESSOR OF THE CONTROLLER, THE CONTROLLER MAY CHOOSE TO (I) COMMUNI- CATE THE CONSUMER'S REQUEST FOR DELETION TO THE PROCESSOR, OR (II) REQUEST THAT THE PROCESSOR RETURN TO THE CONTROLLER THE PERSONAL DATA THAT IS THE SUBJECT OF THE CONSUMER'S REQUEST AND DELETE SUCH PERSONAL DATA UPON RECEIPT OF THE REQUEST. (C) A CONSUMER'S DELETION OF THEIR ONLINE ACCOUNT MUST BE TREATED AS A REQUEST TO THE CONTROLLER TO DELETE ALL OF THAT CONSUMER'S PERSONAL DATA. A. 680--B 11 (D) A CONTROLLER MUST MAINTAIN REASONABLE PROCEDURES DESIGNED TO PREVENT THE REAPPEARANCE IN ITS SYSTEMS, AND IN ANY DATA IT DISCLOSES, TRANSFERS, OR SELLS TO ANY PROCESSOR OR THIRD PARTY, THE PERSONAL DATA THAT IS DELETED PURSUANT TO THIS SUBDIVISION. (E) A CONTROLLER IS NOT REQUIRED TO COMPLY WITH A CONSUMER'S REQUEST TO DELETE PERSONAL DATA IF: (I) COMPLYING WITH THE REQUEST WOULD PREVENT THE CONTROLLER FROM PERFORMING ACCOUNTING FUNCTIONS, PROCESSING REFUNDS, EFFECTUATING A PRODUCT RECALL PURSUANT TO FEDERAL OR STATE LAW, OR FULFILLING WARRANTY CLAIMS, PROVIDED THAT THE PERSONAL DATA THAT IS THE SUBJECT OF THE REQUEST IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH SPECIFIC ACTIV- ITIES; OR (II) IT IS NECESSARY FOR THE CONTROLLER TO MAINTAIN THE CONSUMER'S PERSONAL DATA TO ENGAGE IN PUBLIC OR PEER-REVIEWED SCIENTIFIC, HISTOR- ICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE CONTROLLER'S DELETION OF THE INFORMATION IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR THE ACHIEVEMENT OF SUCH RESEARCH, PROVIDED THAT THE CONSUMER HAS GIVEN INFORMED CONSENT AND THE PERSONAL DATA IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH RESEARCH. 7. AUTOMATED DECISION-MAKING. (A) WHENEVER A CONTROLLER MAKES AN AUTO- MATED DECISION INVOLVING SOLELY AUTOMATED PROCESSING THAT MATERIALLY CONTRIBUTES TO A DENIAL OF FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION, INSURANCE, HEALTH CARE SERVICES, OR ACCESS TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, THE CONTROLLER MUST: (I) DISCLOSE IN A CLEAR, CONSPICUOUS, AND CONSUMER-FRIENDLY MANNER THAT THE DECISION WAS MADE BY A SOLELY AUTOMATED PROCESS; (II) PROVIDE AN AVENUE FOR THE AFFECTED CONSUMER TO APPEAL THE DECI- SION, WHICH MUST AT MINIMUM ALLOW THE AFFECTED CONSUMER TO (A) FORMALLY CONTEST THE DECISION, (B) PROVIDE INFORMATION TO SUPPORT THEIR POSITION, AND (C) OBTAIN MEANINGFUL HUMAN REVIEW OF THE DECISION; AND (III) EXPLAIN THE PROCESS TO APPEAL THE DECISION. (B) A CONTROLLER MUST RESPOND TO A CONSUMER'S APPEAL WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE APPEAL. THAT PERIOD MAY BE EXTENDED ONCE BY FORTY-FIVE ADDITIONAL DAYS WHERE REASONABLY NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF APPEALS. THE CONTROLLER MUST INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE APPEAL, TOGETHER WITH THE REASONS FOR THE DELAY. (C) (I) A CONTROLLER OR PROCESSOR ENGAGED IN AUTOMATED DECISION-MAKING AFFECTING FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION, INSURANCE, EDUCATION ENROLLMENT, EMPLOYMENT, HEALTH CARE SERVICES, OR ACCESS TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, OR ENGAGED IN ASSISTING OTHERS IN AUTOMATED DECISION-MAKING IN THOSE FIELDS, MUST ANNUALLY CONDUCT AN IMPACT ASSESSMENT OF SUCH AUTOMATED DECISION-MAKING THAT: (A) DESCRIBES AND EVALUATES THE OBJECTIVES AND DEVELOPMENT OF THE AUTOMATED DECISION-MAKING PROCESSES INCLUDING THE DESIGN AND TRAINING DATA USED TO DEVELOP THE AUTOMATED DECISION-MAKING PROCESS, HOW THE AUTOMATED DECISION-MAKING PROCESS WAS TESTED FOR ACCURACY, FAIRNESS, BIAS AND DISCRIMINATION; AND (B) ASSESSES WHETHER THE AUTOMATED DECISION-MAKING SYSTEM PRODUCES DISCRIMINATORY RESULTS ON THE BASIS OF A CONSUMER'S OR CLASS OF CONSUM- ERS' ACTUAL OR PERCEIVED RACE, COLOR, ETHNICITY, RELIGION, NATIONAL ORIGIN, SEX, GENDER, GENDER IDENTITY, SEXUAL ORIENTATION, FAMILIAL STATUS, BIOMETRIC INFORMATION, LAWFUL SOURCE OF INCOME, OR DISABILITY. A. 680--B 12 (II) A CONTROLLER OR PROCESSOR MUST UTILIZE AN EXTERNAL, INDEPENDENT AUDITOR OR RESEARCHER TO CONDUCT SUCH ASSESSMENTS. (III) A CONTROLLER OR PROCESSOR MUST MAKE PUBLICLY AVAILABLE IN A MANNER ACCESSIBLE ONLINE ALL IMPACT ASSESSMENTS PREPARED PURSUANT TO THIS SECTION, RETAIN ALL SUCH IMPACT ASSESSMENTS FOR AT LEAST SIX YEARS, AND MAKE ANY SUCH RETAINED IMPACT ASSESSMENTS AVAILABLE TO ANY STATE, FEDERAL, OR LOCAL GOVERNMENT AUTHORITY UPON REQUEST. (IV) FOR PURPOSES OF THIS PARAGRAPH, THE LIMITATIONS TO JURISDICTIONAL SCOPE SET FORTH IN PARAGRAPHS (B) AND (C) OF SUBDIVISION TWO OF SECTION ELEVEN HUNDRED ONE OF THIS ARTICLE SHALL NOT APPLY. 8. RESPONDING TO REQUESTS. (A) A CONTROLLER MUST TAKE ACTION UNDER SUBDIVISIONS THREE THROUGH SIX OF THIS SECTION AND INFORM THE CONSUMER OF ANY ACTIONS TAKEN WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY- FIVE DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED ONCE BY FORTY-FIVE ADDITIONAL DAYS WHERE REASONABLY NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE CONTROLLER MUST INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHEN A CONTROLLER DENIES ANY SUCH REQUEST, IT MUST WITHIN THIS PERIOD DISCLOSE TO THE CONSUMER A STATEMENT IN WRITING OF THE SPECIFIC REASONS FOR THE DENIAL. (B) A CONTROLLER SHALL PERMIT THE EXERCISE OF RIGHTS AND CARRY OUT ITS OBLIGATIONS SET FORTH IN SUBDIVISIONS THREE THROUGH SIX OF THIS SECTION FREE OF CHARGE, AT LEAST TWICE ANNUALLY TO THE CONSUMER. WHERE REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR BECAUSE OF THEIR REPETITIVE CHARACTER, THE CONTROLLER MAY EITHER (I) CHARGE A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST OR (II) REFUSE TO ACT ON THE REQUEST AND NOTIFY THE CONSUMER OF THE REASON FOR REFUSING THE REQUEST. THE CONTROLLER BEARS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE CHAR- ACTER OF THE REQUEST. (C) (I) A CONTROLLER SHALL PROMPTLY ATTEMPT, USING COMMERCIALLY REASONABLE EFFORTS, TO VERIFY THAT ALL REQUESTS TO EXERCISE ANY RIGHTS SET FORTH IN ANY SECTION OF THIS ARTICLE REQUIRING A VERIFIED REQUEST WERE MADE BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, OR BY A PERSON LAWFULLY EXERCISING THE RIGHT ON BEHALF OF THE CONSUMER WHO IS THE SUBJECT OF THE DATA. COMMERCIALLY REASONABLE EFFORTS SHALL BE DETERMINED BASED ON THE TOTALITY OF THE CIRCUMSTANCES, INCLUDING THE NATURE OF THE DATA IMPLICATED BY THE REQUEST. (II) A CONTROLLER MAY REQUIRE THE CONSUMER TO PROVIDE ADDITIONAL INFORMATION ONLY IF THE REQUEST CANNOT REASONABLY BE VERIFIED WITHOUT THE PROVISION OF SUCH ADDITIONAL INFORMATION. A CONTROLLER MUST NOT TRANSFER OR PROCESS ANY SUCH ADDITIONAL INFORMATION PROVIDED PURSUANT TO THIS SECTION FOR ANY OTHER PURPOSE AND MUST DELETE ANY SUCH ADDITIONAL INFORMATION WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-FIVE DAYS AFTER THE CONTROLLER HAS NOTIFIED THE CONSUMER THAT IT HAS TAKEN ACTION ON A REQUEST UNDER SUBDIVISIONS TWO THROUGH FIVE OF THIS SECTION AS DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION. (III) IF A CONTROLLER DISCLOSES THIS ADDITIONAL INFORMATION TO ANY PROCESSOR OR THIRD PARTY FOR THE PURPOSE OF VERIFYING A CONSUMER REQUEST, IT MUST NOTIFY THE RECEIVING PROCESSOR OR THIRD PARTY AT THE TIME OF SUCH DISCLOSURE, OR AS CLOSE IN TIME TO THE DISCLOSURE AS IS REASONABLY PRACTICABLE, THAT SUCH INFORMATION WAS PROVIDED BY THE CONSUMER FOR THE SOLE PURPOSE OF VERIFICATION AND CANNOT BE PROCESSED FOR ANY PURPOSE OTHER THAN VERIFICATION. A. 680--B 13 9. IMPLEMENTATION OF RIGHTS. CONTROLLERS MUST PROVIDE EASILY ACCESSI- BLE AND CONVENIENT MEANS FOR CONSUMERS TO EXERCISE THEIR RIGHTS UNDER THIS ARTICLE. 10. NON-WAIVER OF RIGHTS. ANY PROVISION OF A CONTRACT OR AGREEMENT OF ANY KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S RIGHTS UNDER THIS ARTICLE IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNEN- FORCEABLE. § 1103. CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES. 1. CONTROLLER RESPONSIBILITIES. (A) DATA PROTECTION ASSESSMENT. A CONTROL- LER SHALL REGULARLY CONDUCT AND DOCUMENT A DATA PROTECTION ASSESSMENT FOR PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO THE CONSUMER. SUCH ASSESSMENT MUST IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW, DIRECTLY AND INDIRECTLY, FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER STAKEHOLDERS, AND THE PUBLIC AGAINST THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER, OR CLASS OF CONSUMERS, ASSOCIATED WITH THE PROCESSING, AS MITIGATED BY SAFEGUARDS THAT THE CONTROLLER CAN EMPLOY TO REDUCE THE RISKS. THE CONTROLLER SHALL FACTOR INTO THIS ASSESSMENT THE USE OF DEIDENTIFIED DATA AND THE REASONABLE EXPECTATIONS OF CONSUMERS, AS WELL AS THE CONTEXT OF THE PROCESSING AND THE RELATION- SHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED, WITH THE GOAL OF RESTRICTING OR PROHIBITING SUCH PROCESSING IF THE RISKS OF HARM TO THE CONSUMER OUTWEIGH THE BENEFITS RESULTING FROM THE PROCESSING TO THE CONSUMER. PROCESSING THAT PRESENTS A HEIGHT- ENED RISK OF HARM TO THE CONSUMER INCLUDES THE FOLLOWING: (I) PROCESSING THAT MAY BENEFIT THE CONTROLLER TO THE DETRIMENT OF THE CONSUMER; (II) PROCESSING THAT WOULD BE UNEXPECTED AND HIGHLY OFFENSIVE TO A REASONABLE CONSUMER; (III) PROCESSING PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING; (IV) SALE OF PERSONAL DATA; AND (V) PROCESSING OF PERSONAL DATA FOR PURPOSES OF PROFILING, WHERE SUCH PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF: (A) UNFAIR OR DECEPTIVE TREATMENT, OR UNLAWFUL DISPARATE IMPACT ON, CONSUMERS OR A CLASS OF CONSUMERS; (B) FINANCIAL, PHYSICAL, PSYCHOLOGICAL OR REPUTATIONAL INJURY TO CONSUMERS, OR A CLASS OF CONSUMERS; (C) A PHYSICAL OR OTHERWISE INTRUSION UPON THE SOLITUDE OR SECLUSION, OR THE PRIVATE AFFAIRS OR CONCERNS, OF CONSUMERS, WHERE SUCH INTRUSION WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR (D) OTHER SUBSTANTIAL INJURY TO CONSUMERS. (B) DUTY OF LOYALTY. (I) A CONTROLLER MUST NOTIFY THE CONSUMER, OR CLASS OF CONSUMERS, OF THE INTEREST THAT MAY BE HARMED IN ADVANCE OF REQUESTING CONSENT AND AS CLOSE IN TIME TO THE PROCESSING AS PRACTICABLE WHERE IT IS REASONABLY FORESEEABLE TO THE CONTROLLER THAT A PROCESS PRESENTS A HEIGHTENED RISK OF HARM TO THE CONSUMER OR CLASS OF CONSUM- ERS. (II) CONTROLLERS MUST NOT ENGAGE IN UNFAIR, DECEPTIVE, OR ABUSIVE ACTS OR PRACTICES WITH RESPECT TO OBTAINING CONSUMER CONSENT, THE PROCESSING OF PERSONAL DATA, AND A CONSUMER'S EXERCISE OF ANY RIGHTS UNDER THIS ARTICLE, INCLUDING WITHOUT LIMITATION: (A) DESIGNING A USER INTERFACE WITH THE PURPOSE OR SUBSTANTIAL EFFECT OF DECEIVING CONSUMERS, OBSCURING CONSUMERS' RIGHTS UNDER THIS ARTICLE, OR SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE IN ORDER TO OBTAIN CONSENT; OR (B) OBTAINING CONSENT IN A MANNER DESIGNED TO OVERPOWER A CONSUMER'S RESISTANCE; FOR EXAMPLE, BY MAKING EXCESSIVE REQUESTS FOR CONSENT. A. 680--B 14 (C) DUTY OF CARE. (I) (A) CONTROLLERS MUST, ON AT LEAST AN ANNUAL BASIS, CONDUCT AND DOCUMENT RISK ASSESSMENTS OF ALL CURRENT PROCESSING OF PERSONAL DATA. (B) RISK ASSESSMENTS MUST ASSESS AT A MINIMUM: (I) THE NATURE, SENSITIVITY AND CONTEXT OF THE PERSONAL DATA THAT THE CONTROLLER PROCESSES; (II) THE NATURE, PURPOSE, AND VALUE OF THE PROCESSES; (III) ANY RISKS OR HARMS TO CONSUMERS ACTUALLY OR POTENTIALLY ARISING OUT OF THE PROCESSES, INCLUDING PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR REPUTATIONAL HARMS; (IV) THE ADEQUACY AND EFFECT OF SAFEGUARDS IMPLEMENTED BY THE CONTROL- LERS; (V) THE SUFFICIENCY OF THE CONTROLLER'S NOTICES TO CONSUMERS AT DESCRIBING AND OBTAINING CONSENT CONCERNING THE PROCESSES; AND (VI) THE ADEQUACY OF THE SAFEGUARDS AND MONITORING PRACTICES OF PROCESSORS AND THIRD PARTIES TO WHOM THE CONTROLLER HAS PROVIDED PERSONAL DATA. (C) THE CONTROLLER MUST RETAIN RISK ASSESSMENTS FOR AT LEAST SIX YEARS AND MAKE RISK ASSESSMENTS AVAILABLE TO THE ATTORNEY GENERAL UPON REQUEST. (II) CONTROLLERS MUST DEVELOP, IMPLEMENT, AND MAINTAIN REASONABLE SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE PERSONAL DATA OF CONSUMERS INCLUDING ADOPTING REASONABLE ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE. (III) (A) A CONTROLLER SHALL LIMIT THE USE AND RETENTION OF A CONSUM- ER'S PERSONAL DATA TO WHAT IS NECESSARY TO PROVIDE A SERVICE OR GOOD REQUESTED BY A CONSUMER OR FOR PURPOSES FOR WHICH THE CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT. (B) AT LEAST ANNUALLY, A CONTROLLER SHALL REVIEW ITS RETENTION PRAC- TICES FOR THE PURPOSE OF ENSURING THAT IT IS MAINTAINING THE MINIMUM AMOUNT OF PERSONAL DATA AS IS NECESSARY FOR THE OPERATION OF ITS BUSI- NESS. A CONTROLLER MUST DISPOSE OF ALL PERSONAL DATA THAT IS NO LONGER (I) NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUM- ER, (II) NECESSARY FOR THE INTERNAL BUSINESS OPERATIONS OF THE CONTROL- LER AND CONSISTENT WITH THE DISCLOSURES MADE TO THE CONSUMER PURSUANT TO SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR (III) NECESSARY TO COMPLY WITH THE LEGAL OBLIGATIONS OF THE CONTROLLER. (IV) CONTROLLERS SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES FOR CIRCUMSTANCES THAT MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND TO UPDATE THEIR CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE ACCORDINGLY. (D) NON-DISCRIMINATION. (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING RIGHTS UNDER THIS ACT, INCLUDING BUT NOT LIMITED TO, BY: (A) DENYING SERVICES OR GOODS TO CONSUMERS; (B) CHARGING DIFFERENT PRICES FOR SERVICES OR GOODS, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS; IMPOSING PENALTIES; OR PROVIDING A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR (C) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR SERVICES OR GOODS OR A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS. A. 680--B 15 (II) THIS PARAGRAPH DOES NOT APPLY TO A CONTROLLER'S CONDUCT WITH RESPECT TO OPT-IN CONSENT, IN WHICH CASE PARAGRAPH (J) OF SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE GOVERNS. (E) AGREEMENTS WITH PROCESSORS. (I) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO ANY PROCESSOR, THE CONTROLLER MUST ENTER INTO A WRITTEN, SIGNED CONTRACT WITH THAT PROCESSOR. SUCH CONTRACT MUST BE BINDING AND CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING DATA, THE NATURE AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROC- ESSING, THE DURATION OF PROCESSING, AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES. THE CONTRACT MUST ALSO INCLUDE REQUIREMENTS THAT THE PROCESSOR MUST: (A) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA; (B) PROTECT THE DATA IN A MANNER CONSISTENT WITH THE REQUIREMENTS OF THIS ACT AND AT LEAST EQUAL TO THE SECURITY REQUIREMENTS OF THE CONTROL- LER SET FORTH IN THEIR PUBLICLY AVAILABLE POLICIES, NOTICES, OR SIMILAR STATEMENTS; (C) PROCESS THE DATA ONLY WHEN AND TO THE EXTENT NECESSARY TO COMPLY WITH ITS LEGAL OBLIGATIONS TO THE CONTROLLER UNLESS OTHERWISE EXPLICITLY AUTHORIZED BY THE CONTROLLER; (D) NOT COMBINE THE PERSONAL DATA WHICH THE PROCESSOR RECEIVES FROM OR ON BEHALF OF THE CONTROLLER WITH PERSONAL DATA WHICH THE PROCESSOR RECEIVES FROM OR ON BEHALF OF ANOTHER PERSON OR COLLECTS FROM ITS OWN INTERACTION WITH CONSUMERS; (E) COMPLY WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER, SUBJECT TO THE LIMITATIONS SET FORTH IN SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE; (F) AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICES, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW; (G) UPON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO THE CONTROLLER ALL DATA IN ITS POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS ACT; (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE CONTROL- LER OR THE CONTROLLER'S DESIGNATED ASSESSOR; ALTERNATIVELY, THE PROCESS- OR MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT ASSESSOR TO CONDUCT AN ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS ARTICLE USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT OF SUCH ASSESSMENT TO THE CONTROLLER UPON REQUEST; (I) A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING THE DATA TO ANY FURTHER PROCESSORS, NOTIFY THE CONTROLLER OF SUCH A PROPOSED DISCLOSURE OR TRANSFER AND PROVIDE THE CONTROLLER AN OPPORTUNITY TO APPROVE OR REJECT THE PROPOSAL; AND (J) ENGAGE ANY FURTHER PROCESSOR PURSUANT TO A WRITTEN, SIGNED CONTRACT THAT INCLUDES THE CONTRACTUAL REQUIREMENTS PROVIDED IN THIS PARAGRAPH, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE PROCESSOR HAS ENTERED INTO WITH REGARD TO THE DATA. (II) A CONTROLLER MUST NOT AGREE TO INDEMNIFY, DEFEND, OR HOLD A PROCESSOR HARMLESS, OR AGREE TO A PROVISION THAT HAS THE EFFECT OF INDEMNIFYING, DEFENDING, OR HOLDING THE PROCESSOR HARMLESS, FROM CLAIMS OR LIABILITY ARISING FROM THE PROCESSOR'S BREACH OF THE CONTRACT REQUIRED BY CLAUSE (A) OF SUBPARAGRAPH (I) OF THIS PARAGRAPH OR A A. 680--B 16 VIOLATION OF THIS ACT. ANY PROVISION OF AN AGREEMENT THAT VIOLATES THIS SUBPARAGRAPH IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNENFORCEABLE. (III) NOTHING IN THIS PARAGRAPH RELIEVES A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON IT BY VIRTUE OF ITS ROLE IN THE PROCESS- ING RELATIONSHIP AS DEFINED BY THIS ARTICLE. (IV) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCES- SOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETER- MINATION THAT DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS TO BE PROCESSED. A PROCESSOR THAT CONTINUES TO ADHERE TO A CONTROLLER'S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA REMAINS A PROCESSOR. (F) THIRD PARTIES. (I) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANS- FER, OR SELL PERSONAL DATA, OR FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO A THIRD PARTY FOR WHICH CONSENT OF THE CONSUMER PURSUANT TO SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, HAS NOT BEEN OBTAINED OR IS NOT CURRENTLY IN EFFECT. ANY REQUEST FOR CONSENT TO SHARE, DISCLOSE, TRANS- FER, OR SELL PERSONAL DATA, OR TO FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO A THIRD PARTY MUST CLEARLY INCLUDE THE IDENTITY OF THE THIRD PARTY AND THE PROCESSING PURPOSES FOR WHICH THE THIRD PARTY MAY USE THE PERSONAL DATA. (II) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANSFER, OR SELL PERSONAL DATA, OR FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA IF IT CAN REASONABLY EXPECT THE PERSONAL DATA OF A CONSUMER TO BE USED FOR PURPOSES THAT THE CONSUMER HAS NOT CONSENTED TO PURSUANT TO SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTI- CLE, OR IF IT CAN REASONABLY EXPECT THAT ANY RIGHTS OF THE CONSUMER PROVIDED IN THIS ARTICLE WOULD BE COMPROMISED AS A RESULT OF SUCH TRANS- ACTION. (III) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO ANY THIRD PARTY, THE CONTROLLER MUST ENTER INTO A WRITTEN, SIGNED CONTRACT. SUCH CONTRACT MUST BE BINDING AND THE SCOPE, NATURE, AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROCESSING, THE DURA- TION OF PROCESSING, AND THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES. SUCH CONTRACT MUST INCLUDE REQUIREMENTS THAT THE THIRD PARTY: (A) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED BY THE AGREEMENT ENTERED INTO WITH THE CONTROLLER; AND (B) PROVIDE A MECHANISM TO COMPLY WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER, SUBJECT TO ANY LIMITATIONS THEREON AS AUTHORIZED BY THIS ARTICLE; AND (C) TO THE EXTENT THE DISCLOSURE, TRANSFER, OR SALE OF THE PERSONAL DATA CAUSES THE THIRD PARTY TO BECOME A CONTROLLER, COMPLY WITH ALL OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE. 2. PROCESSOR RESPONSIBILITIES. (A) FOR ANY PERSONAL DATA THAT IS OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE ACQUIRED BY A PROCESSOR, WHETHER DIRECTLY FROM A CONTROLLER OR INDIRECTLY FROM ANOTHER PROCESSOR, THE PROCESSOR MUST COMPLY WITH THE REQUIREMENTS SET FORTH IN CLAUSES (A) THROUGH (J) OF SUBPARAGRAPH (I) OF PARAGRAPH (E) OF SUBDIVISION ONE OF THIS SECTION. (B) A PROCESSOR IS NOT REQUIRED TO COMPLY WITH A REQUEST BY THE CONSUMER SUBMITTED PURSUANT TO THIS ARTICLE BY A CONSUMER DIRECTLY TO THE PROCESSOR TO THE EXTENT THAT THE PROCESSOR HAS PROCESSED THE CONSUM- ER'S PERSONAL DATA SOLELY IN ITS ROLE AS A PROCESSOR FOR A CONTROLLER. (C) PROCESSORS SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES FOR CIRCUMSTANCES THAT A. 680--B 17 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND TO UPDATE THEIR CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE ACCORDINGLY. (D) A PROCESSOR SHALL NOT ENGAGE IN ANY SALE OF PERSONAL DATA OTHER THAN ON BEHALF OF THE CONTROLLER PURSUANT TO ANY AGREEMENT ENTERED INTO WITH THE CONTROLLER. 3. THIRD PARTY RESPONSIBILITIES. (A) FOR ANY PERSONAL DATA THAT IS OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE ACQUIRED OR ACCESSED BY A THIRD PARTY FROM A CONTROLLER OR PROCESSOR, THE THIRD PARTY MUST: (I) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED BY ANY AGREEMENTS ENTERED INTO WITH THE CONTROLLER; (II) PROCESS ONLY THE PERSONAL DATA NECESSARY FOR PURPOSES FOR WHICH FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT IS IN EFFECT, AS CONVEYED BY THE CONTROLLER, LIMIT THE USE AND RETENTION OF THAT DATA TO WHAT IS NECESSARY FOR SUCH PURPOSES, AND SHALL IMMEDIATELY DELETE SUCH PERSONAL DATA WHEN NOTIFIED THAT THE CONSENT IS WITHHELD, DENIED, OR WITHDRAWN; (III) COMPLY WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER OR PROCESSOR, SUBJECT TO ANY LIMITATIONS THEREON AS AUTHORIZED BY THIS ARTICLE; AND (IV) TO THE EXTENT THE THIRD PARTY BECOMES A CONTROLLER FOR PERSONAL DATA, COMPLY WITH ALL OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE. 4. EXCEPTIONS. THE REQUIREMENTS OF THIS SECTION SHALL NOT APPLY WHERE: (A) THE PROCESSING IS REQUIRED BY LAW; (B) THE PROCESSING IS MADE PURSUANT TO A REQUEST BY A FEDERAL, STATE, OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR (C) THE PROCESSING SIGNIFICANTLY ADVANCES PROTECTION AGAINST CRIMINAL OR TORTIOUS ACTIVITY. § 1104. DATA BROKERS. 1. A DATA BROKER, AS DEFINED UNDER THIS ARTICLE, MUST: (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN WHICH A PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE: (I) REGISTER WITH THE ATTORNEY GENERAL; (II) PAY A REGISTRATION FEE OF ONE HUNDRED DOLLARS OR AS OTHERWISE DETERMINED BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY AUTHORITY GRANTED TO THE ATTORNEY GENERAL UNDER THIS ARTICLE, NOT TO EXCEED THE REASONABLE COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND INFOR- MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND (III) PROVIDE THE FOLLOWING INFORMATION: (A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS OF THE DATA BROKER; (B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA BROKER; (C) A STATEMENT DESCRIBING THE METHOD FOR EXERCISING CONSUMERS RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE; (D) A STATEMENT WHETHER THE DATA BROKER IMPLEMENTS A PURCHASER CREDEN- TIALING PROCESS; AND (E) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER CHOOSES TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES. 2. NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE, ANY CONTROLLER THAT CONDUCTS BUSINESS IN THE STATE OF NEW YORK MUST: (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN WHICH A PERSON MEETS THE DEFINITION OF CONTROLLER IN THIS ACT, PROVIDE A. 680--B 18 TO THE ATTORNEY GENERAL A LIST OF ALL DATA BROKERS OR PERSONS REASONABLY BELIEVED TO BE DATA BROKERS TO WHICH THE CONTROLLER PROVIDED PERSONAL DATA IN THE PRECEDING YEAR; AND (B) NOT SELL A CONSUMER'S PERSONAL DATA TO A DATA BROKER THAT IS NOT REGISTERED WITH THE ATTORNEY GENERAL. 3. THE ATTORNEY GENERAL SHALL ESTABLISH, MANAGE AND MAINTAIN A STATE- WIDE REGISTRY ON ITS INTERNET WEBSITE, WHICH SHALL LIST ALL REGISTERED DATA BROKERS AND MAKE ACCESSIBLE TO THE PUBLIC ALL THE INFORMATION PROVIDED BY DATA BROKERS PURSUANT TO THIS SECTION. PRINTED HARD COPIES OF SUCH REGISTRY SHALL BE MADE AVAILABLE UPON REQUEST AND PAYMENT OF A FEE TO BE DETERMINED BY THE ATTORNEY GENERAL. 4. A DATA BROKER THAT FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR SUBMITS FALSE INFORMATION IN ITS REGISTRATION IS, IN ADDITION TO ANY OTHER INJUNCTION, PENALTY, OR LIABILITY THAT MAY BE IMPOSED UNDER THIS ARTICLE, LIABLE FOR CIVIL PENALTIES, FEES, AND COSTS IN AN ACTION BROUGHT BY THE ATTORNEY GENERAL AS FOLLOWS: (A) A CIVIL PENALTY OF ONE THOUSAND DOLLARS FOR EACH DAY THE DATA BROKER FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR FAILS TO CORRECT FALSE INFORMATION, (B) AN AMOUNT EQUAL TO THE FEES THAT WERE DUE DURING THE PERIOD IT FAILED TO REGISTER, AND (C) EXPENSES INCURRED BY THE ATTORNEY GENERAL IN THE INVESTIGATION AND PROSECUTION OF THE ACTION AS THE COURT DEEMS APPROPRI- ATE. § 1105. LIMITATIONS. 1. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER OR PROCESSOR TO DO ANY OF THE FOLLOWING SOLELY FOR PURPOSES OF COMPLYING WITH THIS ARTICLE: (A) REIDENTIFY DEIDENTIFIED DATA; (B) COMPLY WITH A VERIFIED CONSUMER REQUEST TO ACCESS, CORRECT, OR DELETE PERSONAL DATA PURSUANT TO THIS ARTICLE IF ALL OF THE FOLLOWING ARE TRUE: (I) THE CONTROLLER IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA; (II) THE CONTROLLER DOES NOT ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER AS PART OF ITS NORMAL BUSINESS PRACTICE; AND (III) THE CONTROLLER DOES NOT SELL THE PERSONAL DATA TO ANY THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE OR TRANSFER THE PERSONAL DATA TO ANY PROCESSOR OR THIRD PARTY, EXCEPT AS OTHERWISE PERMITTED IN THIS ARTICLE; OR (C) MAINTAIN PERSONAL DATA IN IDENTIFIABLE FORM, OR COLLECT, OBTAIN, RETAIN, OR ACCESS ANY PERSONAL DATA OR TECHNOLOGY, IN ORDER TO BE CAPA- BLE OF ASSOCIATING A VERIFIED CONSUMER REQUEST WITH PERSONAL DATA. 2. THE OBLIGATIONS IMPOSED ON CONTROLLERS AND PROCESSORS UNDER THIS ARTICLE DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO DO ANY OF THE FOLLOWING, TO THE EXTENT THAT THE USE OF THE CONSUMER'S PERSONAL DATA IS REASONABLY NECESSARY AND PROPORTIONATE FOR THESE PURPOSES: (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS; (B) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI- GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERN- MENTAL AUTHORITIES; (C) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGU- LATIONS; (D) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND LEGAL CLAIMS; A. 680--B 19 (E) PROCESS PERSONAL DATA NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY A CONSUMER; PERFORM A CONTRACT TO WHICH THE CONSUMER IS A PARTY; OR TAKE STEPS AT THE REQUEST OF THE CONSUMER PRIOR TO ENTERING INTO A CONTRACT; (F) TAKE IMMEDIATE STEPS TO PROTECT THE LIFE OR PHYSICAL SAFETY OF THE CONSUMER OR OF ANOTHER NATURAL PERSON, AND WHERE THE PROCESSING CANNOT BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS; (G) PREVENT, DETECT, PROTECT AGAINST, OR RESPOND TO SECURITY INCI- DENTS, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIV- ITIES, OR ANY ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR ANY SUCH ACTION; (H) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR (I) PROCESS BUSINESS CONTACT INFORMATION, INCLUDING A NATURAL PERSON'S NAME, POSITION NAME OR TITLE, BUSINESS TELEPHONE NUMBER, BUSINESS ADDRESS, BUSINESS ELECTRONIC MAIL ADDRESS, BUSINESS FAX NUMBER, OR QUAL- IFICATIONS AND ANY OTHER SIMILAR INFORMATION ABOUT THE NATURAL PERSON. 3. THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS ARTICLE DO NOT APPLY WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW YORK LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVI- LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION. 4. A CONTROLLER THAT RECEIVES A REQUEST PURSUANT TO SUBDIVISIONS THREE THROUGH SIX OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR A PROCESS- OR OR THIRD PARTY TO WHOM A CONTROLLER COMMUNICATES SUCH A REQUEST, MAY DECLINE TO FULFILL THE RELEVANT PART OF SUCH REQUEST IF: (A) THE CONTROLLER, PROCESSOR, OR THIRD PARTY IS UNABLE TO VERIFY THE REQUEST USING COMMERCIALLY REASONABLE EFFORTS, AS DESCRIBED IN PARAGRAPH (C) OF SUBDIVISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE; (B) COMPLYING WITH THE REQUEST WOULD BE DEMONSTRABLY IMPOSSIBLE (FOR PURPOSES OF THIS PARAGRAPH, THE RECEIPT OF A LARGE NUMBER OF VERIFIED REQUESTS, ON ITS OWN, IS NOT SUFFICIENT TO RENDER COMPLIANCE WITH A REQUEST DEMONSTRABLY IMPOSSIBLE); (C) COMPLYING WITH THE REQUEST WOULD IMPAIR THE PRIVACY OF ANOTHER INDIVIDUAL OR THE RIGHTS OF ANOTHER TO EXERCISE FREE SPEECH; OR (D) THE PERSONAL DATA WAS CREATED BY A NATURAL PERSON OTHER THAN THE CONSUMER MAKING THE REQUEST AND IS BEING PROCESSED FOR THE PURPOSE OF FACILITATING INTERPERSONAL RELATIONSHIPS OR PUBLIC DISCUSSION. § 1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION. 1. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL, EITHER UPON COMPLAINT OR OTHERWISE, THAT ANY PERSON OR PERSONS HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN THE NAME AND ON BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR PROP- ERTY OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT OF ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN CIVIL PENALTIES OF NOT MORE THAN FIFTEEN THOUSAND DOLLARS PER VIOLATION, AND TO OBTAIN ANY SUCH OTHER AND FURTHER RELIEF AS THE COURT MAY DEEM PROPER, INCLUDING PRELIMINARY RELIEF. (A) ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS. (B) EACH INSTANCE OF UNLAWFUL PROCESSING COUNTS AS A SEPARATE VIOLATION. UNLAWFUL PROCESSING OF THE PERSONAL DATA OF MORE THAN ONE A. 680--B 20 CONSUMER COUNTS AS A SEPARATE VIOLATION AS TO EACH CONSUMER. EACH PROVISION OF THIS ARTICLE THAT IS VIOLATED COUNTS AS A SEPARATE VIOLATION. (C) IN ASSESSING THE AMOUNT OF PENALTIES, THE COURT MUST CONSIDER ANY ONE OR MORE OF THE RELEVANT CIRCUMSTANCES PRESENTED BY ANY OF THE PARTIES, INCLUDING, BUT NOT LIMITED TO, THE NATURE AND SERIOUSNESS OF THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCON- DUCT, THE LENGTH OF TIME OVER WHICH THE MISCONDUCT OCCURRED, THE WILL- FULNESS OF THE VIOLATOR'S MISCONDUCT, AND THE VIOLATOR'S FINANCIAL CONDITION. 2. IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD- ANCE WITH THE CIVIL PRACTICE LAW AND RULES. THE ATTORNEY GENERAL MAY ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE- VANT AND MAY REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER OATH. SUCH POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON OF ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL UNDER THIS ARTICLE. 3. ANY PERSON, WITHIN OR OUTSIDE THE STATE, WHO THE ATTORNEY GENERAL BELIEVES MAY BE IN POSSESSION, CUSTODY, OR CONTROL OF ANY BOOKS, PAPERS, OR OTHER THINGS, OR MAY HAVE INFORMATION, RELEVANT TO ACTS OR PRACTICES STATED TO BE UNLAWFUL IN THIS ARTICLE IS SUBJECT TO THE SERVICE OF A SUBPOENA ISSUED BY THE ATTORNEY GENERAL PURSUANT TO THIS SECTION. SERVICE MAY BE MADE IN ANY MANNER THAT IS AUTHORIZED FOR SERVICE OF A SUBPOENA OR A SUMMONS BY THE STATE IN WHICH SERVICE IS MADE. 4. (A) FAILURE TO COMPLY WITH A SUBPOENA ISSUED PURSUANT TO THIS SECTION WITHOUT REASONABLE CAUSE TOLLS THE APPLICABLE STATUTES OF LIMI- TATIONS IN ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL AGAINST THE NONCOMPLIANT PERSON THAT ARISES OUT OF THE ATTORNEY GENERAL'S INVESTIGATION. (B) IF A PERSON FAILS TO COMPLY WITH A SUBPOENA ISSUED PURSUANT TO THIS SECTION, THE ATTORNEY GENERAL MAY MOVE IN THE SUPREME COURT TO COMPEL COMPLIANCE. IF THE COURT FINDS THAT THE SUBPOENA WAS AUTHORIZED, IT SHALL ORDER COMPLIANCE AND MAY IMPOSE A CIVIL PENALTY OF UP TO FIVE HUNDRED DOLLARS PER DAY OF NONCOMPLIANCE. (C) SUCH TOLLING AND CIVIL PENALTY SHALL BE IN ADDITION TO ANY OTHER PENALTIES OR REMEDIES PROVIDED BY LAW FOR NONCOMPLIANCE WITH A SUBPOENA. 5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL UNDER THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND SHALL NOT SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION OR CONDUCT ANY INQUIRY. 6. ANY CONSUMER WHO HAS BEEN INJURED BY A VIOLATION OF SUBDIVISION TWO, SEVEN OR EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER OWN NAME TO ENJOIN SUCH UNLAWFUL ACT OR PRACTICE AND TO RECOVER HIS OR HER ACTUAL DAMAGES OR ONE THOUSAND DOLLARS, WHICHEVER IS GREATER. THE COURT MAY ALSO AWARD REASONABLE ATTORNEYS' FEES TO A PREVAILING PLAINTIFF. ACTIONS PURSUANT TO THIS SECTION MAY BE BROUGHT ON A CLASS-WIDE BASIS. § 1107. MISCELLANEOUS. 1. PREEMPTION: THIS ARTICLE DOES NOT ANNUL, ALTER, OR AFFECT THE LAWS, ORDINANCES, REGULATIONS, OR THE EQUIVALENT ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING, COLLECTION, TRANS- FER, DISCLOSURE, AND SALE OF CONSUMERS' PERSONAL DATA BY A CONTROLLER OR PROCESSOR SUBJECT TO THIS ARTICLE, EXCEPT TO THE EXTENT THOSE LAWS, ORDINANCES, REGULATIONS, OR THE EQUIVALENT CREATE REQUIREMENTS OR OBLI- A. 680--B 21 GATIONS THAT CONFLICT WITH OR REDUCE THE PROTECTIONS AFFORDED TO CONSUM- ERS UNDER THIS ARTICLE. 2. IMPACT REPORT: THE ATTORNEY GENERAL SHALL ISSUE A REPORT EVALUATING THIS ARTICLE, ITS SCOPE, ANY COMPLAINTS FROM CONSUMERS OR PERSONS, THE LIABILITY AND ENFORCEMENT PROVISIONS OF THIS ARTICLE INCLUDING, BUT NOT LIMITED TO, THE EFFECTIVENESS OF ITS EFFORTS TO ENFORCE THIS ARTICLE, AND ANY RECOMMENDATIONS FOR CHANGES TO SUCH PROVISIONS. THE ATTORNEY GENERAL SHALL SUBMIT THE REPORT TO THE GOVERNOR, THE TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE APPROPRIATE COMMIT- TEES OF THE LEGISLATURE WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS SECTION. 3. REGULATORY AUTHORITY: (A) THE ATTORNEY GENERAL IS HEREBY AUTHORIZED AND EMPOWERED TO ADOPT, PROMULGATE, AMEND AND RESCIND SUITABLE RULES AND REGULATIONS TO CARRY OUT THE PROVISIONS OF THIS ARTICLE, INCLUDING RULES GOVERNING THE FORM AND CONTENT OF ANY DISCLOSURES OR COMMUNICATIONS REQUIRED BY THIS ARTICLE. (B) THE ATTORNEY GENERAL MAY REQUEST DATA AND INFORMATION FROM CONTROLLERS CONDUCTING BUSINESS IN NEW YORK STATE, OTHER NEW YORK STATE GOVERNMENT ENTITIES ADMINISTERING NOTICE AND CONSENT REGIMES, CONSUMER PROTECTION AND PRIVACY ADVOCATES AND RESEARCHERS, INTERNET STANDARDS SETTING BODIES, SUCH AS THE INTERNET ENGINEERING TASKFORCE AND THE INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, AND OTHER RELEVANT SOURCES, TO CONDUCT STUDIES TO INFORM SUITABLE RULES AND REGULATIONS. THE ATTORNEY GENERAL SHALL RECEIVE, UPON REQUEST, DATA FROM OTHER NEW YORK STATE GOVERNMENTAL ENTITIES. 4. EXERCISE OF RIGHTS: ANY CONSUMER RIGHT SET FORTH IN THIS ARTICLE MAY BE EXERCISED AT ANY TIME BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA OR BY A PARENT OR GUARDIAN AUTHORIZED BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF OF THE CONSUMER WHO IS THE SUBJECT OF THE DATA. AN AGENT AUTHORIZED BY A CONSUMER MAY EXERCISE THE CONSUMER RIGHTS SET FORTH IN SUBDIVISIONS THREE THROUGH SIX OF SECTION ELEVEN HUNDRED TWO OF THIS ACT ON THE CONSUMERS BEHALF. § 4. This act shall take effect immediately; provided, however, that sections 1101, 1102, 1103, 1105, 1106 and 1107 of the general business law, as added by section three of this act, shall take effect two years after it shall have become a law but the private right of action author- ized by subdivision 6 of section 1106 of the general business law shall take effect three years after such section shall have become a law.
Comments
Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.
Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.
Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.