Assembly Actions -
Lowercase Senate Actions - UPPERCASE |
|
---|---|
Jan 05, 2022 |
referred to codes |
Feb 01, 2021 |
referred to codes |
Senate Bill S4021
2021-2022 Legislative Session
Establishes the "It's Your Data Act"
download bill text pdfSponsored By
(D) 14th Senate District
Archive: Last Bill Status - In Senate Committee Codes Committee
- Introduced
-
- In Committee Assembly
- In Committee Senate
-
- On Floor Calendar Assembly
- On Floor Calendar Senate
-
- Passed Assembly
- Passed Senate
- Delivered to Governor
- Signed By Governor
Actions
2021-S4021 (ACTIVE) - Details
- See Assembly Version of this Bill:
- A3586
- Current Committee:
- Senate Codes
- Law Section:
- Civil Rights Law
- Laws Affected:
- Amd §§50 & 51, Civ Rts L; add Art 32-A §§676 - 676-q, Gen Bus L
- Versions Introduced in Other Legislative Sessions:
-
2019-2020:
S9073, A7736
2023-2024: S5555
2021-S4021 (ACTIVE) - Sponsor Memo
BILL NUMBER: S4021 SPONSOR: COMRIE TITLE OF BILL: An act to amend the civil rights law and the general business law, in relation to establishing the "It's Your Data Act" PURPOSE OR GENERAL IDEA OF BILL: This bill seeks to establish a duty of care requirement for data extrac- tors & miners, and mandates these entities adhere strictly to this legal obligation when it comes to the sovereignty and privacy of an individ- ual's private information. SUMMARY OF PROVISIONS: Section one sets the title as the "Its Your Data Act" Section two amends section 50 of the civil rights law so any person, firm or corporation that collects, stores, or uses for the purpose of
advertising, trade, data-mining, or generating commercial or economic value, the name, portrait, picture, video, voice, likeness, and all other personal data, biometric data, and location data of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, or, if such consent is obtained, subsequently fails to exercise reasonable care consistent with its obligations as bailee of that individual's name, portrait, picture, video, voice, likeness, and all other personal data, biometric data, and location data, is guilty of a misdemeanor. Section three amends section 51 of the civil rights law to establish the means of redress for individuals whose rights under this act have been violated. Section four amends the general business law to establish the defi- nitions for terms or phrases used in this act, and introduces the following clauses in relation to this act: "Transparency of the collection , use, retention, and sharing of personal information", "Fair Collection and use of personal information", "Deletion of personal information", " Access to retained personal information", "Access to disclosure of personal information", "Consent to additional collection or sharing of personal information", "No discrimination by a business against a consumer for exercise of rights", "Reasonable security", " Business implementation of duties", "Exceptions", "Consumer's private right of actions", " Agency enforcement action", "Construction", "Attor- ney general regulations", "Intermediate transactions", "Non-waiver", and "Severability". Section five sets forward an effective date 1 year after enactment. JUSTIFICATION: In the 21st century, Americans' fundamental right to privacy has steadi- ly eroded in the shadow of surveillance capitalism. The passage of the Patriot Act and the rise of big-tech companies have enabled the public and private sector to siphon more and more of our personal data, often without our consent or knowledge. The institutional legitimization of mass surveillance and data extraction has begun to warp our society's very perspective on individual autonomy and privacy. The commercial sector of the Internet is now being used in ways that repeatedly wear away an individual's ability to exercise control over his or her life. Every video we watch, every ad we click on, and every word we search is now being logged, analyzed, and synthesized by corpo- rations in order to predict and influence our behaviors as consumers. The internet is no longer a peer-to-peer experiment; it has morphed into a data extraction infrastructure that relies on machine-learning algo- rithms which can ultimately shape our views or control our future actions. We have to recognize that life in a society of pervasive monitoring is not truly life under the rule of law. Businesses that make hundreds of billions of dollars monitoring every aspect of our daily lives - the essence of Surveillance Capitalism - represent new, unregulated, and dangerous territory. The It's Your Data Act (IYD) is designed to regain individual sovereignty and end abusive and exploitative data-mining practices, so that an individual's inalienable rights includes their right to retain control of their own data under all circumstances. The IYD Act institutes a duty of care requirement for data extractors & miners, and mandates that they strictly adhere to this legal obligation when it comes to the sovereignty and privacy of a person's private information. Our data is more than alienable property that can be sold to the highest bidder. PRIOR LEGISLATIVE HISTORY: This is a new bill. FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS: To be determined. EFFECTIVE DATE: This act shall take effect one year after it shall have become law.
2021-S4021 (ACTIVE) - Bill Text download pdf
S T A T E O F N E W Y O R K ________________________________________________________________________ 4021 2021-2022 Regular Sessions I N S E N A T E February 1, 2021 ___________ Introduced by Sen. COMRIE -- read twice and ordered printed, and when printed to be committed to the Committee on Codes AN ACT to amend the civil rights law and the general business law, in relation to establishing the "It's Your Data Act" THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS: Section 1. This act shall be known and may be cited as the "It's Your Data Act". § 2. Section 50 of the civil rights law is amended to read as follows: § 50. Right of privacy. A person, firm or corporation that COLLECTS, STORES, AND/OR uses for THE PURPOSE OF advertising [purposes, or for the purposes of], trade, DATA-MINING, OR GENERATING COMMERCIAL OR ECONOMIC VALUE, the name, portrait [or], picture, VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, OR, IF SUCH CONSENT IS OBTAINED, SUBSEQUENTLY FAILS TO EXERCISE REASONABLE CARE CONSISTENT WITH ITS OBLIGATIONS AS BAILEE OF THAT INDIVIDUAL'S NAME, PORTRAIT, PICTURE, VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA, is guilty of a misdemeanor. § 3. Section 51 of the civil rights law, as amended by chapter 674 of the laws of 1995, is amended to read as follows: § 51. Action for injunction and for damages. Any person [whose name, portrait, picture or voice is used within this state for advertising purposes or for the purposes of trade without the written consent], FIRM OR CORPORATION THAT COLLECTS, STORES, AND/OR USES FOR THE PURPOSE OF ADVERTISING, TRADE, DATA-MINING, OR GENERATING COMMERCIAL OR ECONOMIC VALUE, NAME, PORTRAIT, PICTURE, VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA OF ANY LIVING PERSON WITHOUT HAVING FIRST OBTAINED THE WRITTEN CONSENT OF SUCH PERSON, OR IF A MINOR OF HIS OR HER PARENT OR GUARDIAN, OR, WHEN SUCH CONSENT IS EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted.
LBD06064-01-1 S. 4021 2 OBTAINED, SUBSEQUENTLY FAILS TO EXERCISE REASONABLE CARE CONSISTENT WITH ITS OBLIGATIONS AS BAILEE OF THAT INDIVIDUAL'S NAME, PORTRAIT, PICTURE, VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA first obtained as above provided may maintain an equitable action in the supreme court of this state against the person, firm or corporation so using his OR HER name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA to prevent and restrain the use thereof; and may also sue and recover damages for any injuries sustained by reason of such use and if the defendant shall have knowingly used such person's name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOM- ETRIC DATA, AND LOCATION DATA in such manner as is forbidden or declared to be unlawful by section fifty of this article, the jury, in its discretion, may award exemplary damages. But nothing contained in this article shall be so construed as to prevent any person, firm or corpo- ration from selling or otherwise transferring any material containing such name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA in whatever medium to any user of such name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA or to any third party [for sale] or transfer directly or indirectly to such a user, for use, PROVIDED THAT THE TRANSFERRING PARTY UNDERTAKES REASON- ABLE STEPS TO ENSURE THAT ANY SUCH USE IS CONSISTENT WITH THE SELLING OR TRANSFERRING PARTY'S OBLIGATIONS AS BAILEE OF THAT INDIVIDUAL'S NAME, PORTRAIT, PICTURE, VIDEO, VOICE, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA AND USE in a manner lawful under this article; nothing contained in this article shall be so construed as to prevent any person, firm or corporation, practicing the profession of photography, from exhibiting in or about his or its establishment speci- mens of the work of such establishment, unless the same is continued by such person, firm or corporation after written notice objecting thereto has been given by the person portrayed; and nothing contained in this article shall be so construed as to prevent any person, firm or corpo- ration from using the name, portrait, picture [or], VIDEO, voice, LIKE- NESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA of any manufacturer or dealer in connection with the goods, wares and merchandise manufactured, produced or dealt in by him OR HER which he OR SHE has sold or disposed of with such name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA used in connection therewith; or from using the name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA of any author, composer or artist in connection with his OR HER literary, musical or artistic productions which he OR SHE has sold or disposed of with such name, portrait, picture [or], VIDEO, voice, LIKENESS, AND ALL OTHER PERSONAL DATA, BIOMETRIC DATA, AND LOCATION DATA used in connection therewith. Nothing contained in this section shall be construed to prohibit the copyright owner of a sound recording from disposing of, dealing in, licensing or selling that sound recording to any party, if the right to dispose of, deal in, license or sell such sound recording has been conferred by contract or other written document by such living person or the holder of such right. Nothing contained in the foregoing sentence shall be deemed to abrogate or otherwise limit any rights or remedies otherwise conferred by federal law or state law. § 4. The general business law is amended by adding a new article 32-A to read as follows: S. 4021 3 ARTICLE 32-A IT'S YOUR DATA ACT SECTION 676. DEFINITIONS. 676-A. TRANSPARENCY OF THE COLLECTION, USE, RETENTION, AND SHAR- ING OF PERSONAL INFORMATION. 676-B. FAIR COLLECTION AND USE OF PERSONAL INFORMATION. 676-C. DELETION OF PERSONAL INFORMATION. 676-D. ACCESS TO RETAINED PERSONAL INFORMATION. 676-E. ACCESS TO DISCLOSURE OF PERSONAL INFORMATION. 676-F. CONSENT TO ADDITIONAL COLLECTION OR SHARING OF PERSONAL INFORMATION. 676-G. NO DISCRIMINATION BY A BUSINESS AGAINST A CONSUMER FOR EXERCISE OF RIGHTS. 676-H. REASONABLE SECURITY. 676-I. BUSINESS IMPLEMENTATION OF DUTIES. 676-J. EXCEPTIONS. 676-K. CONSUMER'S PRIVATE RIGHT OF ACTION. 676-L. AGENCY ENFORCEMENT ACTION. 676-M. CONSTRUCTION. 676-N. ATTORNEY GENERAL REGULATIONS. 676-O. INTERMEDIATE TRANSACTIONS. 676-P. NON-WAIVER. 676-Q. SEVERABILITY. § 676. DEFINITIONS. 1. FOR THE PURPOSES OF THIS ARTICLE: (A) "AGGREGATE CONSUMER INFORMATION" MEANS INFORMATION THAT RELATES TO A GROUP OF CONSUMERS, FROM WHICH INDIVIDUAL CONSUMER IDENTITIES HAVE BEEN REMOVED, THAT IS NOT LINKED OR REASONABLY LINKABLE TO ANY CONSUMER OR HOUSEHOLD, INCLUDING VIA A DEVICE. AGGREGATE CONSUMER INFORMATION DOES NOT MEAN ONE OR MORE INDIVIDUAL CONSUMER RECORDS THAT HAVE BEEN DE-IDENTIFIED. (B) "BIOMETRIC INFORMATION" MEANS AN INDIVIDUAL'S PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTICS OR AN ELECTRONIC REPRESENTATION OF SUCH, INCLUDING AN INDIVIDUAL'S DEOXYRIBONUCLEIC ACID (DNA), THAT CAN BE USED, SINGLY OR IN COMBINATION WITH EACH OTHER OR WITH OTHER IDENTI- FYING DATA, TO ESTABLISH INDIVIDUAL IDENTITY. BIOMETRIC INFORMATION INCLUDES, BUT IS NOT LIMITED TO, IMAGERY OF THE IRIS, RETINA, FINGER- PRINT, FACE, HAND, PALM, VEIN PATTERNS, AND VOICE RECORDINGS, FROM WHICH AN IDENTIFIER TEMPLATE, SUCH AS A FACEPRINT, A MINUTIAE TEMPLATE, OR A VOICEPRINT, CAN BE EXTRACTED, AND KEYSTROKE PATTERNS OR RHYTHMS, GAIT PATTERNS OR RHYTHMS, AND SLEEP, HEALTH, OR EXERCISE DATA THAT CONTAIN IDENTIFYING INFORMATION. (C) "BUSINESS" MEANS: (I) A SOLE PROPRIETORSHIP, PARTNERSHIP, LIMITED LIABILITY COMPANY, CORPORATION, ASSOCIATION, OR OTHER LEGAL ENTITY THAT IS ORGANIZED OR OPERATED FOR THE PROFIT OR FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS, THAT COLLECTS CONSUMERS' PERSONAL INFORMATION, OR ON THE BEHALF OF WHICH SUCH INFORMATION IS COLLECTED AND THAT ALONE, OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF CONSUMERS' PERSONAL INFORMATION, THAT DOES BUSINESS IN THE STATE OF NEW YORK, AND THAT SATISFIES ONE OR MORE OF THE FOLLOWING THRESHOLDS: (1) HAS ANNUAL GROSS REVENUES IN EXCESS OF FIFTY MILLION DOLLARS, AS ADJUSTED PURSUANT TO PARAGRAPH (F) OF SUBDIVISION ONE OF SECTION SIX HUNDRED SEVENTY-SIX-N OF THIS ARTICLE; (2) ALONE OR IN COMBINATION, ANNUALLY BUYS, RECEIVES FOR THE BUSINESS' COMMERCIAL PURPOSES, SELLS, OR DISCLOSES FOR COMMERCIAL PURPOSES, ALONE S. 4021 4 OR IN COMBINATION, THE PERSONAL INFORMATION OF FIFTY THOUSAND OR MORE CONSUMERS, HOUSEHOLDS, OR DEVICES; OR (3) DERIVES FIFTY PERCENT OR MORE OF ITS ANNUAL REVENUES FROM SELLING CONSUMERS' PERSONAL INFORMATION; AND (II) ANY ENTITY THAT CONTROLS OR IS CONTROLLED BY A BUSINESS, AS DEFINED IN SUBPARAGRAPH (I) OF THIS PARAGRAPH, AND THAT SHARES COMMON BRANDING WITH SUCH BUSINESS. (D) "CONTROL" OR "CONTROLLED" MEANS OWNERSHIP OF, OR THE POWER TO VOTE, MORE THAN FIFTY PERCENT OF THE OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A BUSINESS; CONTROL IN ANY MANNER OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS, OR OF INDIVIDUALS EXERCISING SIMILAR FUNCTIONS; OR THE POWER TO EXERCISE A CONTROLLING INFLUENCE OVER THE MANAGEMENT OF A BUSINESS. (E) "COMMON BRANDING" MEANS A SHARED NAME, SERVICEMARK, OR TRADEMARK. (F) "OPERATIONAL PURPOSE" MEANS THE USE OF PERSONAL INFORMATION WHEN REASONABLY NECESSARY AND PROPORTIONATE TO ACHIEVE ONE OF THE FOLLOWING OPERATIONAL PURPOSES: (I) AUDITING RELATED TO A CURRENT INTERACTION WITH THE CONSUMER AND CONCURRENT TRANSACTIONS, INCLUDING, BUT NOT LIMITED TO, COUNTING AD IMPRESSIONS TO UNIQUE VISITORS, VERIFYING POSITIONING AND QUALITY OF AD IMPRESSIONS, AND AUDITING COMPLIANCE WITH THIS PARAGRAPH AND OTHER STAN- DARDS; (II) DETECTING AND RESPONDING TO SECURITY INCIDENTS, PROTECTING AGAINST MALICIOUS, DECEPTIVE, FRAUDULENT, OR ILLEGAL ACTIVITY, AND PROS- ECUTING THOSE RESPONSIBLE FOR THAT ACTIVITY; (III) DEBUGGING TO IDENTIFY AND REPAIR ERRORS THAT IMPAIR EXISTING INTENDED FUNCTIONALITY; (IV) SHORT-TERM, TRANSIENT USE, PROVIDED THE PERSONAL INFORMATION IS NOT DISCLOSED TO ANOTHER THIRD PARTY AND IS NOT USED TO BUILD A PROFILE ABOUT A CONSUMER OR OTHERWISE ALTER AN INDIVIDUAL CONSUMER'S EXPERIENCE OUTSIDE THE CURRENT INTERACTION, INCLUDING, BUT NOT LIMITED TO, THE CONTEXTUAL CUSTOMIZATION OF ADS SHOWN AS PART OF THE SAME INTERACTION; (V) PERFORMING OR PROVIDING SERVICES ON BEHALF OF THE BUSINESS OR SERVICE PROVIDER, INCLUDING MAINTAINING OR SERVICING ACCOUNTS, BILLING OR COLLECTING FOR REQUESTED PRODUCTS OR SERVICES, PROVIDING CUSTOMER SERVICE, PROCESSING OR FULFILLING ORDERS AND TRANSACTIONS, VERIFYING CUSTOMER INFORMATION, PROCESSING PAYMENTS, PROVIDING FINANCING, PROVID- ING ADVERTISING OR MARKETING SERVICES, PROVIDING ANALYTIC SERVICES, OR PROVIDING SIMILAR SERVICES ON BEHALF OF THE BUSINESS OR SERVICE PROVID- ER; (VI) UNDERTAKING INTERNAL RESEARCH FOR TECHNOLOGICAL DEVELOPMENT AND DEMONSTRATION; (VII) UNDERTAKING ACTIVITIES TO VERIFY OR MAINTAIN THE QUALITY OR SAFETY OF A SERVICE OR DEVICE THAT IS OWNED, MANUFACTURED, MANUFACTURED FOR, OR CONTROLLED BY THE BUSINESS, OR TO IMPROVE, UPGRADE, OR ENHANCE THE SERVICE OR DEVICE THAT IS OWNED, MANUFACTURED, MANUFACTURED FOR, OR CONTROLLED BY THE BUSINESS; (VIII) CUSTOMIZATION OF CONTENT; OR (IX) CUSTOMIZATION OF ADVERTISING OR MARKETING. (G) "COLLECTS," "COLLECTED," OR "COLLECTION" MEANS BUYING, RENTING, GATHERING, OBTAINING, RECEIVING, OR ACCESSING ANY PERSONAL INFORMATION PERTAINING TO A CONSUMER BY ANY MEANS. THIS SHALL INCLUDE, BUT SHALL NOT BE LIMITED TO, RECEIVING INFORMATION FROM THE CONSUMER, EITHER ACTIVELY OR PASSIVELY, OR BY OBSERVING THE CONSUMER'S BEHAVIOR. (H) "COMMERCIAL PURPOSES" MEANS TO ADVANCE A PERSON'S COMMERCIAL OR ECONOMIC INTERESTS, SUCH AS BY INDUCING ANOTHER PERSON TO BUY, RENT, S. 4021 5 LEASE, JOIN, SUBSCRIBE TO, PROVIDE, OR EXCHANGE PRODUCTS, GOODS, PROPER- TY, INFORMATION, OR SERVICES, OR ENABLING OR EFFECTING, DIRECTLY OR INDIRECTLY, A COMMERCIAL TRANSACTION. COMMERCIAL PURPOSES SHALL NOT INCLUDE ENGAGING IN SPEECH THAT STATE OR FEDERAL COURTS HAVE RECOGNIZED AS NONCOMMERCIAL SPEECH, INCLUDING, BUT NOT LIMITED TO, POLITICAL SPEECH AND JOURNALISM. (I) "CONSUMER" MEANS A NATURAL PERSON WHO IS A RESIDENT OF THE STATE OF NEW YORK. (J) "DE-IDENTIFIED" MEANS INFORMATION THAT CANNOT REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR CONSUMER, PROVIDED THAT A BUSI- NESS THAT USES DE-IDENTIFIED INFORMATION: (I) TAKES REASONABLE MEASURES TO ENSURE THAT THE DATA IS DE-IDENTI- FIED; (II) PUBLICLY COMMITS TO MAINTAIN AND USE THE DATA IN A DE-IDENTIFIED FASHION AND NOT TO ATTEMPT TO RE-IDENTIFY THE DATA; AND (III) CONTRACTUALLY PROHIBITS DOWNSTREAM RECIPIENTS FROM ATTEMPTING TO RE-IDENTIFY THE DATA. (K) "DESIGNATED METHODS FOR SUBMITTING REQUESTS" MEANS A MAILING ADDRESS, EMAIL ADDRESS, INTERNET WEB PAGE, INTERNET WEB PORTAL, TOLL- FREE TELEPHONE NUMBER, OR OTHER APPLICABLE CONTACT INFORMATION, WHEREBY CONSUMERS MAY SUBMIT A REQUEST UNDER THIS ARTICLE, AND ANY NEW, CONSUM- ER-FRIENDLY MEANS OF CONTACTING A BUSINESS, AS APPROVED BY THE ATTORNEY GENERAL PURSUANT TO SECTION SIX HUNDRED SEVENTY-SIX-N OF THIS ARTICLE. (L) "DEVICE" MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECTING TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE. (M) "HEALTH INSURANCE INFORMATION" MEANS A CONSUMER'S INSURANCE POLICY NUMBER OR SUBSCRIBER IDENTIFICATION NUMBER, ANY UNIQUE IDENTIFIER USED BY A HEALTH INSURER TO IDENTIFY THE CONSUMER, OR ANY INFORMATION IN THE CONSUMER'S APPLICATION AND CLAIMS HISTORY, INCLUDING ANY APPEALS RECORDS, IF THE INFORMATION IS LINKED OR REASONABLY LINKABLE TO A CONSUMER OR HOUSEHOLD, INCLUDING VIA A DEVICE, BY A BUSINESS OR SERVICE PROVIDER. (N) "INFER" OR "INFERENCE" MEANS THE DERIVATION OF INFORMATION, DATA, ASSUMPTIONS, OR CONCLUSIONS FROM FACTS, EVIDENCE, OR ANOTHER SOURCE OF INFORMATION OR DATA. (O) "PERSON" MEANS AN INDIVIDUAL, PROPRIETORSHIP, FIRM, PARTNERSHIP, JOINT VENTURE, SYNDICATE, BUSINESS TRUST, COMPANY, CORPORATION, LIMITED LIABILITY COMPANY, ASSOCIATION, COMMITTEE, AND ANY OTHER ORGANIZATION OR GROUP OF PERSONS ACTING IN CONCERT. (P) "PERSONAL INFORMATION" MEANS INFORMATION THAT IDENTIFIES OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR CONSUM- ER, HOUSEHOLD, OR CONSUMER DEVICE. PERSONAL INFORMATION SHALL NOT INCLUDE PUBLICLY AVAILABLE INFORMATION, INFORMATION THAT IS DE-IDENTI- FIED, OR AGGREGATE CONSUMER INFORMATION. (Q) "PUBLICLY AVAILABLE" MEANS INFORMATION THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS. PUBLICLY AVAILABLE DOES NOT MEAN INFORMATION COLLECTED BY A BUSINESS ABOUT A CONSUMER WITHOUT THE CONSUMER'S KNOWLEDGE. (R) "SERVICE" OR "SERVICES" MEANS WORK, LABOR, AND SERVICES, INCLUDING SERVICES FURNISHED IN CONNECTION WITH THE PRODUCTION, SALE OR REPAIR OF GOODS. (S) "SERVICE PROVIDER" MEANS AN INDIVIDUAL SOLE PROPRIETORSHIP, PART- NERSHIP, LIMITED LIABILITY COMPANY, CORPORATION, ASSOCIATION, OR OTHER LEGAL ENTITY THAT IS ORGANIZED OR OPERATED FOR THE PROFIT OR FINANCIAL BENEFIT OF ITS SHAREHOLDERS OR OTHER OWNERS, THAT PROCESSES INFORMATION S. 4021 6 ON BEHALF OF A BUSINESS AND TO WHICH SUCH BUSINESS DISCLOSES A CONSUM- ER'S PERSONAL INFORMATION FOR AN OPERATIONAL PURPOSE PURSUANT TO A WRIT- TEN OR ELECTRONIC CONTRACT, PROVIDED THAT THE CONTRACT PROHIBITS THE ENTITY RECEIVING THE INFORMATION FROM RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION FOR ANY PURPOSE OTHER THAN FOR THE SPECIFIC PURPOSE OF PERFORMING THE SERVICES SPECIFIED IN THE CONTRACT FOR SUCH BUSINESS, OR AS OTHERWISE PERMITTED BY THIS ARTICLE, INCLUDING A PROHI- BITION ON RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION FOR A COMMERCIAL PURPOSE OTHER THAN PROVIDING THE SERVICES SPECIFIED IN THE CONTRACT WITH SUCH BUSINESS. (T) "VERIFIABLE CONSUMER REQUEST" MEANS A REQUEST THAT IS MADE BY A CONSUMER, BY A CONSUMER ON BEHALF OF THE CONSUMER'S MINOR CHILD, OR BY A NATURAL PERSON OR A PERSON REGISTERED WITH THE SECRETARY OF STATE, AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUMER'S BEHALF, AND THAT THE BUSINESS CAN REASONABLY VERIFY. A BUSINESS SHALL NOT BE OBLIGATED TO PROVIDE ANY PERSONAL INFORMATION TO A CONSUMER IF SUCH BUSINESS CANNOT VERIFY THAT THE CONSUMER MAKING THE REQUEST IS THE CONSUMER ABOUT WHOM SUCH BUSINESS HAS COLLECTED PERSONAL INFORMATION OR IS A PERSON AUTHOR- IZED BY THE CONSUMER TO ACT ON SUCH CONSUMER'S BEHALF. (U) "THIRD PARTY" MEANS A PERSON OR BUSINESS THAT IS NOT ANY OF THE FOLLOWING: (I) THE BUSINESS THAT COLLECTS PERSONAL INFORMATION FROM CONSUMERS UNDER THIS ARTICLE; OR (II) A PERSON TO WHOM THE BUSINESS DISCLOSES A CONSUMER'S PERSONAL INFORMATION FOR AN OPERATIONAL PURPOSE PURSUANT TO A WRITTEN CONTRACT, PROVIDED THAT THE CONTRACT: (1) PROHIBITS THE PERSON RECEIVING THE PERSONAL INFORMATION FROM: (A) SELLING THE PERSONAL INFORMATION; (B) RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION FOR ANY PURPOSE OTHER THAN FOR THE SPECIFIC PURPOSE OF PERFORMING THE SERVICES SPECIFIED IN THE CONTRACT, INCLUDING RETAINING, USING, OR DISCLOSING THE PERSONAL INFORMATION FOR A COMMERCIAL PURPOSE OTHER THAN PROVIDING THE SERVICES SPECIFIED IN THE CONTRACT; AND (C) RETAINING, USING, OR DISCLOSING THE INFORMATION OUTSIDE OF THE DIRECT BUSINESS RELATIONSHIP BETWEEN THE PERSON AND THE BUSINESS; AND (2) INCLUDES A CERTIFICATION MADE BY THE PERSON RECEIVING THE PERSONAL INFORMATION THAT THE PERSON UNDERSTANDS THE RESTRICTIONS IN CLAUSE ONE OF THIS PARAGRAPH AND WILL COMPLY WITH SUCH RESTRICTIONS. 2. FOR REFERENCES TO A CATEGORY OR CATEGORIES OF PERSONAL INFORMATION REQUIRED TO BE DISCLOSED PURSUANT TO THIS ARTICLE: (A) "PROCESSING" MEANS ANY OPERATION OR SET OF OPERATIONS THAT ARE PERFORMED ON PERSONAL DATA OR ON SETS OF PERSONAL DATA, WHETHER OR NOT BY AUTOMATED MEANS. (B) "RESEARCH" MEANS SCIENTIFIC AND SYSTEMATIC STUDY AND OBSERVATION, INCLUDING BASIC RESEARCH OR APPLIED RESEARCH THAT IS IN THE PUBLIC INTEREST AND THAT ADHERES TO ALL OTHER APPLICABLE ETHICS AND PRIVACY LAWS OR STUDIES CONDUCTED IN THE PUBLIC INTEREST IN THE AREA OF PUBLIC HEALTH. RESEARCH WITH PERSONAL INFORMATION THAT MAY HAVE BEEN COLLECTED FROM A CONSUMER IN THE COURSE OF THE CONSUMER'S INTERACTIONS WITH A BUSINESS' SERVICE OR DEVICE FOR OTHER PURPOSES SHALL BE: (I) COMPATIBLE WITH AN OPERATIONAL PURPOSE FOR WHICH THE PERSONAL INFORMATION WAS COLLECTED; (II) SUBSEQUENTLY DE-IDENTIFIED, OR IN THE AGGREGATE, SUCH THAT THE INFORMATION CANNOT REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR CONSUMER; S. 4021 7 (III) MADE SUBJECT TO TECHNICAL SAFEGUARDS TO PREVENT RE-IDENTIFICA- TION OF THE CONSUMER TO WHOM THE INFORMATION MAY PERTAIN; (IV) SUBJECT TO BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT RE-IDEN- TIFICATION OF THE INFORMATION; (V) MADE SUBJECT TO BUSINESS PROCESSES TO PREVENT INADVERTENT RELEASE OF DE-IDENTIFIED INFORMATION; (VI) PROTECTED FROM ANY RE-IDENTIFICATION ATTEMPTS; (VII) USED SOLELY FOR RESEARCH PURPOSES THAT ARE COMPATIBLE WITH THE CONTEXT IN WHICH THE PERSONAL INFORMATION WAS COLLECTED; (VIII) NOT BE USED FOR ANY COMMERCIAL PURPOSE; AND (IX) SUBJECTED BY THE BUSINESS CONDUCTING THE RESEARCH TO ADDITIONAL SECURITY CONTROLS THAT LIMIT ACCESS TO THE RESEARCH DATA TO ONLY THOSE INDIVIDUALS IN A BUSINESS AS ARE NECESSARY TO CARRY OUT THE RESEARCH PURPOSE. (C) (I) "SELL," "SELLING," "SALE," OR "SOLD," MEANS SELLING, RENTING, RELEASING, DISCLOSING, DISSEMINATING, MAKING AVAILABLE, TRANSFERRING, OR OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS, A CONSUMER'S PERSONAL INFORMATION BY THE BUSINESS TO ANOTHER BUSINESS OR A THIRD PARTY FOR MONETARY OR OTHER VALUABLE CONSIDERATION. (II) FOR PURPOSES OF THIS ARTICLE, A BUSINESS DOES NOT SELL PERSONAL INFORMATION WHEN: (1) A CONSUMER USES OR DIRECTS THE BUSINESS TO INTENTIONALLY DISCLOSE PERSONAL INFORMATION OR USES THE BUSINESS TO INTENTIONALLY INTERACT WITH A THIRD PARTY, PROVIDED SUCH THIRD PARTY DOES NOT ALSO SELL THE PERSONAL INFORMATION, UNLESS SUCH DISCLOSURE WOULD BE CONSISTENT WITH THE PROVISIONS OF THIS ARTICLE. AN INTENTIONAL INTERACTION OCCURS WHEN THE CONSUMER INTENDS TO INTERACT WITH THE THIRD PARTY, VIA ONE OR MORE DELIBERATE INTERACTIONS. HOVERING OVER, MUTING, PAUSING, OR CLOSING A GIVEN PIECE OF CONTENT SHALL NOT CONSTITUTE A CONSUMER'S INTENT TO INTERACT WITH A THIRD PARTY; (2) THE BUSINESS USES OR DISCLOSES AN IDENTIFIER FOR A CONSUMER WHO HAS OPTED OUT OF THE SALE OF THE CONSUMER'S PERSONAL INFORMATION FOR THE PURPOSES OF ALERTING THIRD PARTIES THAT THE CONSUMER HAS OPTED OUT OF THE SALE OF THE CONSUMER'S PERSONAL INFORMATION; (3) THE BUSINESS USES OR DISCLOSES PERSONAL INFORMATION OF A CONSUMER WITH A SERVICE PROVIDER THAT IS NECESSARY TO PERFORM AN OPERATIONAL PURPOSE AND THE BUSINESS HAS PROVIDED NOTICE THAT INFORMATION BEING USED OR DISCLOSED IN ITS TERMS AND CONDITIONS CONSISTENT WITH SECTION SIX HUNDRED SEVENTY-SIX-I OF THIS ARTICLE; OR (4) THE BUSINESS TRANSFERS TO A THIRD PARTY THE PERSONAL INFORMATION OF A CONSUMER AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANK- RUPTCY, OR OTHER TRANSACTION IN WHICH THE THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE BUSINESS, PROVIDED THAT INFORMATION IS USED OR DISCLOSED CONSISTENTLY WITH THIS ARTICLE. A THIRD PARTY MAY NOT MATE- RIALLY ALTER HOW IT USES OR DISCLOSES THE PERSONAL INFORMATION OF A CONSUMER IN A MANNER THAT IS MATERIALLY INCONSISTENT WITH THE PROMISES MADE AT THE TIME OF COLLECTION, UNLESS IT FIRST OBTAINS OPT-IN CONSENT, AS SET FORTH IN THIS ARTICLE. § 676-A. TRANSPARENCY OF THE COLLECTION, USE, RETENTION, AND SHARING OF PERSONAL INFORMATION. ANY BUSINESS THAT COLLECTS A CONSUMER'S PERSONAL INFORMATION SHALL DISCLOSE THE FOLLOWING INFORMATION IN ITS ONLINE PRIVACY POLICY OR POLICIES, IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY, AND UPDATE SUCH INFORMATION AT LEAST ONCE EVERY TWELVE MONTHS: 1. A DESCRIPTION OF A CONSUMER'S RIGHTS PURSUANT TO SECTIONS SIX HUNDRED SEVENTY-SIX-B, SIX HUNDRED SEVENTY-SIX-D, SIX HUNDRED SEVENTY- SIX-E, SIX HUNDRED SEVENTY-SIX-F AND SIX HUNDRED SEVENTY-SIX-G OF THIS S. 4021 8 ARTICLE AND ONE OR MORE DESIGNATED METHODS FOR SUBMITTING REQUESTS PURSUANT TO SECTIONS SIX HUNDRED SEVENTY-SIX-C, SIX HUNDRED SEVENTY-SIX-D, AND SIX HUNDRED SEVENTY-SIX-E OF THIS ARTICLE; 2. A DESCRIPTION OF THE PERSONAL INFORMATION SUCH BUSINESS COLLECTS ABOUT CONSUMERS; 3. THE CATEGORIES OF SOURCES FROM WHICH THE PERSONAL INFORMATION IS COLLECTED; 4. A DESCRIPTION OF THE METHODS SUCH BUSINESS USES TO COLLECT PERSONAL INFORMATION; 5. THE SPECIFIC PURPOSES FOR COLLECTING, DISCLOSING, OR RETAINING PERSONAL INFORMATION; 6. A DESCRIPTION OF THE PERSONAL INFORMATION IT DISCLOSES ABOUT CONSUMERS, OR IF THE BUSINESS DOES NOT DISCLOSE CONSUMERS' PERSONAL INFORMATION, THE BUSINESS SHALL DISCLOSE SUCH FACT; 7. THE CATEGORIES OF THIRD PARTIES WITH WHOM SUCH BUSINESS SHARES PERSONAL INFORMATION WITH, OR IF THE BUSINESS DOES NOT DISCLOSE CONSUM- ERS' PERSONAL INFORMATION TO THIRD PARTIES, THE BUSINESS SHALL DISCLOSE SUCH FACT; 8. THE CATEGORIES OF SERVICE PROVIDERS WITH WHOM SUCH BUSINESS SHARES PERSONAL INFORMATION WITH, OR IF THE BUSINESS DOES NOT DISCLOSE CONSUM- ERS' PERSONAL INFORMATION TO SERVICE PROVIDERS, THE BUSINESS SHALL DISCLOSE SUCH FACT; 9. A DESCRIPTION OF THE LENGTH OF TIME FOR WHICH PERSONAL INFORMATION IS RETAINED; AND 10. IF PERSONAL DATA IS DE-IDENTIFIED SUCH THAT IT IS NO LONGER CONSIDERED PERSONAL INFORMATION BUT SUBSEQUENTLY RETAINED, USED, OR SHARED BY THE BUSINESS, A DESCRIPTION OF THE METHOD OR METHODS OF DE-I- DENTIFICATION. § 676-B. FAIR COLLECTION AND USE OF PERSONAL INFORMATION. 1. SUBJECT TO SECTION SIX HUNDRED SEVENTY-SIX-F OF THIS ARTICLE A BUSINESS THAT COLLECTS A CONSUMER'S PERSONAL INFORMATION SHALL LIMIT ITS COLLECTION AND SHARING OF PERSONAL INFORMATION WITH THIRD PARTIES TO WHAT IS REASONABLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT A CONSUMER HAS REQUESTED OR IS REASONABLY NECESSARY FOR SECURITY OR FRAUD PREVENTION, AND SHALL REQUIRE ANY SUCH THIRD PARTY TO EXERCISE CARE OVER THE CONSUMER'S PERSONAL INFORMATION CONSISTENT WITH THE ORIGINAL BUSI- NESS'S OBLIGATIONS AS BAILEE OF SUCH INFORMATION. 2. SUBJECT TO SECTION SIX HUNDRED SEVENTY-SIX-F OF THIS ARTICLE, A BUSINESS THAT COLLECTS A CONSUMER'S PERSONAL INFORMATION SHALL BE OBLI- GATED TO EXERCISE REASONABLE CARE WITH RESPECT TO THE COLLECTION, STOR- AGE, AND USE OF THAT INFORMATION, CONSISTENT WITH ITS OBLIGATIONS AS A BAILEE, AND SHALL LIMIT ITS USE AND RETENTION OF PERSONAL INFORMATION TO WHAT IS REASONABLY NECESSARY TO PROVIDE A SERVICE OR CONDUCT AN ACTIVITY THAT A CONSUMER HAS REQUESTED OR A RELATED OPERATIONAL PURPOSE, PROVIDED HOWEVER THAT DATA COLLECTED OR RETAINED SOLELY FOR SECURITY OR FRAUD PREVENTION MAY NOT BE USED FOR RELATED OPERATIONAL PURPOSES. § 676-C. DELETION OF PERSONAL INFORMATION. 1. A CONSUMER SHALL HAVE THE RIGHT TO REQUEST THAT A BUSINESS DELETE ANY PERSONAL INFORMATION ABOUT SUCH CONSUMER WHICH THE BUSINESS HAS COLLECTED FROM THE CONSUMER. 2. A BUSINESS THAT COLLECTS PERSONAL INFORMATION ABOUT CONSUMERS SHALL DISCLOSE, PURSUANT TO THE NOTICE REQUIREMENTS OF SECTION SIX HUNDRED SEVENTY-SIX-I OF THIS ARTICLE, THE CONSUMER'S RIGHTS TO REQUEST THE DELETION OF THE CONSUMER'S PERSONAL INFORMATION. 3. A BUSINESS THAT RECEIVES A VERIFIABLE CONSUMER REQUEST FROM A CONSUMER TO DELETE THE CONSUMER'S PERSONAL INFORMATION PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL DELETE THE CONSUMER'S PERSONAL S. 4021 9 INFORMATION FROM ITS RECORDS AND DIRECT ANY SERVICE PROVIDERS TO DELETE THE CONSUMER'S PERSONAL INFORMATION FROM THEIR RECORDS. 4. A BUSINESS OR A SERVICE PROVIDER SHALL NOT BE REQUIRED TO COMPLY WITH A CONSUMER'S REQUEST TO DELETE THE CONSUMER'S PERSONAL INFORMATION IF: (A) SUCH RETENTION OF PERSONAL INFORMATION IS REASONABLY ANTICIPATED WITHIN THE CONTEXT OF A BUSINESS'S ONGOING BUSINESS RELATIONSHIP WITH THE CONSUMER; OR (B) IT IS NECESSARY FOR THE BUSINESS OR SERVICE PROVIDER TO MAINTAIN THE CONSUMER'S PERSONAL INFORMATION IN ORDER TO: (I) COMPLETE THE TRANSACTION FOR WHICH THE PERSONAL INFORMATION WAS COLLECTED, PROVIDE A GOOD OR SERVICE REQUESTED BY THE CONSUMER, OR OTHERWISE PERFORM A CONTRACT BETWEEN THE BUSINESS AND THE CONSUMER; (II) DETECT OR RESPOND TO SECURITY INCIDENTS, PROTECT AGAINST MALI- CIOUS, DECEPTIVE, FRAUDULENT, OR ILLEGAL ACTIVITY, OR PROSECUTE THOSE RESPONSIBLE FOR THAT ACTIVITY; (III) DEBUG TO IDENTIFY AND REPAIR ERRORS THAT IMPAIR EXISTING INTENDED FUNCTIONALITY; (IV) EXERCISE FREE SPEECH, ENSURE THE RIGHT OF ANOTHER CONSUMER TO EXERCISE HIS OR HER RIGHT OF FREE SPEECH; (V) ENGAGE IN PUBLIC OR PEER-REVIEWED SCIENTIFIC, HISTORICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE BUSINESSES' DELETION OF THE INFORMATION IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR THE ACHIEVEMENT OF SUCH RESEARCH, IF THE CONSUMER HAS PROVIDED INFORMED CONSENT; OR (VI) COMPLY WITH A LEGAL OBLIGATION. § 676-D. ACCESS TO RETAINED PERSONAL INFORMATION. 1. IF A BUSINESS COLLECTS PERSONAL INFORMATION ABOUT A CONSUMER, THE CONSUMER SHALL HAVE THE RIGHT TO ASK THE BUSINESS FOR THE FOLLOWING INFORMATION, AND THE BUSINESS SHALL HAVE THE DUTY TO PROVIDE IT, PROMPTLY AND FREE OF CHARGE, UPON RECEIPT OF A VERIFIABLE REQUEST: (A) THE SPECIFIC PIECES OF PERSONAL INFORMATION THAT THE BUSINESS RETAINS ABOUT THAT CONSUMER; (B) THE SPECIFIC SOURCES FROM WHICH THE BUSINESS COLLECTED THE PERSONAL INFORMATION; AND (C) ITS PURPOSE FOR COLLECTING THE PERSONAL INFORMATION. 2. WHEN A BUSINESS RECEIVES A VERIFIABLE CONSUMER REQUEST FROM A CONSUMER FOR THE SPECIFIC PIECES OF THEIR PERSONAL INFORMATION, SUCH BUSINESS SHALL DISCLOSE SUCH INFORMATION IN AN ELECTRONIC, PORTABLE, MACHINE-READABLE, AND READILY-USEABLE FORMAT OR FORMATS THAT ALLOW THE CONSUMER TO UNDERSTAND SUCH INFORMATION AND TO TRANSMIT SUCH INFORMATION TO ANOTHER ENTITY WITHOUT HINDRANCE. § 676-E. ACCESS TO DISCLOSURE OF PERSONAL INFORMATION. IF A BUSINESS DISCLOSES PERSONAL INFORMATION ABOUT A CONSUMER TO A THIRD PARTY, THE CONSUMER SHALL HAVE THE RIGHT TO REQUEST THE FOLLOWING INFORMATION FROM THE BUSINESS, AND SUCH BUSINESS SHALL HAVE THE DUTY TO PROVIDE IT, PROMPTLY AND FREE OF CHARGE, UPON RECEIPT OF A VERIFIABLE REQUEST: 1. THE CATEGORIES OF PERSONAL INFORMATION THAT THE BUSINESS DISCLOSED ABOUT THE CONSUMER, AND THE CATEGORIES OF THIRD PARTIES TO WHOM THE PERSONAL INFORMATION WAS DISCLOSED, BY CATEGORY OF PERSONAL INFORMATION FOR EACH CATEGORY OF THIRD PARTY; AND 2. THE SPECIFIC THIRD PARTIES TO WHOM THE PERSONAL INFORMATION WAS DISCLOSED. § 676-F. CONSENT TO ADDITIONAL COLLECTION OR SHARING OF PERSONAL INFORMATION. 1. OTHER THAN AS DESCRIBED IN SECTION SIX HUNDRED SEVENTY- S. 4021 10 SIX-B OF THIS ARTICLE, A BUSINESS SHALL NOT COLLECT OR SHARE A CONSUM- ER'S PERSONAL INFORMATION UNLESS THE CONSUMER HAS AFFIRMATIVELY AUTHOR- IZED THE COLLECTION OR DISCLOSURE. THIS RIGHT TO COLLECT OR SHARE A CONSUMER'S PERSONAL INFORMATION MAY BE REFERRED TO AS THE RIGHT TO "OPT-IN CONSENT". 2. ANY PERSONAL INFORMATION OF A CONSUMER COLLECTED OR SHARED BY A BUSINESS UPON THE AFFIRMATIVE AUTHORIZATION OF THE CONSUMER SHALL REMAIN THE PROPERTY OF SUCH CONSUMER, AND THE BUSINESS SHALL BE REQUIRED TO EXERCISE REASONABLE CARE IN THE COLLECTION AND SHARING OF SUCH DATA, CONSISTENT WITH ITS OBLIGATIONS TOWARDS THE CONSUMER AS BAILEE OF HIS OR HER PERSONAL INFORMATION. 3. A BUSINESS SHALL REQUEST A USER'S OPT-IN CONSENT SEPARATELY FROM ANY OTHER PERMISSION OR CONSENT, WITH THE OPTION TO DECLINE CONSENT AT LEAST AS PROMINENT AS THE OPTION TO PROVIDE CONSENT. 4. IF A CONSUMER DECLINES TO PROVIDE THEIR OPT-IN CONSENT TO THE DISCLOSURE OF THEIR PERSONAL INFORMATION, A BUSINESS SHALL REFRAIN FOR AT LEAST TWELVE MONTHS BEFORE AGAIN REQUESTING THAT THE CONSUMER PROVIDE THEIR OPT-IN CONSENT TO THE DISCLOSURE OF THEIR PERSONAL INFORMATION. 5. A BUSINESS MAY MAKE AVAILABLE A SETTING OR OTHER USER CONTROL THAT THE CONSUMER MAY AFFIRMATIVELY ACCESS IN ORDER TO CONSENT TO ADDITIONAL DATA COLLECTION OR SHARING. 6. A BUSINESS THAT OBTAINS A CONSUMER'S OPT-IN CONSENT TO COLLECT OR DISCLOSE THEIR PERSONAL INFORMATION PURSUANT TO THIS SECTION SHALL PROVIDE CONSUMERS THE ABILITY TO WITHDRAW SUCH CONSENT THROUGH A READILY USABLE AND AUTOMATED MEANS AT ANY TIME. § 676-G. NO DISCRIMINATION BY A BUSINESS AGAINST A CONSUMER FOR EXER- CISE OF RIGHTS. A BUSINESS SHALL NOT DISCRIMINATE AGAINST A CONSUMER BECAUSE THE CONSUMER EXERCISED ANY OF THE CONSUMER'S RIGHTS UNDER THIS ARTICLE OR DOES NOT PROVIDE CONSENT TO ADDITIONAL DATA COLLECTION OR SHARING UNDER SECTION SIX HUNDRED SEVENTY-SIX-F OF THIS ARTICLE INCLUD- ING, BUT NOT LIMITED TO, BY: 1. DENYING GOODS OR SERVICES TO THE CONSUMER; 2. CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS OR IMPOSING PENALTIES; 3. PROVIDING A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES TO THE CONSUMER; OR 4. SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES. § 676-H. REASONABLE SECURITY. 1. A BUSINESS OR SERVICE PROVIDER SHALL IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES, INCLUDING ADMINISTRATIVE, PHYSICAL, AND TECHNICAL SAFEGUARDS, APPROPRI- ATE TO THE NATURE OF THE INFORMATION AND THE PURPOSES FOR WHICH THE PERSONAL INFORMATION WILL BE USED, TO PROTECT CONSUMERS' PERSONAL INFOR- MATION FROM UNAUTHORIZED USE, DISCLOSURE, ACCESS, DESTRUCTION, OR MODIFICATION. 2. A BUSINESS OR SERVICE PROVIDER MAY EMPLOY ANY LAWFUL SECURITY MEAS- URES THAT ALLOW IT TO COMPLY WITH THE REQUIREMENTS SET FORTH IN THIS SECTION. § 676-I. BUSINESS IMPLEMENTATION OF DUTIES. 1. A BUSINESS SHALL: (A) MAKE AVAILABLE TO CONSUMERS TWO OR MORE DESIGNATED METHODS FOR SUBMITTING REQUESTS PURSUANT TO SECTIONS SIX HUNDRED SEVENTY-SIX-C, SIX HUNDRED SEVENTY-SIX-D, AND SIX HUNDRED SEVENTY-SIX-E OF THIS ARTICLE, INCLUDING, AT A MINIMUM, A TELEPHONE NUMBER, AND, IF THE BUSINESS MAIN- TAINS AN INTERNET WEB SITE, A WEB SITE ADDRESS; S. 4021 11 (B) DISCLOSE AND DELIVER THE REQUIRED INFORMATION TO A CONSUMER FREE OF CHARGE WITHIN FORTY-FIVE DAYS OF RECEIVING A VERIFIABLE CONSUMER REQUEST. A BUSINESS SHALL TAKE STEPS TO DETERMINE WHETHER THE REQUEST IS A VERIFIABLE CONSUMER REQUEST FROM THE IDENTIFIED CONSUMER. THE TIME PERIOD MAY BE EXTENDED ONCE BY FORTY-FIVE DAYS WHEN REASONABLY NECES- SARY, PROVIDED THE CONSUMER IS PROVIDED NOTICE OF THE EXTENSION WITHIN THE FIRST FORTY-FIVE DAY PERIOD. THE DISCLOSURE SHALL COVER THE TWELVE MONTH PERIOD PRECEDING THE REQUEST. IT SHALL BE DELIVERED THROUGH THE CONSUMER'S ACCOUNT WITH THE BUSINESS, IF THE CONSUMER MAINTAINS AN ACCOUNT WITH THE BUSINESS, OR BY MAIL OR ELECTRONICALLY AT THE CONSUM- ER'S OPTION, IF THE CONSUMER DOES NOT MAINTAIN AN ACCOUNT WITH THE BUSI- NESS. THE BUSINESS SHALL NOT REQUIRE THE CONSUMER TO CREATE AN ACCOUNT WITH THE BUSINESS IN ORDER TO MAKE A VERIFIABLE REQUEST; (C) ENSURE THAT ALL INDIVIDUALS RESPONSIBLE FOR HANDLING CONSUMER INQUIRIES ABOUT THE BUSINESS'S PRIVACY PRACTICES OR THE BUSINESS'S COMPLIANCE WITH THIS ARTICLE ARE INFORMED OF ALL REQUIREMENTS IN THIS ARTICLE, AND HOW TO DIRECT CONSUMERS TO EXERCISE THEIR RIGHTS IN THIS ARTICLE; AND (D) LIMIT THE USE OF ANY PERSONAL INFORMATION COLLECTED FROM THE CONSUMER IN CONNECTION WITH A BUSINESS'S VERIFICATION OF THE CONSUMER'S REQUEST SOLELY FOR THE PURPOSES OF VERIFICATION. 2. A BUSINESS SHALL NOT BE OBLIGATED TO PROVIDE THE INFORMATION REQUIRED BY SECTIONS SIX HUNDRED SEVENTY-SIX-D AND SIX HUNDRED SEVENTY- SIX-E OF THIS ARTICLE TO THE SAME CONSUMER MORE THAN TWICE IN A TWELVE MONTH PERIOD. § 676-J. EXCEPTIONS. 1. THE OBLIGATIONS IMPOSED ON BUSINESSES BY THIS ARTICLE SHALL NOT RESTRICT A BUSINESS'S OR SERVICE PROVIDER'S ABILITY TO: (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS; (B) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI- GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, OR LOCAL AUTHORITIES; (C) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE BUSINESS, SERVICE PROVIDER, OR THIRD PARTY REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAW; (D) EXERCISE OR DEFEND LEGAL CLAIMS; (E) COLLECT, USE, RETAIN, SELL, OR DISCLOSE CONSUMER INFORMATION THAT IS DE-IDENTIFIED OR IN THE AGGREGATE; OR (F) COLLECT OR SELL A CONSUMER'S PERSONAL INFORMATION IF EVERY ASPECT OF THAT COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE OF THE STATE. FOR PURPOSES OF THIS SECTION, COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE OF THE STATE IF THE BUSINESS COLLECTED INFORMATION WHILE THE CONSUMER WAS OUTSIDE OF THE STATE, NO PART OF THE SALE OF THE CONSUMER'S PERSONAL INFORMATION OCCURRED IN THE STATE, AND NO PERSONAL INFORMATION COLLECTED WHILE THE CONSUMER WAS IN THE STATE IS SOLD. THIS PARAGRAPH SHALL NOT PERMIT A BUSINESS FROM STORING, INCLUDING ON A DEVICE, PERSONAL INFORMA- TION ABOUT A CONSUMER WHEN SUCH CONSUMER IS IN THE STATE AND THEN COLLECTING SUCH PERSONAL INFORMATION WHEN SUCH CONSUMER AND STORED PERSONAL INFORMATION IS OUTSIDE OF THE STATE. 2. NOTHING IN THIS ARTICLE SHALL REQUIRE A BUSINESS TO VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE OR FEDERAL LAW OR PREVENT A BUSINESS FROM PROVIDING THE PERSONAL INFORMATION OF A CONSUMER WHO IS COVERED BY AN EVIDENTIARY PRIVILEGE UNDER STATE OR FEDERAL LAW AS PART OF A PRIVI- LEGED COMMUNICATION. 3. THIS ARTICLE SHALL NOT APPLY TO ANY OF THE FOLLOWING: (A) MEDICAL INFORMATION GOVERNED BY PART 2.6 OF THE CONFIDENTIALITY OF MEDICAL INFORMATION ACT OR PROTECTED HEALTH INFORMATION THAT IS S. 4021 12 COLLECTED BY A COVERED ENTITY OR BUSINESS ASSOCIATE GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED OR ESTABLISHED BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, 45 C.F.R. PARTS 160 AND 164, THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, OR THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLIN- ICAL HEALTH ACT; (B) A PROVIDER OF HEALTH CARE GOVERNED BY PART 2.6 OF THE CONFIDEN- TIALITY OF MEDICAL INFORMATION ACT OR A COVERED ENTITY GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED OR ESTABLISHED BY THE UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, 45 C.F.R. PARTS 160 AND 164, OR THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABIL- ITY ACT OF 1996, TO THE EXTENT THE PROVIDER OR COVERED ENTITY MAINTAINS PATIENT INFORMATION IN THE SAME MANNER AS MEDICAL INFORMATION OR PROTECTED HEALTH INFORMATION AS DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION; (C) INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE "COMMON RULE", PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONIZATION OR PURSUANT TO HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE UNITED STATES FOOD AND DRUG ADMINIS- TRATION; (D) THE SALE OF PERSONAL INFORMATION TO OR FROM A CONSUMER REPORTING AGENCY IF SUCH INFORMATION IS TO BE REPORTED IN, OR USED TO GENERATE, A CONSUMER REPORT AS DEFINED IN SECTION THREE HUNDRED EIGHTY-A OF THIS CHAPTER AND USE OF THAT INFORMATION IS LIMITED BY THE FEDERAL FAIR CRED- IT REPORTING ACT, 15 USC 1681; (E) PERSONAL INFORMATION COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE FEDERAL GRAMM-LEACH-BLILEY ACT OR ANY FINANCIAL PRIVACY LAWS OR REGULATIONS OF THE STATE OF NEW YORK, AND IMPLEMENTING REGU- LATIONS, IF IT IS IN CONFLICT WITH SUCH LAW; OR (F) PERSONAL INFORMATION COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO THE DRIVER'S PRIVACY PROTECTION ACT OF 1994, IF IT IS IN CONFLICT WITH SUCH ACT. 4. NOTWITHSTANDING A BUSINESS' OBLIGATIONS TO RESPOND TO AND HONOR CONSUMER RIGHTS REQUESTS PURSUANT TO SECTIONS SIX HUNDRED SEVENTY-SIX-C, SIX HUNDRED SEVENTY-SIX-D, AND SIX HUNDRED SEVENTY-SIX-E OF THIS ARTI- CLE: (A) THE TIME PERIOD FOR A BUSINESS TO RESPOND TO ANY VERIFIED CONSUMER REQUEST MAY BE EXTENDED BY UP TO NINETY ADDITIONAL DAYS WHERE NECESSARY, TAKING INTO ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. A BUSI- NESS SHALL INFORM THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY; (B) IF A BUSINESS DOES NOT TAKE ACTION ON THE REQUEST OF THE CONSUMER, SUCH BUSINESS SHALL INFORM THE CONSUMER, WITHOUT DELAY AND AT THE LATEST WITHIN THE TIME PERIOD PERMITTED OF RESPONSE BY THIS SECTION, OF THE REASONS FOR NOT TAKING ACTION AND ANY RIGHTS THE CONSUMER MAY HAVE TO APPEAL THE DECISION TO THE BUSINESS; AND (C) IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR BECAUSE OF THEIR REPETITIVE CHARACTER, A BUSINESS MAY EITHER CHARGE A REASONABLE FEE, TAKING INTO ACCOUNT THE ADMINISTRATIVE COSTS OF PROVIDING THE INFORMATION OR COMMUNICATION OR TAKING THE ACTION REQUESTED, OR REFUSE TO ACT ON THE REQUEST AND NOTIFY THE CONSUMER OF THE REASON FOR REFUSING THE REQUEST. SUCH BUSINESS SHALL BEAR THE BURDEN OF DEMONSTRATING THAT ANY VERIFIED CONSUMER REQUEST IS MANIFESTLY UNFOUNDED OR EXCESSIVE. S. 4021 13 5. A BUSINESS THAT DISCLOSES PERSONAL INFORMATION TO A SERVICE PROVID- ER SHALL NOT BE LIABLE UNDER THIS ARTICLE IF THE SERVICE PROVIDER RECEIVING THE PERSONAL INFORMATION USES IT IN VIOLATION OF THE RESTRICTIONS SET FORTH IN THIS ARTICLE, PROVIDED THAT, AT THE TIME OF DISCLOSING THE PERSONAL INFORMATION, SUCH BUSINESS DOES NOT HAVE ACTUAL KNOWLEDGE, OR REASON TO BELIEVE, THAT THE SERVICE PROVIDER INTENDS TO COMMIT SUCH A VIOLATION. A SERVICE PROVIDER SHALL NOT BE LIABLE UNDER THIS ARTICLE FOR THE OBLIGATIONS OF A BUSINESS FOR WHICH IT PROVIDES SERVICES AS SET FORTH IN THIS ARTICLE. 6. THIS ARTICLE SHALL NOT BE CONSTRUED TO: (A) REQUIRE A BUSINESS TO COLLECT OR RETAIN PERSONAL INFORMATION ABOUT A CONSUMER LONGER THAN IT WOULD BE RETAINED SUCH INFORMATION IN THE ORDINARY COURSE OF BUSINESS; OR (B) REQUIRE A BUSINESS TO RE-IDENTIFY OR OTHERWISE LINK INFORMATION THAT IS NOT MAINTAINED IN A MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION. 7. THE RIGHTS AFFORDED TO CONSUMERS AND THE OBLIGATIONS IMPOSED ON A BUSINESS PURSUANT TO THIS ARTICLE SHALL NOT ADVERSELY AFFECT THE RIGHTS AND FREEDOMS OF OTHER CONSUMERS. 8. THE RIGHTS AFFORDED TO CONSUMERS AND THE OBLIGATIONS IMPOSED ON ANY BUSINESS PURSUANT TO THIS ARTICLE SHALL NOT APPLY TO THE EXTENT THAT THEY INFRINGE ON THE NONCOMMERCIAL ACTIVITIES OF A PUBLISHER, EDITOR, REPORTER, OR OTHER PERSON CONNECTED WITH OR EMPLOYED UPON A NEWSPAPER, MAGAZINE, OR OTHER PERIODICAL PUBLICATION, OR BY A PRESS ASSOCIATION OR WIRE SERVICE. § 676-K. CONSUMER'S PRIVATE RIGHT OF ACTION. 1. A CONSUMER WHO HAS SUFFERED A VIOLATION OF THIS ARTICLE MAY BRING A LAWSUIT AGAINST THE BUSINESS THAT COMMITTED SUCH VIOLATION. A VIOLATION OF THIS ARTICLE SHALL BE DEEMED TO CONSTITUTE AN INJURY IN FACT TO THE CONSUMER WHO HAS SUFFERED SUCH VIOLATION, AND THE CONSUMER NEED NOT SUFFER MONETARY OR PROPERTY LOSS AS A RESULT OF SUCH VIOLATION IN ORDER TO BRING AN ACTION FOR A VIOLATION OF THIS ARTICLE. 2. A CONSUMER WHO PREVAILS IN SUCH AN ACTION SHALL OBTAIN THE FOLLOW- ING REMEDIES: (A) DAMAGES IN AN AMOUNT NOT TO EXCEED SEVEN HUNDRED FIFTY DOLLARS PER CONSUMER PER VIOLATION OR ACTUAL DAMAGES, WHICHEVER IS GREATER; (B) INJUNCTIVE OR DECLARATORY RELIEF, AS THE COURT DEEMS PROPER; (C) REASONABLE ATTORNEY FEES AND COSTS; AND (D) ANY OTHER RELIEF THE COURT DEEMS PROPER. 3. IN ASSESSING THE AMOUNT OF STATUTORY DAMAGES, THE COURT SHALL CONSIDER ANY ONE OR MORE OF THE RELEVANT CIRCUMSTANCES PRESENTED BY ANY OF THE PARTIES TO THE CASE, INCLUDING, BUT NOT LIMITED TO, THE NATURE AND SERIOUSNESS OF THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCONDUCT, THE LENGTH OF TIME OVER WHICH THE MISCON- DUCT OCCURRED, THE WILLFULNESS OF THE DEFENDANT'S MISCONDUCT, AND THE DEFENDANT'S ASSETS, LIABILITIES, AND NET WORTH. 4. A CONSUMER BRINGING AN ACTION PURSUANT TO THIS SECTION SHALL NOTIFY THE ATTORNEY GENERAL WITHIN THIRTY DAYS OF THE FILING OF SUCH ACTION. § 676-L. AGENCY ENFORCEMENT ACTION. 1. THE ATTORNEY GENERAL, COUNTY DISTRICT ATTORNEY, OR CITY CORPORATION COUNSEL HAVING PROPER JURISDIC- TION MAY BRING A CIVIL ACTION IN THE NAME OF THE PEOPLE OF THE STATE OF NEW YORK AGAINST ANY PERSON, BUSINESS, OR SERVICE PROVIDER WHO VIOLATES ANY PROVISION OF THIS ARTICLE. 2. ANY PERSON, BUSINESS, OR SERVICE PROVIDER WHO VIOLATES THE PROVISIONS OF THIS ARTICLE MAY BE LIABLE FOR A CIVIL PENALTY OF UP TO SEVEN THOUSAND FIVE HUNDRED DOLLARS FOR EACH INTENTIONAL VIOLATION AND S. 4021 14 OF UP TO TWO THOUSAND FIVE HUNDRED DOLLARS FOR EACH UNINTENTIONAL VIOLATION. § 676-M. CONSTRUCTION. THIS ARTICLE IS INTENDED TO FURTHER THE CONSTI- TUTIONAL RIGHT OF PRIVACY AND TO SUPPLEMENT EXISTING LAWS RELATING TO CONSUMERS' PERSONAL INFORMATION. THE PROVISIONS OF THIS ARTICLE ARE NOT LIMITED TO INFORMATION COLLECTED ELECTRONICALLY OR OVER THE INTERNET, BUT SHALL APPLY TO THE COLLECTION AND SALE OF ALL PERSONAL INFORMATION COLLECTED BY A BUSINESS FROM CONSUMERS. WHEREVER POSSIBLE, LAW RELATING TO CONSUMERS' PERSONAL INFORMATION SHOULD BE CONSTRUED TO HARMONIZE WITH THE PROVISIONS OF THIS ARTICLE, BUT IN THE EVENT OF A CONFLICT BETWEEN OTHER LAWS AND THE PROVISIONS OF THIS ARTICLE, THE PROVISIONS OF THE LAW THAT AFFORD THE GREATEST PROTECTION FOR THE RIGHT OF PRIVACY FOR CONSUM- ERS SHALL CONTROL. § 676-N. ATTORNEY GENERAL REGULATIONS. 1. WITHIN ONE YEAR OF THE EFFECTIVE DATE OF THIS ARTICLE, THE ATTORNEY GENERAL SHALL ADOPT REGU- LATIONS TO FURTHER THE PURPOSES OF THIS ARTICLE, INCLUDING, BUT NOT LIMITED TO: (A) DETAILING AS NEEDED THE TYPES OF INFORMATION THAT ARE PERSONAL INFORMATION IN TECHNOLOGY, DATA COLLECTION PRACTICES, OBSTACLES TO IMPLEMENTATION, AND PRIVACY CONCERNS; (B) ESTABLISHING ANY EXCEPTIONS NECESSARY TO COMPLY WITH STATE OR FEDERAL LAW, INCLUDING, BUT NOT LIMITED TO, THOSE RELATING TO TRADE SECRETS AND INTELLECTUAL PROPERTY RIGHTS; (C) FACILITATING AND GOVERNING THE SUBMISSION OF A REQUEST BY A CONSUMER TO OPT OUT OF THE SALE OF PERSONAL INFORMATION PURSUANT TO SECTION SIX HUNDRED SEVENTY-SIX-F OF THIS ARTICLE; (D) GOVERNING BUSINESS COMPLIANCE WITH A CONSUMER'S OPT-OUT REQUEST; (E) DEVELOPING A RECOGNIZABLE AND UNIFORM OPT-OUT LOGO OR BUTTON BY ALL BUSINESSES TO PROMOTE CONSUMER AWARENESS OF THE OPPORTUNITY TO OPT- OUT OF THE SALE OF PERSONAL INFORMATION; (F) ADJUSTING THE MONETARY THRESHOLD IN CLAUSE ONE OF SUBPARAGRAPH (I) OF PARAGRAPH (C) OF SUBDIVISION ONE OF SECTION SIX HUNDRED SEVENTY-SIX OF THIS ARTICLE IN JANUARY OF EVERY ODD-NUMBERED YEAR TO REFLECT ANY INCREASE IN THE CONSUMER PRICE INDEX; (G) ESTABLISHING RULES, PROCEDURES, AND ANY EXCEPTIONS NECESSARY TO ENSURE THAT THE NOTICES AND INFORMATION THAT BUSINESSES ARE REQUIRED TO PROVIDE PURSUANT TO THIS ARTICLE ARE PROVIDED IN A MANNER THAT MAY BE EASILY UNDERSTOOD BY THE AVERAGE CONSUMER, ARE ACCESSIBLE TO CONSUMERS WITH DISABILITIES, AND ARE AVAILABLE IN THE LANGUAGE PRIMARILY USED TO INTERACT WITH THE CONSUMER, INCLUDING ESTABLISHING RULES AND GUIDELINES REGARDING FINANCIAL INCENTIVE OFFERINGS; AND (H) ESTABLISHING RULES AND PROCEDURES TO FURTHER THE PURPOSES OF SECTIONS SIX HUNDRED SEVENTY-SIX-D AND SIX HUNDRED SEVENTY-SIX-E OF THIS ARTICLE AND TO FACILITATE A CONSUMER'S OR THE CONSUMER'S AUTHORIZED AGENT'S ABILITY TO OBTAIN INFORMATION PURSUANT TO SECTION SIX HUNDRED SEVENTY-SIX-I OF THIS ARTICLE, WITH THE GOAL OF MINIMIZING THE ADMINIS- TRATIVE BURDEN ON CONSUMERS, TAKING INTO ACCOUNT AVAILABLE TECHNOLOGY, SECURITY CONCERNS, AND THE BURDEN ON THE BUSINESS, TO GOVERN A BUSINESS' DETERMINATION THAT A REQUEST FOR INFORMATION RECEIVED BY A CONSUMER IS A VERIFIABLE CONSUMER REQUEST, INCLUDING TREATING A REQUEST SUBMITTED THROUGH A PASSWORD-PROTECTED ACCOUNT MAINTAINED BY THE CONSUMER WITH THE BUSINESS WHILE THE CONSUMER IS LOGGED INTO THE ACCOUNT AS A VERIFIABLE CONSUMER REQUEST AND PROVIDING A MECHANISM FOR A CONSUMER WHO DOES NOT MAINTAIN AN ACCOUNT WITH THE BUSINESS TO REQUEST INFORMATION THROUGH THE BUSINESS' AUTHENTICATION OF THE CONSUMER'S IDENTITY. S. 4021 15 2. THE ATTORNEY GENERAL MAY UPDATE THE FOREGOING REGULATIONS, AND ADOPT ADDITIONAL REGULATIONS, AS NECESSARY TO FURTHER THE PURPOSES OF THIS ARTICLE. 3. BEFORE ADOPTING ANY REGULATIONS, THE ATTORNEY GENERAL SHALL SOLICIT BROAD PUBLIC PARTICIPATION CONCERNING THOSE REGULATIONS. § 676-O. INTERMEDIATE TRANSACTIONS. IF A SERIES OF STEPS OR TRANS- ACTIONS WERE COMPONENT PARTS OF A SINGLE TRANSACTION INTENDED FROM THE BEGINNING TO BE TAKEN WITH THE INTENTION OF AVOIDING THE REACH OF THIS ARTICLE, A COURT SHALL DISREGARD THE INTERMEDIATE STEPS OR TRANSACTIONS FOR PURPOSES OF EFFECTUATING THE PURPOSES OF THIS ARTICLE. § 676-P. NON-WAIVER. ANY PROVISION OF A CONTRACT OR AGREEMENT OF ANY KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S RIGHTS UNDER THIS ARTICLE, INCLUDING, BUT NOT LIMITED TO, ANY RIGHT TO A REMEDY OR MEANS OF ENFORCEMENT, SHALL BE DEEMED CONTRARY TO PUBLIC POLICY AND SHALL BE VOID AND UNENFORCEABLE. THIS SECTION SHALL NOT PREVENT A CONSUMER FROM DECLINING TO REQUEST INFORMATION FROM A BUSINESS, DECLIN- ING TO OPT OUT OF A BUSINESS' SALE OF THE CONSUMER'S PERSONAL INFORMA- TION, OR AUTHORIZING A BUSINESS TO SELL THE CONSUMER'S PERSONAL INFORMA- TION AFTER PREVIOUSLY OPTING OUT. § 676-Q. SEVERABILITY. IF ANY PROVISION OF THIS ARTICLE OR THE APPLI- CATION THEREOF TO ANY PERSON, BUSINESS, SERVICE PROVIDER, OR CIRCUM- STANCES IS HELD INVALID, SUCH INVALIDITY SHALL NOT AFFECT OTHER PROVISIONS OR APPLICATIONS OF THIS ARTICLE WHICH CAN BE GIVEN EFFECT WITHOUT THE INVALID PROVISION OR APPLICATION, AND TO THIS END THE PROVISIONS OF THIS ARTICLE ARE DECLARED TO BE SEVERABLE. § 5. This act shall take effect one year after it shall have become a law.
Comments
Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.
Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.
Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.