NY State Senate Bill 2021-S6701B

Archive: Last Bill Status - In Senate Committee Internet And Technology Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
May 31, 2022	print number 6701b
May 31, 2022	amend and recommit to internet and technology
Feb 08, 2022	reported and committed to internet and technology
Jan 06, 2022	print number 6701a
Jan 06, 2022	amend and recommit to consumer protection
Jan 05, 2022	referred to consumer protection
Jun 10, 2021	committed to rules
May 24, 2021	advanced to third reading
May 20, 2021	2nd report cal.
May 18, 2021	1st report cal.1080
May 12, 2021	referred to consumer protection

Votes

- Feb 8, 2022 - Consumer Protection Committee Vote
  S6701B
  
  5
  
  Aye
  
  1
  
  Nay
  
  1
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Consumer Protection Committee Vote: Feb 8, 2022
      
      aye (5)
      
      Cleare
      
      Kavanagh
      
      Myrie
      
      Reichlin-Melnick
      
      Thomas
      
      nay (1)
      
      Tedisco
      
      aye wr (1)
      
      Mattera
  May 18, 2021 - Consumer Protection Committee Vote
  S6701B
  
  3
  
  Aye
  
  1
  
  Nay
  
  3
  
  Aye with Reservations
  
  0
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  - - Consumer Protection Committee Vote: May 18, 2021
      
      aye (3)
      
      Myrie
      
      Reichlin-Melnick
      
      Thomas
      
      nay (1)
      
      Tedisco
      
      aye wr (3)
      
      Gounardes
      
      Kavanagh
      
      Mattera

Bill Amendments

Original

B (Active)

co-Sponsors

2021-S6701 - Details

Current Committee:: Senate Internet And Technology
Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1107, Gen Bus L
Versions Introduced in 2023-2024 Legislative Session:: S365

2021-S6701 - Summary

Enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

2021-S6701 - Sponsor Memo

                                 
BILL NUMBER: S6701               Revised 5/27/2021

SPONSOR: THOMAS
 
TITLE OF BILL:

An act to amend the general business law, in relation to the management
and oversight of personal data

 
PURPOSE GENERAL IDEA OF BILL:

The purpose of the bill is to help New Yorkers regain their privacy.
The bill, cited as the NY Privacy Act, will require the companies to
attain consent from consumers before processing the personal data of
consumers.

 
SUMMARY OF PROVISIONS:

Section 1 of the bill defines the act as the "New York Privacy Act".

Section 2 of the bill contains the legislative intent.

Section 3 of the bill amends the general business law is amended by

adding a new article 42 with sections 1100, 1101, 1102, 1103, 1104,
1105, 1106, and 1107:

Section 1100 of the new article 42 provides definitions of relevant
terms to be used in this act.

Section 1101 of the new article 42 states that the jurisdictional scope
of this article applies to legal persons that conduct business in New
York State or produce products or services intentionally targeted to
residents in New York State and that satisfy one or more of the required
thresholds. This section also contains exemptions.

Section 1102 of the new article 42 delineates consumer rights including
notice of how their data is being processed and sold, opt-in consent,
the ability to access and obtain a copy of their data in a commonly used
electronic format, the ability to correct inaccurate data and to delete
data, and the ability to challenge certain automated decisions.

Section 1103 of the new article 42 defines the responsibilities and
obligations assigned to controllers, processors and third parties.

First, controllers owe a duty of loyalty to consumers and have to notify
the consumer of any interest that may be harmed before requesting
consent. Controllers are also prohibited from engaging in unfair, decep-
tive, or abusive acts or practices with respect to obtaining consumer
consent, the processing of personal data, and a consumer's exercise of
any rights of this article. Additionally, controllers owe a duty of care
and have to conduct and document risk assessments of all current proc-
esses of personal data at least once a year. Furthermore, controllers
cannot discriminate against consumers for exercising their data rights;
and prior to sharing a consumer's personal data, the controller must
enter into a written and signed contract with a processor before it
provides the consumer's personal data.

Next, processors must act in accordance with the written contract it has
entered into with a controller. The contract sets forth instructions for
processing data; the nature and purpose of the processing; the type of
data subject to processing; the duration of the processing; and their
rights and obligations. In addition, processors are under a continuing
obligation to engage in reasonable measures to review their processing
activities with respect to data identification.

Lastly, for any data acquired or accessed by a third-party from a
controller or processor, the third-party can only process that data to
the extent permitted by the provisions of the written contract and to
the extent necessary for the purpose of obtaining unambiguous opt-in
consent.

Section 1104 of the new article 42 requires data brokers to register and
pay a fee annually with the Attorney General and submit information
regarding the data broker's data use practices and contact information.
The Attorney General will maintain a data broker registry on its
website. Additionally, controllers must annually submit a list of all
known data brokers or persons reasonably believed to be data brokers
with whom the controller provided personal data in the preceding year
and can only share personal data with a registered data broker.

Section 1105 of the new article 42 describes when controllers and
processors are exempt from complying with the obligations set forth in
Section 1103.

Section 1106 of the new article 42 authorizes the Attorney General to
bring an action or special proceeding whenever it appears that a person
has engaged in or is about to engage in a violation of the article. The
section also authorizes private rights of action and class actions.

Section 1107 of the new article 42 contains miscellaneous provisions
including a conflict preemption clause, timing for the Attorney General
to submit a report on the effectiveness of the article, regulatory
authority for the Attorney General, and how consumers can exercise their
rights under this article.

Section 3 of the bill states that the act will take effect immediately;
provided however, that sections 1101, 1102, 1103, 1105, 1106 and 1107 of
the general business law, as added by section three of this act, shall
take effect January 1, 2022.

 
JUSTIFICATION:

According to a Pew survey from 2018, 69% of American adults use at least
one social media platform, up from 5% in 2005. Americans use these plat-
forms to engage with friends and family, to connect with social and
political organizations, and to follow news and current events.  Despite
the platforms' usefulness, many social media users have reservations
about the handling of their personal information. A 2014 Pew survey
found that 91% of Americans believe that people have lost control over
how their personal information is collected and used.  Some 80% of
social media users said they were concerned about advertisers and busi-
nesses accessing and using data that they share on social media plat-
forms. Around 64% of people in this survey also said that the government
should do more to address this issue.

Social media companies obtain their revenues through targeted advertis-
ing based on users' likes, shares, searches, phone numbers, emails, and
other information provided while they use these platforms. According to
The New York Times, some of the largest social media companies fail to
inform or obtain consent from users regarding the sharing of their
personal data. It found that in some instances, these social media
companies share the information of hundreds of millions of users without
notifying their consumers. It also found that if users were to choose
the most restrictive privacy settings made available, their personal
data was still shareable with some external companies or affiliates.
What's more, according to these large social media companies, any infor-
mation shared on these platforms can be given to other companies without
any additional consent.

Currently, there are no federal regulations addressing this privacy
issue, and few attempts of self-regulation by these companies have been
frail and falls well short of addressing consumers' concerns.  Hence,
New York must join the increasing number of other states to fill this
void.

 
PRIOR LEGISLATIVE HISTORY:

2019-20: S.5642 (Thomas) / A.8526 (L. Rosenthal) - Referred to Consumer
Protection.

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

None to the state.

 
EFFECTIVE DATE:
This act shall take effect on the one hundred eightieth day after it
shall have become law.

2021-S6701 - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   6701
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                               May 12, 2021
                                ___________
 
 Introduced  by  Sen.  THOMAS -- read twice and ordered printed, and when
   printed to be committed to the Committee on Consumer Protection
 
 AN ACT to amend the general business law, in relation to the  management
   and oversight of personal data
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. Short title. This act shall be known and may  be  cited  as
 the "New York privacy act".
   §  2.  Legislative  intent.  1.  Privacy is a fundamental right and an
 essential element of freedom. Advances in technology have produced ramp-
 ant growth in the amount and categories of personal  data  being  gener-
 ated,   collected,  stored,  analyzed,  and  potentially  shared,  which
 presents both promise and peril. Companies collect, use  and  share  our
 personal  information in ways that can be difficult for ordinary consum-
 ers to understand. Opaque data processing policies make it impossible to
 evaluate risks and compare privacy-related protections across  services,
 stifling  competition.  Algorithms  quietly make decisions with critical
 consequences for New York consumers, often with no human accountability.
 Behavioral advertising generates profits by turning people into products
 and their activity into assets. New York consumers deserve  more  notice
 and more control over their data and their digital privacy.
   2. This act seeks to help New York consumers regain their privacy.  It
 gives New York consumers the ability to exercise more control over their
 personal data and requires businesses to be responsible, thoughtful, and
 accountable  managers  of  that  information.  To achieve this, this act
 provides New York consumers a number  of  new  rights,  including  clear
 notice of how their data is being used, processed and shared; the abili-
 ty  to  access  and obtain a copy of their data in a commonly used elec-
 tronic format, with the ability to transfer  it  between  services;  the
 ability  to  correct  inaccurate  data and to delete their data; and the
 ability to challenge certain automated decisions. This act also  imposes
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD11397-02-1

 S. 6701                             2
 
 obligations  upon  businesses  to  maintain reasonable data security for
 personal data, to notify New York consumers of foreseeable harms arising
 from use of their data and to obtain specific consent for that use,  and
 to conduct regular assessments to ensure that data is not being used for
 unacceptable purposes. These data assessments can be obtained and evalu-
 ated  by the New York State Attorney General, who is empowered to obtain
 penalties for violations of this act and prevent future violations. This
 act also grants New York consumers who have been injured as  the  result
 of  a  violation  a  private  right of action, which includes reasonable
 attorneys' fees to a prevailing plaintiff.
   § 3. The general business law is amended by adding a new article 42 to
 read as follows:
                                ARTICLE 42
                           NEW YORK PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. JURISDICTIONAL SCOPE.
         1102. CONSUMER RIGHTS.
         1103. CONTROLLER, PROCESSOR, AND THIRD-PARTY RESPONSIBILITIES.
         1104. DATA BROKERS.
         1105. LIMITATIONS.
         1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION.
         1107. MISCELLANEOUS.
   § 1100. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY  THROUGHOUT  THIS
 ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE:
   1.  "AUTOMATED DECISION-MAKING" OR "AUTOMATED DECISION" MEANS A COMPU-
 TATIONAL PROCESS, INCLUDING ONE DERIVED FROM MACHINE  LEARNING,  ARTIFI-
 CIAL  INTELLIGENCE,  OR  ANY OTHER AUTOMATED PROCESS, INVOLVING PERSONAL
 DATA THAT RESULTS IN A DECISION AFFECTING A CONSUMER.
   2. "BIOMETRIC INFORMATION" MEANS ANY PERSONAL DATA GENERATED FROM  THE
 MEASUREMENT  OR  SPECIFIC  TECHNOLOGICAL  PROCESSING  OF AN INDIVIDUAL'S
 BIOLOGICAL, PHYSICAL, OR PHYSIOLOGICAL CHARACTERISTICS, INCLUDING  FING-
 ERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES,
 DEOXYRIBONUCLEIC ACID (DNA) INFORMATION, AND GAIT.
   3.  "BUSINESS  ASSOCIATE"  HAS  THE SAME MEANING AS IN TITLE 45 OF THE
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   4. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A FREELY  GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT
 TO THE PROCESSING OF DATA RELATING TO THE CONSUMER MADE IN RESPONSE TO A
 DEDICATED PROMPT OUTLINING IN CLEAR AND CONSPICUOUS LANGUAGE THE MATERI-
 AL  NATURE  OF  THE  PROCESSING  TO WHICH THE CONSUMER IS CONSENTING.  A
 PRE-CHECKED BOX OR SIMILAR DEFAULT IS NOT AFFIRMATIVE  CONSENT.  CONSENT
 MAY  BE  WITHDRAWN  AT  ANY  TIME,  AND A CONTROLLER MUST PROVIDE CLEAR,
 CONSPICUOUS, AND CONSUMER-FRIENDLY MEANS TO WITHDRAW CONSENT. THE BURDEN
 OF ESTABLISHING CONSENT IS ON THE CONTROLLER.
   5. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING
 ONLY IN AN INDIVIDUAL OR  HOUSEHOLD  CONTEXT.  IT  DOES  NOT  INCLUDE  A
 NATURAL PERSON KNOWN TO BE ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT.
   6.  "CONTROLLER"  MEANS  THE PERSON WHO, ALONE OR JOINTLY WITH OTHERS,
 DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA.
   7. "COVERED ENTITY" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R.,
 ESTABLISHED PURSUANT TO THE FEDERAL  HEALTH  INSURANCE  PORTABILITY  AND
 ACCOUNTABILITY ACT OF 1996.
   8.  "DATA  BROKER" MEANS A PERSON, OR UNIT OR UNITS OF A LEGAL ENTITY,
 SEPARATELY OR TOGETHER, THAT DOES BUSINESS IN THE STATE OF NEW YORK  AND
 KNOWINGLY  COLLECTS,  AND  SELLS  TO  CONTROLLERS  OR THIRD-PARTIES, THE

 S. 6701                             3
 
 PERSONAL DATA OF A  CONSUMER  WITH  WHOM  IT  DOES  NOT  HAVE  A  DIRECT
 RELATIONSHIP. "DATA BROKER" DOES NOT INCLUDE ANY OF THE FOLLOWING:
   (A)  A  CONSUMER  REPORTING AGENCY TO THE EXTENT THAT IT IS COVERED BY
 THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET SEQ.); OR
   (B) A FINANCIAL INSTITUTION TO THE EXTENT THAT IT IS  COVERED  BY  THE
 GRAMM-LEACH-BLILEY  ACT  (PUBLIC  LAW  106-102)  AND  IMPLEMENTING REGU-
 LATIONS.
   9. "DEIDENTIFIED DATA" MEANS DATA THAT CANNOT REASONABLY  BE  USED  TO
 INFER  INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTICULAR CONSUM-
 ER, PROVIDED THAT THE PROCESSOR OR CONTROLLER THAT POSSESSES THE DATA:
   (A) TAKES REASONABLE MEASURES TO ENSURE THAT THE DATA CANNOT BE  ASSO-
 CIATED WITH A CONSUMER OR DEVICE;
   (B) PUBLICLY COMMITS TO PROCESS THE DATA ONLY AS DEIDENTIFIED DATA AND
 NOT  ATTEMPT  TO  REIDENTIFY  THE  DATA,  EXCEPT  THAT THE CONTROLLER OR
 PROCESSOR MAY ATTEMPT TO  REIDENTIFY  THE  INFORMATION  SOLELY  FOR  THE
 PURPOSE  OF  DETERMINING  WHETHER ITS DEIDENTIFICATION PROCESSES SATISFY
 THE REQUIREMENTS OF THIS SUBDIVISION; AND
   (C) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE DATA TO COMPLY  WITH
 ALL PROVISIONS OF THIS ARTICLE.
   10.  "DEVICE"  MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECTING
 TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO  ANOTHER  DEVICE  AND  IS
 INTENDED  FOR  USE  BY A NATURAL PERSON OR HOUSEHOLD OR, IF USED OUTSIDE
 THE HOME, FOR USE BY THE GENERAL PUBLIC.
   11. "MEANINGFUL HUMAN REVIEW" MEANS REVIEW OR OVERSIGHT BY ONE OR MORE
 INDIVIDUALS WHO (A) ARE TRAINED IN THE CAPABILITIES AND  LIMITATIONS  OF
 THE  ALGORITHM  AT  ISSUE AND THE PROCEDURES TO INTERPRET AND ACT ON THE
 OUTPUT OF THE ALGORITHM, AND (B) HAVE THE AUTHORITY TO ALTER  THE  AUTO-
 MATED DECISION UNDER REVIEW.
   12. "NATURAL PERSON" MEANS A NATURAL PERSON ACTING ONLY IN AN INDIVID-
 UAL  OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN TO
 BE ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT.
   13. "PERSON" MEANS A NATURAL PERSON OR A LEGAL ENTITY,  INCLUDING  BUT
 NOT  LIMITED  TO  A  PROPRIETORSHIP,  PARTNERSHIP,  LIMITED PARTNERSHIP,
 CORPORATION, COMPANY, LIMITED LIABILITY COMPANY OR CORPORATION,  ASSOCI-
 ATION,  OR  OTHER  FIRM  OR SIMILAR BODY, OR ANY UNIT, DIVISION, AGENCY,
 DEPARTMENT, OR SIMILAR SUBDIVISION THEREOF.
   14. "PERSONAL DATA" MEANS ANY DATA THAT IS IDENTIFIED OR COULD REASON-
 ABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A SPECIFIC NATURAL  PERSON,
 HOUSEHOLD, OR DEVICE.  PERSONAL DATA DOES NOT INCLUDE DEIDENTIFIED DATA.
   15. "IDENTIFIED OR IDENTIFIABLE NATURAL PERSON" MEANS A NATURAL PERSON
 WHO  CAN  BE IDENTIFIED, DIRECTLY OR INDIRECTLY, SUCH AS BY REFERENCE TO
 AN IDENTIFIER SUCH AS A NAME, AN IDENTIFICATION NUMBER,  LOCATION  DATA,
 OR AN ONLINE OR DEVICE IDENTIFIER.
   16.  "PROCESS,"  "PROCESSES" OR "PROCESSING" MEANS AN OPERATION OR SET
 OF OPERATIONS WHICH ARE PERFORMED ON DATA OR ON SETS OF DATA,  INCLUDING
 BUT  NOT  LIMITED TO THE COLLECTION, USE, ACCESS, SHARING, MONETIZATION,
 ANALYSIS, RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGAN-
 IZATION,  STRUCTURING,  STORAGE,  DISCLOSURE,  TRANSMISSION,   ANALYSIS,
 DISPOSAL, LICENSING, DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFI-
 CATION OF DATA.
   17.  "PROCESSOR"  MEANS  A PERSON THAT PROCESSES DATA ON BEHALF OF THE
 CONTROLLER.
   18. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.

 S. 6701                             4
 
   19. "SALE," "SELL," OR "SOLD" MEANS THE DISCLOSURE, TRANSFER,  CONVEY-
 ANCE,  SHARING,  LICENSING,  MAKING  AVAILABLE,  PROCESSING, GRANTING OF
 PERMISSION OR AUTHORIZATION TO PROCESS, OR OTHER  EXCHANGE  OF  PERSONAL
 DATA,  OR  PROVIDING ACCESS TO PERSONAL DATA FOR MONETARY OR OTHER VALU-
 ABLE  CONSIDERATION BY THE CONTROLLER TO A THIRD-PARTY.  "SALE" INCLUDES
 ENABLING, FACILITATING OR PROVIDING ACCESS TO A  CONSUMER  FOR  TARGETED
 ADVERTISING. "SALE" DOES NOT INCLUDE THE FOLLOWING:
   (A)  THE  DISCLOSURE  OF DATA TO A PROCESSOR WHO PROCESSES THE DATA ON
 BEHALF OF THE CONTROLLER AND  WHICH  IS  CONTRACTUALLY  PROHIBITED  FROM
 USING IT FOR ANY PURPOSE OTHER THAN AS INSTRUCTED BY THE CONTROLLER; OR
   (B)  THE  DISCLOSURE OR TRANSFER OF DATA AS AN ASSET THAT IS PART OF A
 MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN  WHICH  ANOTHER
 ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR A MAJORITY OF THE CONTROL-
 LER'S ASSETS.
   20. "TARGETED ADVERTISING" MEANS DISPLAYING ONLINE ADVERTISEMENTS TO A
 CONSUMER  WHERE  THE  ADVERTISEMENT  IS  SELECTED BASED ON PERSONAL DATA
 OBTAINED FROM A CONSUMER'S ACTIVITIES OVER TIME AND ACROSS ONE  OR  MORE
 DISTINCTLY-BRANDED   WEBSITES,  ONLINE  APPLICATIONS,  OR  SERVICES,  TO
 PREDICT THE CONSUMER'S PREFERENCES OR INTERESTS.   IT DOES  NOT  INCLUDE
 ADVERTISING  (A)  BASED  ON THE CONTEXT OF THE CONSUMER'S CURRENT SEARCH
 QUERY OR VISIT TO A WEBSITE OR ONLINE APPLICATION, OR (B) TO A  CONSUMER
 IN  DIRECT  RESPONSE  TO THE CONSUMER'S REQUEST FOR INFORMATION OR FEED-
 BACK.
   21. "THIRD-PARTY" MEANS, WITH RESPECT TO A PARTICULAR  INTERACTION  OR
 OCCURRENCE,  A  PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER THAN THE
 CONSUMER, THE CONTROLLER, OR PROCESSOR OF THE CONTROLLER.  A THIRD PARTY
 MAY ALSO BE A CONTROLLER IF THE  THIRD  PARTY,  ALONE  OR  JOINTLY  WITH
 OTHERS,  DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL
 DATA.
   22. "VERIFIED REQUEST" MEANS A REQUEST BY A  CONSUMER  TO  EXERCISE  A
 RIGHT  AUTHORIZED  BY  THIS  ARTICLE, THE AUTHENTICITY OF WHICH HAS BEEN
 ASCERTAINED BY THE CONTROLLER IN ACCORDANCE WITH PARAGRAPH (C) OF SUBDI-
 VISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE.
   § 1101. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL PERSONS
 THAT CONDUCT BUSINESS IN NEW YORK OR PRODUCE PRODUCTS OR  SERVICES  THAT
 ARE  TARGETED  TO RESIDENTS OF NEW YORK, AND THAT SATISFY ONE OR MORE OF
 THE FOLLOWING THRESHOLDS:
   (A) HAVE ANNUAL GROSS REVENUE OF TWENTY-FIVE MILLION DOLLARS OR MORE;
   (B) CONTROLS OR  PROCESSES  PERSONAL  DATA  OF  ONE  HUNDRED  THOUSAND
 CONSUMERS OR MORE;
   (C)  CONTROLS  OR  PROCESSES  PERSONAL  DATA  OF FIVE HUNDRED THOUSAND
 NATURAL PERSONS OR MORE NATIONWIDE, AND CONTROLS OR  PROCESSES  PERSONAL
 DATA OF TEN THOUSAND CONSUMERS; OR
   (D)  DERIVES  OVER  FIFTY  PERCENT  OF  GROSS REVENUE FROM THE SALE OF
 PERSONAL DATA, AND CONTROLS OR PROCESSES PERSONAL  DATA  OF  TWENTY-FIVE
 THOUSAND CONSUMERS OR MORE.
   2. THIS ARTICLE DOES NOT APPLY TO:
   (A) PERSONAL DATA PROCESSED BY STATE AND LOCAL GOVERNMENTS, AND MUNIC-
 IPAL  CORPORATIONS, FOR PROCESSES OTHER THAN SALE (FILING AND PROCESSING
 FEES ARE NOT SALE);
   (B) INFORMATION THAT MEETS THE FOLLOWING CRITERIA:
   (I) PERSONAL DATA  REQUIRED  TO  BE  COLLECTED,  PROCESSED,  SOLD,  OR
 DISCLOSED PURSUANT TO THE FEDERAL GRAMM-LEACH-BLILEY ACT (P.L. 106-102),
 AND  IMPLEMENTING  REGULATIONS,  IF THE COLLECTION, PROCESSING, SALE, OR
 DISCLOSURE IS IN COMPLIANCE WITH SUCH LAW;

 S. 6701                             5
 
   (II) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR  DISCLOSED  PURSUANT
 TO  THE  FEDERAL DRIVER'S PRIVACY PROTECTION ACT OF 1994 (18 U.S.C. SEC.
 2721 ET SEQ.), IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN
 COMPLIANCE WITH THAT LAW;
   (III) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS
 AND PRIVACY ACT, U.S.C. SEC. 1232G AND ITS IMPLEMENTING REGULATIONS;
   (IV)  PERSONAL  DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT
 TO THE FEDERAL FARM CREDIT ACT OF 1971 (AS AMENDED  IN  12  U.S.C.  SEC.
 2001-2279CC)  AND  ITS  IMPLEMENTING  REGULATIONS (12 C.F.R. PART 600 ET
 SEQ.) IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN  COMPLI-
 ANCE WITH THAT LAW;
   (V) PERSONAL DATA REGULATED BY SECTION TWO-D OF THE EDUCATION LAW;
   (VI)  DATA  MAINTAINED  FOR  EMPLOYMENT RECORDS PURPOSES, FOR PURPOSES
 OTHER THAN SALE;
   (VII) PROTECTED HEALTH INFORMATION THAT  IS  COLLECTED  BY  A  COVERED
 ENTITY  OR  BUSINESS  ASSOCIATE  GOVERNED  BY THE PRIVACY, SECURITY, AND
 BREACH NOTIFICATION RULES ISSUED BY  THE  UNITED  STATES  DEPARTMENT  OF
 HEALTH  AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF
 FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTA-
 BILITY AND ACCOUNTABILITY ACT OF 1996 (PUBLIC LAW 104-191) ("HIPAA") AND
 THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL  HEALTH  ACT
 (PUBLIC LAW 111-5);
   (VIII)  PATIENT IDENTIFYING INFORMATION FOR PURPOSES OF 42 C.F.R. PART
 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290DD-2;
   (IX) INFORMATION AND DOCUMENTS CREATED FOR  PURPOSES  OF  THE  FEDERAL
 HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986, AND RELATED REGULATIONS;
   (X)  PATIENT  SAFETY  WORK  PRODUCT  FOR PURPOSES OF 42 C.F.R. PART 3,
 ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 299B-21 THROUGH 299B-26;
   (XI) INFORMATION ORIGINATING FROM, AND INTERMINGLED  TO  BE  INDISTIN-
 GUISHABLE  FROM,  OR INFORMATION TREATED IN THE SAME MANNER AS, INFORMA-
 TION EXEMPT UNDER THIS SUBDIVISION THAT IS MAINTAINED BY A COVERED ENTI-
 TY OR BUSINESS ASSOCIATE AS DEFINED BY HIPAA OR A PROGRAM OR A QUALIFIED
 SERVICE ORGANIZATION AS DEFINED BY 42 U.S.C. § 290DD-2;
   (XII) DEIDENTIFIED HEALTH INFORMATION THAT MEETS ALL OF THE  FOLLOWING
 CONDITIONS:
   (A) IT IS DEIDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DEIDEN-
 TIFICATION  SET  FORTH IN SECTION 164.514 OF PART 164 OF TITLE 45 OF THE
 CODE OF FEDERAL REGULATIONS;
   (B) IT IS DERIVED  FROM  PROTECTED  HEALTH  INFORMATION,  INDIVIDUALLY
 IDENTIFIABLE  HEALTH  INFORMATION,  OR  IDENTIFIABLE PRIVATE INFORMATION
 CONSISTENT WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS,
 ALSO KNOWN AS THE COMMON RULE; AND
   (C) A COVERED ENTITY OR BUSINESS ASSOCIATE DOES NOT ATTEMPT TO REIDEN-
 TIFY THE INFORMATION NOR DO THEY  ACTUALLY  REIDENTIFY  THE  INFORMATION
 EXCEPT AS OTHERWISE ALLOWED UNDER STATE OR FEDERAL LAW;
   (XIII)  PATIENT INFORMATION MAINTAINED BY A COVERED ENTITY OR BUSINESS
 ASSOCIATE GOVERNED BY THE PRIVACY,  SECURITY,  AND  BREACH  NOTIFICATION
 RULES  ISSUED  BY  THE  UNITED  STATES  DEPARTMENT  OF  HEALTH AND HUMAN
 SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE  CODE  OF  FEDERAL  REGU-
 LATIONS,  ESTABLISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY AND
 ACCOUNTABILITY ACT OF 1996 (PUBLIC  LAW  104-191),  TO  THE  EXTENT  THE
 COVERED  ENTITY  OR BUSINESS ASSOCIATE MAINTAINS THE PATIENT INFORMATION
 IN THE SAME MANNER AS  PROTECTED  HEALTH  INFORMATION  AS  DESCRIBED  IN
 SUBPARAGRAPH (VII) OF THIS PARAGRAPH;
   (XIV)  DATA  COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH, INCLUDING A
 CLINICAL TRIAL, CONDUCTED IN ACCORDANCE WITH THE FEDERAL POLICY FOR  THE

 S. 6701                             6
 
 PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO
 GOOD  CLINICAL  PRACTICE  GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL
 FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT  PROTECTION  REQUIREMENTS
 OF THE UNITED STATES FOOD AND DRUG ADMINISTRATION; OR
   (XV)  PERSONAL  DATA  PROCESSED  ONLY FOR ONE OR MORE OF THE FOLLOWING
 PURPOSES:
   (A) PRODUCT  REGISTRATION  AND  TRACKING  CONSISTENT  WITH  APPLICABLE
 UNITED STATES FOOD AND DRUG ADMINISTRATION REGULATIONS AND GUIDANCE;
   (B)  PUBLIC  HEALTH  ACTIVITIES  AND  PURPOSES AS DESCRIBED IN SECTION
 164.512 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; AND/OR
   (C) ACTIVITIES RELATED TO QUALITY, SAFETY, OR EFFECTIVENESS  REGULATED
 BY THE UNITED STATES FOOD AND DRUG ADMINISTRATION;
   (C) (I) AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE,
 SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S
 CREDIT  WORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL
 REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING  BY  A  CONSUMER
 REPORTING  AGENCY,  AS  DEFINED  IN  TITLE 15 U.S.C. SEC. 1681A(F), BY A
 FURNISHER OF INFORMATION, AS SET FORTH IN TITLE 15 U.S.C. SEC.  1681S-2,
 WHO PROVIDES INFORMATION FOR USE IN A CONSUMER  REPORT,  AS  DEFINED  IN
 TITLE  15  U.S.C.  SEC. 1861A(D), AND BY A USER OF A CONSUMER REPORT, AS
 SET FORTH IN TITLE 15 U.S.C. SEC. 1681B.; AND
   (II) THIS PARAGRAPH SHALL APPLY ONLY TO THE EXTENT THAT SUCH  ACTIVITY
 INVOLVING  THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION,
 OR USE OF SUCH DATA BY THAT AGENCY, FURNISHER, OR  USER  IS  SUBJECT  TO
 REGULATION  UNDER  THE  FAIR  CREDIT REPORTING ACT, TITLE 15 U.S.C. SEC.
 1681 ET SEQ., AND THE DATA IS NOT COLLECTED, MAINTAINED, USED,  COMMUNI-
 CATED,  DISCLOSED,  OR  SOLD  EXCEPT  AS  AUTHORIZED  BY THE FAIR CREDIT
 REPORTING ACT.
   § 1102. CONSUMER RIGHTS. 1. RIGHT TO NOTICE. (A) NOTICE. EACH CONTROL-
 LER THAT PROCESSES A CONSUMER'S PERSONAL DATA  MUST  MAKE  PUBLICLY  AND
 PERSISTENTLY  AVAILABLE, IN A CONSPICUOUS AND READILY ACCESSIBLE MANNER,
 A NOTICE CONTAINING THE FOLLOWING:
   (I) A DESCRIPTION OF THE  CONSUMER'S  RIGHTS  UNDER  SUBDIVISIONS  TWO
 THROUGH  SIX  OF  THIS  SECTION  AND  HOW  A CONSUMER MAY EXERCISE THOSE
 RIGHTS, INCLUDING HOW TO WITHDRAW CONSENT;
   (II) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE  CONTROLLER  AND
 BY  ANY  PROCESSOR WHO PROCESSES PERSONAL DATA ON BEHALF OF THE CONTROL-
 LER;
   (III) THE SOURCES FROM WHICH PERSONAL DATA IS COLLECTED;
   (IV) THE PURPOSES FOR PROCESSING PERSONAL DATA;
   (V) THE IDENTITY OF EACH PROCESSOR OR THIRD PARTY TO WHOM THE CONTROL-
 LER DISCLOSES, SHARES, TRANSFERS, OR SELLS PERSONAL DATA AND,  FOR  EACH
 IDENTIFIED PROCESSOR OR THIRD PARTY, (A) THE CATEGORIES OF PERSONAL DATA
 BEING  SHARED, DISCLOSED, TRANSFERRED, OR SOLD TO THE PROCESSOR OR THIRD
 PARTY, (B) THE  PURPOSES  FOR  WHICH  PERSONAL  DATA  IS  BEING  SHARED,
 DISCLOSED, TRANSFERRED, OR SOLD TO THE PROCESSOR OR THIRD PARTY, (C) THE
 THIRD  PARTY'S RETENTION PERIOD FOR EACH CATEGORY OF PERSONAL DATA PROC-
 ESSED BY THE THIRD PARTY OR PROCESSED ON THEIR BEHALF, OR IF THAT IS NOT
 POSSIBLE, THE CRITERIA USED TO DETERMINE THE PERIOD, AND (D) WHETHER THE
 ENTITY USES THE PERSONAL DATA FOR TARGETED ADVERTISING;
   (VI) THE CONTROLLER'S RETENTION PERIOD FOR EACH CATEGORY  OF  PERSONAL
 DATA  THAT  THEY  PROCESS OR IS PROCESSED ON THEIR BEHALF, OR IF THAT IS
 NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD; AND
   (VII)  FOR  CONTROLLERS  ENGAGING  IN  TARGETED  ADVERTISING,  AVERAGE
 EXPECTED REVENUE PER USER (ARPU) OR A SIMILAR METRIC FOR THE MOST RECENT
 FISCAL YEAR FOR THE REGION THAT COVERS NEW YORK.

 S. 6701                             7
 
   (B) NOTICE REQUIREMENTS.
   (I)  THE  NOTICE  MUST BE WRITTEN IN EASY-TO-UNDERSTAND LANGUAGE AT AN
 EIGHTH GRADE READING LEVEL OR BELOW.
   (II) THE CATEGORIES OF PERSONAL DATA PROCESSED AND PURPOSES FOR  WHICH
 EACH CATEGORY OF PERSONAL DATA IS PROCESSED MUST BE DESCRIBED AT A LEVEL
 SPECIFIC ENOUGH TO ENABLE A CONSUMER TO EXERCISE MEANINGFUL CONTROL OVER
 THEIR  PERSONAL DATA BUT NOT SO SPECIFIC AS TO RENDER THE NOTICE UNHELP-
 FUL TO A REASONABLE CONSUMER.
   (III) THE NOTICE MUST BE DATED WITH ITS EFFECTIVE DATE AND UPDATED  AT
 LEAST ANNUALLY.
   (IV)  THE  NOTICE,  AS WELL AS EACH VERSION OF THE NOTICE IN EFFECT IN
 THE PRECEDING SIX YEARS,   MUST BE EASILY ACCESSIBLE  TO  CONSUMERS  AND
 CAPABLE OF BEING VIEWED BY CONSUMERS AT ANY TIME.
   2. OPT-IN CONSENT.  (A) A CONTROLLER MUST OBTAIN FREELY GIVEN, SPECIF-
 IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM A CONSUMER TO:
   (I) PROCESS THE CONSUMER'S PERSONAL DATA FOR ANY PURPOSE; OR
   (II) MAKE ANY CHANGES IN THE PROCESSING OR PROCESSING PURPOSE, INCLUD-
 ING  THE METHOD AND SCOPE OF COLLECTION, OF THE CONSUMER'S PERSONAL DATA
 THAT ARE LESS PROTECTIVE OF THE CONSUMER'S PERSONAL DATA THAN THE  PROC-
 ESSING  TO  WHICH  THE CONSUMER HAS PREVIOUSLY GIVEN THEIR FREELY GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT.
   (B) ANY REQUEST FOR CONSENT  MUST,  IN  A  STANDALONE  DISCLOSURE,  BE
 PROVIDED  TO THE CONSUMER PRIOR TO PROCESSING THEIR PERSONAL DATA, SEPA-
 RATE AND APART FROM ANY CONTRACT OR  PRIVACY  POLICY.  THE  REQUEST  FOR
 CONSENT MUST:
   (I)  INCLUDE  A  CLEAR AND CONSPICUOUS DESCRIPTION OF EACH CATEGORY OF
 DATA AND PROCESSING PURPOSE FOR WHICH CONSENT IS SOUGHT;
   (II) CLEARLY IDENTIFY AND DISTINGUISH BETWEEN CATEGORIES OF  DATA  AND
 PROCESSING  PURPOSES THAT ARE NECESSARY TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY THE CONSUMER AND CATEGORIES OF DATA AND PROCESSING PURPOSES
 THAT ARE NOT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER;
   (III) ENABLE A REASONABLE CONSUMER TO EASILY IDENTIFY  THE  CATEGORIES
 OF DATA AND PROCESSING PURPOSES FOR WHICH CONSENT IS SOUGHT;
   (IV)  CLEARLY  PRESENT  AS  THE  MOST  CONSPICUOUS CHOICE AN OPTION TO
 PROVIDE ONLY THE CONSENT NECESSARY TO  PROVIDE  THE  SERVICES  OR  GOODS
 REQUESTED BY THE CONSUMER;
   (V) CLEARLY PRESENT AN OPTION TO DENY CONSENT; AND
   (VI) WHERE THE REQUEST SEEKS CONSENT TO SHARING, DISCLOSURE, TRANSFER,
 OR  SALE  OF  PERSONAL  DATA  TO THIRD PARTIES, IDENTIFY EACH SUCH THIRD
 PARTY, THE CATEGORIES OF DATA SOLD OR SHARED WITH THEM,  THE  PROCESSING
 PURPOSES, THE RETENTION PERIOD, OR IF THAT IS NOT POSSIBLE, THE CRITERIA
 USED  TO  DETERMINE  THE  PERIOD, AND FOR EACH THIRD PARTY STATE IF SUCH
 SHARING, DISCLOSURE, TRANSFER, OR  SALE  ENABLES  OR  INVOLVES  TARGETED
 ADVERTISING.  THE  DETAILS  OF IDENTITIES OF SUCH THIRD PARTIES, AND THE
 CATEGORIES OF DATA, PROCESSING PURPOSES, AND THE RETENTION  PERIOD,  MAY
 BE  SET  FORTH  IN A DIFFERENT DISCLOSURE, PROVIDED THAT THE REQUEST FOR
 CONSENT CONTAINS A CONSPICUOUS AND  DIRECTLY  ACCESSIBLE  LINK  TO  THAT
 DISCLOSURE.
   (C)  TARGETED  ADVERTISING  AND  SALE  OF  PERSONAL  DATA SHALL NOT BE
 CONSIDERED PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE SERVICES OR
 GOODS REQUESTED BY A CONSUMER.
   (D) ONCE A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND
 UNAMBIGUOUS OPT-IN CONSENT TO PROCESS THEIR PERSONAL DATA FOR A PROCESS-
 ING PURPOSE, A CONTROLLER MAY RELY ON SUCH CONSENT  UNTIL  IT  IS  WITH-
 DRAWN.

 S. 6701                             8
 
   (E)  A  CONTROLLER MUST PROVIDE A MECHANISM FOR A CONSUMER TO WITHDRAW
 PREVIOUSLY GIVEN CONSENT AT ANY TIME. SUCH MECHANISM SHALL  MAKE  IT  AS
 EASY FOR A CONSUMER TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH CONSUMER
 TO  PROVIDE  CONSENT.  THE  CONTROLLER  MAY STYLE THE MECHANISM ALLOWING
 CONSUMERS TO WITHDRAW PREVIOUSLY GIVEN CONSENT AS AN OPT-OUT.
   (F)  A  CONTROLLER  MUST NOT INFER THAT A CONSUMER HAS PROVIDED FREELY
 GIVEN, SPECIFIC, INFORMED,  AND  UNAMBIGUOUS  OPT-IN  CONSENT  FROM  THE
 CONSUMER'S  INACTION  OR  THE  CONSUMER'S  CONTINUED USE OF A SERVICE OR
 PRODUCT PROVIDED BY THE CONTROLLER.
   (G) TO THE EXTENT THAT A CONTROLLER  MUST  PROCESS  INTERNET  PROTOCOL
 ADDRESSES,  SYSTEM  CONFIGURATION  INFORMATION, URLS OF REFERRING PAGES,
 LOCALE AND LANGUAGE PREFERENCES, KEYSTROKES,  OR  ANY  OTHER  DATA  THAT
 INDIVIDUALLY  OR  COLLECTIVELY  MAY  COMPRISE  PERSONAL DATA IN ORDER TO
 OBTAIN A CONSUMER'S FREELY GIVEN, SPECIFIC,  INFORMED,  AND  UNAMBIGUOUS
 OPT-IN CONSENT, THE CONTROLLER MUST:
   (I)  PROCESS ONLY THE PERSONAL DATA NECESSARY TO REQUEST FREELY GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT;
   (II) PROCESS THE PERSONAL DATA SOLELY TO REQUEST FREELY GIVEN, SPECIF-
 IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT; AND
   (III) IMMEDIATELY DELETE THE PERSONAL DATA  IF  CONSENT  IS  WITHHELD,
 DENIED, OR WITHDRAWN.
   (H)  CONTROLLERS  MUST  NOT  REQUEST  CONSENT  FROM A CONSUMER WHO HAS
 PREVIOUSLY WITHHELD OR DENIED CONSENT, UNLESS CONSENT  IS  NECESSARY  TO
 PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER.
   (I) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A BROWSER,
 BROWSER   PLUG-IN,  SMARTPHONE  APPLICATION,  OPERATING  SYSTEM,  DEVICE
 SETTING, OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE  CONSUMER'S
 CHOICE  NOT  TO  BE SUBJECT TO TARGETED ADVERTISING OR THE SALE OF THEIR
 PERSONAL DATA AS A DENIAL OF CONSENT UNDER THIS ACT. TO THE EXTENT  THAT
 THE  PRIVACY  CONTROL  CONFLICTS  WITH A CONSUMER'S CONSENT, THE PRIVACY
 CONTROL SETTINGS GOVERN, UNLESS  THE  CONSUMER  PROVIDES  FREELY  GIVEN,
 SPECIFIC,  INFORMED,  AND  UNAMBIGUOUS  OPT-IN  CONSENT  TO OVERRIDE THE
 PRIVACY CONTROL.
   (J) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A  CONSUMER  FOR  WITH-
 HOLDING OR DENYING CONSENT, INCLUDING, BUT NOT LIMITED TO, BY:
   (I)  DENYING  SERVICES  OR  GOODS TO THE CONSUMER, UNLESS THE CONSUMER
 DOES NOT CONSENT TO PROCESSING NECESSARY  TO  PROVIDE  THE  SERVICES  OR
 GOODS REQUESTED BY THE CONSUMER;
   (II)  CHARGING  DIFFERENT  PRICES  FOR  GOODS  OR  SERVICES, INCLUDING
 THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING  PENALTIES,  OR
 PROVIDING  A  DIFFERENT  LEVEL  OR  QUALITY  OF SERVICES OR GOODS TO THE
 CONSUMER; OR
   (III) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT  PRICE  OR
 RATE  FOR  GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF SERVICES
 OR GOODS.
   (K) A CONTROLLER MAY, WITH  THE  CONSUMER'S  FREELY  GIVEN,  SPECIFIC,
 INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION,
 OPERATE  A  PROGRAM  IN WHICH INFORMATION, PRODUCTS, OR SERVICES SOLD TO
 THE CONSUMER ARE DISCOUNTED BASED ON  SUCH  CONSUMER'S  PRIOR  PURCHASES
 FROM  THE  CONTROLLER,  PROVIDED  THAT THE PERSONAL DATA USED TO OPERATE
 SUCH PROGRAM IS PROCESSED SOLELY  FOR  THE  PURPOSE  OF  OPERATING  SUCH
 PROGRAM.
   (L) IN THE EVENT OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANS-
 ACTION  IN  WHICH  ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR
 MAJORITY OF  THE  CONTROLLER'S  ASSETS,  ANY  CONSENT  PROVIDED  TO  THE

 S. 6701                             9
 
 CONTROLLER BY A CONSUMER PRIOR TO SUCH TRANSACTION SHALL BE DEEMED WITH-
 DRAWN.
   3.  RIGHT  TO  ACCESS.  UPON  THE  VERIFIED  REQUEST  OF A CONSUMER, A
 CONTROLLER SHALL:
   (A) CONFIRM WHETHER OR NOT THE CONTROLLER IS PROCESSING OR  HAS  PROC-
 ESSED  PERSONAL  DATA  OF THAT CONSUMER, AND PROVIDE ACCESS TO A COPY OF
 ANY SUCH PERSONAL DATA WHEN REQUESTED; AND
   (B) PROVIDE THE IDENTITY OF EACH PROCESSOR OR THIRD-PARTY TO WHOM  THE
 CONTROLLER  DISCLOSED, TRANSFERRED, OR SOLD THE CONSUMER'S PERSONAL DATA
 AND, FOR EACH IDENTIFIED PROCESSOR OR THIRD-PARTY, (A) THE CATEGORIES OF
 THE CONSUMER'S PERSONAL DATA DISCLOSED, TRANSFERRED,  OR  SOLD  TO  EACH
 PROCESSOR OR THIRD-PARTY AND (B) THE PURPOSES FOR WHICH EACH CATEGORY OF
 THE CONSUMER'S PERSONAL DATA WAS DISCLOSED, TRANSFERRED, OR SOLD TO EACH
 PROCESSOR OR THIRD-PARTY.
   4. RIGHT TO PORTABLE DATA.  UPON A VERIFIED REQUEST, AND TO THE EXTENT
 TECHNICALLY FEASIBLE, THE CONTROLLER MUST: (A) PROVIDE TO THE CONSUMER A
 COPY  OF  ALL  OF, OR A PORTION OF, AS DESIGNATED IN A VERIFIED REQUEST,
 THE  CONSUMER'S  PERSONAL  DATA  IN  A  STRUCTURED,  COMMONLY  USED  AND
 MACHINE-READABLE  FORMAT AND (B) AT THE CONSUMER'S REQUEST, TRANSMIT THE
 DATA TO ANOTHER PERSON OF THE CONSUMER'S DESIGNATION WITHOUT HINDRANCE.
   5. RIGHT TO CORRECT. (A) UPON THE VERIFIED REQUEST OF  A  CONSUMER,  A
 CONTROLLER  MUST CONDUCT A REASONABLE INVESTIGATION TO DETERMINE WHETHER
 PERSONAL DATA, THE ACCURACY OF WHICH IS DISPUTED  BY  THE  CONSUMER,  IS
 INACCURATE,  WITH  SUCH  INVESTIGATION  TO  BE CONCLUDED WITHIN THE TIME
 PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION EIGHT OF THIS SECTION.
   (B) NOTWITHSTANDING PARAGRAPH (A) OF THIS  SUBDIVISION,  A  CONTROLLER
 MAY  TERMINATE  AN INVESTIGATION OF PERSONAL DATA DISPUTED BY A CONSUMER
 UNDER SUCH PARAGRAPH IF THE CONTROLLER REASONABLY  DETERMINES  THAT  THE
 DISPUTE  BY  THE CONSUMER IS FRIVOLOUS, INCLUDING BY REASON OF A FAILURE
 BY A CONSUMER TO  PROVIDE  SUFFICIENT  INFORMATION  TO  INVESTIGATE  THE
 DISPUTED PERSONAL DATA. UPON MAKING ANY DETERMINATION IN ACCORDANCE WITH
 THIS  PARAGRAPH  THAT  A DISPUTE IS FRIVOLOUS, A CONTROLLER MUST, WITHIN
 THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION EIGHT OF  THIS
 SECTION,  PROVIDE  THE  AFFECTED  CONSUMER  A  STATEMENT IN WRITING THAT
 INCLUDES, AT A MINIMUM, THE SPECIFIC REASONS FOR THE DETERMINATION,  AND
 IDENTIFICATION  OF  ANY INFORMATION REQUIRED TO INVESTIGATE THE DISPUTED
 PERSONAL DATA, WHICH MAY CONSIST OF A STANDARDIZED FORM  DESCRIBING  THE
 GENERAL NATURE OF SUCH INFORMATION.
   (C)  IF,  AFTER ANY INVESTIGATION UNDER PARAGRAPH (A) OF THIS SUBDIVI-
 SION OF ANY PERSONAL DATA  DISPUTED  BY  A  CONSUMER,  AN  ITEM  OF  THE
 PERSONAL  DATA  IS  FOUND  TO  BE INACCURATE OR INCOMPLETE, OR CANNOT BE
 VERIFIED, THE CONTROLLER MUST:
   (I) CORRECT THE INACCURATE OR INCOMPLETE PERSONAL DATA OF THE  CONSUM-
 ER; AND
   (II)  UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT,
 COMMUNICATE SUCH REQUEST TO EACH PROCESSOR OR THIRD-PARTY  TO  WHOM  THE
 CONTROLLER  DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA WITHIN ONE
 YEAR PRECEDING THE CONSUMER'S REQUEST, AND TO REQUIRE  THOSE  PROCESSORS
 OR THIRD-PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD-PAR-
 TIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (D)  IF  THE  INVESTIGATION DOES NOT RESOLVE THE DISPUTE, THE CONSUMER
 MAY FILE WITH THE CONTROLLER A BRIEF STATEMENT SETTING FORTH THE  NATURE
 OF THE DISPUTE. WHENEVER A STATEMENT OF A DISPUTE IS FILED, UNLESS THERE
 EXISTS  REASONABLE GROUNDS TO BELIEVE THAT IT IS FRIVOLOUS, THE CONTROL-
 LER MUST NOTE THAT IT IS DISPUTED BY THE CONSUMER AND INCLUDE EITHER THE
 CONSUMER'S STATEMENT OR A CLEAR AND  ACCURATE  CODIFICATION  OR  SUMMARY

 S. 6701                            10

 THEREOF WITH THE DISPUTED PERSONAL DATA WHENEVER IT IS DISCLOSED, TRANS-
 FERRED, OR SOLD TO ANY PROCESSOR OR THIRD-PARTY.
   6.  RIGHT  TO  DELETE.  (A) UPON THE VERIFIED REQUEST OF A CONSUMER, A
 CONTROLLER MUST:
   (I) WITHIN A REASONABLE AMOUNT OF TIME AFTER  RECEIVING  THE  VERIFIED
 REQUEST,  DELETE  ANY OR ALL PERSONAL DATA, AS DIRECTED BY THE CONSUMER,
 THAT THE CONTROLLER POSSESSES OR CONTROLS; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE  EFFORT,
 COMMUNICATE  SUCH  REQUEST  TO EACH PROCESSOR OR THIRD-PARTY TO WHOM THE
 CONTROLLER DISCLOSED, TRANSFERRED OR SOLD THE PERSONAL DATA  WITHIN  ONE
 YEAR PRECEDING THE CONSUMER'S REQUEST AND TO REQUIRE THOSE PROCESSORS OR
 THIRD-PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD-PARTIES
 THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (B) FOR PERSONAL DATA THAT IS NOT POSSESSED BY THE CONTROLLER BUT BY A
 PROCESSOR  OF  THE CONTROLLER, THE CONTROLLER MAY CHOOSE TO (I) COMMUNI-
 CATE THE CONSUMER'S REQUEST FOR  DELETION  TO  THE  PROCESSOR,  OR  (II)
 REQUEST  THAT  THE  PROCESSOR RETURN TO THE CONTROLLER THE PERSONAL DATA
 THAT IS THE SUBJECT OF THE CONSUMER'S REQUEST AND DELETE  SUCH  PERSONAL
 DATA UPON RECEIPT OF THE REQUEST.
   (C) A CONSUMER'S DELETION OF THEIR ONLINE ACCOUNT MUST BE TREATED AS A
 REQUEST  TO  THE  CONTROLLER  TO  DELETE ALL OF THAT CONSUMER'S PERSONAL
 DATA.
   (D) A CONTROLLER  MUST  MAINTAIN  REASONABLE  PROCEDURES  DESIGNED  TO
 PREVENT  THE  REAPPEARANCE IN ITS SYSTEMS, AND IN ANY DATA IT DISCLOSES,
 TRANSFERS, OR SELLS TO ANY PROCESSOR OR THIRD-PARTY, THE  PERSONAL  DATA
 THAT IS DELETED PURSUANT TO THIS SUBDIVISION.
   (E)  A  CONTROLLER IS NOT REQUIRED TO COMPLY WITH A CONSUMER'S REQUEST
 TO DELETE PERSONAL DATA IF:
   (I) COMPLYING WITH THE  REQUEST  WOULD  PREVENT  THE  CONTROLLER  FROM
 PERFORMING  ACCOUNTING  FUNCTIONS,  PROCESSING  REFUNDS,  EFFECTUATING A
 PRODUCT RECALL PURSUANT TO FEDERAL OR STATE LAW, OR FULFILLING  WARRANTY
 CLAIMS,  PROVIDED  THAT  THE  PERSONAL  DATA  THAT IS THE SUBJECT OF THE
 REQUEST IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH SPECIFIC ACTIV-
 ITIES; OR
   (II) IT IS NECESSARY FOR THE CONTROLLER  TO  MAINTAIN  THE  CONSUMER'S
 PERSONAL  DATA  TO ENGAGE IN PUBLIC OR PEER-REVIEWED SCIENTIFIC, HISTOR-
 ICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL
 OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE CONTROLLER'S DELETION
 OF THE INFORMATION IS LIKELY TO RENDER IMPOSSIBLE  OR  SERIOUSLY  IMPAIR
 THE  ACHIEVEMENT  OF SUCH RESEARCH, PROVIDED THAT THE CONSUMER HAS GIVEN
 INFORMED CONSENT AND THE PERSONAL DATA IS NOT PROCESSED FOR ANY  PURPOSE
 OTHER THAN SUCH RESEARCH.
   7. AUTOMATED DECISION-MAKING. (A) WHENEVER A CONTROLLER MAKES AN AUTO-
 MATED  DECISION  INVOLVING SOLELY AUTOMATED PROCESSING THAT RESULTS IN A
 DENIAL OF FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC  ACCOMMODATION,
 INSURANCE, HEALTH CARE SERVICES, OR ACCESS TO BASIC NECESSITIES, SUCH AS
 FOOD AND WATER, THE CONTROLLER MUST:
   (I) DISCLOSE IN A CLEAR CONSPICUOUS, AND CONSUMER-FRIENDLY MANNER THAT
 THE DECISION WAS MADE BY A SOLELY AUTOMATED PROCESS;
   (II)  PROVIDE  AN AVENUE FOR THE AFFECTED CONSUMER TO APPEAL THE DECI-
 SION, WHICH MUST AT MINIMUM ALLOW THE AFFECTED CONSUMER TO  (A)  EXPRESS
 THEIR POINT OF VIEW, (B) CONTEST THE DECISION, AND (C) OBTAIN MEANINGFUL
 HUMAN REVIEW; AND
   (III) EXPLAIN HOW TO APPEAL THE DECISION.
   (B) A CONTROLLER MUST RESPOND TO A CONSUMER'S APPEAL WITHIN FORTY-FIVE
 DAYS  OF  RECEIPT  OF  THE  APPEAL.  THAT PERIOD MAY BE EXTENDED ONCE BY

 S. 6701                            11
 
 FORTY-FIVE ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING  INTO
 ACCOUNT THE COMPLEXITY AND NUMBER OF APPEALS. THE CONTROLLER MUST INFORM
 THE  CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF
 THE APPEAL, TOGETHER WITH THE REASONS FOR THE DELAY.
   (C) (I) A CONTROLLER OR PROCESSOR ENGAGED IN AUTOMATED DECISION-MAKING
 AFFECTING  FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION,
 INSURANCE, EDUCATION ENROLLMENT, EMPLOYMENT, HEALTH  CARE  SERVICES,  OR
 ACCESS  TO  BASIC  NECESSITIES,  SUCH  AS  FOOD AND WATER, OR ENGAGED IN
 ASSISTING OTHERS IN AUTOMATED  DECISION-MAKING  IN  THOSE  FIELDS,  MUST
 ANNUALLY  CONDUCT AN IMPACT ASSESSMENT OF SUCH AUTOMATED DECISION-MAKING
 THAT:
   (A) DESCRIBES AND EVALUATES THE  OBJECTIVES  AND  DEVELOPMENT  OF  THE
 AUTOMATED  DECISION-MAKING  PROCESSES  INCLUDING THE DESIGN AND TRAINING
 DATA USED TO DEVELOP THE  AUTOMATED  DECISION-MAKING  PROCESS,  HOW  THE
 AUTOMATED  DECISION-MAKING  PROCESS  WAS  TESTED FOR ACCURACY, FAIRNESS,
 BIAS AND DISCRIMINATION; AND
   (B) ASSESSES WHETHER THE  AUTOMATED  DECISION-MAKING  SYSTEM  PRODUCES
 DISCRIMINATORY  RESULTS ON THE BASIS OF A CONSUMER'S OR CLASS OF CONSUM-
 ERS' ACTUAL OR PERCEIVED  RACE,  COLOR,  ETHNICITY,  RELIGION,  NATIONAL
 ORIGIN,  SEX,  GENDER,  GENDER  IDENTITY,  SEXUAL  ORIENTATION, FAMILIAL
 STATUS, BIOMETRIC INFORMATION, LAWFUL SOURCE OF INCOME, OR DISABILITY.
   (II) A CONTROLLER OR PROCESSOR MUST UTILIZE AN  EXTERNAL,  INDEPENDENT
 AUDITOR OR RESEARCHER TO CONDUCT SUCH ASSESSMENTS.
   (III)  A  CONTROLLER  OR PROCESSOR MUST MAKE PUBLIC ALL IMPACT ASSESS-
 MENTS PREPARED PURSUANT TO THIS SECTION, RETAIN ALL SUCH IMPACT  ASSESS-
 MENTS  FOR AT LEAST SIX YEARS, AND MAKE ANY SUCH RETAINED IMPACT ASSESS-
 MENTS AVAILABLE TO ANY STATE, FEDERAL,  OR  LOCAL  GOVERNMENT  AUTHORITY
 UPON REQUEST.
   (IV) FOR PURPOSES OF THIS PARAGRAPH, THE LIMITATIONS TO JURISDICTIONAL
 SCOPE  SET FORTH IN PARAGRAPHS (B) AND (C) OF SUBDIVISION TWO OF SECTION
 ELEVEN HUNDRED ONE OF THIS ARTICLE SHALL NOT APPLY.
   8. RESPONDING TO REQUESTS. (A) A CONTROLLER  MUST  TAKE  ACTION  UNDER
 SUBDIVISIONS  THREE  THROUGH SIX OF THIS SECTION AND INFORM THE CONSUMER
 OF ANY ACTIONS TAKEN WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN  FORTY-
 FIVE DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED ONCE BY
 FORTY-FIVE  ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING INTO
 ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE  CONTROLLER  MUST
 INFORM  THE  CONSUMER  OF  ANY  SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF
 RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHEN  A
 CONTROLLER  DENIES ANY SUCH REQUEST, IT MUST WITHIN THIS PERIOD DISCLOSE
 TO THE CONSUMER A STATEMENT IN WRITING OF THE SPECIFIC REASONS  FOR  THE
 DENIAL.
   (B) A CONTROLLER SHALL PERMIT THE EXERCISE OF RIGHTS AND CARRY OUT ITS
 OBLIGATIONS  SET FORTH IN SUBDIVISIONS THREE THROUGH SIX OF THIS SECTION
 FREE OF CHARGE, AT LEAST TWICE ANNUALLY TO THE CONSUMER. WHERE  REQUESTS
 FROM  A  CONSUMER  ARE  MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR
 BECAUSE OF THEIR REPETITIVE CHARACTER, THE  CONTROLLER  MAY  EITHER  (I)
 CHARGE  A  REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING
 WITH THE REQUEST OR (II) REFUSE TO ACT ON THE  REQUEST  AND  NOTIFY  THE
 CONSUMER  OF  THE  REASON FOR REFUSING THE REQUEST. THE CONTROLLER BEARS
 THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE  CHAR-
 ACTER OF THE REQUEST.
   (C)  (I)  A  CONTROLLER  SHALL  PROMPTLY  ATTEMPT,  USING COMMERCIALLY
 REASONABLE EFFORTS, TO VERIFY THAT ALL REQUESTS TO EXERCISE  ANY  RIGHTS
 SET  FORTH  IN  ANY SECTION OF THIS ARTICLE REQUIRING A VERIFIED REQUEST
 WERE MADE BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, OR BY A PERSON

 S. 6701                            12
 
 LAWFULLY EXERCISING THE RIGHT ON BEHALF  OF  THE  CONSUMER  WHO  IS  THE
 SUBJECT OF THE DATA. COMMERCIALLY REASONABLE EFFORTS SHALL BE DETERMINED
 BASED  ON THE TOTALITY OF THE CIRCUMSTANCES, INCLUDING THE NATURE OF THE
 DATA IMPLICATED BY THE REQUEST.
   (II)  A  CONTROLLER  MAY  REQUIRE  THE  CONSUMER TO PROVIDE ADDITIONAL
 INFORMATION ONLY IF THE REQUEST CANNOT REASONABLY  BE  VERIFIED  WITHOUT
 THE  PROVISION  OF  SUCH  ADDITIONAL  INFORMATION. A CONTROLLER MUST NOT
 TRANSFER OR PROCESS ANY SUCH ADDITIONAL INFORMATION PROVIDED PURSUANT TO
 THIS SECTION FOR ANY OTHER PURPOSE AND MUST DELETE ANY  SUCH  ADDITIONAL
 INFORMATION  WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-FIVE DAYS
 AFTER THE CONTROLLER HAS NOTIFIED THE CONSUMER THAT IT HAS TAKEN  ACTION
 ON  A  REQUEST  UNDER  SUBDIVISIONS  TWO THROUGH FIVE OF THIS SECTION AS
 DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (III) IF A CONTROLLER DISCLOSES THIS  ADDITIONAL  INFORMATION  TO  ANY
 PROCESSOR  OR  THIRD-PARTY  FOR  THE  PURPOSE  OF  VERIFYING  A CONSUMER
 REQUEST, IT MUST NOTIFY THE RECEIVING PROCESSOR OR THIRD  PARTY  AT  THE
 TIME  OF  SUCH  DISCLOSURE,  OR AS CLOSE IN TIME TO THE DISCLOSURE AS IS
 REASONABLY PRACTICABLE,  THAT  SUCH  INFORMATION  WAS  PROVIDED  BY  THE
 CONSUMER FOR THE SOLE PURPOSE OF VERIFICATION.
   9.  IMPLEMENTATION OF RIGHTS. CONTROLLERS MUST PROVIDE EASILY ACCESSI-
 BLE AND CONVENIENT MEANS FOR CONSUMERS TO EXERCISE  THEIR  RIGHTS  UNDER
 THIS ARTICLE.
   10.  NON-WAIVER OF RIGHTS. ANY PROVISION OF A CONTRACT OR AGREEMENT OF
 ANY KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S  RIGHTS
 UNDER  THIS  ARTICLE  IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNEN-
 FORCEABLE.
   § 1103.  CONTROLLER, PROCESSOR, AND THIRD-PARTY  RESPONSIBILITIES.  1.
 CONTROLLER  RESPONSIBILITIES.  (A)  DUTY  OF  LOYALTY.   (I) WHERE IT IS
 REASONABLY FORESEEABLE TO THE CONTROLLER THAT A PROCESS WILL BE  AGAINST
 A  CONSUMER'S PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR REPUTATIONAL INTER-
 ESTS OR AGAINST THE PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR  REPUTATIONAL
 INTERESTS  OF  A CLASS OF CONSUMERS THAT THE CONSUMER IS KNOWN TO BELONG
 TO, THE CONTROLLER MUST NOTIFY THAT CONSUMER OF ANY INTEREST THAT MAY BE
 HARMED IN ADVANCE OF REQUESTING CONSENT AND AS  CLOSE  IN  TIME  TO  THE
 PROCESSING  AS  PRACTICABLE. THIS OBLIGATION DOES NOT APPLY WITH RESPECT
 TO PROCESSING: (A) AS REQUIRED BY LAW; (B) PURSUANT TO A  REQUEST  BY  A
 FEDERAL,  STATE,  OR  LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR (C) THAT
 SIGNIFICANTLY ADVANCES PROTECTION AGAINST CRIMINAL OR TORTIOUS ACTIVITY.
   (II) CONTROLLERS MUST NOT ENGAGE IN UNFAIR, DECEPTIVE, OR ABUSIVE ACTS
 OR PRACTICES WITH RESPECT TO OBTAINING CONSUMER CONSENT, THE  PROCESSING
 OF  PERSONAL  DATA,  AND  A CONSUMER'S EXERCISE OF ANY RIGHTS UNDER THIS
 ARTICLE, INCLUDING WITHOUT LIMITATION:
   (A) DESIGNING A USER INTERFACE WITH THE PURPOSE OR SUBSTANTIAL  EFFECT
 OF  DECEIVING CONSUMERS, OBSCURING CONSUMERS' RIGHTS UNDER THIS ARTICLE,
 OR SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE  IN
 ORDER TO OBTAIN CONSENT; OR
   (B)  OBTAINING  CONSENT IN A MANNER DESIGNED TO OVERPOWER A CONSUMER'S
 RESISTANCE; FOR EXAMPLE, BY MAKING EXCESSIVE REQUESTS FOR CONSENT.
   (B) DUTY OF CARE. (I) (A) CONTROLLERS MUST,  ON  AT  LEAST  AN  ANNUAL
 BASIS, CONDUCT AND DOCUMENT RISK ASSESSMENTS OF ALL CURRENT PROCESSES OF
 PERSONAL DATA.
   (B) RISK ASSESSMENTS MUST ASSESS AT A MINIMUM:
   (I)  THE NATURE, SENSITIVITY AND CONTEXT OF THE PERSONAL DATA THAT THE
 CONTROLLER PROCESSES;
   (II) THE NATURE, PURPOSE, AND VALUE OF THE PROCESSES;

 S. 6701                            13
 
   (III) ANY RISKS OR HARMS TO CONSUMERS ACTUALLY OR POTENTIALLY  ARISING
 OUT  OF  THE PROCESSES, INCLUDING PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR
 REPUTATIONAL HARMS;
   (IV) THE ADEQUACY AND EFFECT OF SAFEGUARDS IMPLEMENTED BY THE CONTROL-
 LERS;
   (V)  THE  SUFFICIENCY  OF  THE  CONTROLLER'S  NOTICES  TO CONSUMERS AT
 DESCRIBING AND OBTAINING CONSENT CONCERNING THE PROCESSES; AND
   (VI) THE ADEQUACY  OF  THE  SAFEGUARDS  AND  MONITORING  PRACTICES  OF
 PROCESSORS  AND  THIRD  PARTIES  TO  WHOM  THE  CONTROLLER  HAS PROVIDED
 PERSONAL DATA.
   (C) THE CONTROLLER MUST RETAIN RISK ASSESSMENTS FOR AT LEAST SIX YEARS
 AND MAKE  RISK  ASSESSMENTS  AVAILABLE  TO  THE  ATTORNEY  GENERAL  UPON
 REQUEST.
   (II)  CONTROLLERS  MUST  DEVELOP,  IMPLEMENT,  AND MAINTAIN REASONABLE
 SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE
 PERSONAL DATA OF CONSUMERS INCLUDING ADOPTING REASONABLE ADMINISTRATIVE,
 TECHNICAL AND PHYSICAL SAFEGUARDS APPROPRIATE TO THE VOLUME  AND  NATURE
 OF THE PERSONAL DATA AT ISSUE.
   (III)  (A) A CONTROLLER THAT COLLECTS A CONSUMER'S PERSONAL DATA SHALL
 LIMIT ITS USE AND RETENTION OF THAT DATA TO WHAT IS NECESSARY TO PROVIDE
 A SERVICE OR GOOD REQUESTED BY A CONSUMER OR FOR PURPOSES FOR WHICH  THE
 CONSUMER  HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
 OPT-IN CONSENT.
   (B) AT LEAST ANNUALLY, A CONTROLLER MUST DISPOSE OF ALL PERSONAL  DATA
 THAT  IS  EITHER  NO  LONGER  NECESSARY TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY THE CONSUMER OR FOR THE PURPOSES FOR WHICH  THE  CONSUMER'S
 FREELY  GIVEN,  SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT IS IN
 EFFECT, CONSISTENT WITH THE RETENTION PERIOD DISCLOSED IN NOTICE  PURSU-
 ANT TO SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE.
   (IV)  CONTROLLERS  SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN
 REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES  FOR  CIRCUMSTANCES  THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO  UPDATE  THEIR  CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE
 ACCORDINGLY.
   (C) NON-DISCRIMINATION. (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST
 A CONSUMER FOR EXERCISING RIGHTS  UNDER  THIS  ACT,  INCLUDING  BUT  NOT
 LIMITED TO, BY:
   (A) DENYING SERVICES OR GOODS TO CONSUMERS;
   (B) CHARGING DIFFERENT PRICES FOR SERVICES OR GOODS, INCLUDING THROUGH
 THE USE OF DISCOUNTS OR OTHER BENEFITS; IMPOSING PENALTIES; OR PROVIDING
 A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR
   (C)  SUGGESTING  THAT  THE  CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
 RATE FOR SERVICES OR GOODS OR A DIFFERENT LEVEL OR QUALITY  OF  SERVICES
 OR GOODS.
   (II)  THIS  PARAGRAPH  DOES  NOT  APPLY TO A CONTROLLER'S CONDUCT WITH
 RESPECT TO OPT-IN CONSENT, IN WHICH CASE PARAGRAPH  (J)  OF  SUBDIVISION
 TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE GOVERNS.
   (D)  AGREEMENTS  WITH  PROCESSORS.  (I)  BEFORE MAKING ANY DISCLOSURE,
 TRANSFER, OR SALE OF PERSONAL DATA TO ANY PROCESSOR, THE CONTROLLER MUST
 ENTER INTO A WRITTEN, SIGNED CONTRACT WITH THAT PROCESSOR. SUCH CONTRACT
 MUST BE BINDING AND CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING  DATA,
 THE  NATURE AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROC-
 ESSING, THE DURATION OF PROCESSING, AND THE RIGHTS  AND  OBLIGATIONS  OF
 BOTH  PARTIES.  THE  CONTRACT  MUST  ALSO  INCLUDE REQUIREMENTS THAT THE
 PROCESSOR MUST:

 S. 6701                            14
 
   (A) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT  TO  A
 DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA;
   (B)  PROTECT THE DATA CONSISTENT WITH THE REQUIREMENTS OF THIS ACT AND
 ANY STATEMENTS MADE BY THE CONTROLLER IN THEIR PUBLICLY AVAILABLE  POLI-
 CIES, NOTICES, OR SIMILAR STATEMENTS;
   (C)  PROCESS  THE DATA ONLY WHEN AND TO THE EXTENT NECESSARY TO COMPLY
 WITH ITS LEGAL OBLIGATIONS TO THE CONTROLLER UNLESS OTHERWISE EXPLICITLY
 AUTHORIZED BY THE CONTROLLER;
   (D) NOT COMBINE THE PERSONAL INFORMATION WHICH THE PROCESSOR  RECEIVES
 FROM  OR ON BEHALF OF THE CONTROLLER WITH PERSONAL INFORMATION WHICH THE
 PROCESSOR RECEIVES FROM OR ON BEHALF OF ANOTHER PERSON OR COLLECTS  FROM
 ITS OWN INTERACTION WITH CONSUMERS;
   (E)  COMPLY  WITH  ANY  EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF  THE  CONTROLLER,
 SUBJECT  TO  THE LIMITATIONS SET FORTH IN SECTION ELEVEN HUNDRED FIVE OF
 THIS ARTICLE;
   (F) AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL  DATA
 TO  THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICES,
 UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;
   (G) UPON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE  AVAILABLE  TO
 THE  CONTROLLER  ALL  INFORMATION  IN ITS POSSESSION NECESSARY TO DEMON-
 STRATE THE PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS ACT;
   (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE  CONTROL-
 LER OR THE CONTROLLER'S DESIGNATED ASSESSOR; ALTERNATIVELY, THE PROCESS-
 OR  MAY  ARRANGE  FOR A QUALIFIED AND INDEPENDENT ASSESSOR TO CONDUCT AN
 ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECHNICAL AND  ORGANIZATIONAL
 MEASURES  IN  SUPPORT  OF  THE  OBLIGATIONS  UNDER THIS ARTICLE USING AN
 APPROPRIATE AND ACCEPTED CONTROL STANDARD OR  FRAMEWORK  AND  ASSESSMENT
 PROCEDURE  FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT OF
 SUCH ASSESSMENT TO THE CONTROLLER UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING THE
 DATA TO ANY FURTHER PROCESSORS, NOTIFY THE CONTROLLER OF SUCH A PROPOSED
 DISCLOSURE OR TRANSFER AND PROVIDE  THE  CONTROLLER  AN  OPPORTUNITY  TO
 APPROVE OR REJECT THE PROPOSAL; AND
   (J)  ENGAGE  ANY  FURTHER  PROCESSOR  PURSUANT  TO  A  WRITTEN, SIGNED
 CONTRACT THAT INCLUDES THE CONTRACTUAL  REQUIREMENTS  PROVIDED  IN  THIS
 PARAGRAPH, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE PROCESSOR
 HAS ENTERED INTO WITH REGARD TO THE DATA.
   (II)  A  CONTROLLER  MUST  NOT  AGREE  TO INDEMNIFY, DEFEND, OR HOLD A
 PROCESSOR HARMLESS, OR AGREE TO A  PROVISION  THAT  HAS  THE  EFFECT  OF
 INDEMNIFYING,  DEFENDING, OR HOLDING THE PROCESSOR HARMLESS, FROM CLAIMS
 OR LIABILITY  ARISING  FROM  THE  PROCESSOR'S  BREACH  OF  THE  CONTRACT
 REQUIRED  BY  CLAUSE  (A)  OF  SUBPARAGRAPH  (I)  OF THIS PARAGRAPH OR A
 VIOLATION OF THIS ACT. ANY PROVISION OF AN AGREEMENT THAT VIOLATES  THIS
 SUBPARAGRAPH IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNENFORCEABLE.
   (III)  NOTHING  IN THIS PARAGRAPH RELIEVES A CONTROLLER OR A PROCESSOR
 FROM THE LIABILITIES IMPOSED ON IT BY VIRTUE OF ITS ROLE IN THE PROCESS-
 ING RELATIONSHIP AS DEFINED BY THIS ARTICLE.
   (IV) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCES-
 SOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETER-
 MINATION THAT DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS  TO  BE
 PROCESSED.  A  PROCESSOR  THAT  CONTINUES  TO  ADHERE  TO A CONTROLLER'S
 INSTRUCTIONS WITH RESPECT TO A  SPECIFIC  PROCESSING  OF  PERSONAL  DATA
 REMAINS A PROCESSOR.
   (E)  THIRD  PARTIES. (I) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANS-
 FER, OR SELL PERSONAL DATA, OR  FACILITATE  OR  ENABLE  THE  PROCESSING,

 S. 6701                            15
 
 DISCLOSURE,  TRANSFER,  OR  SALE  OF  PERSONAL DATA TO A THIRD PARTY FOR
 WHICH CONSENT OF THE CONSUMER PURSUANT TO  SUBDIVISION  TWO  OF  SECTION
 ELEVEN  HUNDRED  TWO  OF  THIS  ARTICLE, HAS NOT BEEN OBTAINED OR IS NOT
 CURRENTLY  IN EFFECT. ANY REQUEST FOR CONSENT TO SHARE, DISCLOSE, TRANS-
 FER, OR SELL PERSONAL DATA, OR TO FACILITATE OR ENABLE  THE  PROCESSING,
 DISCLOSURE,  TRANSFER,  OR  SALE  OF PERSONAL DATA TO A THIRD PARTY MUST
 CLEARLY INCLUDE THE IDENTITY OF  THE  THIRD  PARTY  AND  THE  PROCESSING
 PURPOSES FOR WHICH THE THIRD-PARTY MAY USE THE PERSONAL DATA.
   (II) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANSFER, OR SELL PERSONAL
 DATA,  OR  FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR
 SALE OF PERSONAL DATA IF IT CAN REASONABLY EXPECT THE PERSONAL DATA OF A
 CONSUMER TO BE USED FOR PURPOSES THAT THE CONSUMER HAS NOT CONSENTED  TO
 PURSUANT  TO SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTI-
 CLE, OR IF IT CAN REASONABLY EXPECT THAT  ANY  RIGHTS  OF  THE  CONSUMER
 PROVIDED IN THIS ARTICLE WOULD BE COMPROMISED AS A RESULT OF SUCH TRANS-
 ACTION.
   (III) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA
 TO  ANY  THIRD  PARTY,  THE CONTROLLER MUST ENTER INTO A WRITTEN, SIGNED
 CONTRACT. SUCH CONTRACT MUST BE  BINDING  AND  THE  SCOPE,  NATURE,  AND
 PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROCESSING, THE DURA-
 TION  OF  PROCESSING,  AND  THE  RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
 SUCH CONTRACT MUST INCLUDE REQUIREMENTS THAT THE THIRD PARTY:
   (A) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED  BY  THE  AGREEMENT
 ENTERED INTO WITH THE CONTROLLER; AND
   (B)  PROVIDE  A MECHANISM TO COMPLY WITH ANY EXERCISES OF A CONSUMER'S
 RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST
 OF THE CONTROLLER, SUBJECT TO ANY LIMITATIONS THEREON AS  AUTHORIZED  BY
 THIS ARTICLE; AND
   (C)  TO  THE  EXTENT THE DISCLOSURE, TRANSFER, OR SALE OF THE PERSONAL
 DATA CAUSES THE THIRD PARTY TO BECOME  A  CONTROLLER,  COMPLY  WITH  ALL
 OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE.
   2.  PROCESSOR  RESPONSIBILITIES.  (A)  FOR  ANY  PERSONAL DATA THAT IS
 OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE  ACQUIRED  BY  A  PROCESSOR,
 WHETHER DIRECTLY FROM A CONTROLLER OR INDIRECTLY FROM ANOTHER PROCESSOR,
 THE PROCESSOR MUST COMPLY WITH THE REQUIREMENTS SET FORTH IN CLAUSES (A)
 THROUGH  (J)  OF SUBPARAGRAPH (I) OF PARAGRAPH (D) OF SUBDIVISION ONE OF
 THIS SECTION.
   (B) A PROCESSOR IS NOT REQUIRED  TO  COMPLY  WITH  A  REQUEST  BY  THE
 CONSUMER  SUBMITTED  PURSUANT  TO THIS ARTICLE BY A CONSUMER DIRECTLY TO
 THE PROCESSOR TO THE EXTENT THAT THE PROCESSOR HAS PROCESSED THE CONSUM-
 ER'S PERSONAL DATA SOLELY IN ITS ROLE AS A PROCESSOR FOR A CONTROLLER.
   (C) PROCESSORS SHALL BE UNDER A CONTINUING  OBLIGATION  TO  ENGAGE  IN
 REASONABLE  MEASURES  TO  REVIEW THEIR ACTIVITIES FOR CIRCUMSTANCES THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO UPDATE THEIR CLASSIFICATIONS OF DATA AS  IDENTIFIED  OR  IDENTIFIABLE
 ACCORDINGLY.
   (D)  A  PROCESSOR  SHALL NOT ENGAGE IN ANY SALE OF PERSONAL DATA OTHER
 THAN ON BEHALF OF THE CONTROLLER PURSUANT TO ANY AGREEMENT ENTERED  INTO
 WITH THE CONTROLLER.
   3.  THIRD-PARTY  RESPONSIBILITIES.  (A)  FOR ANY PERSONAL DATA THAT IS
 OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE ACQUIRED OR  ACCESSED  BY  A
 THIRD-PARTY FROM A CONTROLLER OR PROCESSOR, THE THIRD-PARTY MUST:
   (I)  PROCESS  THAT DATA ONLY TO THE EXTENT PERMITTED BY ANY AGREEMENTS
 ENTERED INTO WITH THE CONTROLLER;
   (II) PROCESS ONLY THE PERSONAL DATA NECESSARY FOR PURPOSES  FOR  WHICH
 FREELY  GIVEN,  SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT IS IN

 S. 6701                            16
 
 EFFECT, AS CONVEYED BY THE CONTROLLER, LIMIT THE USE  AND  RETENTION  OF
 THAT  DATA TO WHAT IS NECESSARY FOR SUCH PURPOSES, AND SHALL IMMEDIATELY
 DELETE SUCH PERSONAL DATA WHEN NOTIFIED THAT THE  CONSENT  IS  WITHHELD,
 DENIED, OR WITHDRAWN;
   (III)  COMPLY  WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER OR
 PROCESSOR, SUBJECT TO ANY LIMITATIONS  THEREON  AS  AUTHORIZED  BY  THIS
 ARTICLE; AND
   (IV)  TO  THE EXTENT THE THIRD PARTY BECOMES A CONTROLLER FOR PERSONAL
 DATA, COMPLY WITH ALL OBLIGATIONS  IMPOSED  ON  CONTROLLERS  UNDER  THIS
 ARTICLE.
   4. EXCEPTIONS. THE REQUIREMENTS OF THIS SECTION SHALL NOT APPLY WHERE:
   (A) THE PROCESSING IS REQUIRED BY LAW;
   (B)  THE PROCESSING IS MADE PURSUANT TO A REQUEST BY A FEDERAL, STATE,
 OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR
   (C) THE PROCESSING SIGNIFICANTLY ADVANCES PROTECTION AGAINST  CRIMINAL
 OR TORTIOUS ACTIVITY.
   § 1104. DATA BROKERS. 1. A DATA BROKER, AS DEFINED UNDER THIS ARTICLE,
 MUST:
   (A)  ANNUALLY,  ON  OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN
 WHICH A PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE:
   (I) REGISTER WITH THE ATTORNEY GENERAL;
   (II) PAY A REGISTRATION FEE OF ONE HUNDRED  DOLLARS  OR  AS  OTHERWISE
 DETERMINED  BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY AUTHORITY
 GRANTED TO THE ATTORNEY GENERAL UNDER THIS ARTICLE, NOT  TO  EXCEED  THE
 REASONABLE  COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND INFOR-
 MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND
   (III) PROVIDE THE FOLLOWING INFORMATION:
   (A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS
 OF THE DATA BROKER;
   (B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF
 THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA
 BROKER;
   (C) A STATEMENT DESCRIBING THE METHOD FOR EXERCISING CONSUMERS  RIGHTS
 UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (D) A STATEMENT WHETHER THE DATA BROKER IMPLEMENTS A PURCHASER CREDEN-
 TIALING PROCESS; AND
   (E)  ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER CHOOSES
 TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
   2. NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE, ANY CONTROLLER
 THAT CONDUCTS BUSINESS IN THE STATE OF NEW YORK MUST:
   (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING  A  YEAR  IN
 WHICH  A  PERSON MEETS THE DEFINITION OF CONTROLLER IN THIS ACT, PROVIDE
 TO THE ATTORNEY GENERAL A LIST OF ALL DATA BROKERS OR PERSONS REASONABLY
 BELIEVED TO BE DATA BROKERS TO WHICH THE  CONTROLLER  PROVIDED  PERSONAL
 DATA IN THE PRECEDING YEAR; AND
   (B)  NOT  SELL A CONSUMER'S PERSONAL DATA TO A DATA BROKER THAT IS NOT
 REGISTERED WITH THE ATTORNEY GENERAL.
   3. THE ATTORNEY GENERAL SHALL ESTABLISH, MANAGE AND MAINTAIN A  STATE-
 WIDE  REGISTRY  ON ITS INTERNET WEBSITE, WHICH SHALL LIST ALL REGISTERED
 DATA BROKERS AND MAKE ACCESSIBLE  TO  THE  PUBLIC  ALL  THE  INFORMATION
 PROVIDED  BY  DATA BROKERS PURSUANT TO THIS SECTION. PRINTED HARD COPIES
 OF SUCH REGISTRY SHALL BE MADE AVAILABLE UPON REQUEST AND PAYMENT  OF  A
 FEE TO BE DETERMINED BY THE ATTORNEY GENERAL.
   4. A DATA BROKER THAT FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR
 SUBMITS  FALSE  INFORMATION  IN  ITS REGISTRATION IS, IN ADDITION TO ANY

 S. 6701                            17
 
 OTHER INJUNCTION, PENALTY, OR LIABILITY THAT MAY BE IMPOSED  UNDER  THIS
 ARTICLE,  LIABLE  FOR  CIVIL  PENALTIES,  FEES,  AND  COSTS IN AN ACTION
 BROUGHT BY THE ATTORNEY GENERAL AS FOLLOWS: (A) A CIVIL PENALTY  OF  ONE
 THOUSAND  DOLLARS  FOR  EACH  DAY  THE  DATA BROKER FAILS TO REGISTER AS
 REQUIRED BY THIS SECTION OR FAILS TO CORRECT FALSE INFORMATION,  (B)  AN
 AMOUNT  EQUAL  TO  THE FEES THAT WERE DUE DURING THE PERIOD IT FAILED TO
 REGISTER, AND (C) EXPENSES INCURRED  BY  THE  ATTORNEY  GENERAL  IN  THE
 INVESTIGATION AND PROSECUTION OF THE ACTION AS THE COURT DEEMS APPROPRI-
 ATE.
   §  1105. LIMITATIONS. 1. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER OR
 PROCESSOR TO DO ANY OF THE FOLLOWING SOLELY FOR  PURPOSES  OF  COMPLYING
 WITH THIS ARTICLE:
   (A) REIDENTIFY DEIDENTIFIED DATA;
   (B)  COMPLY  WITH  A  VERIFIED CONSUMER REQUEST TO ACCESS, CORRECT, OR
 DELETE PERSONAL DATA PURSUANT TO THIS ARTICLE IF ALL  OF  THE  FOLLOWING
 ARE TRUE:
   (I)  THE  CONTROLLER  IS  NOT  REASONABLY  CAPABLE  OF ASSOCIATING THE
 REQUEST WITH THE PERSONAL DATA;
   (II) THE CONTROLLER DOES NOT ASSOCIATE THE PERSONAL  DATA  WITH  OTHER
 PERSONAL  DATA  ABOUT  THE  SAME SPECIFIC CONSUMER AS PART OF ITS NORMAL
 BUSINESS PRACTICE; AND
   (III) THE CONTROLLER DOES NOT SELL THE  PERSONAL  DATA  TO  ANY  THIRD
 PARTY OR OTHERWISE VOLUNTARILY DISCLOSE OR TRANSFER THE PERSONAL DATA TO
 ANY  PROCESSOR  OR  THIRD  PARTY,  EXCEPT AS OTHERWISE PERMITTED IN THIS
 ARTICLE; OR
   (C) MAINTAIN PERSONAL DATA IN IDENTIFIABLE FORM, OR  COLLECT,  OBTAIN,
 RETAIN,  OR ACCESS ANY PERSONAL DATA OR TECHNOLOGY, IN ORDER TO BE CAPA-
 BLE OF ASSOCIATING A VERIFIED CONSUMER REQUEST WITH PERSONAL DATA.
   2. THE OBLIGATIONS IMPOSED ON CONTROLLERS AND  PROCESSORS  UNDER  THIS
 ARTICLE  DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO DO ANY
 OF THE FOLLOWING, TO THE EXTENT THAT THE USE OF THE CONSUMER'S  PERSONAL
 DATA IS REASONABLY NECESSARY AND PROPORTIONATE FOR THESE PURPOSES:
   (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS;
   (B)  COMPLY  WITH  A  CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI-
 GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER  GOVERN-
 MENTAL AUTHORITIES;
   (C)  COOPERATE  WITH  LAW  ENFORCEMENT  AGENCIES CONCERNING CONDUCT OR
 ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN  GOOD  FAITH
 BELIEVES  MAY  VIOLATE  FEDERAL,  STATE,  OR LOCAL LAWS, RULES, OR REGU-
 LATIONS;
   (D) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE  FOR,  OR  DEFEND  LEGAL
 CLAIMS;
   (E)  PROCESS  PERSONAL DATA NECESSARY TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY A CONSUMER, UNLESS THE CONSUMER WITHHOLDS, DENIES, OR WITH-
 DRAWS CONSENT; PERFORM A CONTRACT TO WHICH THE CONSUMER IS A  PARTY;  OR
 TAKE  STEPS  AT  THE  REQUEST  OF  THE CONSUMER PRIOR TO ENTERING INTO A
 CONTRACT;
   (F) TAKE IMMEDIATE STEPS TO PROTECT THE LIFE OR PHYSICAL SAFETY OF THE
 CONSUMER OR OF ANOTHER NATURAL PERSON, AND WHERE THE  PROCESSING  CANNOT
 BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS;
   (G)  PREVENT,  DETECT,  PROTECT  AGAINST, OR RESPOND TO SECURITY INCI-
 DENTS, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE  ACTIV-
 ITIES,  OR  ANY  ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY OR SECURITY OF
 SYSTEMS; OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR  ANY
 SUCH ACTION; OR

 S. 6701                            18
 
   (H)  IDENTIFY  AND  REPAIR  TECHNICAL  ERRORS  THAT IMPAIR EXISTING OR
 INTENDED FUNCTIONALITY.
   3.  THE  OBLIGATIONS  IMPOSED  ON CONTROLLERS OR PROCESSORS UNDER THIS
 ARTICLE DO NOT APPLY WHERE COMPLIANCE BY  THE  CONTROLLER  OR  PROCESSOR
 WITH  THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW YORK
 LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL
 DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY  PRIVI-
 LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION.
   4.  THE  OBLIGATIONS  IMPOSED  ON CONTROLLERS OR PROCESSORS UNDER THIS
 ARTICLE DO NOT APPLY TO THE PUBLICATION  OF  NEWSWORTHY  INFORMATION  OF
 LEGITIMATE  PUBLIC  CONCERN TO THE PUBLIC, OR THE PROCESSING OR TRANSFER
 OF INFORMATION BY A CONTROLLER FOR SUCH PURPOSE.
   5. A CONTROLLER THAT RECEIVES A REQUEST PURSUANT TO SUBDIVISIONS THREE
 THROUGH SIX OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR A PROCESS-
 OR OR THIRD PARTY TO WHOM A CONTROLLER COMMUNICATES SUCH A REQUEST,  MAY
 DECLINE TO FULFILL THE RELEVANT PART OF SUCH REQUEST IF:
   (A)  THE CONTROLLER, PROCESSOR, OR THIRD PARTY IS UNABLE TO VERIFY THE
 REQUEST USING COMMERCIALLY REASONABLE EFFORTS, AS DESCRIBED IN PARAGRAPH
 (C) OF SUBDIVISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (B) COMPLYING WITH THE REQUEST WOULD BE DEMONSTRABLY  IMPOSSIBLE  (FOR
 PURPOSES  OF  THIS  PARAGRAPH, THE RECEIPT OF A LARGE NUMBER OF VERIFIED
 REQUESTS, ON ITS OWN, IS NOT SUFFICIENT  TO  RENDER  COMPLIANCE  WITH  A
 REQUEST DEMONSTRABLY IMPOSSIBLE);
   (C)  COMPLYING  WITH  THE  REQUEST WOULD IMPAIR THE PRIVACY OF ANOTHER
 INDIVIDUAL OR THE RIGHTS OF ANOTHER TO EXERCISE FREE SPEECH; OR
   (D) THE PERSONAL DATA WAS CREATED BY A NATURAL PERSON OTHER  THAN  THE
 CONSUMER  MAKING  THE  REQUEST AND IS BEING PROCESSED FOR THE PURPOSE OF
 FACILITATING INTERPERSONAL RELATIONSHIPS OR PUBLIC DISCUSSION.
   § 1106. ENFORCEMENT AND  PRIVATE  RIGHT  OF  ACTION.  1.  WHENEVER  IT
 APPEARS  TO  THE  ATTORNEY  GENERAL, EITHER UPON COMPLAINT OR OTHERWISE,
 THAT ANY PERSON OR PERSONS HAS ENGAGED IN OR IS ABOUT TO ENGAGE  IN  ANY
 OF  THE  ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE
 ATTORNEY GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN  THE  NAME
 AND  ON  BEHALF  OF  THE  PEOPLE  OF THE STATE OF NEW YORK TO ENJOIN ANY
 VIOLATION OF THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR  PROP-
 ERTY  OBTAINED  DIRECTLY  OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN
 DISGORGEMENT OF ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY  SUCH
 VIOLATION,  TO  OBTAIN CIVIL PENALTIES OF NOT MORE THAN FIFTEEN THOUSAND
 DOLLARS PER VIOLATION, AND TO OBTAIN ANY SUCH OTHER AND  FURTHER  RELIEF
 AS THE COURT MAY DEEM PROPER, INCLUDING PRELIMINARY RELIEF.
   (A)  ANY  ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS.
   (B)  EACH  INSTANCE  OF  UNLAWFUL  PROCESSING  COUNTS  AS  A  SEPARATE
 VIOLATION.  UNLAWFUL  PROCESSING  OF  THE PERSONAL DATA OF MORE THAN ONE
 CONSUMER COUNTS AS A  SEPARATE  VIOLATION  AS  TO  EACH  CONSUMER.  EACH
 PROVISION  OF  THIS  ARTICLE  THAT  IS  VIOLATED  COUNTS  AS  A SEPARATE
 VIOLATION.
   (C) IN ASSESSING THE AMOUNT OF PENALTIES, THE COURT MUST CONSIDER  ANY
 ONE  OR  MORE  OF  THE  RELEVANT  CIRCUMSTANCES  PRESENTED BY ANY OF THE
 PARTIES, INCLUDING, BUT NOT LIMITED TO, THE NATURE  AND  SERIOUSNESS  OF
 THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCON-
 DUCT,  THE  LENGTH OF TIME OVER WHICH THE MISCONDUCT OCCURRED, THE WILL-
 FULNESS OF THE  VIOLATOR'S  MISCONDUCT,  AND  THE  VIOLATOR'S  FINANCIAL
 CONDITION.
   2.  IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER
 THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND  MAKE

 S. 6701                            19
 
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE  WITH  THE  CIVIL PRACTICE LAW AND RULES.  THE ATTORNEY GENERAL MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT  AND  MAY  REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER OATH.  SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF ANY ACTION OR SPECIAL PROCEEDING  BROUGHT  BY  THE  ATTORNEY  GENERAL
 UNDER THIS ARTICLE.
   3.  ANY  PERSON, WITHIN OR OUTSIDE THE STATE, WHO THE ATTORNEY GENERAL
 BELIEVES MAY BE IN POSSESSION, CUSTODY, OR CONTROL OF ANY BOOKS, PAPERS,
 OR OTHER THINGS, OR MAY HAVE INFORMATION, RELEVANT TO ACTS OR  PRACTICES
 STATED  TO  BE  UNLAWFUL  IN THIS ARTICLE IS SUBJECT TO THE SERVICE OF A
 SUBPOENA ISSUED BY  THE  ATTORNEY  GENERAL  PURSUANT  TO  THIS  SECTION.
 SERVICE  MAY  BE  MADE IN ANY MANNER THAT IS AUTHORIZED FOR SERVICE OF A
 SUBPOENA OR A SUMMONS BY THE STATE IN WHICH SERVICE IS MADE.
   4. (A) FAILURE TO   COMPLY WITH A SUBPOENA  ISSUED  PURSUANT  TO  THIS
 SECTION  WITHOUT REASONABLE CAUSE TOLLS THE APPLICABLE STATUTES OF LIMI-
 TATIONS IN ANY ACTION OR SPECIAL  PROCEEDING  BROUGHT  BY  THE  ATTORNEY
 GENERAL  AGAINST THE NONCOMPLIANT PERSON THAT ARISES OUT OF THE ATTORNEY
 GENERAL'S INVESTIGATION.
   (B) IF A PERSON FAILS TO COMPLY WITH A  SUBPOENA  ISSUED  PURSUANT  TO
 THIS  SECTION,  THE  ATTORNEY  GENERAL  MAY MOVE IN THE SUPREME COURT TO
 COMPEL COMPLIANCE.  IF THE COURT FINDS THAT THE SUBPOENA WAS AUTHORIZED,
 IT SHALL ORDER COMPLIANCE AND MAY IMPOSE A CIVIL PENALTY OF UP  TO  FIVE
 HUNDRED DOLLARS PER DAY OF NONCOMPLIANCE.
   (C)  SUCH  TOLLING AND CIVIL PENALTY SHALL BE IN ADDITION TO ANY OTHER
 PENALTIES OR REMEDIES PROVIDED BY LAW FOR NONCOMPLIANCE WITH A SUBPOENA.
   5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL  UNDER
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL  NOT  SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER
 WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION  OR  CONDUCT
 ANY INQUIRY.
   6.  ANY CONSUMER WHO HAS BEEN INJURED BY A VIOLATION OF SECTION ELEVEN
 HUNDRED TWO OF THIS ARTICLE MAY BRING AN ACTION IN HIS OR HER  OWN  NAME
 TO ENJOIN SUCH UNLAWFUL ACT OR PRACTICE AND TO RECOVER HIS OR HER ACTUAL
 DAMAGES  OR  ONE  THOUSAND  DOLLARS, WHICHEVER IS GREATER. THE COURT MAY
 ALSO  AWARD  REASONABLE  ATTORNEYS'  FEES  TO  A  PREVAILING  PLAINTIFF.
 ACTIONS PURSUANT TO THIS SECTION MAY BE BROUGHT ON A CLASS-WIDE BASIS.
   §  1107.  MISCELLANEOUS.  1.  PREEMPTION: THIS ARTICLE DOES NOT ANNUL,
 ALTER, OR AFFECT THE LAWS, ORDINANCES, REGULATIONS,  OR  THE  EQUIVALENT
 ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING, COLLECTION, TRANS-
 FER, DISCLOSURE, AND SALE OF CONSUMERS' PERSONAL DATA BY A CONTROLLER OR
 PROCESSOR  SUBJECT  TO THIS ACT, EXCEPT TO THE EXTENTS THOSE LAWS, ORDI-
 NANCES,  REGULATIONS,  OR  THE  EQUIVALENT  ARE  INCONSISTENT  WITH  THE
 PROVISIONS  OF THIS ACT, AND THEN ONLY TO THE EXTENT OF THE INCONSISTEN-
 CY.
   2. IMPACT REPORT: THE ATTORNEY GENERAL SHALL ISSUE A REPORT EVALUATING
 THIS ARTICLE, ITS SCOPE, ANY COMPLAINTS FROM CONSUMERS OR  PERSONS,  THE
 LIABILITY  AND ENFORCEMENT PROVISIONS OF THIS ARTICLE INCLUDING, BUT NOT
 LIMITED TO, THE EFFECTIVENESS OF ITS EFFORTS TO  ENFORCE  THIS  ARTICLE,
 AND  ANY  RECOMMENDATIONS  FOR  CHANGES TO SUCH PROVISIONS. THE ATTORNEY
 GENERAL SHALL SUBMIT THE REPORT TO THE GOVERNOR, THE TEMPORARY PRESIDENT
 OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE APPROPRIATE  COMMIT-
 TEES  OF  THE LEGISLATURE WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS
 SECTION.
   3. REGULATORY AUTHORITY: (A) THE ATTORNEY GENERAL IS HEREBY AUTHORIZED
 AND EMPOWERED TO ADOPT, PROMULGATE, AMEND AND RESCIND SUITABLE RULES AND

 S. 6701                            20
 
 REGULATIONS TO CARRY OUT THE PROVISIONS OF THIS ARTICLE, INCLUDING RULES
 GOVERNING THE FORM AND CONTENT  OF  ANY  DISCLOSURES  OR  COMMUNICATIONS
 REQUIRED BY THIS ARTICLE.
   (B)  THE  ATTORNEY  GENERAL  MAY  REQUEST  DATA  AND  INFORMATION FROM
 CONTROLLERS CONDUCTING BUSINESS IN NEW YORK STATE, OTHER NEW YORK  STATE
 GOVERNMENT  ENTITIES  ADMINISTERING NOTICE AND CONSENT REGIMES, CONSUMER
 PROTECTION AND PRIVACY ADVOCATES  AND  RESEARCHERS,  INTERNET  STANDARDS
 SETTING  BODIES,  SUCH  AS  THE  INTERNET  ENGINEERING TASKFORCE AND THE
 INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS,  AND  OTHER  RELEVANT
 SOURCES,  TO  CONDUCT  STUDIES TO INFORM SUITABLE RULES AND REGULATIONS.
 THE ATTORNEY GENERAL SHALL RECEIVE, UPON REQUEST, DATA  FROM  OTHER  NEW
 YORK STATE GOVERNMENTAL ENTITIES.
   4.  EXERCISE  OF  RIGHTS: ANY CONSUMER RIGHT SET FORTH IN THIS ARTICLE
 MAY BE EXERCISED AT ANY TIME BY THE CONSUMER WHO IS THE SUBJECT  OF  THE
 DATA,  BY  AN  AGENT AUTHORIZED BY A CONSUMER TO EXERCISE THE RIGHTS SET
 FORTH IN THIS ACT ON THEIR BEHALF, OR BY A PARENT OR GUARDIAN AUTHORIZED
 BY LAW TO TAKE ACTIONS OF LEGAL CONSEQUENCE ON BEHALF  OF  THE  CONSUMER
 WHO IS THE SUBJECT OF THE DATA.
   §  4.  This act shall take effect immediately; provided, however, that
 sections 1101, 1102, 1103, 1105, 1106 and 1107 of the  general  business
 law, as added by section three of this act, shall take effect January 1,
 2022.

co-Sponsors

View additional co-sponsors

2021-S6701A - Details

Current Committee:: Senate Internet And Technology
Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1107, Gen Bus L
Versions Introduced in 2023-2024 Legislative Session:: S365

2021-S6701A - Summary

2021-S6701A - Sponsor Memo

                                 
BILL NUMBER: S6701A

SPONSOR: THOMAS
 
TITLE OF BILL:

An act to amend the general business law, in relation to the management
and oversight of personal data

 
PURPOSE GENERAL IDEA OF BILL:

The purpose of the bill is to help New Yorkers regain their privacy.
The bill, cited as the NY Privacy Act, will require the companies to
obtain consent from consumers before processing the personal data of
consumers.

 
SUMMARY OF PROVISIONS:

Section 1 of the bill defines the act as the "New York Privacy Act".

Section 2 of the bill contains the legislative intent.

Section 3 of the bill amends the general business law by adding a new

article 42.

Section 1100 of the new article 42 provides definitions of relevant
terms to be used in this act.

Section 1101 of the new article 42 states that the jurisdictional scope
of this article applies to legal persons that conduct business in New
York State or produce products or services intentionally targeted to
residents in New York State and that satisfy one or more of the required
thresholds. This section also contains exemptions.

Section 1102 of the new article 42 delineates consumer rights including
notice of how their data is being processed and sold, opt-in consent,
the ability to request access and obtain a copy of their data in a
commonly used electronic format, the ability to request the correction
of inaccurate data and deletion of data, and the ability to challenge
certain automated decisions.

Section 1103 of the new article 42 defines the responsibilities and
obligations assigned to controllers, processors and third parties.

First, controllers have an obligation to regularly conduct data
protection assessments for processing activities that present a height-
ened risk of harm to consumers. Controllers owe a duty of loyalty to
consumers which requires controllers to notify the consumer of any
interest that may be harmed before requesting consent. The duty of
loyalty also prohibits controllers from engaging in unfair, deceptive,
or abusive acts or practices with respect to obtaining consumer consent,
the processing of personal data, and a consumer's exercise of any rights
of this article. Additionally, controllers owe consumer's a duty of care
which requires controllers to conduct and document risk assessments of
all current processes of personal data at least once a year. The duty of
care also requires controllers to develop, implement, and maintain
reasonable safeguards to protect the security, confidentiality and
integrity of the consumer data the controller collects and to limit data
use and retention. Furthermore, controllers cannot discriminate against
consumers for exercising their data rights; and prior to sharing a
consumer's personal data, the controller must enter into a written and
signed contract with a processor before it provides the consumer's
personal data.

Next, processors must act in accordance with the written contract it has
entered into with a controller. Each contract must set forth
instructions for processing data; the nature and purpose of the process-
ing; the type of data subject to processing; the duration of the proc-
essing; and the rights and obligations of the controller and processor.
In addition, processors are under a continuing obligation to engage in
reasonable measures to review their processing activities with respect
to data identification.

Lastly, for any data acquired or accessed by a third-party from a
controller or processor, the third-party can only process that data to
the extent permitted by the provisions of the written contract and after
the consumer has consented to the individual third party and the purpose
for third party processing.

Section 1104 of the new article 42 requires data brokers to register and
pay an annual fee to the Attorney General and submit information regard-
ing the data broker's data use practices and contact information. The
Attorney General will maintain a data broker registry on its website.
Additionally, controllers must annually submit a list of all known data
brokers or persons reasonably believed to be data brokers with whom the
controller provided personal data in the preceding year. Controllers are
prohibited from sharing personal data with an unregistered data broker.

Section 1105 of the new article 42 describes when controllers and
processors are exempt from complying with the obligations set forth in
Section 1103.

Section 1106 of the new article 42 authorizes the Attorney General to
bring an action or special proceeding whenever it appears that a person
has engaged in or is about to engage in a violation of the article. The
section also authorizes private rights of action and class actions.

Section 1107 of the new article 42 contains miscellaneous provisions
including a conflict preemption clause, timing for the Attorney General
to submit a report on the effectiveness of the article, regulatory
authority for the Attorney General, and how consumers can exercise their
rights under this article.

Section 4 of the bill states that the act will take effect immediately;
provided however, that sections 1101, 1102, 1103, 1105, 1106 and 1107 of
the general business law, as added by section three of this act, shall
take effect two years after the effective date but the private right of
action authorized in subdivision 6 of section 1106 will take effect
three years after the effective date.

 
JUSTIFICATION:

According to a Pew survey from 2018, 69% of American adults use at least
one social media platform, up from 5% in 2005. Americans use these plat-
forms to engage with friends and family, to connect with social and
political organizations, and to follow news and current events. Despite
the platforms' usefulness, many social media users have reservations
about the handling of their personal information. A 2014 Pew survey
found that 91% of Americans believe that people have lost control over
how their personal information is collected and used. Some 80% of social
media users said they were concerned about advertisers and businesses
accessing and using data that they share on social media platforms.
Around 64% of people in this survey also said that the government should
do more to address this issue.

Social media companies obtain their revenues through targeted advertis-
ing based on users' likes, shares, searches, phone numbers, emails, and
other information provided while they use these platforms. According to
The New York Times, some of the largest social media companies fail to
inform or obtain consent from users regarding the sharing of their
personal data. It found that in some instances, these social media
companies share the information of hundreds of millions of users without
notifying their consumers. It also found that if users were to choose
the most restrictive privacy settings made available, their personal
data was still shareable with some external companies or affiliates.
What's more, according to these large social media companies, any infor-
mation shared on these platforms can be given to other companies without
any additional consent.

Currently, there are no federal regulations addressing this privacy
issue, and the few attempts of self-regulation by these companies have
been frail and fall well short of addressing consumers' concerns. Hence,
New York must join the increasing number of other states to fill this
void.

 
PRIOR LEGISLATIVE HISTORY:

2019-20: S.5642 (Thomas) / A.8526 (L. Rosenthal) - Advanced to third
reading calendar.

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

None to the state.

 
EFFECTIVE DATE:
This act shall take effect immediately; provided however, that sections
1101, 1102, 1103, 1105, 1106 and 1107 of the general business law, added
by section three of this act, shall take effect two years after it shall
have become law but the private right of action authorized by subdivi-
sion 6 of section 1106 of the general business law shall take effect
three years after such section shall have become law.

2021-S6701A - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  6701--A
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                               May 12, 2021
                                ___________
 
 Introduced  by  Sens. THOMAS, MAY -- read twice and ordered printed, and
   when printed to be committed to the Committee on  Consumer  Protection
   --  recommitted  to the Committee on Consumer Protection in accordance
   with Senate Rule 6, sec. 8  --  committee  discharged,  bill  amended,
   ordered reprinted as amended and recommitted to said committee

 AN  ACT to amend the general business law, in relation to the management
   and oversight of personal data
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Short  title. This act shall be known and may be cited as
 the "New York privacy act".
   § 2. Legislative intent. 1. Privacy is  a  fundamental  right  and  an
 essential element of freedom. Advances in technology have produced ramp-
 ant  growth  in  the amount and categories of personal data being gener-
 ated,  collected,  stored,  analyzed,  and  potentially  shared,   which
 presents  both  promise  and peril. Companies collect, use and share our
 personal data in ways that can be difficult for  ordinary  consumers  to
 understand. Opaque data processing policies make it impossible to evalu-
 ate  risks  and  compare  privacy-related  protections  across services,
 stifling competition. Algorithms quietly make  decisions  with  critical
 consequences for New York consumers, often with no human accountability.
 Behavioral advertising generates profits by turning people into products
 and  their  activity into assets. New York consumers deserve more notice
 and more control over their data and their digital privacy.
   2. This act seeks to help New York consumers regain their privacy.  It
 gives New York consumers the ability to exercise more control over their
 personal data and requires businesses to be responsible, thoughtful, and
 accountable managers of that information.  To  achieve  this,  this  act
 provides  New  York  consumers  a  number of new rights, including clear
 notice of how their data is being used, processed and shared; the abili-
 ty to access and obtain a copy of their data in a  commonly  used  elec-
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD11397-06-1

 S. 6701--A                          2
 
 tronic  format,  with  the  ability to transfer it between services; the
 ability to correct inaccurate data and to delete  their  data;  and  the
 ability  to challenge certain automated decisions. This act also imposes
 obligations  upon  businesses  to  maintain reasonable data security for
 personal data, to notify New York consumers of foreseeable harms arising
 from use of their data and to obtain specific consent for that use,  and
 to conduct regular assessments to ensure that data is not being used for
 unacceptable purposes. These data assessments can be obtained and evalu-
 ated  by the New York State Attorney General, who is empowered to obtain
 penalties for violations of this act and prevent future violations. This
 act also grants New York consumers who have been injured as  the  result
 of  a  violation  a  private  right of action, which includes reasonable
 attorneys' fees to a prevailing plaintiff.
   § 3. The general business law is amended by adding a new article 42 to
 read as follows:
                                ARTICLE 42
                           NEW YORK PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. JURISDICTIONAL SCOPE.
         1102. CONSUMER RIGHTS.
         1103. CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES.
         1104. DATA BROKERS.
         1105. LIMITATIONS.
         1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION.
         1107. MISCELLANEOUS.
   § 1100. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY  THROUGHOUT  THIS
 ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE:
   1.  "AUTOMATED DECISION-MAKING" OR "AUTOMATED DECISION" MEANS A COMPU-
 TATIONAL PROCESS, INCLUDING ONE DERIVED FROM MACHINE  LEARNING,  ARTIFI-
 CIAL  INTELLIGENCE,  OR  ANY OTHER AUTOMATED PROCESS, INVOLVING PERSONAL
 DATA THAT RESULTS IN A DECISION AFFECTING A CONSUMER.
   2. "BIOMETRIC INFORMATION" MEANS ANY PERSONAL DATA GENERATED FROM  THE
 MEASUREMENT  OR  SPECIFIC TECHNOLOGICAL PROCESSING OF A NATURAL PERSON'S
 BIOLOGICAL, PHYSICAL, OR PHYSIOLOGICAL CHARACTERISTICS, INCLUDING  FING-
 ERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES,
 DEOXYRIBONUCLEIC ACID (DNA) INFORMATION, AND GAIT.
   3.  "BUSINESS  ASSOCIATE"  HAS  THE SAME MEANING AS IN TITLE 45 OF THE
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   4. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A FREELY  GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT
 TO  THE  PROCESSING  OF  DATA RELATING TO THE CONSUMER.   CONSENT MAY BE
 WITHDRAWN AT ANY TIME, AND A CONTROLLER MUST PROVIDE CLEAR, CONSPICUOUS,
 AND CONSUMER-FRIENDLY MEANS TO WITHDRAW CONSENT. THE  BURDEN  OF  ESTAB-
 LISHING  CONSENT IS ON THE CONTROLLER.  CONSENT DOES NOT INCLUDE: (A) AN
 AGREEMENT OF GENERAL TERMS OF USE OR A SIMILAR DOCUMENT THAT  REFERENCES
 UNRELATED  INFORMATION  IN  ADDITION TO PERSONAL DATA PROCESSING; (B) AN
 AGREEMENT OBTAINED THROUGH FRAUD, DECEIT OR DECEPTION; (C) ANY ACT  THAT
 DOES  NOT CONSTITUTE A USER'S INTENT TO INTERACT WITH ANOTHER PARTY SUCH
 AS HOVERING OVER, PAUSING OR CLOSING ANY CONTENT; OR (D)  A  PRE-CHECKED
 BOX OR SIMILAR DEFAULT.
   5. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING
 ONLY  IN  AN  INDIVIDUAL  OR  HOUSEHOLD  CONTEXT.  IT DOES NOT INCLUDE A
 NATURAL PERSON KNOWN TO  BE  ACTING  IN  A  PROFESSIONAL  OR  EMPLOYMENT
 CONTEXT.
 S. 6701--A                          3
 
   6.  "CONTROLLER"  MEANS  THE PERSON WHO, ALONE OR JOINTLY WITH OTHERS,
 DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA.
   7. "COVERED ENTITY" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R.,
 ESTABLISHED  PURSUANT  TO  THE  FEDERAL HEALTH INSURANCE PORTABILITY AND
 ACCOUNTABILITY ACT OF 1996.
   8. "DATA BROKER" MEANS A PERSON, OR UNIT OR UNITS OF A  LEGAL  ENTITY,
 SEPARATELY  OR TOGETHER, THAT DOES BUSINESS IN THE STATE OF NEW YORK AND
 KNOWINGLY COLLECTS, AND SELLS  TO  CONTROLLERS  OR  THIRD  PARTIES,  THE
 PERSONAL  DATA  OF  A  CONSUMER  WITH  WHOM  IT  DOES  NOT HAVE A DIRECT
 RELATIONSHIP. "DATA BROKER" DOES NOT INCLUDE ANY OF THE FOLLOWING:
   (A) A CONSUMER REPORTING AGENCY TO THE EXTENT THAT IT  IS  COVERED  BY
 THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET SEQ.); OR
   (B)  A  FINANCIAL  INSTITUTION TO THE EXTENT THAT IT IS COVERED BY THE
 GRAMM-LEACH-BLILEY ACT  (PUBLIC  LAW  106-102)  AND  IMPLEMENTING  REGU-
 LATIONS.
   9.  "DEIDENTIFIED  DATA"  MEANS DATA THAT CANNOT REASONABLY BE USED TO
 INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTICULAR  CONSUM-
 ER,  HOUSEHOLD OR DEVICE, PROVIDED THAT THE PROCESSOR OR CONTROLLER THAT
 POSSESSES THE DATA:
   (A) IMPLEMENTS REASONABLE TECHNICAL SAFEGUARDS TO ENSURE THAT THE DATA
 CANNOT BE ASSOCIATED WITH A CONSUMER, HOUSEHOLD OR DEVICE;
   (B) PUBLICLY COMMITS TO PROCESS THE DATA ONLY AS DEIDENTIFIED DATA AND
 NOT ATTEMPT TO REIDENTIFY  THE  DATA,  EXCEPT  THAT  THE  CONTROLLER  OR
 PROCESSOR  MAY  ATTEMPT  TO  REIDENTIFY  THE  INFORMATION SOLELY FOR THE
 PURPOSE OF DETERMINING WHETHER ITS  DEIDENTIFICATION  PROCESSES  SATISFY
 THE REQUIREMENTS OF THIS SUBDIVISION; AND
   (C)  CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE DATA TO COMPLY WITH
 ALL PROVISIONS OF THIS ARTICLE.
   10. "DEVICE" MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE  OF  CONNECTING
 TO  THE  INTERNET,  DIRECTLY  OR INDIRECTLY, OR TO ANOTHER DEVICE AND IS
 INTENDED FOR USE BY A NATURAL PERSON OR HOUSEHOLD OR,  IF  USED  OUTSIDE
 THE HOME, FOR USE BY THE GENERAL PUBLIC.
   11. "MEANINGFUL HUMAN REVIEW" MEANS REVIEW OR OVERSIGHT BY ONE OR MORE
 INDIVIDUALS  WHO  (A) ARE TRAINED IN THE CAPABILITIES AND LIMITATIONS OF
 THE ALGORITHM AT ISSUE AND THE PROCEDURES TO INTERPRET AND  ACT  ON  THE
 OUTPUT  OF  THE ALGORITHM, AND (B) HAVE THE AUTHORITY TO ALTER THE AUTO-
 MATED DECISION UNDER REVIEW.
   12. "NATURAL PERSON" MEANS A NATURAL PERSON ACTING ONLY IN AN INDIVID-
 UAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN  TO
 BE ACTING IN A PROFESSIONAL OR EMPLOYMENT CONTEXT.
   13.  "PERSON"  MEANS A NATURAL PERSON OR A LEGAL ENTITY, INCLUDING BUT
 NOT LIMITED  TO  A  PROPRIETORSHIP,  PARTNERSHIP,  LIMITED  PARTNERSHIP,
 CORPORATION,  COMPANY, LIMITED LIABILITY COMPANY OR CORPORATION, ASSOCI-
 ATION, OR OTHER FIRM OR SIMILAR BODY, OR  ANY  UNIT,  DIVISION,  AGENCY,
 DEPARTMENT, OR SIMILAR SUBDIVISION THEREOF.
   14. "PERSONAL DATA" MEANS ANY DATA THAT IDENTIFIES OR COULD REASONABLY
 BE  LINKED,  DIRECTLY  OR  INDIRECTLY,  WITH  A SPECIFIC NATURAL PERSON,
 HOUSEHOLD, OR DEVICE.  PERSONAL DATA DOES NOT INCLUDE DEIDENTIFIED DATA.
   15. "IDENTIFIED OR IDENTIFIABLE" MEANS A NATURAL  PERSON  WHO  CAN  BE
 IDENTIFIED, DIRECTLY OR INDIRECTLY, SUCH AS BY REFERENCE TO AN IDENTIFI-
 ER SUCH AS A NAME, AN IDENTIFICATION NUMBER, LOCATION DATA, OR AN ONLINE
 OR DEVICE IDENTIFIER.
   16.  "PROCESS",  "PROCESSES" OR "PROCESSING" MEANS AN OPERATION OR SET
 OF OPERATIONS WHICH ARE PERFORMED ON DATA OR ON SETS OF DATA,  INCLUDING
 BUT  NOT  LIMITED TO THE COLLECTION, USE, ACCESS, SHARING, MONETIZATION,
 ANALYSIS, RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGAN-
 S. 6701--A                          4
 
 IZATION,  STRUCTURING,  STORAGE,  DISCLOSURE,  TRANSMISSION,   ANALYSIS,
 DISPOSAL, LICENSING, DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFI-
 CATION OF DATA.
   17.  "PROCESSOR"  MEANS  A PERSON THAT PROCESSES DATA ON BEHALF OF THE
 CONTROLLER.
   18. "PROFILING" MEANS ANY FORM OF AUTOMATED  PROCESSING  PERFORMED  ON
 PERSONAL  DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS RELATED
 TO AN IDENTIFIED OR IDENTIFIABLE NATURAL  PERSON'S  ECONOMIC  SITUATION,
 HEALTH,   PERSONAL   PREFERENCES,   INTERESTS,   RELIABILITY,  BEHAVIOR,
 LOCATION, OR MOVEMENTS.
   19. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   20. "SALE", "SELL", OR "SOLD" MEANS THE DISCLOSURE, TRANSFER,  CONVEY-
 ANCE,  SHARING,  LICENSING,  MAKING  AVAILABLE,  PROCESSING, GRANTING OF
 PERMISSION OR AUTHORIZATION TO PROCESS, OR OTHER  EXCHANGE  OF  PERSONAL
 DATA,  OR  PROVIDING ACCESS TO PERSONAL DATA FOR MONETARY OR OTHER VALU-
 ABLE CONSIDERATION BY THE CONTROLLER TO A THIRD PARTY.  "SALE"  INCLUDES
 ENABLING,  FACILITATING  OR  PROVIDING ACCESS TO A CONSUMER FOR TARGETED
 ADVERTISING. "SALE" DOES NOT INCLUDE THE FOLLOWING:
   (A) THE DISCLOSURE OF DATA TO A PROCESSOR WHO PROCESSES  THE  DATA  ON
 BEHALF  OF  THE  CONTROLLER  AND  WHICH IS CONTRACTUALLY PROHIBITED FROM
 USING IT FOR ANY PURPOSE OTHER THAN AS INSTRUCTED BY THE CONTROLLER; OR
   (B) THE DISCLOSURE OR TRANSFER OF DATA AS AN ASSET THAT IS PART  OF  A
 MERGER,  ACQUISITION,  BANKRUPTCY, OR OTHER TRANSACTION IN WHICH ANOTHER
 ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR A MAJORITY OF THE CONTROL-
 LER'S ASSETS.
   21. "TARGETED ADVERTISING" MEANS DISPLAYING ONLINE ADVERTISEMENTS TO A
 CONSUMER WHERE THE ADVERTISEMENT IS  SELECTED  BASED  ON  PERSONAL  DATA
 OBTAINED  OR  INFERRED FROM A CONSUMER'S ACTIVITIES OVER TIME AND ACROSS
 ONE  OR  MORE  DISTINCTLY-BRANDED  WEBSITES,  ONLINE  APPLICATIONS,   OR
 SERVICES,  TO  PREDICT THE CONSUMER'S PREFERENCES OR INTERESTS.  IT DOES
 NOT INCLUDE ADVERTISING (A) BASED SOLELY ON THE CONTEXT OF  THE  CONSUM-
 ER'S CURRENT SEARCH QUERY OR VISIT TO A WEBSITE OR ONLINE APPLICATION OR
 (B)  TO  A  CONSUMER  IN  DIRECT  RESPONSE TO THE CONSUMER'S REQUEST FOR
 INFORMATION OR FEEDBACK.
   22. "THIRD PARTY" MEANS, WITH RESPECT TO A PARTICULAR  INTERACTION  OR
 OCCURRENCE,  A  PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER THAN THE
 CONSUMER, THE CONTROLLER, OR PROCESSOR OF THE CONTROLLER.  A THIRD PARTY
 MAY ALSO BE A CONTROLLER IF THE  THIRD  PARTY,  ALONE  OR  JOINTLY  WITH
 OTHERS,  DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL
 DATA.
   23. "VERIFIED REQUEST" MEANS A REQUEST BY A CONSUMER OR THEIR AGENT TO
 EXERCISE A RIGHT AUTHORIZED BY THIS ARTICLE, THE AUTHENTICITY  OF  WHICH
 HAS  BEEN ASCERTAINED BY THE CONTROLLER IN ACCORDANCE WITH PARAGRAPH (C)
 OF SUBDIVISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE.
   § 1101. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL PERSONS
 THAT CONDUCT BUSINESS IN NEW YORK OR PRODUCE PRODUCTS OR  SERVICES  THAT
 ARE  TARGETED  TO RESIDENTS OF NEW YORK, AND THAT SATISFY ONE OR MORE OF
 THE FOLLOWING THRESHOLDS:
   (A) HAVE ANNUAL GROSS REVENUE OF TWENTY-FIVE MILLION DOLLARS OR MORE;
   (B) CONTROLS OR  PROCESSES  PERSONAL  DATA  OF  ONE  HUNDRED  THOUSAND
 CONSUMERS OR MORE;
   (C)  CONTROLS  OR  PROCESSES  PERSONAL  DATA  OF FIVE HUNDRED THOUSAND
 NATURAL PERSONS OR MORE NATIONWIDE, AND CONTROLS OR  PROCESSES  PERSONAL
 DATA OF TEN THOUSAND CONSUMERS OR MORE; OR
 S. 6701--A                          5
 
   (D)  DERIVES  OVER  FIFTY  PERCENT  OF  GROSS REVENUE FROM THE SALE OF
 PERSONAL DATA, AND CONTROLS OR PROCESSES PERSONAL  DATA  OF  TWENTY-FIVE
 THOUSAND CONSUMERS OR MORE.
   2. THIS ARTICLE DOES NOT APPLY TO:
   (A) PERSONAL DATA PROCESSED BY STATE AND LOCAL GOVERNMENTS, AND MUNIC-
 IPAL  CORPORATIONS, FOR PROCESSES OTHER THAN SALE (FILING AND PROCESSING
 FEES ARE NOT SALE);
   (B) A NATIONAL SECURITIES ASSOCIATION REGISTERED PURSUANT  TO  SECTION
 15A  OF  THE SECURITIES EXCHANGE ACT OF 1934, AS AMENDED, OR REGULATIONS
 ADOPTED THEREUNDER OR A REGISTERED  FUTURES  ASSOCIATION  SO  DESIGNATED
 PURSUANT TO SECTION 17 OF THE COMMODITY EXCHANGE ACT, AS AMENDED, OR ANY
 REGULATIONS ADOPTED THEREUNDER;
   (C) INFORMATION THAT MEETS THE FOLLOWING CRITERIA:
   (I) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO
 AND   IN  COMPLIANCE  WITH  THE  FEDERAL  GRAMM-LEACH-BLILEY  ACT  (P.L.
 106-102), AND IMPLEMENTING REGULATIONS;
   (II) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR  DISCLOSED  PURSUANT
 TO  THE  FEDERAL DRIVER'S PRIVACY PROTECTION ACT OF 1994 (18 U.S.C. SEC.
 2721 ET SEQ.), IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN
 COMPLIANCE WITH THAT LAW;
   (III) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS
 AND PRIVACY ACT, U.S.C. SEC. 1232G AND ITS IMPLEMENTING REGULATIONS;
   (IV)  PERSONAL  DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT
 TO THE FEDERAL FARM CREDIT ACT OF 1971 (AS AMENDED  IN  12  U.S.C.  SEC.
 2001-2279CC)  AND  ITS  IMPLEMENTING  REGULATIONS (12 C.F.R. PART 600 ET
 SEQ.) IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN  COMPLI-
 ANCE WITH THAT LAW;
   (V) PERSONAL DATA REGULATED BY SECTION TWO-D OF THE EDUCATION LAW;
   (VI)  DATA  MAINTAINED  AS EMPLOYMENT RECORDS, FOR PURPOSES OTHER THAN
 SALE;
   (VII) PROTECTED HEALTH INFORMATION THAT IS  LAWFULLY  COLLECTED  BY  A
 COVERED  ENTITY  OR  BUSINESS  ASSOCIATE AND IS GOVERNED BY THE PRIVACY,
 SECURITY, AND BREACH NOTIFICATION RULES  ISSUED  BY  THE  UNITED  STATES
 DEPARTMENT  OF  HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45
 OF THE CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO  THE  HEALTH
 INSURANCE  PORTABILITY  AND  ACCOUNTABILITY  ACT  OF  1996  (PUBLIC  LAW
 104-191) ("HIPAA") AND THE HEALTH INFORMATION  TECHNOLOGY  FOR  ECONOMIC
 AND CLINICAL HEALTH ACT (PUBLIC LAW 111-5);
   (VIII)  PATIENT IDENTIFYING INFORMATION FOR PURPOSES OF 42 C.F.R. PART
 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290DD-2, AS LONG AS SUCH  DATA
 IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR FEDERAL LAW;
   (IX)  INFORMATION  AND  DOCUMENTS LAWFULLY CREATED FOR PURPOSES OF THE
 FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986, AND  RELATED  REGU-
 LATIONS;
   (X) PATIENT SAFETY WORK PRODUCT CREATED FOR PURPOSES OF 42 C.F.R. PART
 3, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 299B-21 THROUGH 299B-26;
   (XI)  INFORMATION  THAT  IS  TREATED IN THE SAME MANNER AS INFORMATION
 EXEMPT UNDER SUBPARAGRAPH (VII) OF THIS PARAGRAPH THAT IS MAINTAINED  BY
 A  COVERED ENTITY OR BUSINESS ASSOCIATE AS DEFINED BY HIPAA OR A PROGRAM
 OR A QUALIFIED SERVICE ORGANIZATION AS DEFINED BY 42 U.S.C.  §  290DD-2,
 AS  LONG  AS SUCH DATA IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR
 FEDERAL LAW;
   (XII) DEIDENTIFIED HEALTH INFORMATION THAT MEETS ALL OF THE  FOLLOWING
 CONDITIONS:
 S. 6701--A                          6
 
   (A) IT IS DEIDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DEIDEN-
 TIFICATION  SET  FORTH IN SECTION 164.514 OF PART 164 OF TITLE 45 OF THE
 CODE OF FEDERAL REGULATIONS;
   (B)  IT  IS  DERIVED  FROM  PROTECTED HEALTH INFORMATION, INDIVIDUALLY
 IDENTIFIABLE HEALTH INFORMATION,  OR  IDENTIFIABLE  PRIVATE  INFORMATION
 COMPLIANT  WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS,
 ALSO KNOWN AS THE COMMON RULE; AND
   (C) A COVERED ENTITY OR BUSINESS ASSOCIATE DOES NOT ATTEMPT TO REIDEN-
 TIFY THE INFORMATION NOR DO THEY  ACTUALLY  REIDENTIFY  THE  INFORMATION
 EXCEPT AS OTHERWISE ALLOWED UNDER STATE OR FEDERAL LAW;
   (XIII)  PATIENT INFORMATION MAINTAINED BY A COVERED ENTITY OR BUSINESS
 ASSOCIATE GOVERNED BY THE PRIVACY,  SECURITY,  AND  BREACH  NOTIFICATION
 RULES  ISSUED  BY  THE  UNITED  STATES  DEPARTMENT  OF  HEALTH AND HUMAN
 SERVICES, PARTS 160 AND 164 OF TITLE 45 OF THE  CODE  OF  FEDERAL  REGU-
 LATIONS,  ESTABLISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY AND
 ACCOUNTABILITY ACT OF 1996 (PUBLIC  LAW  104-191),  TO  THE  EXTENT  THE
 COVERED  ENTITY  OR BUSINESS ASSOCIATE MAINTAINS THE PATIENT INFORMATION
 IN THE SAME MANNER AS  PROTECTED  HEALTH  INFORMATION  AS  DESCRIBED  IN
 SUBPARAGRAPH (VII) OF THIS PARAGRAPH;
   (XIV)  DATA  COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH, INCLUDING A
 CLINICAL TRIAL, CONDUCTED IN ACCORDANCE WITH THE FEDERAL POLICY FOR  THE
 PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO
 GOOD  CLINICAL  PRACTICE  GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL
 FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT  PROTECTION  REQUIREMENTS
 OF THE UNITED STATES FOOD AND DRUG ADMINISTRATION; OR
   (XV)  PERSONAL  DATA  PROCESSED  ONLY FOR ONE OR MORE OF THE FOLLOWING
 PURPOSES:
   (A) PRODUCT  REGISTRATION  AND  TRACKING  CONSISTENT  WITH  APPLICABLE
 UNITED STATES FOOD AND DRUG ADMINISTRATION REGULATIONS AND GUIDANCE;
   (B)  PUBLIC  HEALTH  ACTIVITIES  AND  PURPOSES AS DESCRIBED IN SECTION
 164.512 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; AND/OR
   (C) ACTIVITIES RELATED TO QUALITY, SAFETY, OR EFFECTIVENESS  REGULATED
 BY THE UNITED STATES FOOD AND DRUG ADMINISTRATION;
   (D) (I) AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE,
 SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S
 CREDIT  WORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL
 REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING  BY  A  CONSUMER
 REPORTING  AGENCY,  AS  DEFINED  IN  TITLE 15 U.S.C. SEC. 1681A(F), BY A
 FURNISHER OF INFORMATION, AS SET FORTH IN TITLE 15 U.S.C. SEC.  1681S-2,
 WHO PROVIDES INFORMATION FOR USE IN A CONSUMER  REPORT,  AS  DEFINED  IN
 TITLE  15  U.S.C.  SEC. 1861A(D), AND BY A USER OF A CONSUMER REPORT, AS
 SET FORTH IN TITLE 15 U.S.C. SEC. 1681B.; AND
   (II) THIS PARAGRAPH SHALL APPLY ONLY TO THE EXTENT THAT SUCH  ACTIVITY
 INVOLVING  THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION,
 OR USE OF SUCH DATA BY THAT AGENCY, FURNISHER, OR  USER  IS  SUBJECT  TO
 REGULATION  UNDER  THE  FAIR  CREDIT REPORTING ACT, TITLE 15 U.S.C. SEC.
 1681 ET SEQ., AND THE DATA IS NOT COLLECTED, MAINTAINED, USED,  COMMUNI-
 CATED,  DISCLOSED,  OR  SOLD  EXCEPT  AS  AUTHORIZED  BY THE FAIR CREDIT
 REPORTING ACT.
   § 1102. CONSUMER RIGHTS. 1. RIGHT TO NOTICE. (A) NOTICE. EACH CONTROL-
 LER THAT PROCESSES A CONSUMER'S PERSONAL DATA  MUST  MAKE  PUBLICLY  AND
 PERSISTENTLY  AVAILABLE, IN A CONSPICUOUS AND READILY ACCESSIBLE MANNER,
 A NOTICE CONTAINING THE FOLLOWING:
   (I) A DESCRIPTION OF THE  CONSUMER'S  RIGHTS  UNDER  SUBDIVISIONS  TWO
 THROUGH  SIX  OF  THIS  SECTION  AND  HOW  A CONSUMER MAY EXERCISE THOSE
 RIGHTS, INCLUDING HOW TO WITHDRAW CONSENT;
 S. 6701--A                          7
 
   (II) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE  CONTROLLER  AND
 BY  ANY  PROCESSOR WHO PROCESSES PERSONAL DATA ON BEHALF OF THE CONTROL-
 LER;
   (III) THE SOURCES FROM WHICH PERSONAL DATA IS COLLECTED;
   (IV) THE PURPOSES FOR PROCESSING PERSONAL DATA;
   (V) THE IDENTITY OF EACH THIRD PARTY TO WHOM THE CONTROLLER DISCLOSED,
 SHARED, TRANSFERRED OR SOLD PERSONAL DATA AND, FOR EACH IDENTIFIED THIRD
 PARTY,  (A)  THE  CATEGORIES  OF  PERSONAL DATA BEING SHARED, DISCLOSED,
 TRANSFERRED, OR SOLD TO THE THIRD PARTY,  (B)  THE  PURPOSES  FOR  WHICH
 PERSONAL  DATA  IS  BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD TO THE
 THIRD PARTY, (C) THE THIRD PARTY'S RETENTION PERIOD FOR EACH CATEGORY OF
 PERSONAL DATA PROCESSED BY THE THIRD PARTY OR PROCESSED ON THEIR BEHALF,
 OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE  THE  PERIOD,
 AND  (D)  WHETHER  THE  THIRD  PARTY USES THE PERSONAL DATA FOR TARGETED
 ADVERTISING;
   (VI) THE CONTROLLER'S RETENTION PERIOD FOR EACH CATEGORY  OF  PERSONAL
 DATA  THAT  THEY  PROCESS OR IS PROCESSED ON THEIR BEHALF, OR IF THAT IS
 NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD; AND
   (VII)  FOR  CONTROLLERS  ENGAGING  IN  TARGETED  ADVERTISING,  AVERAGE
 EXPECTED REVENUE PER USER (ARPU) OR A SIMILAR METRIC FOR THE MOST RECENT
 FISCAL YEAR FOR THE REGION THAT COVERS NEW YORK.
   (B) NOTICE REQUIREMENTS.
   (I)  THE  NOTICE  MUST BE WRITTEN IN EASY-TO-UNDERSTAND LANGUAGE AT AN
 EIGHTH GRADE READING LEVEL OR BELOW.
   (II) THE CATEGORIES OF PERSONAL DATA PROCESSED AND PURPOSES FOR  WHICH
 EACH CATEGORY OF PERSONAL DATA IS PROCESSED MUST BE DESCRIBED AT A LEVEL
 SPECIFIC ENOUGH TO ENABLE A CONSUMER TO EXERCISE MEANINGFUL CONTROL OVER
 THEIR  PERSONAL DATA BUT NOT SO SPECIFIC AS TO RENDER THE NOTICE UNHELP-
 FUL TO A REASONABLE CONSUMER.
   (III) THE NOTICE MUST BE DATED WITH ITS EFFECTIVE DATE AND UPDATED  AT
 LEAST  ANNUALLY.    WHEN  THE  INFORMATION REQUIRED TO BE DISCLOSED TO A
 CONSUMER PURSUANT TO PARAGRAPH (A) OF THIS SUBDIVISION HAS  NOT  CHANGED
 SINCE  THE  IMMEDIATELY  PREVIOUS  NOTICE  (WHETHER  INITIAL, ANNUAL, OR
 REVISED) PROVIDED TO THE CONSUMER, A CONTROLLER MAY  ISSUE  A  STATEMENT
 THAT NO CHANGES HAVE BEEN MADE.
   (IV)  THE  NOTICE,  AS WELL AS EACH VERSION OF THE NOTICE IN EFFECT IN
 THE PRECEDING SIX YEARS,   MUST BE EASILY ACCESSIBLE  TO  CONSUMERS  AND
 CAPABLE OF BEING VIEWED BY CONSUMERS AT ANY TIME.
   2. OPT-IN CONSENT.  (A) A CONTROLLER MUST OBTAIN FREELY GIVEN, SPECIF-
 IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM A CONSUMER TO:
   (I)  PROCESS  THE  CONSUMER'S PERSONAL DATA FOR ANY PURPOSE OTHER THAN
 THOSE IN SUBDIVISION TWO OF SECTION ELEVEN HUNDRED FIVE OF THIS ARTICLE;
 OR
   (II) MAKE  ANY  CHANGES  TO  THE  EXISTING  PROCESSING  OR  PROCESSING
 PURPOSE,  INCLUDING  THOSE REGARDING THE METHOD AND SCOPE OF COLLECTION,
 OF THE CONSUMER'S PERSONAL DATA THAT  MAY  BE  LESS  PROTECTIVE  OF  THE
 CONSUMER'S  PERSONAL  DATA THAN THE PROCESSING TO WHICH THE CONSUMER HAS
 PREVIOUSLY GIVEN THEIR FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
 OPT-IN CONSENT.
   (B) ANY REQUEST FOR CONSENT MUST BE PROVIDED TO THE CONSUMER, PRIOR TO
 PROCESSING THEIR PERSONAL DATA, IN A STANDALONE DISCLOSURE THAT IS SEPA-
 RATE AND APART FROM ANY CONTRACT OR  PRIVACY  POLICY.  THE  REQUEST  FOR
 CONSENT MUST:
   (I)  INCLUDE  A  CLEAR AND CONSPICUOUS DESCRIPTION OF EACH CATEGORY OF
 DATA AND PROCESSING PURPOSE FOR WHICH CONSENT IS SOUGHT;
 S. 6701--A                          8
 
   (II) CLEARLY IDENTIFY AND DISTINGUISH BETWEEN CATEGORIES OF  DATA  AND
 PROCESSING  PURPOSES THAT ARE NECESSARY TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY THE CONSUMER AND CATEGORIES OF DATA AND PROCESSING PURPOSES
 THAT ARE NOT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER;
   (III)  ENABLE  A REASONABLE CONSUMER TO EASILY IDENTIFY THE CATEGORIES
 OF DATA AND PROCESSING PURPOSES FOR WHICH CONSENT IS SOUGHT;
   (IV) CLEARLY PRESENT AS THE  MOST  CONSPICUOUS  CHOICE  AN  OPTION  TO
 PROVIDE  ONLY  THE  CONSENT  NECESSARY  TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY THE CONSUMER;
   (V) CLEARLY PRESENT AN OPTION TO DENY CONSENT; AND
   (VI) WHERE THE REQUEST SEEKS CONSENT TO SHARING, DISCLOSURE, TRANSFER,
 OR SALE OF PERSONAL DATA TO THIRD  PARTIES,  IDENTIFY  EACH  SUCH  THIRD
 PARTY,  THE  CATEGORIES OF DATA SOLD OR SHARED WITH THEM, THE PROCESSING
 PURPOSES, THE RETENTION PERIOD, OR IF THAT IS NOT POSSIBLE, THE CRITERIA
 USED TO DETERMINE THE PERIOD, AND FOR EACH THIRD  PARTY  STATE  IF  SUCH
 SHARING,  DISCLOSURE,  TRANSFER,  OR  SALE  ENABLES OR INVOLVES TARGETED
 ADVERTISING. THE DETAILS OF IDENTITIES OF SUCH THIRD  PARTIES,  AND  THE
 CATEGORIES  OF  DATA, PROCESSING PURPOSES, AND THE RETENTION PERIOD, MAY
 BE SET FORTH IN A DIFFERENT DISCLOSURE, PROVIDED THAT  THE  REQUEST  FOR
 CONSENT  CONTAINS  A  CONSPICUOUS  AND  DIRECTLY ACCESSIBLE LINK TO THAT
 DISCLOSURE.
   (C) TARGETED ADVERTISING AND  SALE  OF  PERSONAL  DATA  SHALL  NOT  BE
 CONSIDERED PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE SERVICES OR
 GOODS REQUESTED BY A CONSUMER.
   (D) ONCE A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND
 UNAMBIGUOUS OPT-IN CONSENT TO PROCESS THEIR PERSONAL DATA FOR A PROCESS-
 ING  PURPOSE,  A  CONTROLLER  MAY RELY ON SUCH CONSENT UNTIL IT IS WITH-
 DRAWN.
   (E) A CONTROLLER MUST PROVIDE A MECHANISM FOR A CONSUMER  TO  WITHDRAW
 PREVIOUSLY  GIVEN  CONSENT  AT ANY TIME. SUCH MECHANISM SHALL MAKE IT AS
 EASY FOR A CONSUMER TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH CONSUMER
 TO PROVIDE CONSENT.
   (F) A CONTROLLER MUST NOT INFER THAT A CONSUMER  HAS  PROVIDED  FREELY
 GIVEN,  SPECIFIC,  INFORMED,  AND  UNAMBIGUOUS  OPT-IN  CONSENT FROM THE
 CONSUMER'S INACTION OR THE CONSUMER'S CONTINUED  USE  OF  A  SERVICE  OR
 PRODUCT PROVIDED BY THE CONTROLLER.
   (G)  TO  THE  EXTENT  THAT A CONTROLLER MUST PROCESS INTERNET PROTOCOL
 ADDRESSES, SYSTEM CONFIGURATION INFORMATION, URLS  OF  REFERRING  PAGES,
 LOCALE  AND  LANGUAGE  PREFERENCES,  KEYSTROKES,  OR ANY OTHER DATA THAT
 INDIVIDUALLY OR COLLECTIVELY MAY COMPRISE  PERSONAL  DATA  IN  ORDER  TO
 OBTAIN  A  CONSUMER'S  FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
 OPT-IN CONSENT, THE CONTROLLER MUST:
   (I) PROCESS ONLY THE PERSONAL DATA NECESSARY TO REQUEST FREELY  GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT;
   (II) PROCESS THE PERSONAL DATA SOLELY TO REQUEST FREELY GIVEN, SPECIF-
 IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT; AND
   (III)  PROMPTLY  DELETE  THE  PERSONAL  DATA  IF  CONSENT IS WITHHELD,
 DENIED, OR WITHDRAWN.
   (H) CONTROLLERS MUST NOT REQUEST  CONSENT  FROM  A  CONSUMER  WHO  HAS
 PREVIOUSLY  WITHHELD  OR  DENIED CONSENT, UNLESS CONSENT IS NECESSARY TO
 PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER.
   (I) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A BROWSER,
 BROWSER  PLUG-IN,  SMARTPHONE  APPLICATION,  OPERATING  SYSTEM,   DEVICE
 SETTING,  OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE CONSUMER'S
 CHOICE NOT TO BE SUBJECT TO TARGETED ADVERTISING OR THE  SALE  OF  THEIR
 S. 6701--A                          9
 
 PERSONAL  DATA AS A DENIAL OF CONSENT UNDER THIS ACT. TO THE EXTENT THAT
 THE PRIVACY CONTROL CONFLICTS WITH A  CONSUMER'S  CONSENT,  THE  PRIVACY
 CONTROL  SETTINGS  GOVERN,  UNLESS  THE  CONSUMER PROVIDES FREELY GIVEN,
 SPECIFIC,  INFORMED,  AND  UNAMBIGUOUS  OPT-IN  CONSENT  TO OVERRIDE THE
 PRIVACY CONTROL.
   (J) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A  CONSUMER  FOR  WITH-
 HOLDING OR DENYING CONSENT, INCLUDING, BUT NOT LIMITED TO, BY:
   (I)  DENYING  SERVICES  OR  GOODS TO THE CONSUMER, UNLESS THE CONSUMER
 DOES NOT CONSENT TO PROCESSING NECESSARY  TO  PROVIDE  THE  SERVICES  OR
 GOODS REQUESTED BY THE CONSUMER;
   (II)  CHARGING  DIFFERENT  PRICES  FOR  GOODS  OR  SERVICES, INCLUDING
 THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING  PENALTIES,  OR
 PROVIDING  A  DIFFERENT  LEVEL  OR  QUALITY  OF SERVICES OR GOODS TO THE
 CONSUMER; OR
   (III) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT  PRICE  OR
 RATE  FOR  GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF SERVICES
 OR GOODS.
   (K) A CONTROLLER MAY, WITH  THE  CONSUMER'S  FREELY  GIVEN,  SPECIFIC,
 INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION,
 OPERATE  A  PROGRAM  IN WHICH INFORMATION, PRODUCTS, OR SERVICES SOLD TO
 THE CONSUMER ARE  DISCOUNTED  BASED  SOLELY  ON  SUCH  CONSUMER'S  PRIOR
 PURCHASES  FROM  THE CONTROLLER, PROVIDED THAT THE PERSONAL DATA USED TO
 OPERATE SUCH PROGRAM IS PROCESSED SOLELY FOR THE  PURPOSE  OF  OPERATING
 SUCH PROGRAM.
   (L) IN THE EVENT OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANS-
 ACTION  IN  WHICH  ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR
 MAJORITY OF  THE  CONTROLLER'S  ASSETS,  ANY  CONSENT  PROVIDED  TO  THE
 CONTROLLER BY A CONSUMER PRIOR TO SUCH TRANSACTION SHALL BE DEEMED WITH-
 DRAWN.
   3.  RIGHT  TO  ACCESS.  UPON  THE  VERIFIED  REQUEST  OF A CONSUMER, A
 CONTROLLER SHALL:
   (A) CONFIRM WHETHER OR NOT THE CONTROLLER IS PROCESSING OR  HAS  PROC-
 ESSED  PERSONAL  DATA  OF THAT CONSUMER, AND PROVIDE ACCESS TO A COPY OF
 ANY SUCH PERSONAL DATA  IN  A  MANNER  UNDERSTANDABLE  TO  A  REASONABLE
 CONSUMER WHEN REQUESTED; AND
   (B)  PROVIDE THE IDENTITY OF EACH PROCESSOR OR THIRD PARTY TO WHOM THE
 CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE CONSUMER'S PERSONAL  DATA
 AND, FOR EACH IDENTIFIED PROCESSOR OR THIRD PARTY, (I) THE CATEGORIES OF
 THE  CONSUMER'S  PERSONAL  DATA  DISCLOSED, TRANSFERRED, OR SOLD TO EACH
 PROCESSOR OR THIRD PARTY AND (II) THE PURPOSES FOR WHICH  EACH  CATEGORY
 OF  THE  CONSUMER'S PERSONAL DATA WAS DISCLOSED, TRANSFERRED, OR SOLD TO
 EACH PROCESSOR OR THIRD PARTY.
   4. RIGHT TO PORTABLE DATA.  UPON A VERIFIED REQUEST, AND TO THE EXTENT
 TECHNICALLY FEASIBLE, THE CONTROLLER MUST: (A) PROVIDE TO THE CONSUMER A
 COPY OF ALL OF, OR A PORTION OF, AS DESIGNATED IN  A  VERIFIED  REQUEST,
 THE  CONSUMER'S  PERSONAL  DATA  IN  A  STRUCTURED,  COMMONLY  USED  AND
 MACHINE-READABLE FORMAT AND (B) TRANSMIT THE DATA TO ANOTHER  PERSON  OF
 THE CONSUMER'S OR THEIR AGENT'S DESIGNATION WITHOUT HINDRANCE.
   5.  RIGHT  TO  CORRECT. (A) UPON THE VERIFIED REQUEST OF A CONSUMER OR
 THEIR AGENT, A CONTROLLER MUST CONDUCT  A  REASONABLE  INVESTIGATION  TO
 DETERMINE  WHETHER  PERSONAL  DATA, THE ACCURACY OF WHICH IS DISPUTED BY
 THE CONSUMER, IS INACCURATE, WITH SUCH  INVESTIGATION  TO  BE  CONCLUDED
 WITHIN  THE  TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION EIGHT
 OF THIS SECTION.
   (B) NOTWITHSTANDING PARAGRAPH (A) OF THIS  SUBDIVISION,  A  CONTROLLER
 MAY  TERMINATE  AN INVESTIGATION INITIATED PURSUANT TO SUCH PARAGRAPH IF
 S. 6701--A                         10
 
 THE CONTROLLER REASONABLY AND IN GOOD FAITH DETERMINES THAT THE  DISPUTE
 BY  THE CONSUMER IS WHOLLY WITHOUT MERIT, INCLUDING BY REASON OF A FAIL-
 URE BY A CONSUMER TO PROVIDE SUFFICIENT INFORMATION TO  INVESTIGATE  THE
 DISPUTED PERSONAL DATA. UPON MAKING ANY DETERMINATION IN ACCORDANCE WITH
 THIS  PARAGRAPH  THAT  A  DISPUTE  IS WHOLLY WITHOUT MERIT, A CONTROLLER
 MUST, WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A)  OF  SUBDIVISION
 EIGHT  OF  THIS  SECTION,  PROVIDE  THE AFFECTED CONSUMER A STATEMENT IN
 WRITING THAT INCLUDES, AT A MINIMUM, THE SPECIFIC REASONS FOR THE DETER-
 MINATION, AND IDENTIFICATION OF ANY INFORMATION REQUIRED TO  INVESTIGATE
 THE  DISPUTED  PERSONAL  DATA,  WHICH MAY CONSIST OF A STANDARDIZED FORM
 DESCRIBING THE GENERAL NATURE OF SUCH INFORMATION.
   (C) IF, AFTER ANY INVESTIGATION UNDER PARAGRAPH (A) OF  THIS  SUBDIVI-
 SION  OF  ANY  PERSONAL  DATA  DISPUTED  BY  A  CONSUMER, AN ITEM OF THE
 PERSONAL DATA IS FOUND TO BE INACCURATE  OR  INCOMPLETE,  OR  CANNOT  BE
 VERIFIED, THE CONTROLLER MUST:
   (I)  CORRECT THE INACCURATE OR INCOMPLETE PERSONAL DATA OF THE CONSUM-
 ER; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE  EFFORT,
 COMMUNICATE  SUCH  REQUEST  TO EACH PROCESSOR OR THIRD PARTY TO WHOM THE
 CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA WITHIN  ONE
 YEAR  PRECEDING  THE CONSUMER'S REQUEST, AND TO REQUIRE THOSE PROCESSORS
 OR THIRD PARTIES TO DO THE SAME FOR  ANY  FURTHER  PROCESSORS  OR  THIRD
 PARTIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (D)  IF  THE  INVESTIGATION DOES NOT RESOLVE THE DISPUTE, THE CONSUMER
 MAY FILE WITH THE CONTROLLER A BRIEF STATEMENT SETTING FORTH THE  NATURE
 OF THE DISPUTE. WHENEVER A STATEMENT OF A DISPUTE IS FILED, UNLESS THERE
 EXISTS  REASONABLE  GROUNDS  TO BELIEVE THAT IT IS WHOLLY WITHOUT MERIT,
 THE CONTROLLER MUST NOTE THAT IT IS DISPUTED BY THE CONSUMER AND INCLUDE
 EITHER THE CONSUMER'S STATEMENT OR A CLEAR AND ACCURATE CODIFICATION  OR
 SUMMARY   THEREOF  WITH  THE  DISPUTED  PERSONAL  DATA  WHENEVER  IT  IS
 DISCLOSED, TRANSFERRED, OR SOLD TO ANY PROCESSOR OR THIRD PARTY.
   6. RIGHT TO DELETE. (A) UPON THE VERIFIED REQUEST  OF  A  CONSUMER,  A
 CONTROLLER MUST:
   (I)  WITHIN  FORTY-FIVE  DAYS  AFTER  RECEIVING  THE VERIFIED REQUEST,
 DELETE ANY OR ALL PERSONAL DATA, AS DIRECTED BY THE  CONSUMER  OR  THEIR
 AGENT,  THAT THE CONTROLLER POSSESSES OR CONTROLS; AND
   (II)  UNLESS  IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT
 THAT IS DOCUMENTED  IN  WRITING  BY  THE  CONTROLLER,  COMMUNICATE  SUCH
 REQUEST  TO  EACH  PROCESSOR  OR  THIRD  PARTY  TO  WHOM  THE CONTROLLER
 DISCLOSED, TRANSFERRED OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECED-
 ING THE CONSUMER'S REQUEST AND TO  REQUIRE  THOSE  PROCESSORS  OR  THIRD
 PARTIES  TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD PARTIES THEY
 DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (B) FOR PERSONAL DATA THAT IS NOT POSSESSED BY THE CONTROLLER BUT BY A
 PROCESSOR OF THE CONTROLLER, THE CONTROLLER MAY CHOOSE TO  (I)  COMMUNI-
 CATE  THE  CONSUMER'S  REQUEST  FOR  DELETION  TO THE PROCESSOR, OR (II)
 REQUEST THAT THE PROCESSOR RETURN TO THE CONTROLLER  THE  PERSONAL  DATA
 THAT  IS  THE SUBJECT OF THE CONSUMER'S REQUEST AND DELETE SUCH PERSONAL
 DATA UPON RECEIPT OF THE REQUEST.
   (C) A CONSUMER'S DELETION OF THEIR ONLINE ACCOUNT MUST BE TREATED AS A
 REQUEST TO THE CONTROLLER TO DELETE  ALL  OF  THAT  CONSUMER'S  PERSONAL
 DATA.
   (D)  A  CONTROLLER  MUST  MAINTAIN  REASONABLE  PROCEDURES DESIGNED TO
 PREVENT THE REAPPEARANCE IN ITS SYSTEMS, AND IN ANY DATA  IT  DISCLOSES,
 TRANSFERS,  OR  SELLS TO ANY PROCESSOR OR THIRD PARTY, THE PERSONAL DATA
 THAT IS DELETED PURSUANT TO THIS SUBDIVISION.
 S. 6701--A                         11
 
   (E) A CONTROLLER IS NOT REQUIRED TO COMPLY WITH A  CONSUMER'S  REQUEST
 TO DELETE PERSONAL DATA IF:
   (I)  COMPLYING  WITH  THE  REQUEST  WOULD  PREVENT THE CONTROLLER FROM
 PERFORMING ACCOUNTING  FUNCTIONS,  PROCESSING  REFUNDS,  EFFECTUATING  A
 PRODUCT  RECALL PURSUANT TO FEDERAL OR STATE LAW, OR FULFILLING WARRANTY
 CLAIMS, PROVIDED THAT THE PERSONAL DATA  THAT  IS  THE  SUBJECT  OF  THE
 REQUEST IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH SPECIFIC ACTIV-
 ITIES; OR
   (II)  IT  IS  NECESSARY  FOR THE CONTROLLER TO MAINTAIN THE CONSUMER'S
 PERSONAL DATA TO ENGAGE IN PUBLIC OR PEER-REVIEWED  SCIENTIFIC,  HISTOR-
 ICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL
 OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE CONTROLLER'S DELETION
 OF  THE  INFORMATION  IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR
 THE ACHIEVEMENT OF SUCH RESEARCH, PROVIDED THAT THE CONSUMER  HAS  GIVEN
 INFORMED  CONSENT AND THE PERSONAL DATA IS NOT PROCESSED FOR ANY PURPOSE
 OTHER THAN SUCH RESEARCH.
   7. AUTOMATED DECISION-MAKING. (A) WHENEVER A CONTROLLER MAKES AN AUTO-
 MATED DECISION INVOLVING SOLELY  AUTOMATED  PROCESSING  THAT  MATERIALLY
 CONTRIBUTES  TO  A  DENIAL  OF  FINANCIAL  OR LENDING SERVICES, HOUSING,
 PUBLIC ACCOMMODATION, INSURANCE, HEALTH  CARE  SERVICES,  OR  ACCESS  TO
 BASIC NECESSITIES, SUCH AS FOOD AND WATER, THE CONTROLLER MUST:
   (I)  DISCLOSE  IN  A  CLEAR, CONSPICUOUS, AND CONSUMER-FRIENDLY MANNER
 THAT THE DECISION WAS MADE BY A SOLELY AUTOMATED PROCESS;
   (II) PROVIDE AN AVENUE FOR THE AFFECTED CONSUMER TO APPEAL  THE  DECI-
 SION,  WHICH MUST AT MINIMUM ALLOW THE AFFECTED CONSUMER TO (A) FORMALLY
 CONTEST THE DECISION, (B) PROVIDE INFORMATION TO SUPPORT THEIR POSITION,
 AND (C) OBTAIN MEANINGFUL HUMAN REVIEW OF THE DECISION; AND
   (III) EXPLAIN THE PROCESS TO APPEAL THE DECISION.
   (B) A CONTROLLER MUST RESPOND TO A CONSUMER'S APPEAL WITHIN FORTY-FIVE
 DAYS OF RECEIPT OF THE APPEAL. THAT  PERIOD  MAY  BE  EXTENDED  ONCE  BY
 FORTY-FIVE  ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING INTO
 ACCOUNT THE COMPLEXITY AND NUMBER OF APPEALS. THE CONTROLLER MUST INFORM
 THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT  OF
 THE APPEAL, TOGETHER WITH THE REASONS FOR THE DELAY.
   (C) (I) A CONTROLLER OR PROCESSOR ENGAGED IN AUTOMATED DECISION-MAKING
 AFFECTING  FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION,
 INSURANCE, EDUCATION ENROLLMENT, EMPLOYMENT, HEALTH  CARE  SERVICES,  OR
 ACCESS  TO  BASIC  NECESSITIES,  SUCH  AS  FOOD AND WATER, OR ENGAGED IN
 ASSISTING OTHERS IN AUTOMATED  DECISION-MAKING  IN  THOSE  FIELDS,  MUST
 ANNUALLY  CONDUCT AN IMPACT ASSESSMENT OF SUCH AUTOMATED DECISION-MAKING
 THAT:
   (A) DESCRIBES AND EVALUATES THE  OBJECTIVES  AND  DEVELOPMENT  OF  THE
 AUTOMATED  DECISION-MAKING  PROCESSES  INCLUDING THE DESIGN AND TRAINING
 DATA USED TO DEVELOP THE  AUTOMATED  DECISION-MAKING  PROCESS,  HOW  THE
 AUTOMATED  DECISION-MAKING  PROCESS  WAS  TESTED FOR ACCURACY, FAIRNESS,
 BIAS AND DISCRIMINATION; AND
   (B) ASSESSES WHETHER THE  AUTOMATED  DECISION-MAKING  SYSTEM  PRODUCES
 DISCRIMINATORY  RESULTS ON THE BASIS OF A CONSUMER'S OR CLASS OF CONSUM-
 ERS' ACTUAL OR PERCEIVED  RACE,  COLOR,  ETHNICITY,  RELIGION,  NATIONAL
 ORIGIN,  SEX,  GENDER,  GENDER  IDENTITY,  SEXUAL  ORIENTATION, FAMILIAL
 STATUS, BIOMETRIC INFORMATION, LAWFUL SOURCE OF INCOME, OR DISABILITY.
   (II) A CONTROLLER OR PROCESSOR MUST UTILIZE AN  EXTERNAL,  INDEPENDENT
 AUDITOR OR RESEARCHER TO CONDUCT SUCH ASSESSMENTS.
   (III)  A  CONTROLLER  OR  PROCESSOR  MUST MAKE PUBLICLY AVAILABLE IN A
 MANNER ACCESSIBLE ONLINE ALL IMPACT  ASSESSMENTS  PREPARED  PURSUANT  TO
 THIS SECTION, RETAIN ALL SUCH IMPACT ASSESSMENTS FOR AT LEAST SIX YEARS,
 S. 6701--A                         12
 
 AND  MAKE  ANY  SUCH RETAINED IMPACT ASSESSMENTS AVAILABLE TO ANY STATE,
 FEDERAL, OR LOCAL GOVERNMENT AUTHORITY UPON REQUEST.
   (IV) FOR PURPOSES OF THIS PARAGRAPH, THE LIMITATIONS TO JURISDICTIONAL
 SCOPE  SET FORTH IN PARAGRAPHS (B) AND (C) OF SUBDIVISION TWO OF SECTION
 ELEVEN HUNDRED ONE OF THIS ARTICLE SHALL NOT APPLY.
   8. RESPONDING TO REQUESTS. (A) A CONTROLLER  MUST  TAKE  ACTION  UNDER
 SUBDIVISIONS  THREE  THROUGH SIX OF THIS SECTION AND INFORM THE CONSUMER
 OF ANY ACTIONS TAKEN WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN  FORTY-
 FIVE DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED ONCE BY
 FORTY-FIVE  ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING INTO
 ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE  CONTROLLER  MUST
 INFORM  THE  CONSUMER  OF  ANY  SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF
 RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHEN  A
 CONTROLLER  DENIES ANY SUCH REQUEST, IT MUST WITHIN THIS PERIOD DISCLOSE
 TO THE CONSUMER A STATEMENT IN WRITING OF THE SPECIFIC REASONS  FOR  THE
 DENIAL.
   (B) A CONTROLLER SHALL PERMIT THE EXERCISE OF RIGHTS AND CARRY OUT ITS
 OBLIGATIONS  SET FORTH IN SUBDIVISIONS THREE THROUGH SIX OF THIS SECTION
 FREE OF CHARGE, AT LEAST TWICE ANNUALLY TO THE CONSUMER. WHERE  REQUESTS
 FROM  A  CONSUMER  ARE  MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR
 BECAUSE OF THEIR REPETITIVE CHARACTER, THE  CONTROLLER  MAY  EITHER  (I)
 CHARGE  A  REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING
 WITH THE REQUEST OR (II) REFUSE TO ACT ON THE  REQUEST  AND  NOTIFY  THE
 CONSUMER  OF  THE  REASON FOR REFUSING THE REQUEST. THE CONTROLLER BEARS
 THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE  CHAR-
 ACTER OF THE REQUEST.
   (C)  (I)  A  CONTROLLER  SHALL  PROMPTLY  ATTEMPT,  USING COMMERCIALLY
 REASONABLE EFFORTS, TO VERIFY THAT ALL REQUESTS TO EXERCISE  ANY  RIGHTS
 SET  FORTH  IN  ANY SECTION OF THIS ARTICLE REQUIRING A VERIFIED REQUEST
 WERE MADE BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, OR BY A PERSON
 LAWFULLY EXERCISING THE RIGHT ON BEHALF  OF  THE  CONSUMER  WHO  IS  THE
 SUBJECT OF THE DATA. COMMERCIALLY REASONABLE EFFORTS SHALL BE DETERMINED
 BASED  ON THE TOTALITY OF THE CIRCUMSTANCES, INCLUDING THE NATURE OF THE
 DATA IMPLICATED BY THE REQUEST.
   (II) A CONTROLLER MAY  REQUIRE  THE  CONSUMER  TO  PROVIDE  ADDITIONAL
 INFORMATION  ONLY  IF  THE REQUEST CANNOT REASONABLY BE VERIFIED WITHOUT
 THE PROVISION OF SUCH ADDITIONAL  INFORMATION.  A  CONTROLLER  MUST  NOT
 TRANSFER OR PROCESS ANY SUCH ADDITIONAL INFORMATION PROVIDED PURSUANT TO
 THIS  SECTION  FOR ANY OTHER PURPOSE AND MUST DELETE ANY SUCH ADDITIONAL
 INFORMATION WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-FIVE  DAYS
 AFTER  THE CONTROLLER HAS NOTIFIED THE CONSUMER THAT IT HAS TAKEN ACTION
 ON A REQUEST UNDER SUBDIVISIONS TWO THROUGH  FIVE  OF  THIS  SECTION  AS
 DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (III)  IF  A  CONTROLLER  DISCLOSES THIS ADDITIONAL INFORMATION TO ANY
 PROCESSOR OR THIRD  PARTY  FOR  THE  PURPOSE  OF  VERIFYING  A  CONSUMER
 REQUEST,  IT  MUST  NOTIFY THE RECEIVING PROCESSOR OR THIRD PARTY AT THE
 TIME OF SUCH DISCLOSURE, OR AS CLOSE IN TIME TO  THE  DISCLOSURE  AS  IS
 REASONABLY  PRACTICABLE,  THAT  SUCH  INFORMATION  WAS  PROVIDED  BY THE
 CONSUMER FOR THE SOLE PURPOSE OF VERIFICATION AND  CANNOT  BE  PROCESSED
 FOR ANY PURPOSE OTHER THAN VERIFICATION.
   9.  IMPLEMENTATION OF RIGHTS. CONTROLLERS MUST PROVIDE EASILY ACCESSI-
 BLE AND CONVENIENT MEANS FOR CONSUMERS TO EXERCISE  THEIR  RIGHTS  UNDER
 THIS ARTICLE.
   10.  NON-WAIVER OF RIGHTS. ANY PROVISION OF A CONTRACT OR AGREEMENT OF
 ANY KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S  RIGHTS
 S. 6701--A                         13
 
 UNDER  THIS  ARTICLE  IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNEN-
 FORCEABLE.
   §  1103.   CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES. 1.
 CONTROLLER RESPONSIBILITIES. (A) DATA PROTECTION ASSESSMENT. A  CONTROL-
 LER  SHALL  REGULARLY  CONDUCT AND DOCUMENT A DATA PROTECTION ASSESSMENT
 FOR PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO  THE
 CONSUMER.  SUCH ASSESSMENT MUST IDENTIFY AND WEIGH THE BENEFITS THAT MAY
 FLOW, DIRECTLY AND INDIRECTLY, FROM THE PROCESSING  TO  THE  CONTROLLER,
 THE  CONSUMER,  OTHER STAKEHOLDERS, AND THE PUBLIC AGAINST THE POTENTIAL
 RISKS TO THE RIGHTS OF THE CONSUMER, OR CLASS OF  CONSUMERS,  ASSOCIATED
 WITH  THE PROCESSING, AS MITIGATED BY SAFEGUARDS THAT THE CONTROLLER CAN
 EMPLOY TO REDUCE THE  RISKS.  THE  CONTROLLER  SHALL  FACTOR  INTO  THIS
 ASSESSMENT  THE USE OF DEIDENTIFIED DATA AND THE REASONABLE EXPECTATIONS
 OF CONSUMERS, AS WELL AS THE CONTEXT OF THE PROCESSING AND THE RELATION-
 SHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE
 PROCESSED, WITH THE GOAL OF RESTRICTING OR PROHIBITING  SUCH  PROCESSING
 IF  THE  RISKS  OF  HARM TO THE CONSUMER OUTWEIGH THE BENEFITS RESULTING
 FROM THE PROCESSING TO THE CONSUMER.  PROCESSING THAT PRESENTS A HEIGHT-
 ENED RISK OF HARM TO THE CONSUMER INCLUDES THE FOLLOWING:
   (I) PROCESSING THAT MAY BENEFIT THE CONTROLLER TO THE DETRIMENT OF THE
 CONSUMER;
   (II) PROCESSING THAT WOULD BE UNEXPECTED AND  HIGHLY  OFFENSIVE  TO  A
 REASONABLE CONSUMER;
   (III) PROCESSING PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING;
   (IV) SALE OF PERSONAL DATA; AND
   (V)  PROCESSING OF PERSONAL DATA FOR PURPOSES OF PROFILING, WHERE SUCH
 PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF:
   (A) UNFAIR OR DECEPTIVE TREATMENT, OR UNLAWFUL  DISPARATE  IMPACT  ON,
 CONSUMERS OR A CLASS OF CONSUMERS;
   (B)  FINANCIAL,  PHYSICAL,  PSYCHOLOGICAL  OR  REPUTATIONAL  INJURY TO
 CONSUMERS, OR A CLASS OF CONSUMERS;
   (C) A PHYSICAL OR OTHERWISE INTRUSION UPON THE SOLITUDE OR  SECLUSION,
 OR  THE  PRIVATE AFFAIRS OR CONCERNS, OF CONSUMERS, WHERE SUCH INTRUSION
 WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR
   (D) OTHER SUBSTANTIAL INJURY TO CONSUMERS.
   (B) DUTY OF LOYALTY. (I) A CONTROLLER MUST  NOTIFY  THE  CONSUMER,  OR
 CLASS  OF  CONSUMERS,  OF  THE INTEREST THAT MAY BE HARMED IN ADVANCE OF
 REQUESTING CONSENT AND AS CLOSE IN TIME TO THE PROCESSING AS PRACTICABLE
 WHERE IT IS REASONABLY FORESEEABLE TO  THE  CONTROLLER  THAT  A  PROCESS
 PRESENTS  A  HEIGHTENED RISK OF HARM TO THE CONSUMER OR CLASS OF CONSUM-
 ERS.
   (II) CONTROLLERS MUST NOT ENGAGE IN UNFAIR, DECEPTIVE, OR ABUSIVE ACTS
 OR PRACTICES WITH RESPECT TO OBTAINING CONSUMER CONSENT, THE  PROCESSING
 OF  PERSONAL  DATA,  AND  A CONSUMER'S EXERCISE OF ANY RIGHTS UNDER THIS
 ARTICLE, INCLUDING WITHOUT LIMITATION:
   (A) DESIGNING A USER INTERFACE WITH THE PURPOSE OR SUBSTANTIAL  EFFECT
 OF  DECEIVING CONSUMERS, OBSCURING CONSUMERS' RIGHTS UNDER THIS ARTICLE,
 OR SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE  IN
 ORDER TO OBTAIN CONSENT; OR
   (B)  OBTAINING  CONSENT IN A MANNER DESIGNED TO OVERPOWER A CONSUMER'S
 RESISTANCE; FOR EXAMPLE, BY MAKING EXCESSIVE REQUESTS FOR CONSENT.
   (C) DUTY OF CARE. (I) (A) CONTROLLERS MUST,  ON  AT  LEAST  AN  ANNUAL
 BASIS,  CONDUCT  AND DOCUMENT RISK ASSESSMENTS OF ALL CURRENT PROCESSING
 OF PERSONAL DATA.
   (B) RISK ASSESSMENTS MUST ASSESS AT A MINIMUM:
 S. 6701--A                         14
 
   (I) THE NATURE, SENSITIVITY AND CONTEXT OF THE PERSONAL DATA THAT  THE
 CONTROLLER PROCESSES;
   (II) THE NATURE, PURPOSE, AND VALUE OF THE PROCESSES;
   (III)  ANY RISKS OR HARMS TO CONSUMERS ACTUALLY OR POTENTIALLY ARISING
 OUT OF THE PROCESSES, INCLUDING PHYSICAL, FINANCIAL,  PSYCHOLOGICAL,  OR
 REPUTATIONAL HARMS;
   (IV) THE ADEQUACY AND EFFECT OF SAFEGUARDS IMPLEMENTED BY THE CONTROL-
 LERS;
   (V)  THE  SUFFICIENCY  OF  THE  CONTROLLER'S  NOTICES  TO CONSUMERS AT
 DESCRIBING AND OBTAINING CONSENT CONCERNING THE PROCESSES; AND
   (VI) THE ADEQUACY  OF  THE  SAFEGUARDS  AND  MONITORING  PRACTICES  OF
 PROCESSORS  AND  THIRD  PARTIES  TO  WHOM  THE  CONTROLLER  HAS PROVIDED
 PERSONAL DATA.
   (C) THE CONTROLLER MUST RETAIN RISK ASSESSMENTS FOR AT LEAST SIX YEARS
 AND MAKE  RISK  ASSESSMENTS  AVAILABLE  TO  THE  ATTORNEY  GENERAL  UPON
 REQUEST.
   (II)  CONTROLLERS  MUST  DEVELOP,  IMPLEMENT,  AND MAINTAIN REASONABLE
 SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE
 PERSONAL DATA OF CONSUMERS INCLUDING ADOPTING REASONABLE ADMINISTRATIVE,
 TECHNICAL AND PHYSICAL SAFEGUARDS APPROPRIATE TO THE VOLUME  AND  NATURE
 OF THE PERSONAL DATA AT ISSUE.
   (III)  (A) A CONTROLLER SHALL LIMIT THE USE AND RETENTION OF A CONSUM-
 ER'S PERSONAL DATA TO WHAT IS NECESSARY TO PROVIDE  A  SERVICE  OR  GOOD
 REQUESTED  BY  A  CONSUMER  OR  FOR  PURPOSES FOR WHICH THE CONSUMER HAS
 PROVIDED  FREELY  GIVEN,  SPECIFIC,  INFORMED,  AND  UNAMBIGUOUS  OPT-IN
 CONSENT.
   (B)  AT  LEAST ANNUALLY, A CONTROLLER SHALL REVIEW ITS RETENTION PRAC-
 TICES FOR THE PURPOSE OF ENSURING THAT IT  IS  MAINTAINING  THE  MINIMUM
 AMOUNT  OF  PERSONAL DATA AS IS NECESSARY FOR THE OPERATION OF ITS BUSI-
 NESS. A CONTROLLER MUST DISPOSE OF ALL PERSONAL DATA THAT IS  NO  LONGER
 (I)  NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUM-
 ER, (II) NECESSARY FOR THE INTERNAL BUSINESS OPERATIONS OF THE  CONTROL-
 LER AND CONSISTENT WITH THE DISCLOSURES MADE TO THE CONSUMER PURSUANT TO
 SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR (III) NECESSARY TO COMPLY
 WITH THE LEGAL OBLIGATIONS OF THE CONTROLLER.
   (IV)  CONTROLLERS  SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN
 REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES  FOR  CIRCUMSTANCES  THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO  UPDATE  THEIR  CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE
 ACCORDINGLY.
   (D) NON-DISCRIMINATION. (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST
 A CONSUMER FOR EXERCISING RIGHTS  UNDER  THIS  ACT,  INCLUDING  BUT  NOT
 LIMITED TO, BY:
   (A) DENYING SERVICES OR GOODS TO CONSUMERS;
   (B) CHARGING DIFFERENT PRICES FOR SERVICES OR GOODS, INCLUDING THROUGH
 THE USE OF DISCOUNTS OR OTHER BENEFITS; IMPOSING PENALTIES; OR PROVIDING
 A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR
   (C)  SUGGESTING  THAT  THE  CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
 RATE FOR SERVICES OR GOODS OR A DIFFERENT LEVEL OR QUALITY  OF  SERVICES
 OR GOODS.
   (II)  THIS  PARAGRAPH  DOES  NOT  APPLY TO A CONTROLLER'S CONDUCT WITH
 RESPECT TO OPT-IN CONSENT, IN WHICH CASE PARAGRAPH  (J)  OF  SUBDIVISION
 TWO OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE GOVERNS.
   (E)  AGREEMENTS  WITH  PROCESSORS.  (I)  BEFORE MAKING ANY DISCLOSURE,
 TRANSFER, OR SALE OF PERSONAL DATA TO ANY PROCESSOR, THE CONTROLLER MUST
 ENTER INTO A WRITTEN, SIGNED CONTRACT WITH THAT PROCESSOR. SUCH CONTRACT
 S. 6701--A                         15
 
 MUST BE BINDING AND CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING  DATA,
 THE  NATURE AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROC-
 ESSING, THE DURATION OF PROCESSING, AND THE RIGHTS  AND  OBLIGATIONS  OF
 BOTH  PARTIES.  THE  CONTRACT  MUST  ALSO  INCLUDE REQUIREMENTS THAT THE
 PROCESSOR MUST:
   (A) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT  TO  A
 DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA;
   (B)  PROTECT  THE DATA IN A MANNER CONSISTENT WITH THE REQUIREMENTS OF
 THIS ACT AND AT LEAST EQUAL TO THE SECURITY REQUIREMENTS OF THE CONTROL-
 LER SET FORTH IN THEIR PUBLICLY AVAILABLE POLICIES, NOTICES, OR  SIMILAR
 STATEMENTS;
   (C)  PROCESS  THE DATA ONLY WHEN AND TO THE EXTENT NECESSARY TO COMPLY
 WITH ITS LEGAL OBLIGATIONS TO THE CONTROLLER UNLESS OTHERWISE EXPLICITLY
 AUTHORIZED BY THE CONTROLLER;
   (D) NOT COMBINE THE PERSONAL DATA WHICH THE PROCESSOR RECEIVES FROM OR
 ON BEHALF OF THE CONTROLLER  WITH  PERSONAL  DATA  WHICH  THE  PROCESSOR
 RECEIVES  FROM  OR  ON BEHALF OF ANOTHER PERSON OR COLLECTS FROM ITS OWN
 INTERACTION WITH CONSUMERS;
   (E) COMPLY WITH ANY EXERCISES OF A  CONSUMER'S  RIGHTS  UNDER  SECTION
 ELEVEN  HUNDRED  TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER,
 SUBJECT TO THE LIMITATIONS SET FORTH IN SECTION ELEVEN HUNDRED  FIVE  OF
 THIS ARTICLE;
   (F)  AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA
 TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF  SERVICES,
 UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;
   (G)  UPON  THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO
 THE CONTROLLER ALL DATA IN ITS POSSESSION NECESSARY TO  DEMONSTRATE  THE
 PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS ACT;
   (H)  ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE CONTROL-
 LER OR THE CONTROLLER'S DESIGNATED ASSESSOR; ALTERNATIVELY, THE PROCESS-
 OR MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT ASSESSOR  TO  CONDUCT  AN
 ASSESSMENT  OF THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL
 MEASURES IN SUPPORT OF THE  OBLIGATIONS  UNDER  THIS  ARTICLE  USING  AN
 APPROPRIATE  AND  ACCEPTED  CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT
 PROCEDURE FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT  OF
 SUCH ASSESSMENT TO THE CONTROLLER UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING THE
 DATA TO ANY FURTHER PROCESSORS, NOTIFY THE CONTROLLER OF SUCH A PROPOSED
 DISCLOSURE  OR  TRANSFER  AND  PROVIDE  THE CONTROLLER AN OPPORTUNITY TO
 APPROVE OR REJECT THE PROPOSAL; AND
   (J) ENGAGE  ANY  FURTHER  PROCESSOR  PURSUANT  TO  A  WRITTEN,  SIGNED
 CONTRACT  THAT  INCLUDES  THE  CONTRACTUAL REQUIREMENTS PROVIDED IN THIS
 PARAGRAPH, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE PROCESSOR
 HAS ENTERED INTO WITH REGARD TO THE DATA.
   (II) A CONTROLLER MUST NOT AGREE  TO  INDEMNIFY,  DEFEND,  OR  HOLD  A
 PROCESSOR  HARMLESS,  OR  AGREE  TO  A  PROVISION THAT HAS THE EFFECT OF
 INDEMNIFYING, DEFENDING, OR HOLDING THE PROCESSOR HARMLESS, FROM  CLAIMS
 OR  LIABILITY  ARISING  FROM  THE  PROCESSOR'S  BREACH  OF  THE CONTRACT
 REQUIRED BY CLAUSE (A) OF  SUBPARAGRAPH  (I)  OF  THIS  PARAGRAPH  OR  A
 VIOLATION  OF THIS ACT. ANY PROVISION OF AN AGREEMENT THAT VIOLATES THIS
 SUBPARAGRAPH IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNENFORCEABLE.
   (III) NOTHING IN THIS PARAGRAPH RELIEVES A CONTROLLER OR  A  PROCESSOR
 FROM THE LIABILITIES IMPOSED ON IT BY VIRTUE OF ITS ROLE IN THE PROCESS-
 ING RELATIONSHIP AS DEFINED BY THIS ARTICLE.
   (IV) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCES-
 SOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETER-
 S. 6701--A                         16
 
 MINATION  THAT  DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS TO BE
 PROCESSED. A PROCESSOR  THAT  CONTINUES  TO  ADHERE  TO  A  CONTROLLER'S
 INSTRUCTIONS  WITH  RESPECT  TO  A  SPECIFIC PROCESSING OF PERSONAL DATA
 REMAINS A PROCESSOR.
   (F)  THIRD  PARTIES. (I) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANS-
 FER, OR SELL PERSONAL DATA, OR  FACILITATE  OR  ENABLE  THE  PROCESSING,
 DISCLOSURE,  TRANSFER,  OR  SALE  OF  PERSONAL DATA TO A THIRD PARTY FOR
 WHICH CONSENT OF THE CONSUMER PURSUANT TO  SUBDIVISION  TWO  OF  SECTION
 ELEVEN  HUNDRED  TWO  OF  THIS  ARTICLE, HAS NOT BEEN OBTAINED OR IS NOT
 CURRENTLY IN EFFECT. ANY REQUEST FOR CONSENT TO SHARE, DISCLOSE,  TRANS-
 FER,  OR  SELL PERSONAL DATA, OR TO FACILITATE OR ENABLE THE PROCESSING,
 DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA TO  A  THIRD  PARTY  MUST
 CLEARLY  INCLUDE  THE  IDENTITY  OF  THE  THIRD PARTY AND THE PROCESSING
 PURPOSES FOR WHICH THE THIRD PARTY MAY USE THE PERSONAL DATA.
   (II) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANSFER, OR SELL PERSONAL
 DATA, OR FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE,  TRANSFER,  OR
 SALE OF PERSONAL DATA IF IT CAN REASONABLY EXPECT THE PERSONAL DATA OF A
 CONSUMER  TO BE USED FOR PURPOSES THAT THE CONSUMER HAS NOT CONSENTED TO
 PURSUANT TO SUBDIVISION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS  ARTI-
 CLE,  OR  IF  IT  CAN  REASONABLY EXPECT THAT ANY RIGHTS OF THE CONSUMER
 PROVIDED IN THIS ARTICLE WOULD BE COMPROMISED AS A RESULT OF SUCH TRANS-
 ACTION.
   (III) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA
 TO ANY THIRD PARTY, THE CONTROLLER MUST ENTER  INTO  A  WRITTEN,  SIGNED
 CONTRACT.  SUCH  CONTRACT  MUST  BE  BINDING  AND THE SCOPE, NATURE, AND
 PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROCESSING, THE DURA-
 TION OF PROCESSING, AND THE RIGHTS  AND  OBLIGATIONS  OF  BOTH  PARTIES.
 SUCH CONTRACT MUST INCLUDE REQUIREMENTS THAT THE THIRD PARTY:
   (A)  PROCESS  THAT  DATA ONLY TO THE EXTENT PERMITTED BY THE AGREEMENT
 ENTERED INTO WITH THE CONTROLLER; AND
   (B) PROVIDE A MECHANISM TO COMPLY WITH ANY EXERCISES OF  A  CONSUMER'S
 RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST
 OF  THE  CONTROLLER, SUBJECT TO ANY LIMITATIONS THEREON AS AUTHORIZED BY
 THIS ARTICLE; AND
   (C) TO THE EXTENT THE DISCLOSURE, TRANSFER, OR SALE  OF  THE  PERSONAL
 DATA  CAUSES  THE  THIRD  PARTY  TO BECOME A CONTROLLER, COMPLY WITH ALL
 OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE.
   2. PROCESSOR RESPONSIBILITIES. (A)  FOR  ANY  PERSONAL  DATA  THAT  IS
 OBTAINED,  RECEIVED,  PURCHASED,  OR  OTHERWISE ACQUIRED BY A PROCESSOR,
 WHETHER DIRECTLY FROM A CONTROLLER OR INDIRECTLY FROM ANOTHER PROCESSOR,
 THE PROCESSOR MUST COMPLY WITH THE REQUIREMENTS SET FORTH IN CLAUSES (A)
 THROUGH (J) OF SUBPARAGRAPH (I) OF PARAGRAPH (E) OF SUBDIVISION  ONE  OF
 THIS SECTION.
   (B)  A  PROCESSOR  IS  NOT  REQUIRED  TO  COMPLY WITH A REQUEST BY THE
 CONSUMER SUBMITTED PURSUANT TO THIS ARTICLE BY A  CONSUMER  DIRECTLY  TO
 THE PROCESSOR TO THE EXTENT THAT THE PROCESSOR HAS PROCESSED THE CONSUM-
 ER'S PERSONAL DATA SOLELY IN ITS ROLE AS A PROCESSOR FOR A CONTROLLER.
   (C)  PROCESSORS  SHALL  BE  UNDER A CONTINUING OBLIGATION TO ENGAGE IN
 REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES  FOR  CIRCUMSTANCES  THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO  UPDATE  THEIR  CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE
 ACCORDINGLY.
   (D) A PROCESSOR SHALL NOT ENGAGE IN ANY SALE OF  PERSONAL  DATA  OTHER
 THAN  ON BEHALF OF THE CONTROLLER PURSUANT TO ANY AGREEMENT ENTERED INTO
 WITH THE CONTROLLER.
 S. 6701--A                         17
 
   3. THIRD PARTY RESPONSIBILITIES. (A) FOR ANY  PERSONAL  DATA  THAT  IS
 OBTAINED,  RECEIVED,  PURCHASED,  OR OTHERWISE ACQUIRED OR ACCESSED BY A
 THIRD PARTY FROM A CONTROLLER OR PROCESSOR, THE THIRD PARTY MUST:
   (I)  PROCESS  THAT DATA ONLY TO THE EXTENT PERMITTED BY ANY AGREEMENTS
 ENTERED INTO WITH THE CONTROLLER;
   (II) PROCESS ONLY THE PERSONAL DATA NECESSARY FOR PURPOSES  FOR  WHICH
 FREELY  GIVEN,  SPECIFIC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT IS IN
 EFFECT, AS CONVEYED BY THE CONTROLLER, LIMIT THE USE  AND  RETENTION  OF
 THAT  DATA TO WHAT IS NECESSARY FOR SUCH PURPOSES, AND SHALL IMMEDIATELY
 DELETE SUCH PERSONAL DATA WHEN NOTIFIED THAT THE  CONSENT  IS  WITHHELD,
 DENIED, OR WITHDRAWN;
   (III)  COMPLY  WITH ANY EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER OR
 PROCESSOR, SUBJECT TO ANY LIMITATIONS  THEREON  AS  AUTHORIZED  BY  THIS
 ARTICLE; AND
   (IV)  TO  THE EXTENT THE THIRD PARTY BECOMES A CONTROLLER FOR PERSONAL
 DATA, COMPLY WITH ALL OBLIGATIONS  IMPOSED  ON  CONTROLLERS  UNDER  THIS
 ARTICLE.
   4. EXCEPTIONS. THE REQUIREMENTS OF THIS SECTION SHALL NOT APPLY WHERE:
   (A) THE PROCESSING IS REQUIRED BY LAW;
   (B)  THE PROCESSING IS MADE PURSUANT TO A REQUEST BY A FEDERAL, STATE,
 OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR
   (C) THE PROCESSING SIGNIFICANTLY ADVANCES PROTECTION AGAINST  CRIMINAL
 OR TORTIOUS ACTIVITY.
   § 1104. DATA BROKERS. 1. A DATA BROKER, AS DEFINED UNDER THIS ARTICLE,
 MUST:
   (A)  ANNUALLY,  ON  OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN
 WHICH A PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE:
   (I) REGISTER WITH THE ATTORNEY GENERAL;
   (II) PAY A REGISTRATION FEE OF ONE HUNDRED  DOLLARS  OR  AS  OTHERWISE
 DETERMINED  BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY AUTHORITY
 GRANTED TO THE ATTORNEY GENERAL UNDER THIS ARTICLE, NOT  TO  EXCEED  THE
 REASONABLE  COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND INFOR-
 MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND
   (III) PROVIDE THE FOLLOWING INFORMATION:
   (A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS
 OF THE DATA BROKER;
   (B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF
 THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA
 BROKER;
   (C) A STATEMENT DESCRIBING THE METHOD FOR EXERCISING CONSUMERS  RIGHTS
 UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (D) A STATEMENT WHETHER THE DATA BROKER IMPLEMENTS A PURCHASER CREDEN-
 TIALING PROCESS; AND
   (E)  ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER CHOOSES
 TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
   2. NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE, ANY CONTROLLER
 THAT CONDUCTS BUSINESS IN THE STATE OF NEW YORK MUST:
   (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING  A  YEAR  IN
 WHICH  A  PERSON MEETS THE DEFINITION OF CONTROLLER IN THIS ACT, PROVIDE
 TO THE ATTORNEY GENERAL A LIST OF ALL DATA BROKERS OR PERSONS REASONABLY
 BELIEVED TO BE DATA BROKERS TO WHICH THE  CONTROLLER  PROVIDED  PERSONAL
 DATA IN THE PRECEDING YEAR; AND
   (B)  NOT  SELL A CONSUMER'S PERSONAL DATA TO A DATA BROKER THAT IS NOT
 REGISTERED WITH THE ATTORNEY GENERAL.
 S. 6701--A                         18

   3. THE ATTORNEY GENERAL SHALL ESTABLISH, MANAGE AND MAINTAIN A  STATE-
 WIDE  REGISTRY  ON ITS INTERNET WEBSITE, WHICH SHALL LIST ALL REGISTERED
 DATA BROKERS AND MAKE ACCESSIBLE  TO  THE  PUBLIC  ALL  THE  INFORMATION
 PROVIDED  BY  DATA BROKERS PURSUANT TO THIS SECTION. PRINTED HARD COPIES
 OF  SUCH  REGISTRY SHALL BE MADE AVAILABLE UPON REQUEST AND PAYMENT OF A
 FEE TO BE DETERMINED BY THE ATTORNEY GENERAL.
   4. A DATA BROKER THAT FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR
 SUBMITS FALSE INFORMATION IN ITS REGISTRATION IS,  IN  ADDITION  TO  ANY
 OTHER  INJUNCTION,  PENALTY, OR LIABILITY THAT MAY BE IMPOSED UNDER THIS
 ARTICLE, LIABLE FOR CIVIL  PENALTIES,  FEES,  AND  COSTS  IN  AN  ACTION
 BROUGHT  BY  THE ATTORNEY GENERAL AS FOLLOWS: (A) A CIVIL PENALTY OF ONE
 THOUSAND DOLLARS FOR EACH DAY THE  DATA  BROKER  FAILS  TO  REGISTER  AS
 REQUIRED  BY  THIS SECTION OR FAILS TO CORRECT FALSE INFORMATION, (B) AN
 AMOUNT EQUAL TO THE FEES THAT WERE DUE DURING THE PERIOD  IT  FAILED  TO
 REGISTER,  AND  (C)  EXPENSES  INCURRED  BY  THE ATTORNEY GENERAL IN THE
 INVESTIGATION AND PROSECUTION OF THE ACTION AS THE COURT DEEMS APPROPRI-
 ATE.
   § 1105. LIMITATIONS. 1. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER  OR
 PROCESSOR  TO  DO  ANY OF THE FOLLOWING SOLELY FOR PURPOSES OF COMPLYING
 WITH THIS ARTICLE:
   (A) REIDENTIFY DEIDENTIFIED DATA;
   (B) COMPLY WITH A VERIFIED CONSUMER REQUEST  TO  ACCESS,  CORRECT,  OR
 DELETE  PERSONAL  DATA  PURSUANT TO THIS ARTICLE IF ALL OF THE FOLLOWING
 ARE TRUE:
   (I) THE CONTROLLER  IS  NOT  REASONABLY  CAPABLE  OF  ASSOCIATING  THE
 REQUEST WITH THE PERSONAL DATA;
   (II)  THE  CONTROLLER  DOES NOT ASSOCIATE THE PERSONAL DATA WITH OTHER
 PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER AS  PART  OF  ITS  NORMAL
 BUSINESS PRACTICE; AND
   (III)  THE  CONTROLLER  DOES  NOT  SELL THE PERSONAL DATA TO ANY THIRD
 PARTY OR OTHERWISE VOLUNTARILY DISCLOSE OR TRANSFER THE PERSONAL DATA TO
 ANY PROCESSOR OR THIRD PARTY, EXCEPT  AS  OTHERWISE  PERMITTED  IN  THIS
 ARTICLE; OR
   (C)  MAINTAIN  PERSONAL DATA IN IDENTIFIABLE FORM, OR COLLECT, OBTAIN,
 RETAIN, OR ACCESS ANY PERSONAL DATA OR TECHNOLOGY, IN ORDER TO BE  CAPA-
 BLE OF ASSOCIATING A VERIFIED CONSUMER REQUEST WITH PERSONAL DATA.
   2.  THE  OBLIGATIONS  IMPOSED ON CONTROLLERS AND PROCESSORS UNDER THIS
 ARTICLE DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO DO  ANY
 OF  THE FOLLOWING, TO THE EXTENT THAT THE USE OF THE CONSUMER'S PERSONAL
 DATA IS REASONABLY NECESSARY AND PROPORTIONATE FOR THESE PURPOSES:
   (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS;
   (B) COMPLY WITH A CIVIL, CRIMINAL,  OR  REGULATORY  INQUIRY,  INVESTI-
 GATION,  SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERN-
 MENTAL AUTHORITIES;
   (C) COOPERATE WITH LAW  ENFORCEMENT  AGENCIES  CONCERNING  CONDUCT  OR
 ACTIVITY  THAT  THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH
 BELIEVES MAY VIOLATE FEDERAL, STATE, OR  LOCAL  LAWS,  RULES,  OR  REGU-
 LATIONS;
   (D)  INVESTIGATE,  ESTABLISH,  EXERCISE,  PREPARE FOR, OR DEFEND LEGAL
 CLAIMS;
   (E) PROCESS PERSONAL DATA NECESSARY TO PROVIDE THE SERVICES  OR  GOODS
 REQUESTED  BY  A CONSUMER; PERFORM A CONTRACT TO WHICH THE CONSUMER IS A
 PARTY; OR TAKE STEPS AT THE REQUEST OF THE CONSUMER  PRIOR  TO  ENTERING
 INTO A CONTRACT;
 S. 6701--A                         19
 
   (F) TAKE IMMEDIATE STEPS TO PROTECT THE LIFE OR PHYSICAL SAFETY OF THE
 CONSUMER  OR  OF ANOTHER NATURAL PERSON, AND WHERE THE PROCESSING CANNOT
 BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS;
   (G)  PREVENT,  DETECT,  PROTECT  AGAINST, OR RESPOND TO SECURITY INCI-
 DENTS, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE  ACTIV-
 ITIES,  OR  ANY  ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY OR SECURITY OF
 SYSTEMS; OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR  ANY
 SUCH ACTION;
   (H)  IDENTIFY  AND  REPAIR  TECHNICAL  ERRORS  THAT IMPAIR EXISTING OR
 INTENDED FUNCTIONALITY; OR
   (I) PROCESS BUSINESS CONTACT INFORMATION, INCLUDING A NATURAL PERSON'S
 NAME, POSITION  NAME  OR  TITLE,  BUSINESS  TELEPHONE  NUMBER,  BUSINESS
 ADDRESS, BUSINESS ELECTRONIC MAIL ADDRESS, BUSINESS FAX NUMBER, OR QUAL-
 IFICATIONS AND ANY OTHER SIMILAR INFORMATION ABOUT THE NATURAL PERSON.
   3.  THE  OBLIGATIONS  IMPOSED  ON CONTROLLERS OR PROCESSORS UNDER THIS
 ARTICLE DO NOT APPLY WHERE COMPLIANCE BY  THE  CONTROLLER  OR  PROCESSOR
 WITH  THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW YORK
 LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL
 DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY  PRIVI-
 LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION.
   4. A CONTROLLER THAT RECEIVES A REQUEST PURSUANT TO SUBDIVISIONS THREE
 THROUGH SIX OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR A PROCESS-
 OR  OR THIRD PARTY TO WHOM A CONTROLLER COMMUNICATES SUCH A REQUEST, MAY
 DECLINE TO FULFILL THE RELEVANT PART OF SUCH REQUEST IF:
   (A) THE CONTROLLER, PROCESSOR, OR THIRD PARTY IS UNABLE TO VERIFY  THE
 REQUEST USING COMMERCIALLY REASONABLE EFFORTS, AS DESCRIBED IN PARAGRAPH
 (C) OF SUBDIVISION EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (B)  COMPLYING  WITH THE REQUEST WOULD BE DEMONSTRABLY IMPOSSIBLE (FOR
 PURPOSES OF THIS PARAGRAPH, THE RECEIPT OF A LARGE  NUMBER  OF  VERIFIED
 REQUESTS,  ON  ITS  OWN,  IS  NOT SUFFICIENT TO RENDER COMPLIANCE WITH A
 REQUEST DEMONSTRABLY IMPOSSIBLE);
   (C) COMPLYING WITH THE REQUEST WOULD IMPAIR  THE  PRIVACY  OF  ANOTHER
 INDIVIDUAL OR THE RIGHTS OF ANOTHER TO EXERCISE FREE SPEECH; OR
   (D)  THE  PERSONAL DATA WAS CREATED BY A NATURAL PERSON OTHER THAN THE
 CONSUMER MAKING THE REQUEST AND IS BEING PROCESSED FOR  THE  PURPOSE  OF
 FACILITATING INTERPERSONAL RELATIONSHIPS OR PUBLIC DISCUSSION.
   §  1106.  ENFORCEMENT  AND  PRIVATE  RIGHT  OF  ACTION. 1. WHENEVER IT
 APPEARS TO THE ATTORNEY GENERAL, EITHER  UPON  COMPLAINT  OR  OTHERWISE,
 THAT  ANY  PERSON OR PERSONS HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY
 OF THE ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS  ARTICLE,  THE
 ATTORNEY  GENERAL  MAY BRING AN ACTION OR SPECIAL PROCEEDING IN THE NAME
 AND ON BEHALF OF THE PEOPLE OF THE STATE  OF  NEW  YORK  TO  ENJOIN  ANY
 VIOLATION  OF THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR PROP-
 ERTY OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH  VIOLATION,  TO  OBTAIN
 DISGORGEMENT  OF ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH
 VIOLATION, TO OBTAIN CIVIL PENALTIES OF NOT MORE THAN  FIFTEEN  THOUSAND
 DOLLARS  PER  VIOLATION, AND TO OBTAIN ANY SUCH OTHER AND FURTHER RELIEF
 AS THE COURT MAY DEEM PROPER, INCLUDING PRELIMINARY RELIEF.
   (A) ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE  ATTORNEY  GENERAL
 PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS.
   (B)  EACH  INSTANCE  OF  UNLAWFUL  PROCESSING  COUNTS  AS  A  SEPARATE
 VIOLATION. UNLAWFUL PROCESSING OF THE PERSONAL DATA  OF  MORE  THAN  ONE
 CONSUMER  COUNTS  AS  A  SEPARATE  VIOLATION  AS  TO EACH CONSUMER. EACH
 PROVISION OF  THIS  ARTICLE  THAT  IS  VIOLATED  COUNTS  AS  A  SEPARATE
 VIOLATION.
 S. 6701--A                         20
 
   (C)  IN ASSESSING THE AMOUNT OF PENALTIES, THE COURT MUST CONSIDER ANY
 ONE OR MORE OF THE  RELEVANT  CIRCUMSTANCES  PRESENTED  BY  ANY  OF  THE
 PARTIES,  INCLUDING,  BUT  NOT LIMITED TO, THE NATURE AND SERIOUSNESS OF
 THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCON-
 DUCT,  THE  LENGTH OF TIME OVER WHICH THE MISCONDUCT OCCURRED, THE WILL-
 FULNESS OF THE  VIOLATOR'S  MISCONDUCT,  AND  THE  VIOLATOR'S  FINANCIAL
 CONDITION.
   2.  IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER
 THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND  MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE  WITH  THE  CIVIL PRACTICE LAW AND RULES.  THE ATTORNEY GENERAL MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT AND MAY REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER  OATH.    SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF  ANY  ACTION  OR  SPECIAL  PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 UNDER THIS ARTICLE.
   3. ANY PERSON, WITHIN OR OUTSIDE THE STATE, WHO THE  ATTORNEY  GENERAL
 BELIEVES MAY BE IN POSSESSION, CUSTODY, OR CONTROL OF ANY BOOKS, PAPERS,
 OR  OTHER THINGS, OR MAY HAVE INFORMATION, RELEVANT TO ACTS OR PRACTICES
 STATED TO BE UNLAWFUL IN THIS ARTICLE IS SUBJECT TO  THE  SERVICE  OF  A
 SUBPOENA  ISSUED  BY  THE  ATTORNEY  GENERAL  PURSUANT  TO THIS SECTION.
 SERVICE MAY BE MADE IN ANY MANNER THAT IS AUTHORIZED FOR  SERVICE  OF  A
 SUBPOENA OR A SUMMONS BY THE STATE IN WHICH SERVICE IS MADE.
   4.  (A)  FAILURE  TO    COMPLY WITH A SUBPOENA ISSUED PURSUANT TO THIS
 SECTION WITHOUT REASONABLE CAUSE TOLLS THE APPLICABLE STATUTES OF  LIMI-
 TATIONS  IN  ANY  ACTION  OR  SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY
 GENERAL AGAINST THE NONCOMPLIANT PERSON THAT ARISES OUT OF THE  ATTORNEY
 GENERAL'S INVESTIGATION.
   (B)  IF  A  PERSON  FAILS TO COMPLY WITH A SUBPOENA ISSUED PURSUANT TO
 THIS SECTION, THE ATTORNEY GENERAL MAY MOVE  IN  THE  SUPREME  COURT  TO
 COMPEL COMPLIANCE.  IF THE COURT FINDS THAT THE SUBPOENA WAS AUTHORIZED,
 IT  SHALL  ORDER COMPLIANCE AND MAY IMPOSE A CIVIL PENALTY OF UP TO FIVE
 HUNDRED DOLLARS PER DAY OF NONCOMPLIANCE.
   (C) SUCH TOLLING AND CIVIL PENALTY SHALL BE IN ADDITION TO  ANY  OTHER
 PENALTIES OR REMEDIES PROVIDED BY LAW FOR NONCOMPLIANCE WITH A SUBPOENA.
   5.  THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL UNDER
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL NOT SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS  STATE  UNDER
 WHICH  THE  ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION OR CONDUCT
 ANY INQUIRY.
   6. ANY CONSUMER WHO HAS BEEN INJURED BY  A  VIOLATION  OF  SUBDIVISION
 TWO,  SEVEN  OR  EIGHT OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE MAY
 BRING AN ACTION IN HIS OR HER OWN NAME TO ENJOIN SUCH  UNLAWFUL  ACT  OR
 PRACTICE  AND  TO  RECOVER  HIS  OR  HER  ACTUAL DAMAGES OR ONE THOUSAND
 DOLLARS, WHICHEVER IS GREATER.  THE  COURT  MAY  ALSO  AWARD  REASONABLE
 ATTORNEYS'  FEES  TO  A PREVAILING PLAINTIFF.   ACTIONS PURSUANT TO THIS
 SECTION MAY BE BROUGHT ON A CLASS-WIDE BASIS.
   § 1107. MISCELLANEOUS. 1. PREEMPTION: THIS  ARTICLE  DOES  NOT  ANNUL,
 ALTER,  OR  AFFECT  THE LAWS, ORDINANCES, REGULATIONS, OR THE EQUIVALENT
 ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING, COLLECTION, TRANS-
 FER, DISCLOSURE, AND SALE OF CONSUMERS' PERSONAL DATA BY A CONTROLLER OR
 PROCESSOR SUBJECT TO THIS ARTICLE, EXCEPT  TO  THE  EXTENT  THOSE  LAWS,
 ORDINANCES,  REGULATIONS, OR THE EQUIVALENT CREATE REQUIREMENTS OR OBLI-
 GATIONS THAT CONFLICT WITH OR REDUCE THE PROTECTIONS AFFORDED TO CONSUM-
 ERS UNDER THIS ARTICLE.
 S. 6701--A                         21
 
   2. IMPACT REPORT: THE ATTORNEY GENERAL SHALL ISSUE A REPORT EVALUATING
 THIS ARTICLE, ITS SCOPE, ANY COMPLAINTS FROM CONSUMERS OR  PERSONS,  THE
 LIABILITY  AND ENFORCEMENT PROVISIONS OF THIS ARTICLE INCLUDING, BUT NOT
 LIMITED TO, THE EFFECTIVENESS OF ITS EFFORTS TO  ENFORCE  THIS  ARTICLE,
 AND  ANY  RECOMMENDATIONS  FOR  CHANGES TO SUCH PROVISIONS. THE ATTORNEY
 GENERAL SHALL SUBMIT THE REPORT TO THE GOVERNOR, THE TEMPORARY PRESIDENT
 OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE APPROPRIATE  COMMIT-
 TEES  OF  THE LEGISLATURE WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS
 SECTION.
   3. REGULATORY AUTHORITY: (A) THE ATTORNEY GENERAL IS HEREBY AUTHORIZED
 AND EMPOWERED TO ADOPT, PROMULGATE, AMEND AND RESCIND SUITABLE RULES AND
 REGULATIONS TO CARRY OUT THE PROVISIONS OF THIS ARTICLE, INCLUDING RULES
 GOVERNING THE FORM AND CONTENT  OF  ANY  DISCLOSURES  OR  COMMUNICATIONS
 REQUIRED BY THIS ARTICLE.
   (B)  THE  ATTORNEY  GENERAL  MAY  REQUEST  DATA  AND  INFORMATION FROM
 CONTROLLERS CONDUCTING BUSINESS IN NEW YORK STATE, OTHER NEW YORK  STATE
 GOVERNMENT  ENTITIES  ADMINISTERING NOTICE AND CONSENT REGIMES, CONSUMER
 PROTECTION AND PRIVACY ADVOCATES  AND  RESEARCHERS,  INTERNET  STANDARDS
 SETTING  BODIES,  SUCH  AS  THE  INTERNET  ENGINEERING TASKFORCE AND THE
 INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS,  AND  OTHER  RELEVANT
 SOURCES,  TO  CONDUCT  STUDIES TO INFORM SUITABLE RULES AND REGULATIONS.
 THE ATTORNEY GENERAL SHALL RECEIVE, UPON REQUEST, DATA  FROM  OTHER  NEW
 YORK STATE GOVERNMENTAL ENTITIES.
   4.  EXERCISE  OF  RIGHTS: ANY CONSUMER RIGHT SET FORTH IN THIS ARTICLE
 MAY BE EXERCISED AT ANY TIME BY THE CONSUMER WHO IS THE SUBJECT  OF  THE
 DATA  OR  BY  A  PARENT OR GUARDIAN AUTHORIZED BY LAW TO TAKE ACTIONS OF
 LEGAL CONSEQUENCE ON BEHALF OF THE CONSUMER WHO IS THE  SUBJECT  OF  THE
 DATA. AN AGENT AUTHORIZED BY A CONSUMER MAY EXERCISE THE CONSUMER RIGHTS
 SET  FORTH  IN  SUBDIVISIONS THREE THROUGH SIX OF SECTION ELEVEN HUNDRED
 TWO OF THIS ACT ON THE CONSUMERS BEHALF.
   § 4. This act shall take effect immediately; provided,  however,  that
 sections  1101,  1102, 1103, 1105, 1106 and 1107 of the general business
 law, as added by section three of this act, shall take effect two  years
 after it shall have become a law but the private right of action author-
 ized  by subdivision 6 of section 1106 of the general business law shall
 take effect three years after such section shall have become a law.

co-Sponsors

View additional co-sponsors

2021-S6701B (ACTIVE) - Details

Current Committee:: Senate Internet And Technology
Law Section:: General Business Law
Laws Affected:: Add Art 42 §§1100 - 1107, Gen Bus L
Versions Introduced in 2023-2024 Legislative Session:: S365

2021-S6701B (ACTIVE) - Summary

2021-S6701B (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S6701B

SPONSOR: THOMAS
 
TITLE OF BILL:

An act to amend the general business law, in relation to the management
and oversight of personal data

 
PURPOSE GENERAL IDEA OF BILL:

The purpose of the bill is to help New Yorkers regain their privacy.
The bill, cited as the NY Privacy Act, will require the companies to
obtain consent from consumers before processing the personal data of
consumers.

 
SUMMARY OF PROVISIONS:

Section 1 of the bill defines the act as the "New York Privacy Act".

Section 2 of the bill contains the legislative intent.

Section 3 of the bill amends the general business law by adding a new

article 42.

Section 1100 of the new article 42 provides definitions of relevant
terms to be used in this act.

Section 1101 of the new article 42 states that the jurisdictional scope
of this article applies to legal persons that conduct business in New
York State or produce products or services intentionally targeted to
residents in New York State and that satisfy one or more of the required
thresholds. This section also contains exemptions.

Section 1102 of the new article 42 delineates consumer rights including
notice of how their data is being processed and sold, the right to opt-
out, the right to opt-in for sensitive data, the ability to request
access and obtain a copy of their data in a commonly used electronic
format, the ability to request the correction of inaccurate data and
deletion of data, and the ability to challenge certain automated deci-
sions.

Section 1103 of the new article 42 defines the responsibilities and
obligations assigned to controllers, processors and third parties.

First, controllers have an obligation to regularly conduct data
protection assessments for processing activities that present a height-
ened risk of harm to consumers. Controllers owe a duty of loyalty to
consumers which requires controllers to notify the consumer of any
interest that may be harmed before requesting consent. The duty of
loyalty also prohibits controllers from engaging in unfair, deceptive,
or abusive acts or practices with respect to obtaining consumer consent,
the processing of personal data, and a consumer's exercise of any rights
of this article. Additionally, controllers owe consumer's a duty of care
which requires controllers to conduct and document risk assessments of
all current processes of personal data at least once a year. The duty of
care also requires controllers to develop, implement, and maintain
reasonable safeguards to protect the security, confidentiality and
integrity of the consumer data the controller collects and to limit data
use and retention. Furthermore, controllers cannot discriminate against
consumers for exercising their data rights; and prior to sharing a
consumer's personal data, the controller must enter into a written and
signed contract with a processor before it provides the consumer's
personal data.

Next, processors must act in accordance with the written contract it has
entered into with a controller. Each contract must set forth
instructions for processing data; the nature and purpose of the process-
ing; the type of data subject to processing; the duration of the proc-
essing; and the rights and obligations of the controller and processor.
In addition, processors are under a continuing obligation to engage in
reasonable measures to review their processing activities with respect
to data identification.

Lastly, for any data acquired or accessed by a third-party from a
controller or processor, the third-party can only process that data to
the extent permitted by the provisions of the written contract and after
the consumer has consented to the individual third party and the purpose
for third party processing.

Section 1104 of the new article 42 requires data brokers to register and
pay an annual fee to the Attorney General and submit information regard-
ing the data broker's data use practices and contact information. The
Attorney General will maintain a data broker registry on its website.
Additionally, controllers must annually submit a list of all known data
brokers or persons reasonably believed to be data brokers with whom the
controller provided personal data in the preceding year. Controllers are
prohibited from sharing personal data with an unregistered data broker.

Section 1105 of the new article 42 describes when controllers and
processors are exempt from complying with the obligations set forth in
Section 1103.

Section 1106 of the new article 42 authorizes the Attorney General to
bring an action or special proceeding whenever it appears that a person
has engaged in or is about to engage in a violation of the article. The
section also authorizes private rights of action and class actions.

Section 1107 of the new article 42 contains miscellaneous provisions
including a conflict preemption clause, timing for the Attorney General
to submit a report on the effectiveness of the article, regulatory
authority for the Attorney General, and how consumers can exercise their
rights under this article.

Section 4 of the bill states that the act will take effect immediately;
provided however, that sections 1101, 1102, 1103, 1105, 1106 and 1107 of
the general business law, as added by section three of this act, shall
take effect two years after the effective date but the private right of
action authorized in subdivision 6 of section 1106 will take effect
three years after the effective date.

 
JUSTIFICATION:

According to a Pew survey from 2018, 69% of American adults use at least
one social media platform, up from 5% in 2005. Americans use these plat-
forms to engage with friends and family, to connect with social and
political organizations, and to follow news and current events. Despite
the platforms' usefulness, many social media users have reservations
about the handling of their personal information. A 2014 Pew survey
found that 91% of Americans believe that people have lost control over
how their personal information is collected and used. Some 8()% of
social media users said they were concerned about advertisers and busi-
nesses accessing and using data that they share on social media plat-
forms. Around 64% of people in this survey also said that the government
should do more to address this issue.

Social media companies obtain their revenues through targeted advertis-
ing based on users' likes, shares, searches, phone numbers, emails, and
other information provided while they use these platforms. According to
The New York Times, some of the largest social media companies fail to
inform or obtain consent from users regarding the sharing of their
personal data. It found that in some instances, these social media
companies share the information of hundreds of millions of users without
notifying their consumers. It also found that if users were to choose
the most restrictive privacy settings made available, their personal
data was still shareable with some external companies or affiliates.
What's more, according to these large social media companies, any infor-
mation shared on these platforms can be given to other companies without
any additional consent.

Currently, there are no federal regulations addressing this privacy
issue, and the few attempts of self-regulation by these companies have
been frail and fall well short of addressing consumers' concerns. Hence,
New York must join the increasing number of other states to fill this
void.

 
PRIOR LEGISLATIVE HISTORY:

2019-20: S.5642 (Thomas) / A.8526 (L. Rosenthal) - Advanced to third
reading calendar.

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

None to the state.

 
EFFECTIVE DATE:
This act shall take effect immediately; provided however, that sections
1101, 1102, 1103, 1105, 1106 and 1107 of the general business law, added
by section three of this act, shall take effect two years after it shall
have become law but the private right of action authorized by subdivi-
sion 6 of section 1106 of the general business law shall take effect
three years after such section shall have become law.

2021-S6701B (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  6701--B
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                               May 12, 2021
                                ___________
 
 Introduced by Sens. THOMAS, BIAGGI, COMRIE, JACKSON, KRUEGER, MAY, RAMOS
   -- read twice and ordered printed, and when printed to be committed to
   the  Committee  on Consumer Protection -- recommitted to the Committee
   on Consumer Protection in accordance with Senate Rule  6,  sec.  8  --
   committee  discharged,  bill amended, ordered reprinted as amended and
   recommitted to said committee -- reported favorably from said  commit-
   tee  and  committed  to  the  Committee  on Internet and Technology --
   committee discharged, bill amended, ordered reprinted as  amended  and
   recommitted to said committee
 
 AN  ACT to amend the general business law, in relation to the management
   and oversight of personal data
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Short  title. This act shall be known and may be cited as
 the "New York privacy act".
   § 2. Legislative intent. 1. Privacy is  a  fundamental  right  and  an
 essential element of freedom. Advances in technology have produced ramp-
 ant  growth  in  the amount and categories of personal data being gener-
 ated,  collected,  stored,  analyzed,  and  potentially  shared,   which
 presents  both  promise  and peril. Companies collect, use and share our
 personal data in ways that can be difficult for  ordinary  consumers  to
 understand. Opaque data processing policies make it impossible to evalu-
 ate  risks  and  compare  privacy-related  protections  across services,
 stifling competition. Algorithms quietly make  decisions  with  critical
 consequences for New York consumers, often with no human accountability.
 Behavioral advertising generates profits by turning people into products
 and  their  activity into assets. New York consumers deserve more notice
 and more control over their data and their digital privacy.
   2. This act seeks to help New York consumers regain their privacy.  It
 gives New York consumers the ability to exercise more control over their
 personal data and requires businesses to be responsible, thoughtful, and

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD11397-08-2

 S. 6701--B                          2
 
 accountable managers of that information.  To  achieve  this,  this  act
 provides  New  York  consumers  a  number of new rights, including clear
 notice of how their data is being used, processed and shared; the abili-
 ty  to  access  and obtain a copy of their data in a commonly used elec-
 tronic format, with the ability to transfer  it  between  services;  the
 ability  to  correct  inaccurate  data and to delete their data; and the
 ability to challenge certain automated decisions. This act also  imposes
 obligations  upon  businesses  to  maintain reasonable data security for
 personal data, to notify New York consumers of foreseeable harms arising
 from use of their data and to obtain specific consent for that use,  and
 to conduct regular assessments to ensure that data is not being used for
 unacceptable purposes. These data assessments can be obtained and evalu-
 ated  by the New York State Attorney General, who is empowered to obtain
 penalties for violations of this act and prevent future violations. This
 act also grants New York consumers who have been injured as  the  result
 of  a  violation  a  private  right of action, which includes reasonable
 attorneys' fees to a prevailing plaintiff.
   § 3. The general business law is amended by adding a new article 42 to
 read as follows:
                                ARTICLE 42
                           NEW YORK PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. JURISDICTIONAL SCOPE.
         1102. CONSUMER RIGHTS.
         1103. CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES.
         1104. DATA BROKERS.
         1105. LIMITATIONS.
         1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION.
         1107. MISCELLANEOUS.
   § 1100. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY  THROUGHOUT  THIS
 ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE:
   1.  "AUTOMATED DECISION-MAKING" OR "AUTOMATED DECISION" MEANS A COMPU-
 TATIONAL PROCESS, INCLUDING ONE DERIVED FROM MACHINE  LEARNING,  ARTIFI-
 CIAL  INTELLIGENCE,  OR  ANY OTHER AUTOMATED PROCESS, INVOLVING PERSONAL
 DATA THAT RESULTS IN A DECISION AFFECTING A CONSUMER.
   2. "BIOMETRIC INFORMATION" MEANS ANY PERSONAL DATA GENERATED FROM  THE
 MEASUREMENT  OR  SPECIFIC TECHNOLOGICAL PROCESSING OF A NATURAL PERSON'S
 BIOLOGICAL, PHYSICAL, OR PHYSIOLOGICAL CHARACTERISTICS  THAT  ALLOWS  OR
 CONFIRMS  THE UNIQUE IDENTIFICATION OF A NATURAL PERSON, INCLUDING FING-
 ERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES,
 DEOXYRIBONUCLEIC ACID (DNA) INFORMATION, AND GAIT.
   3. "BUSINESS ASSOCIATE" HAS THE SAME MEANING AS IN  TITLE  45  OF  THE
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   4.  "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A FREELY GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT
 TO THE PROCESSING OF DATA RELATING TO THE  CONSUMER.    CONSENT  MAY  BE
 WITHDRAWN AT ANY TIME, AND A CONTROLLER MUST PROVIDE CLEAR, CONSPICUOUS,
 AND  CONSUMER-FRIENDLY  MEANS  TO WITHDRAW CONSENT. THE BURDEN OF ESTAB-
 LISHING CONSENT IS ON THE CONTROLLER.  CONSENT DOES NOT INCLUDE: (A)  AN
 AGREEMENT  OF GENERAL TERMS OF USE OR A SIMILAR DOCUMENT THAT REFERENCES
 UNRELATED INFORMATION IN ADDITION TO PERSONAL DATA  PROCESSING;  (B)  AN
 AGREEMENT  OBTAINED THROUGH FRAUD, DECEIT OR DECEPTION; (C) ANY ACT THAT
 DOES NOT CONSTITUTE A USER'S INTENT TO INTERACT WITH ANOTHER PARTY  SUCH
 AS  HOVERING  OVER, PAUSING OR CLOSING ANY CONTENT; OR (D) A PRE-CHECKED
 BOX OR SIMILAR DEFAULT.
 S. 6701--B                          3

   5. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING
 ONLY IN AN INDIVIDUAL OR  HOUSEHOLD  CONTEXT.  IT  DOES  NOT  INCLUDE  A
 NATURAL  PERSON  KNOWN  TO  BE  ACTING  IN  A PROFESSIONAL OR EMPLOYMENT
 CONTEXT.
   6.  "CONTROLLER"  MEANS  THE PERSON WHO, ALONE OR JOINTLY WITH OTHERS,
 DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA.
   7. "COVERED ENTITY" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R.,
 ESTABLISHED PURSUANT TO THE FEDERAL  HEALTH  INSURANCE  PORTABILITY  AND
 ACCOUNTABILITY ACT OF 1996.
   8.  "DATA  BROKER" MEANS A PERSON, OR UNIT OR UNITS OF A LEGAL ENTITY,
 SEPARATELY OR TOGETHER, THAT DOES BUSINESS IN THE STATE OF NEW YORK  AND
 KNOWINGLY  COLLECTS,  AND  SELLS  TO  CONTROLLERS  OR THIRD PARTIES, THE
 PERSONAL DATA OF A  CONSUMER  WITH  WHOM  IT  DOES  NOT  HAVE  A  DIRECT
 RELATIONSHIP. "DATA BROKER" DOES NOT INCLUDE ANY OF THE FOLLOWING:
   (A)  A  CONSUMER  REPORTING AGENCY TO THE EXTENT THAT IT IS COVERED BY
 THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET SEQ.); OR
   (B) A FINANCIAL INSTITUTION TO THE EXTENT THAT IT IS  COVERED  BY  THE
 GRAMM-LEACH-BLILEY  ACT  (PUBLIC  LAW  106-102)  AND  IMPLEMENTING REGU-
 LATIONS.
   9. "DECISIONS THAT PRODUCE LEGAL  OR  SIMILARLY  SIGNIFICANT  EFFECTS"
 MEANS  DECISIONS  MADE BY THE CONTROLLER THAT RESULT IN THE PROVISION OR
 DENIAL BY THE CONTROLLER OF  FINANCIAL  OR  LENDING  SERVICES,  HOUSING,
 INSURANCE,   EDUCATION  ENROLLMENT  OR  OPPORTUNITY,  CRIMINAL  JUSTICE,
 EMPLOYMENT OPPORTUNITIES, HEALTH CARE SERVICES OR  ACCESS  TO  ESSENTIAL
 GOODS OR SERVICES.
   10.  "DEIDENTIFIED  DATA" MEANS DATA THAT CANNOT REASONABLY BE USED TO
 INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTICULAR  CONSUM-
 ER,  HOUSEHOLD OR DEVICE, PROVIDED THAT THE PROCESSOR OR CONTROLLER THAT
 POSSESSES THE DATA:
   (A) IMPLEMENTS REASONABLE TECHNICAL SAFEGUARDS TO ENSURE THAT THE DATA
 CANNOT BE ASSOCIATED WITH A CONSUMER, HOUSEHOLD OR DEVICE;
   (B) PUBLICLY COMMITS TO PROCESS THE DATA ONLY AS DEIDENTIFIED DATA AND
 NOT ATTEMPT TO REIDENTIFY  THE  DATA,  EXCEPT  THAT  THE  CONTROLLER  OR
 PROCESSOR  MAY  ATTEMPT  TO  REIDENTIFY  THE  INFORMATION SOLELY FOR THE
 PURPOSE OF DETERMINING WHETHER ITS  DEIDENTIFICATION  PROCESSES  SATISFY
 THE REQUIREMENTS OF THIS SUBDIVISION; AND
   (C)  CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE DATA TO COMPLY WITH
 ALL PROVISIONS OF THIS ARTICLE.
   11. "DEVICE" MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE  OF  CONNECTING
 TO  THE  INTERNET,  DIRECTLY  OR INDIRECTLY, OR TO ANOTHER DEVICE AND IS
 INTENDED FOR USE BY A NATURAL PERSON OR HOUSEHOLD OR,  IF  USED  OUTSIDE
 THE HOME, FOR USE BY THE GENERAL PUBLIC.
   12.  "IDENTIFIED  OR  IDENTIFIABLE"  MEANS A NATURAL PERSON WHO CAN BE
 IDENTIFIED, DIRECTLY OR INDIRECTLY, SUCH AS BY REFERENCE TO AN IDENTIFI-
 ER SUCH AS A NAME, AN IDENTIFICATION NUMBER, LOCATION DATA, OR AN ONLINE
 OR DEVICE IDENTIFIER.
   13. "MEANINGFUL HUMAN REVIEW" MEANS REVIEW OR OVERSIGHT BY ONE OR MORE
 INDIVIDUALS WHO (A) ARE TRAINED IN THE CAPABILITIES AND  LIMITATIONS  OF
 THE  ALGORITHM  AT  ISSUE AND THE PROCEDURES TO INTERPRET AND ACT ON THE
 OUTPUT OF THE ALGORITHM, AND (B) HAVE THE AUTHORITY TO ALTER  THE  AUTO-
 MATED DECISION UNDER REVIEW.
   14. "NATURAL PERSON" MEANS A NATURAL PERSON ACTING ONLY IN AN INDIVID-
 UAL  OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN TO
 BE ACTING IN A PROFESSIONAL OR EMPLOYMENT CONTEXT.
   15. "PERSON" MEANS A NATURAL PERSON OR A LEGAL ENTITY,  INCLUDING  BUT
 NOT  LIMITED  TO  A  PROPRIETORSHIP,  PARTNERSHIP,  LIMITED PARTNERSHIP,
 S. 6701--B                          4
 
 CORPORATION, COMPANY, LIMITED LIABILITY COMPANY OR CORPORATION,  ASSOCI-
 ATION,  OR  OTHER  FIRM  OR SIMILAR BODY, OR ANY UNIT, DIVISION, AGENCY,
 DEPARTMENT, OR SIMILAR SUBDIVISION THEREOF.
   16. "PERSONAL DATA" MEANS ANY DATA THAT IDENTIFIES OR COULD REASONABLY
 BE  LINKED,  DIRECTLY  OR  INDIRECTLY,  WITH  A SPECIFIC NATURAL PERSON,
 HOUSEHOLD, OR DEVICE.  PERSONAL DATA DOES NOT INCLUDE DEIDENTIFIED DATA.
   17. "PRECISE GEOLOCATION DATA" MEANS INFORMATION DERIVED FROM TECHNOL-
 OGY, INCLUDING, BUT NOT LIMITED TO, GLOBAL POSITION SYSTEM  LEVEL  LATI-
 TUDE  AND LONGITUDE COORDINATES OR OTHER MECHANISMS, THAT DIRECTLY IDEN-
 TIFIES THE  SPECIFIC  LOCATION  OF  AN  INDIVIDUAL  WITH  PRECISION  AND
 ACCURACY  WITHIN  A  RADIUS  OF  ONE  THOUSAND SEVEN HUNDRED FIFTY FEET,
 EXCEPT AS PRESCRIBED BY REGULATIONS. PRECISE GEOLOCATION DATA  DOES  NOT
 INCLUDE  THE  CONTENT  OF  COMMUNICATIONS  OR  ANY  DATA GENERATED BY OR
 CONNECTED TO ADVANCE UTILITY METERING INFRASTRUCTURE SYSTEMS  OR  EQUIP-
 MENT FOR USE BY A UTILITY.
   18.  "PROCESS",  "PROCESSES" OR "PROCESSING" MEANS AN OPERATION OR SET
 OF OPERATIONS WHICH ARE PERFORMED ON DATA OR ON SETS OF DATA,  INCLUDING
 BUT  NOT  LIMITED TO THE COLLECTION, USE, ACCESS, SHARING, MONETIZATION,
 ANALYSIS, RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGAN-
 IZATION,  STRUCTURING,  STORAGE,  DISCLOSURE,  TRANSMISSION,   ANALYSIS,
 DISPOSAL, LICENSING, DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFI-
 CATION OF DATA.
   19.  "PROCESSOR"  MEANS  A PERSON THAT PROCESSES DATA ON BEHALF OF THE
 CONTROLLER.
   20. "PROFILING" MEANS ANY FORM OF AUTOMATED  PROCESSING  PERFORMED  ON
 PERSONAL  DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS RELATED
 TO AN IDENTIFIED OR IDENTIFIABLE NATURAL  PERSON'S  ECONOMIC  SITUATION,
 HEALTH,   PERSONAL   PREFERENCES,   INTERESTS,   RELIABILITY,  BEHAVIOR,
 LOCATION, OR MOVEMENTS.  PROFILING DOES NOT INCLUDE  EVALUATION,  ANALY-
 SIS,  OR  PREDICTION BASED SOLELY UPON A NATURAL PERSON'S CURRENT SEARCH
 QUERY OR CURRENT VISIT  TO  A  WEBSITE  OR  ONLINE  APPLICATION,  IF  NO
 PERSONAL  DATA  IS RETAINED AFTER THE COMPLETION OF THE ACTIVITY FOR THE
 PURPOSES IDENTIFIED IN THIS SUBDIVISION.
   21. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   22. "SALE", "SELL", OR "SOLD" MEANS THE DISCLOSURE, TRANSFER,  CONVEY-
 ANCE,  SHARING,  LICENSING,  MAKING  AVAILABLE,  PROCESSING, GRANTING OF
 PERMISSION OR AUTHORIZATION TO PROCESS, OR OTHER  EXCHANGE  OF  PERSONAL
 DATA,  OR  PROVIDING ACCESS TO PERSONAL DATA FOR MONETARY OR OTHER VALU-
 ABLE CONSIDERATION BY THE CONTROLLER TO A THIRD PARTY.  "SALE"  INCLUDES
 ENABLING, FACILITATING OR PROVIDING ACCESS TO PERSONAL DATA FOR TARGETED
 ADVERTISING. "SALE" DOES NOT INCLUDE THE FOLLOWING:
   (A)  THE  DISCLOSURE  OF DATA TO A PROCESSOR WHO PROCESSES THE DATA ON
 BEHALF OF THE CONTROLLER AND  WHICH  IS  CONTRACTUALLY  PROHIBITED  FROM
 USING IT FOR ANY PURPOSE OTHER THAN AS INSTRUCTED BY THE CONTROLLER; OR
   (B)  THE  DISCLOSURE OR TRANSFER OF DATA AS AN ASSET THAT IS PART OF A
 MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN  WHICH  ANOTHER
 ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR A MAJORITY OF THE CONTROL-
 LER'S ASSETS.
    23."SENSITIVE DATA" MEANS PERSONAL DATA THAT REVEALS:
   (A)  RACIAL  OR  ETHNIC  ORIGIN, RELIGIOUS BELIEFS, MENTAL OR PHYSICAL
 HEALTH CONDITION OR DIAGNOSIS, SEX LIFE, SEXUAL ORIENTATION, OR CITIZEN-
 SHIP OR IMMIGRATION STATUS;
   (B) GENETIC OR BIOMETRIC INFORMATION FOR THE PURPOSE OF UNIQUELY IDEN-
 TIFYING A NATURAL PERSON; OR
 S. 6701--B                          5
 
   (C) PRECISE GEOLOCATION DATA.
   24. "TARGETED ADVERTISING" MEANS ADVERTISING BASED UPON PROFILING.
   25.  "THIRD  PARTY" MEANS, WITH RESPECT TO A PARTICULAR INTERACTION OR
 OCCURRENCE, A PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER  THAN  THE
 CONSUMER, THE CONTROLLER, OR PROCESSOR OF THE CONTROLLER.  A THIRD PARTY
 MAY  ALSO  BE  A  CONTROLLER  IF  THE THIRD PARTY, ALONE OR JOINTLY WITH
 OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF  PERSONAL
 DATA.
   26. "VERIFIED REQUEST" MEANS A REQUEST BY A CONSUMER OR THEIR AGENT TO
 EXERCISE  A  RIGHT AUTHORIZED BY THIS ARTICLE, THE AUTHENTICITY OF WHICH
 HAS BEEN ASCERTAINED BY THE CONTROLLER IN ACCORDANCE WITH PARAGRAPH  (C)
 OF SUBDIVISION NINE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE.
   § 1101. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL PERSONS
 THAT  CONDUCT  BUSINESS IN NEW YORK OR PRODUCE PRODUCTS OR SERVICES THAT
 ARE TARGETED TO RESIDENTS OF NEW YORK, AND THAT SATISFY ONE OR  MORE  OF
 THE FOLLOWING THRESHOLDS:
   (A) HAVE ANNUAL GROSS REVENUE OF TWENTY-FIVE MILLION DOLLARS OR MORE;
   (B)  CONTROLS  OR  PROCESSES  PERSONAL  DATA  OF  ONE HUNDRED THOUSAND
 CONSUMERS OR MORE;
   (C) CONTROLS OR PROCESSES  PERSONAL  DATA  OF  FIVE  HUNDRED  THOUSAND
 NATURAL  PERSONS  OR MORE NATIONWIDE, AND CONTROLS OR PROCESSES PERSONAL
 DATA OF TEN THOUSAND CONSUMERS OR MORE; OR
   (D) DERIVES OVER FIFTY PERCENT OF  GROSS  REVENUE  FROM  THE  SALE  OF
 PERSONAL  DATA,  AND  CONTROLS OR PROCESSES PERSONAL DATA OF TWENTY-FIVE
 THOUSAND CONSUMERS OR MORE.
   2. THIS ARTICLE DOES NOT APPLY TO:
   (A) PERSONAL DATA PROCESSED BY STATE AND LOCAL GOVERNMENTS, AND MUNIC-
 IPAL CORPORATIONS, FOR PROCESSES OTHER THAN SALE (FILING AND  PROCESSING
 FEES ARE NOT SALE);
   (B)  A  NATIONAL SECURITIES ASSOCIATION REGISTERED PURSUANT TO SECTION
 15A OF THE SECURITIES EXCHANGE ACT OF 1934, AS AMENDED,  OR  REGULATIONS
 ADOPTED  THEREUNDER  OR  A  REGISTERED FUTURES ASSOCIATION SO DESIGNATED
 PURSUANT TO SECTION 17 OF THE COMMODITY EXCHANGE ACT, AS AMENDED, OR ANY
 REGULATIONS ADOPTED THEREUNDER;
   (C) INFORMATION THAT MEETS THE FOLLOWING CRITERIA:
   (I) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO
 AND  IN  COMPLIANCE  WITH  THE  FEDERAL  GRAMM-LEACH-BLILEY  ACT   (P.L.
 106-102), AND IMPLEMENTING REGULATIONS;
   (II)  PERSONAL  DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT
 TO THE FEDERAL DRIVER'S PRIVACY PROTECTION ACT OF 1994 (18  U.S.C.  SEC.
 2721  ET SEQ.), IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN
 COMPLIANCE WITH THAT LAW;
   (III) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS
 AND PRIVACY ACT, U.S.C. SEC. 1232G AND ITS IMPLEMENTING REGULATIONS;
   (IV) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR  DISCLOSED  PURSUANT
 TO  THE  FEDERAL  FARM  CREDIT ACT OF 1971 (AS AMENDED IN 12 U.S.C. SEC.
 2001-2279CC) AND ITS IMPLEMENTING REGULATIONS (12  C.F.R.  PART  600  ET
 SEQ.)  IF  THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS IN COMPLI-
 ANCE WITH THAT LAW;
   (V) PERSONAL DATA REGULATED BY SECTION TWO-D OF THE EDUCATION LAW;
   (VI) DATA MAINTAINED AS EMPLOYMENT RECORDS, FOR  PURPOSES  OTHER  THAN
 SALE;
   (VII)  PROTECTED  HEALTH  INFORMATION  THAT IS LAWFULLY COLLECTED BY A
 COVERED ENTITY OR BUSINESS ASSOCIATE AND IS  GOVERNED  BY  THE  PRIVACY,
 SECURITY,  AND  BREACH  NOTIFICATION  RULES  ISSUED BY THE UNITED STATES
 DEPARTMENT OF HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF  TITLE  45
 S. 6701--B                          6
 
 OF  THE  CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO THE HEALTH
 INSURANCE  PORTABILITY  AND  ACCOUNTABILITY  ACT  OF  1996  (PUBLIC  LAW
 104-191)  ("HIPAA")  AND  THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC
 AND CLINICAL HEALTH ACT (PUBLIC LAW 111-5);
   (VIII)  PATIENT IDENTIFYING INFORMATION FOR PURPOSES OF 42 C.F.R. PART
 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290DD-2, AS LONG AS SUCH  DATA
 IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR FEDERAL LAW;
   (IX)  INFORMATION  AND  DOCUMENTS LAWFULLY CREATED FOR PURPOSES OF THE
 FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986, AND  RELATED  REGU-
 LATIONS;
   (X) PATIENT SAFETY WORK PRODUCT CREATED FOR PURPOSES OF 42 C.F.R. PART
 3, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 299B-21 THROUGH 299B-26;
   (XI)  INFORMATION  THAT  IS  TREATED IN THE SAME MANNER AS INFORMATION
 EXEMPT UNDER SUBPARAGRAPH (VII) OF THIS PARAGRAPH THAT IS MAINTAINED  BY
 A  COVERED ENTITY OR BUSINESS ASSOCIATE AS DEFINED BY HIPAA OR A PROGRAM
 OR A QUALIFIED SERVICE ORGANIZATION AS DEFINED BY 42 U.S.C.  §  290DD-2,
 AS  LONG  AS SUCH DATA IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR
 FEDERAL LAW;
   (XII) DEIDENTIFIED HEALTH INFORMATION THAT MEETS ALL OF THE  FOLLOWING
 CONDITIONS:
   (A) IT IS DEIDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DEIDEN-
 TIFICATION  SET  FORTH IN SECTION 164.514 OF PART 164 OF TITLE 45 OF THE
 CODE OF FEDERAL REGULATIONS;
   (B) IT IS DERIVED  FROM  PROTECTED  HEALTH  INFORMATION,  INDIVIDUALLY
 IDENTIFIABLE  HEALTH  INFORMATION,  OR  IDENTIFIABLE PRIVATE INFORMATION
 COMPLIANT WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN  SUBJECTS,
 ALSO KNOWN AS THE COMMON RULE; AND
   (C) A COVERED ENTITY OR BUSINESS ASSOCIATE DOES NOT ATTEMPT TO REIDEN-
 TIFY  THE  INFORMATION  NOR  DO THEY ACTUALLY REIDENTIFY THE INFORMATION
 EXCEPT AS OTHERWISE ALLOWED UNDER STATE OR FEDERAL LAW;
   (XIII) INFORMATION MAINTAINED BY A COVERED ENTITY OR BUSINESS  ASSOCI-
 ATE  GOVERNED  BY  THE  PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES
 ISSUED BY THE UNITED STATES DEPARTMENT OF  HEALTH  AND  HUMAN  SERVICES,
 PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS, ESTAB-
 LISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
 ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE  COVERED  ENTITY  OR
 BUSINESS  ASSOCIATE  MAINTAINS  THE  INFORMATION  IN  THE SAME MANNER AS
 PROTECTED HEALTH INFORMATION AS DESCRIBED IN SUBPARAGRAPH (VII) OF  THIS
 PARAGRAPH;
   (XIV)  DATA  COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH, INCLUDING A
 CLINICAL TRIAL, CONDUCTED IN ACCORDANCE WITH THE FEDERAL POLICY FOR  THE
 PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO
 GOOD  CLINICAL  PRACTICE  GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL
 FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT  PROTECTION  REQUIREMENTS
 OF THE UNITED STATES FOOD AND DRUG ADMINISTRATION; OR
   (XV)  PERSONAL  DATA  PROCESSED  ONLY FOR ONE OR MORE OF THE FOLLOWING
 PURPOSES:
   (A) PRODUCT  REGISTRATION  AND  TRACKING  CONSISTENT  WITH  APPLICABLE
 UNITED STATES FOOD AND DRUG ADMINISTRATION REGULATIONS AND GUIDANCE;
   (B)  PUBLIC  HEALTH  ACTIVITIES  AND  PURPOSES AS DESCRIBED IN SECTION
 164.512 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; AND/OR
   (C) ACTIVITIES RELATED TO QUALITY, SAFETY, OR EFFECTIVENESS  REGULATED
 BY THE UNITED STATES FOOD AND DRUG ADMINISTRATION;
   (D) (I) AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE,
 SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S
 CREDIT  WORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL
 S. 6701--B                          7
 
 REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING  BY  A  CONSUMER
 REPORTING  AGENCY,  AS  DEFINED  IN  TITLE 15 U.S.C. SEC. 1681A(F), BY A
 FURNISHER OF INFORMATION, AS SET FORTH IN TITLE 15 U.S.C. SEC.  1681S-2,
 WHO  PROVIDES  INFORMATION  FOR  USE IN A CONSUMER REPORT, AS DEFINED IN
 TITLE 15 U.S.C. SEC. 1861A(D), AND BY A USER OF A  CONSUMER  REPORT,  AS
 SET FORTH IN TITLE 15 U.S.C. SEC. 1681B.; AND
   (II)  THIS PARAGRAPH SHALL APPLY ONLY TO THE EXTENT THAT SUCH ACTIVITY
 INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE,  COMMUNICATION,
 OR  USE  OF  SUCH  DATA BY THAT AGENCY, FURNISHER, OR USER IS SUBJECT TO
 REGULATION UNDER THE FAIR CREDIT REPORTING ACT,  TITLE  15  U.S.C.  SEC.
 1681  ET SEQ., AND THE DATA IS NOT COLLECTED, MAINTAINED, USED, COMMUNI-
 CATED, DISCLOSED, OR SOLD  EXCEPT  AS  AUTHORIZED  BY  THE  FAIR  CREDIT
 REPORTING ACT.
   § 1102. CONSUMER RIGHTS. 1. RIGHT TO NOTICE. (A) NOTICE. EACH CONTROL-
 LER  THAT  PROCESSES  A  CONSUMER'S PERSONAL DATA MUST MAKE PUBLICLY AND
 PERSISTENTLY AVAILABLE, IN A CONSPICUOUS AND READILY ACCESSIBLE  MANNER,
 A NOTICE CONTAINING THE FOLLOWING:
   (I)  A  DESCRIPTION  OF  THE  CONSUMER'S RIGHTS UNDER SUBDIVISIONS TWO
 THROUGH SEVEN OF THIS SECTION AND HOW  A  CONSUMER  MAY  EXERCISE  THOSE
 RIGHTS, INCLUDING HOW TO WITHDRAW CONSENT;
   (II)  THE  CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER AND
 BY ANY PROCESSOR WHO PROCESSES PERSONAL DATA ON BEHALF OF  THE  CONTROL-
 LER;
   (III) THE SOURCES FROM WHICH PERSONAL DATA IS COLLECTED;
   (IV) THE PURPOSES FOR PROCESSING PERSONAL DATA;
   (V)  THE CATEGORIES OF THIRD PARTIES TO WHOM THE CONTROLLER DISCLOSED,
 SHARED, TRANSFERRED OR SOLD PERSONAL DATA  AND,  FOR  EACH  CATEGORY  OF
 THIRD   PARTY,  (A)  THE  CATEGORIES  OF  PERSONAL  DATA  BEING  SHARED,
 DISCLOSED, TRANSFERRED, OR SOLD TO THE THIRD PARTY, (B) THE PURPOSES FOR
 WHICH PERSONAL DATA IS BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD  TO
 THE  THIRD PARTY, (C) ANY APPLICABLE RETENTION PERIODS FOR EACH CATEGORY
 OF PERSONAL DATA PROCESSED BY THE THIRD PARTIES OR  PROCESSED  ON  THEIR
 BEHALF,  OR  IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THE
 PERIOD, AND (D) WHETHER THE THIRD PARTIES MAY USE THE PERSONAL DATA  FOR
 TARGETED ADVERTISING;
   (VI)  THE  CONTROLLER'S RETENTION PERIOD FOR EACH CATEGORY OF PERSONAL
 DATA THAT THEY PROCESS OR IS PROCESSED ON THEIR BEHALF, OR  IF  THAT  IS
 NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD; AND
   (VII)  FOR  CONTROLLERS  ENGAGING  IN  TARGETED  ADVERTISING,  AVERAGE
 EXPECTED REVENUE PER USER (ARPU) OR A SIMILAR METRIC FOR THE MOST RECENT
 FISCAL YEAR FOR THE REGION THAT COVERS NEW YORK.
   (B) NOTICE REQUIREMENTS.
   (I) THE NOTICE MUST BE WRITTEN IN EASY-TO-UNDERSTAND  LANGUAGE  AT  AN
 EIGHTH GRADE READING LEVEL OR BELOW.
   (II)  THE CATEGORIES OF PERSONAL DATA PROCESSED AND PURPOSES FOR WHICH
 EACH CATEGORY OF PERSONAL DATA IS PROCESSED MUST BE DESCRIBED AT A LEVEL
 SPECIFIC ENOUGH TO ENABLE A CONSUMER TO EXERCISE MEANINGFUL CONTROL OVER
 THEIR PERSONAL DATA BUT NOT SO SPECIFIC AS TO RENDER THE NOTICE  UNHELP-
 FUL TO A REASONABLE CONSUMER.
   (III)  THE NOTICE MUST BE DATED WITH ITS EFFECTIVE DATE AND UPDATED AT
 LEAST ANNUALLY.   WHEN THE INFORMATION REQUIRED TO  BE  DISCLOSED  TO  A
 CONSUMER  PURSUANT  TO PARAGRAPH (A) OF THIS SUBDIVISION HAS NOT CHANGED
 SINCE THE IMMEDIATELY  PREVIOUS  NOTICE  (WHETHER  INITIAL,  ANNUAL,  OR
 REVISED)  PROVIDED  TO  THE CONSUMER, A CONTROLLER MAY ISSUE A STATEMENT
 THAT NO CHANGES HAVE BEEN MADE.
 S. 6701--B                          8
 
   (IV) THE NOTICE, AS WELL AS EACH VERSION OF THE NOTICE  IN  EFFECT  IN
 THE  PRECEDING  SIX  YEARS,   MUST BE EASILY ACCESSIBLE TO CONSUMERS AND
 CAPABLE OF BEING VIEWED BY CONSUMERS AT ANY TIME.
   2.  RIGHT TO OPT OUT.  (A) A CONTROLLER MUST ALLOW CONSUMERS THE RIGHT
 TO OPT OUT, AT ANY TIME, OF  PROCESSING  PERSONAL  DATA  CONCERNING  THE
 CONSUMER FOR THE PURPOSES OF:
   (I) TARGETED ADVERTISING;
   (II) THE SALE OF PERSONAL DATA; AND
   (III)  PROFILING  IN  FURTHERANCE  OF  DECISIONS THAT PRODUCE LEGAL OR
 SIMILARLY SIGNIFICANT EFFECTS CONCERNING A CONSUMER.
   (B) A CONTROLLER MUST PROVIDE CLEAR  AND  CONSPICUOUS  MEANS  FOR  THE
 CONSUMER  OR THEIR AGENT TO OPT OUT OF PROCESSING AND CLEARLY PRESENT AS
 THE MOST CONSPICUOUS CHOICE AN OPTION TO SIMULTANEOUSLY OPT OUT  OF  ALL
 PROCESSING PURPOSES SET FORTH IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (C)  A  CONTROLLER MUST NOT PROCESS PERSONAL DATA FOR ANY PURPOSE FROM
 WHICH THE CONSUMER HAS OPTED OUT.
   (D) A CONTROLLER MUST NOT REQUEST THAT A CONSUMER WHO HAS OPTED OUT OF
 CERTAIN PURPOSES OF PROCESSING PERSONAL DATA OPT BACK IN,  UNLESS  THOSE
 PURPOSES  SUBSEQUENTLY BECOME NECESSARY TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY A CONSUMER. TARGETED ADVERTISING AND SALE OF PERSONAL  DATA
 SHALL  NOT  BE  CONSIDERED  PROCESSING  PURPOSES  THAT  ARE NECESSARY TO
 PROVIDE SERVICE OR GOODS REQUESTED BY A CONSUMER.
   (E) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A BROWSER,
 BROWSER  PLUG-IN,  SMARTPHONE  APPLICATION,  OPERATING  SYSTEM,   DEVICE
 SETTING,  OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE CONSUMER'S
 CHOICE NOT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA IN  FURTHERANCE
 OF  TARGETED  ADVERTISING, THE SALE OF THEIR PERSONAL DATA, OR PROFILING
 IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY  SIGNIFICANT
 EFFECTS CONCERNING THE CONSUMER AS AN OPT OUT UNDER THIS ARTICLE. TO THE
 EXTENT THAT THE PRIVACY CONTROL CONFLICTS WITH A CONSUMER'S CONSENT, THE
 PRIVACY  CONTROL  SETTINGS  GOVERN,  UNLESS THE CONSUMER PROVIDES FREELY
 GIVEN, SPECIFIC, INFORMED,  AND  UNAMBIGUOUS  CONSENT  TO  OVERRIDE  THE
 PRIVACY CONTROL.
   3.  SENSITIVE DATA. (A) A CONTROLLER MUST OBTAIN FREELY GIVEN, SPECIF-
 IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM A CONSUMER TO:
   (I) PROCESS THE CONSUMER'S SENSITIVE DATA RELATED TO THAT CONSUMER FOR
 ANY PURPOSE OTHER THAN  THOSE  IN  SUBDIVISION  TWO  OF  SECTION  ELEVEN
 HUNDRED FIVE OF THIS ARTICLE; OR
   (II)  MAKE  ANY  CHANGES  TO  THE  EXISTING  PROCESSING  OR PROCESSING
 PURPOSE, INCLUDING THOSE REGARDING THE METHOD AND SCOPE  OF  COLLECTION,
 OF  THE  CONSUMER'S  SENSITIVE  DATA  THAT MAY BE LESS PROTECTIVE OF THE
 CONSUMER'S SENSITIVE DATA THAN THE PROCESSING TO WHICH THE CONSUMER  HAS
 PREVIOUSLY GIVEN THEIR FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
 OPT-IN CONSENT.
   (B) ANY REQUEST FOR CONSENT TO PROCESS SENSITIVE DATA MUST BE PROVIDED
 TO  THE  CONSUMER, PRIOR TO PROCESSING THEIR SENSITIVE DATA, IN A STAND-
 ALONE DISCLOSURE THAT IS SEPARATE AND APART FROM ANY CONTRACT OR PRIVACY
 POLICY. THE REQUEST FOR CONSENT MUST:
   (I) INCLUDE A CLEAR AND CONSPICUOUS DESCRIPTION OF  EACH  CATEGORY  OF
 DATA AND PROCESSING PURPOSE FOR WHICH CONSENT IS SOUGHT;
   (II)  CLEARLY  IDENTIFY AND DISTINGUISH BETWEEN CATEGORIES OF DATA AND
 PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE THE SERVICES OR  GOODS
 REQUESTED BY THE CONSUMER AND CATEGORIES OF DATA AND PROCESSING PURPOSES
 THAT ARE NOT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER;
 S. 6701--B                          9
 
   (III)  ENABLE  A REASONABLE CONSUMER TO EASILY IDENTIFY THE CATEGORIES
 OF DATA AND PROCESSING PURPOSES FOR WHICH CONSENT IS SOUGHT;
   (IV)  CLEARLY  PRESENT  AS  THE  MOST  CONSPICUOUS CHOICE AN OPTION TO
 PROVIDE ONLY THE CONSENT NECESSARY TO  PROVIDE  THE  SERVICES  OR  GOODS
 REQUESTED BY THE CONSUMER;
   (V) CLEARLY PRESENT AN OPTION TO DENY CONSENT; AND
   (VI) WHERE THE REQUEST SEEKS CONSENT TO SHARING, DISCLOSURE, TRANSFER,
 OR  SALE  OF SENSITIVE DATA TO THIRD PARTIES, IDENTIFY THE CATEGORIES OF
 SUCH THIRD PARTIES, THE CATEGORIES OF DATA SOLD OR SHARED WITH THEM, THE
 PROCESSING PURPOSES, THE RETENTION PERIOD, OR IF THAT IS  NOT  POSSIBLE,
 THE  CRITERIA  USED  TO DETERMINE THE PERIOD, AND STATE IF SUCH SHARING,
 DISCLOSURE, TRANSFER, OR SALE ENABLES OR INVOLVES TARGETED  ADVERTISING.
 THE  DETAILS OF THE CATEGORIES OF SUCH THIRD PARTIES, AND THE CATEGORIES
 OF DATA, PROCESSING PURPOSES, AND THE RETENTION PERIOD, MAY BE SET FORTH
 IN A  DIFFERENT  DISCLOSURE,  PROVIDED  THAT  THE  REQUEST  FOR  CONSENT
 CONTAINS A CONSPICUOUS AND DIRECTLY ACCESSIBLE LINK TO THAT DISCLOSURE.
   (C)  TARGETED  ADVERTISING  AND  SALE  OF  PERSONAL  DATA SHALL NOT BE
 CONSIDERED PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE SERVICES OR
 GOODS REQUESTED BY A CONSUMER.
   (D) ONCE A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND
 UNAMBIGUOUS OPT-IN CONSENT TO PROCESS THEIR SENSITIVE DATA FOR  A  PROC-
 ESSING  PURPOSE, A CONTROLLER MAY RELY ON SUCH CONSENT UNTIL IT IS WITH-
 DRAWN.
   (E) A CONTROLLER MUST PROVIDE A MECHANISM FOR A CONSUMER  TO  WITHDRAW
 PREVIOUSLY  GIVEN  CONSENT  AT ANY TIME. SUCH MECHANISM SHALL MAKE IT AS
 EASY FOR A CONSUMER TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH CONSUMER
 TO PROVIDE CONSENT.
   (F) A CONTROLLER MUST NOT INFER THAT A CONSUMER  HAS  PROVIDED  FREELY
 GIVEN,  SPECIFIC,  INFORMED,  AND  UNAMBIGUOUS  OPT-IN  CONSENT FROM THE
 CONSUMER'S INACTION OR THE CONSUMER'S CONTINUED  USE  OF  A  SERVICE  OR
 PRODUCT PROVIDED BY THE CONTROLLER.
   (G)  CONTROLLERS  MUST  NOT  REQUEST  CONSENT  FROM A CONSUMER WHO HAS
 PREVIOUSLY WITHHELD OR DENIED CONSENT TO PROCESS SENSITIVE DATA,  UNLESS
 CONSENT  IS  NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER.
   (H) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLLERS IN A BROW-
 SER, BROWSER PLUG-IN, SMARTPHONE APPLICATION, OPERATING  SYSTEM,  DEVICE
 SETTING,  OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE CONSUMER'S
 CHOICES TO OPT OUT OF THE PROCESSING OF PERSONAL DATA IN FURTHERANCE  OF
 TARGETED  ADVERTISING,  THE SALE OF THEIR PERSONAL DATA, OR PROFILING IN
 FURTHERANCE OF DECISIONS THAT PRODUCE  LEGAL  OR  SIMILARLY  SIGNIFICANT
 EFFECTS CONCERNING THE CONSUMER AS A DENIAL OF CONSENT TO PROCESS SENSI-
 TIVE  DATA  UNDER  THIS  ARTICLE. TO THE EXTENT THAT THE PRIVACY CONTROL
 CONFLICTS WITH  A  CONSUMER'S  CONSENT,  THE  PRIVACY  CONTROL  SETTINGS
 GOVERN,  UNLESS  THE CONSUMER PROVIDES FREELY GIVEN, SPECIFIC, INFORMED,
 AND UNAMBIGOUS OPT-IN CONSENT TO OVERRIDE THE PRIVACY CONTROL.
   (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A  CONSUMER  FOR  WITH-
 HOLDING OR DENYING CONSENT, INCLUDING, BUT NOT LIMITED TO, BY:
   (I)  DENYING  SERVICES  OR  GOODS TO THE CONSUMER, UNLESS THE CONSUMER
 DOES NOT CONSENT TO PROCESSING NECESSARY  TO  PROVIDE  THE  SERVICES  OR
 GOODS REQUESTED BY THE CONSUMER;
   (II)  CHARGING  DIFFERENT  PRICES  FOR  GOODS  OR  SERVICES, INCLUDING
 THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING  PENALTIES,  OR
 PROVIDING  A  DIFFERENT  LEVEL  OR  QUALITY  OF SERVICES OR GOODS TO THE
 CONSUMER; OR
 S. 6701--B                         10
 
   (III) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT  PRICE  OR
 RATE  FOR  GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF SERVICES
 OR GOODS.
   (J)  A  CONTROLLER  MAY,  WITH  THE CONSUMER'S FREELY GIVEN, SPECIFIC,
 INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION,
 OPERATE A PROGRAM IN WHICH INFORMATION, PRODUCTS, OR  SERVICES  SOLD  TO
 THE  CONSUMER  ARE  DISCOUNTED  BASED  SOLELY  ON  SUCH CONSUMER'S PRIOR
 PURCHASES FROM THE CONTROLLER, PROVIDED THAT ANY SENSITIVE DATA USED  TO
 OPERATE  SUCH  PROGRAM  IS PROCESSED SOLELY FOR THE PURPOSE OF OPERATING
 SUCH PROGRAM.
   (K) IN THE EVENT OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANS-
 ACTION IN WHICH ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP  OF  ALL  OR
 MAJORITY  OF  THE  CONTROLLER'S  ASSETS,  ANY  CONSENT  PROVIDED  TO THE
 CONTROLLER BY A CONSUMER PRIOR TO SUCH TRANSACTION SHALL BE DEEMED WITH-
 DRAWN.
   4. RIGHT TO ACCESS.  UPON  THE  VERIFIED  REQUEST  OF  A  CONSUMER,  A
 CONTROLLER SHALL:
   (A)  CONFIRM  WHETHER OR NOT THE CONTROLLER IS PROCESSING OR HAS PROC-
 ESSED PERSONAL DATA OF THAT CONSUMER, AND PROVIDE ACCESS TO  A  COPY  OF
 ANY  SUCH  PERSONAL  DATA  IN  A  MANNER  UNDERSTANDABLE TO A REASONABLE
 CONSUMER WHEN REQUESTED; AND
   (B) PROVIDE THE CATEGORY OF EACH PROCESSOR OR THIRD PARTY TO WHOM  THE
 CONTROLLER  DISCLOSED, TRANSFERRED, OR SOLD THE CONSUMER'S PERSONAL DATA
 AND, FOR EACH CATEGORY OF PROCESSOR OR THIRD PARTY, (I)  THE  CATEGORIES
 OF  THE CONSUMER'S PERSONAL DATA DISCLOSED, TRANSFERRED, OR SOLD TO EACH
 PROCESSOR OR THIRD PARTY AND (II) THE PURPOSES FOR WHICH  EACH  CATEGORY
 OF  THE  CONSUMER'S PERSONAL DATA WAS DISCLOSED, TRANSFERRED, OR SOLD TO
 EACH PROCESSOR OR THIRD PARTY.
   5. RIGHT TO PORTABLE DATA.  UPON A VERIFIED REQUEST, AND TO THE EXTENT
 TECHNICALLY FEASIBLE, THE CONTROLLER MUST: (A) PROVIDE TO THE CONSUMER A
 COPY OF ALL OF, OR A PORTION OF, AS DESIGNATED IN  A  VERIFIED  REQUEST,
 THE  CONSUMER'S  PERSONAL  DATA  IN  A  STRUCTURED,  COMMONLY  USED  AND
 MACHINE-READABLE FORMAT AND (B) TRANSMIT THE DATA TO ANOTHER  PERSON  OF
 THE CONSUMER'S OR THEIR AGENT'S DESIGNATION WITHOUT HINDRANCE.
   6.  RIGHT  TO  CORRECT. (A) UPON THE VERIFIED REQUEST OF A CONSUMER OR
 THEIR AGENT, A CONTROLLER MUST CONDUCT  A  REASONABLE  INVESTIGATION  TO
 DETERMINE  WHETHER  PERSONAL  DATA, THE ACCURACY OF WHICH IS DISPUTED BY
 THE CONSUMER, IS INACCURATE, WITH SUCH  INVESTIGATION  TO  BE  CONCLUDED
 WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION NINE OF
 THIS SECTION.
   (B)  NOTWITHSTANDING  PARAGRAPH  (A) OF THIS SUBDIVISION, A CONTROLLER
 MAY TERMINATE AN INVESTIGATION INITIATED PURSUANT TO SUCH  PARAGRAPH  IF
 THE  CONTROLLER REASONABLY AND IN GOOD FAITH DETERMINES THAT THE DISPUTE
 BY THE CONSUMER IS WHOLLY WITHOUT MERIT, INCLUDING BY REASON OF A  FAIL-
 URE  BY  A CONSUMER TO PROVIDE SUFFICIENT INFORMATION TO INVESTIGATE THE
 DISPUTED PERSONAL DATA. UPON MAKING ANY DETERMINATION IN ACCORDANCE WITH
 THIS PARAGRAPH THAT A DISPUTE IS  WHOLLY  WITHOUT  MERIT,  A  CONTROLLER
 MUST,  WITHIN  THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION
 NINE OF THIS SECTION, PROVIDE THE AFFECTED CONSUMER A STATEMENT IN WRIT-
 ING THAT INCLUDES, AT A MINIMUM, THE SPECIFIC REASONS FOR  THE  DETERMI-
 NATION,  AND  IDENTIFICATION  OF ANY INFORMATION REQUIRED TO INVESTIGATE
 THE DISPUTED PERSONAL DATA, WHICH MAY CONSIST  OF  A  STANDARDIZED  FORM
 DESCRIBING THE GENERAL NATURE OF SUCH INFORMATION.
   (C)  IF,  AFTER ANY INVESTIGATION UNDER PARAGRAPH (A) OF THIS SUBDIVI-
 SION OF ANY PERSONAL DATA  DISPUTED  BY  A  CONSUMER,  AN  ITEM  OF  THE
 S. 6701--B                         11
 
 PERSONAL  DATA  IS  FOUND  TO  BE INACCURATE OR INCOMPLETE, OR CANNOT BE
 VERIFIED, THE CONTROLLER MUST:
   (I)  CORRECT THE INACCURATE OR INCOMPLETE PERSONAL DATA OF THE CONSUM-
 ER; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE  EFFORT,
 COMMUNICATE  SUCH  REQUEST  TO EACH PROCESSOR OR THIRD PARTY TO WHOM THE
 CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA WITHIN  ONE
 YEAR  PRECEDING  THE CONSUMER'S REQUEST, AND TO REQUIRE THOSE PROCESSORS
 OR THIRD PARTIES TO DO THE SAME FOR  ANY  FURTHER  PROCESSORS  OR  THIRD
 PARTIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (D)  IF  THE  INVESTIGATION DOES NOT RESOLVE THE DISPUTE, THE CONSUMER
 MAY FILE WITH THE CONTROLLER A BRIEF STATEMENT SETTING FORTH THE  NATURE
 OF THE DISPUTE. WHENEVER A STATEMENT OF A DISPUTE IS FILED, UNLESS THERE
 EXISTS  REASONABLE  GROUNDS  TO BELIEVE THAT IT IS WHOLLY WITHOUT MERIT,
 THE CONTROLLER MUST NOTE THAT IT IS DISPUTED BY THE CONSUMER AND INCLUDE
 EITHER THE CONSUMER'S STATEMENT OR A CLEAR AND ACCURATE CODIFICATION  OR
 SUMMARY   THEREOF  WITH  THE  DISPUTED  PERSONAL  DATA  WHENEVER  IT  IS
 DISCLOSED, TRANSFERRED, OR SOLD TO ANY PROCESSOR OR THIRD PARTY.
   7. RIGHT TO DELETE. (A) UPON THE VERIFIED REQUEST  OF  A  CONSUMER,  A
 CONTROLLER MUST:
   (I)  WITHIN  FORTY-FIVE  DAYS  AFTER  RECEIVING  THE VERIFIED REQUEST,
 DELETE ANY OR ALL OF THE CONSUMER'S PERSONAL DATA, AS  DIRECTED  BY  THE
 CONSUMER OR THEIR AGENT,  THAT THE CONTROLLER POSSESSES OR CONTROLS; AND
   (II)  UNLESS  IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT
 THAT IS DOCUMENTED  IN  WRITING  BY  THE  CONTROLLER,  COMMUNICATE  SUCH
 REQUEST  TO  EACH  PROCESSOR  OR  THIRD  PARTY  TO  WHOM  THE CONTROLLER
 DISCLOSED, TRANSFERRED OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECED-
 ING THE CONSUMER'S REQUEST AND TO  REQUIRE  THOSE  PROCESSORS  OR  THIRD
 PARTIES  TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD PARTIES THEY
 DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (B) FOR PERSONAL DATA THAT IS NOT POSSESSED BY THE CONTROLLER BUT BY A
 PROCESSOR OF THE CONTROLLER, THE CONTROLLER MAY CHOOSE TO  (I)  COMMUNI-
 CATE  THE  CONSUMER'S  REQUEST  FOR  DELETION  TO THE PROCESSOR, OR (II)
 REQUEST THAT THE PROCESSOR RETURN TO THE CONTROLLER  THE  PERSONAL  DATA
 THAT  IS  THE SUBJECT OF THE CONSUMER'S REQUEST AND DELETE SUCH PERSONAL
 DATA UPON RECEIPT OF THE REQUEST.
   (C) A CONSUMER'S DELETION OF THEIR ONLINE ACCOUNT MUST BE TREATED AS A
 REQUEST TO THE CONTROLLER TO DELETE  ALL  OF  THAT  CONSUMER'S  PERSONAL
 DATA.
   (D)  A  CONTROLLER  MUST  MAINTAIN  REASONABLE  PROCEDURES DESIGNED TO
 PREVENT THE REAPPEARANCE IN ITS SYSTEMS, AND IN ANY DATA  IT  DISCLOSES,
 TRANSFERS,  OR  SELLS TO ANY PROCESSOR OR THIRD PARTY, THE PERSONAL DATA
 THAT IS DELETED PURSUANT TO THIS SUBDIVISION.
   (E) A CONTROLLER IS NOT REQUIRED TO COMPLY WITH A  CONSUMER'S  REQUEST
 TO DELETE PERSONAL DATA IF:
   (I)  COMPLYING  WITH  THE  REQUEST  WOULD  PREVENT THE CONTROLLER FROM
 PERFORMING ACCOUNTING  FUNCTIONS,  PROCESSING  REFUNDS,  EFFECTUATING  A
 PRODUCT  RECALL PURSUANT TO FEDERAL OR STATE LAW, OR FULFILLING WARRANTY
 CLAIMS, PROVIDED THAT THE PERSONAL DATA  THAT  IS  THE  SUBJECT  OF  THE
 REQUEST IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH SPECIFIC ACTIV-
 ITIES; OR
   (II)  IT  IS  NECESSARY  FOR THE CONTROLLER TO MAINTAIN THE CONSUMER'S
 PERSONAL DATA TO ENGAGE IN PUBLIC OR PEER-REVIEWED  SCIENTIFIC,  HISTOR-
 ICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL
 OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE CONTROLLER'S DELETION
 OF  THE  INFORMATION  IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR
 S. 6701--B                         12
 
 THE ACHIEVEMENT OF SUCH RESEARCH, PROVIDED THAT THE CONSUMER  HAS  GIVEN
 INFORMED  CONSENT AND THE PERSONAL DATA IS NOT PROCESSED FOR ANY PURPOSE
 OTHER THAN SUCH RESEARCH.
   8. AUTOMATED DECISION-MAKING. (A) WHENEVER A CONTROLLER MAKES AN AUTO-
 MATED  DECISION  INVOLVING  SOLELY  AUTOMATED PROCESSING THAT MATERIALLY
 CONTRIBUTES TO A DENIAL  OF  FINANCIAL  OR  LENDING  SERVICES,  HOUSING,
 PUBLIC  ACCOMMODATION,  INSURANCE,  HEALTH  CARE  SERVICES, OR ACCESS TO
 BASIC NECESSITIES, SUCH AS FOOD AND WATER, OR PRODUCES LEGAL OR SIMILAR-
 LY SIGNIFICANT EFFECTS THE CONTROLLER MUST:
   (I) DISCLOSE IN A CLEAR,  CONSPICUOUS,  AND  CONSUMER-FRIENDLY  MANNER
 THAT THE DECISION WAS MADE BY A SOLELY AUTOMATED PROCESS;
   (II)  PROVIDE  AN AVENUE FOR THE AFFECTED CONSUMER TO APPEAL THE DECI-
 SION, WHICH MUST AT MINIMUM ALLOW THE AFFECTED CONSUMER TO (A)  FORMALLY
 CONTEST THE DECISION, (B) PROVIDE INFORMATION TO SUPPORT THEIR POSITION,
 AND (C) OBTAIN MEANINGFUL HUMAN REVIEW OF THE DECISION; AND
   (III) EXPLAIN THE PROCESS TO APPEAL THE DECISION.
   (B) A CONTROLLER MUST RESPOND TO A CONSUMER'S APPEAL WITHIN FORTY-FIVE
 DAYS  OF  RECEIPT  OF  THE  APPEAL.  THAT PERIOD MAY BE EXTENDED ONCE BY
 FORTY-FIVE ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING  INTO
 ACCOUNT THE COMPLEXITY AND NUMBER OF APPEALS. THE CONTROLLER MUST INFORM
 THE  CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT OF
 THE APPEAL, TOGETHER WITH THE REASONS FOR THE DELAY.
   (C) (I) A CONTROLLER OR PROCESSOR ENGAGED IN AUTOMATED DECISION-MAKING
 AFFECTING FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC  ACCOMMODATION,
 INSURANCE,  EDUCATION  ENROLLMENT,  EMPLOYMENT, HEALTH CARE SERVICES, OR
 ACCESS TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, OR PRODUCING  LEGAL
 OR OTHER SIMILARLY SIGNIFICANT EFFECTS OR ENGAGED IN ASSISTING OTHERS IN
 AUTOMATED  DECISION-MAKING  IN  THOSE  FIELDS,  MUST ANNUALLY CONDUCT AN
 IMPACT ASSESSMENT OF SUCH AUTOMATED DECISION-MAKING THAT:
   (A) DESCRIBES AND EVALUATES THE  OBJECTIVES  AND  DEVELOPMENT  OF  THE
 AUTOMATED  DECISION-MAKING  PROCESSES  INCLUDING THE DESIGN AND TRAINING
 DATA USED TO DEVELOP THE  AUTOMATED  DECISION-MAKING  PROCESS,  HOW  THE
 AUTOMATED  DECISION-MAKING  PROCESS  WAS  TESTED FOR ACCURACY, FAIRNESS,
 BIAS AND DISCRIMINATION; AND
   (B) ASSESSES WHETHER THE  AUTOMATED  DECISION-MAKING  SYSTEM  PRODUCES
 DISCRIMINATORY  RESULTS ON THE BASIS OF A CONSUMER'S OR CLASS OF CONSUM-
 ERS' ACTUAL OR PERCEIVED  RACE,  COLOR,  ETHNICITY,  RELIGION,  NATIONAL
 ORIGIN,  SEX,  GENDER,  GENDER  IDENTITY,  SEXUAL  ORIENTATION, FAMILIAL
 STATUS, BIOMETRIC INFORMATION, LAWFUL SOURCE OF  INCOME,  OR  DISABILITY
 AND  OUTLINES  MITIGATIONS  FOR  ANY  IDENTIFIED PERFORMANCE DIFFERENCES
 ACROSS RELEVANT GROUPS IMPACTED BY THE SYSTEM. SUCH  EVALUATIONS  SHOULD
 BE  CONDUCTED ON A SYSTEM PRIOR TO DEPLOYMENT, INCLUDING IN THE ENVIRON-
 MENT IN WHICH A SYSTEM IS GOING TO BE USED, AND THROUGHOUT THE LIFECYCLE
 OF A SYSTEM.
   (II) A CONTROLLER OR PROCESSOR MUST UTILIZE AN  EXTERNAL,  INDEPENDENT
 AUDITOR OR RESEARCHER TO CONDUCT SUCH ASSESSMENTS.
   (III)  A  CONTROLLER  OR  PROCESSOR  MUST MAKE PUBLICLY AVAILABLE IN A
 MANNER ACCESSIBLE ONLINE ALL IMPACT  ASSESSMENTS  PREPARED  PURSUANT  TO
 THIS SECTION, RETAIN ALL SUCH IMPACT ASSESSMENTS FOR AT LEAST SIX YEARS,
 AND  MAKE  ANY  SUCH RETAINED IMPACT ASSESSMENTS AVAILABLE TO ANY STATE,
 FEDERAL, OR LOCAL GOVERNMENT AUTHORITY UPON REQUEST.
   (IV) FOR PURPOSES OF THIS PARAGRAPH, THE LIMITATIONS TO JURISDICTIONAL
 SCOPE SET FORTH IN PARAGRAPHS (B) AND (C) OF SUBDIVISION TWO OF  SECTION
 ELEVEN HUNDRED ONE OF THIS ARTICLE SHALL NOT APPLY.
   9.  RESPONDING  TO  REQUESTS.  (A) A CONTROLLER MUST TAKE ACTION UNDER
 SUBDIVISIONS FOUR THROUGH SEVEN OF THIS SECTION AND INFORM THE  CONSUMER
 S. 6701--B                         13

 OF  ANY ACTIONS TAKEN WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-
 FIVE DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED ONCE BY
 FORTY-FIVE ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING  INTO
 ACCOUNT  THE  COMPLEXITY AND NUMBER OF THE REQUESTS. THE CONTROLLER MUST
 INFORM THE CONSUMER OF ANY SUCH  EXTENSION  WITHIN  FORTY-FIVE  DAYS  OF
 RECEIPT  OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHEN A
 CONTROLLER DENIES ANY SUCH REQUEST, IT MUST WITHIN THIS PERIOD  DISCLOSE
 TO  THE  CONSUMER A STATEMENT IN WRITING OF THE SPECIFIC REASONS FOR THE
 DENIAL.
   (B) A CONTROLLER SHALL PERMIT THE EXERCISE OF RIGHTS AND CARRY OUT ITS
 OBLIGATIONS SET FORTH IN SUBDIVISIONS FOUR THROUGH SEVEN OF THIS SECTION
 FREE OF CHARGE, AT LEAST TWICE ANNUALLY TO THE CONSUMER. WHERE  REQUESTS
 FROM  A  CONSUMER  ARE  MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR
 BECAUSE OF THEIR REPETITIVE CHARACTER, THE  CONTROLLER  MAY  EITHER  (I)
 CHARGE  A  REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING
 WITH THE REQUEST OR (II) REFUSE TO ACT ON THE  REQUEST  AND  NOTIFY  THE
 CONSUMER  OF  THE  REASON FOR REFUSING THE REQUEST. THE CONTROLLER BEARS
 THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE  CHAR-
 ACTER OF THE REQUEST.
   (C)  (I)  A  CONTROLLER  SHALL  PROMPTLY  ATTEMPT,  USING COMMERCIALLY
 REASONABLE EFFORTS, TO VERIFY THAT ALL REQUESTS TO EXERCISE  ANY  RIGHTS
 SET  FORTH  IN  ANY SECTION OF THIS ARTICLE REQUIRING A VERIFIED REQUEST
 WERE MADE BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, OR BY A PERSON
 LAWFULLY EXERCISING THE RIGHT ON BEHALF  OF  THE  CONSUMER  WHO  IS  THE
 SUBJECT OF THE DATA. COMMERCIALLY REASONABLE EFFORTS SHALL BE DETERMINED
 BASED  ON THE TOTALITY OF THE CIRCUMSTANCES, INCLUDING THE NATURE OF THE
 DATA IMPLICATED BY THE REQUEST.
   (II) A CONTROLLER MAY  REQUIRE  THE  CONSUMER  TO  PROVIDE  ADDITIONAL
 INFORMATION  ONLY  IF  THE REQUEST CANNOT REASONABLY BE VERIFIED WITHOUT
 THE PROVISION OF SUCH ADDITIONAL  INFORMATION.  A  CONTROLLER  MUST  NOT
 TRANSFER OR PROCESS ANY SUCH ADDITIONAL INFORMATION PROVIDED PURSUANT TO
 THIS  SECTION  FOR ANY OTHER PURPOSE AND MUST DELETE ANY SUCH ADDITIONAL
 INFORMATION WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-FIVE  DAYS
 AFTER  THE CONTROLLER HAS NOTIFIED THE CONSUMER THAT IT HAS TAKEN ACTION
 ON A REQUEST UNDER SUBDIVISIONS FOUR THROUGH SEVEN OF  THIS  SECTION  AS
 DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (III)  IF  A  CONTROLLER  DISCLOSES THIS ADDITIONAL INFORMATION TO ANY
 PROCESSOR OR THIRD  PARTY  FOR  THE  PURPOSE  OF  VERIFYING  A  CONSUMER
 REQUEST,  IT  MUST  NOTIFY THE RECEIVING PROCESSOR OR THIRD PARTY AT THE
 TIME OF SUCH DISCLOSURE, OR AS CLOSE IN TIME TO  THE  DISCLOSURE  AS  IS
 REASONABLY  PRACTICABLE,  THAT  SUCH  INFORMATION  WAS  PROVIDED  BY THE
 CONSUMER FOR THE SOLE PURPOSE OF VERIFICATION AND  CANNOT  BE  PROCESSED
 FOR ANY PURPOSE OTHER THAN VERIFICATION.
   10. IMPLEMENTATION OF RIGHTS. CONTROLLERS MUST PROVIDE EASILY ACCESSI-
 BLE  AND  CONVENIENT  MEANS FOR CONSUMERS TO EXERCISE THEIR RIGHTS UNDER
 THIS ARTICLE.
   11. NON-WAIVER OF RIGHTS. ANY PROVISION OF A CONTRACT OR AGREEMENT  OF
 ANY  KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S RIGHTS
 UNDER THIS ARTICLE IS CONTRARY TO PUBLIC POLICY AND IS  VOID  AND  UNEN-
 FORCEABLE.
   §  1103.   CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES. 1.
 CONTROLLER RESPONSIBILITIES. (A) DATA PROTECTION ASSESSMENT. A  CONTROL-
 LER  SHALL  REGULARLY  CONDUCT AND DOCUMENT A DATA PROTECTION ASSESSMENT
 FOR PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO  THE
 CONSUMER.  SUCH ASSESSMENT MUST IDENTIFY AND WEIGH THE BENEFITS THAT MAY
 FLOW, DIRECTLY AND INDIRECTLY, FROM THE PROCESSING  TO  THE  CONTROLLER,
 S. 6701--B                         14
 
 THE  CONSUMER,  OTHER STAKEHOLDERS, AND THE PUBLIC AGAINST THE POTENTIAL
 RISKS TO THE RIGHTS OF THE CONSUMER, OR CLASS OF  CONSUMERS,  ASSOCIATED
 WITH  THE PROCESSING, AS MITIGATED BY SAFEGUARDS THAT THE CONTROLLER CAN
 EMPLOY  TO  REDUCE  THE  RISKS.  THE  CONTROLLER  SHALL FACTOR INTO THIS
 ASSESSMENT THE USE OF DEIDENTIFIED DATA AND THE REASONABLE  EXPECTATIONS
 OF CONSUMERS, AS WELL AS THE CONTEXT OF THE PROCESSING AND THE RELATION-
 SHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE
 PROCESSED,  WITH  THE GOAL OF RESTRICTING OR PROHIBITING SUCH PROCESSING
 IF THE RISKS OF HARM TO THE CONSUMER  OUTWEIGH  THE  BENEFITS  RESULTING
 FROM THE PROCESSING TO THE CONSUMER.  PROCESSING THAT PRESENTS A HEIGHT-
 ENED RISK OF HARM TO THE CONSUMER INCLUDES THE FOLLOWING:
   (I) PROCESSING THAT MAY BENEFIT THE CONTROLLER TO THE DETRIMENT OF THE
 CONSUMER;
   (II)  PROCESSING  THAT  WOULD  BE UNEXPECTED AND HIGHLY OFFENSIVE TO A
 REASONABLE CONSUMER;
   (III) PROCESSING PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING;
   (IV) SALE OF PERSONAL DATA;
   (V) PROCESSING SENSITIVE DATA; AND
   (VI) PROCESSING OF PERSONAL DATA FOR PURPOSES OF PROFILING, WHERE SUCH
 PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF:
   (A) UNFAIR OR DECEPTIVE TREATMENT, OR UNLAWFUL  DISPARATE  IMPACT  ON,
 CONSUMERS OR A CLASS OF CONSUMERS;
   (B)  FINANCIAL,  PHYSICAL,  PSYCHOLOGICAL  OR  REPUTATIONAL  INJURY TO
 CONSUMERS, OR A CLASS OF CONSUMERS;
   (C) A PHYSICAL OR OTHERWISE INTRUSION UPON THE SOLITUDE OR  SECLUSION,
 OR  THE  PRIVATE AFFAIRS OR CONCERNS, OF CONSUMERS, WHERE SUCH INTRUSION
 WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR
   (D) OTHER SUBSTANTIAL INJURY TO CONSUMERS.
   (B) DUTY OF LOYALTY. (I) A CONTROLLER MUST  NOTIFY  THE  CONSUMER,  OR
 CLASS  OF  CONSUMERS,  OF  THE INTEREST THAT MAY BE HARMED IN ADVANCE OF
 REQUESTING CONSENT AND AS CLOSE IN TIME TO THE PROCESSING AS PRACTICABLE
 WHERE IT IS REASONABLY FORESEEABLE TO  THE  CONTROLLER  THAT  A  PROCESS
 PRESENTS  A  HEIGHTENED RISK OF HARM TO THE CONSUMER OR CLASS OF CONSUM-
 ERS.
   (II) CONTROLLERS MUST NOT ENGAGE IN UNFAIR, DECEPTIVE, OR ABUSIVE ACTS
 OR PRACTICES WITH RESPECT TO OBTAINING CONSUMER CONSENT, THE  PROCESSING
 OF  PERSONAL  DATA,  AND  A CONSUMER'S EXERCISE OF ANY RIGHTS UNDER THIS
 ARTICLE, INCLUDING WITHOUT LIMITATION:
   (A) DESIGNING A USER INTERFACE WITH THE PURPOSE OR SUBSTANTIAL  EFFECT
 OF  DECEIVING CONSUMERS, OBSCURING CONSUMERS' RIGHTS UNDER THIS ARTICLE,
 OR SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE; OR
   (B) OBTAINING CONSENT IN A MANNER DESIGNED TO OVERPOWER  A  CONSUMER'S
 RESISTANCE; FOR EXAMPLE, BY MAKING EXCESSIVE REQUESTS FOR CONSENT.
   (C)  DUTY  OF  CARE.  (I)  (A) CONTROLLERS MUST, ON AT LEAST AN ANNUAL
 BASIS, CONDUCT AND DOCUMENT RISK ASSESSMENTS OF ALL  CURRENT  PROCESSING
 OF PERSONAL DATA.
   (B) RISK ASSESSMENTS MUST ASSESS AT A MINIMUM:
   (I)  THE NATURE, SENSITIVITY AND CONTEXT OF THE PERSONAL DATA THAT THE
 CONTROLLER PROCESSES;
   (II) THE NATURE, PURPOSE, AND VALUE OF THE PROCESSES;
   (III) ANY RISKS OR HARMS TO CONSUMERS ACTUALLY OR POTENTIALLY  ARISING
 OUT  OF  THE PROCESSES, INCLUDING PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR
 REPUTATIONAL HARMS;
   (IV) THE ADEQUACY AND EFFECT OF SAFEGUARDS IMPLEMENTED BY THE CONTROL-
 LERS;
 S. 6701--B                         15
 
   (V) THE SUFFICIENCY  OF  THE  CONTROLLER'S  NOTICES  TO  CONSUMERS  AT
 DESCRIBING AND OBTAINING CONSENT CONCERNING THE PROCESSES; AND
   (VI)  THE  ADEQUACY  OF  THE  SAFEGUARDS  AND  MONITORING PRACTICES OF
 PROCESSORS AND  THIRD  PARTIES  TO  WHOM  THE  CONTROLLER  HAS  PROVIDED
 PERSONAL DATA.
   (C) THE CONTROLLER MUST RETAIN RISK ASSESSMENTS FOR AT LEAST SIX YEARS
 AND  MAKE  RISK  ASSESSMENTS  AVAILABLE  TO  THE  ATTORNEY  GENERAL UPON
 REQUEST.
   (II) CONTROLLERS MUST  DEVELOP,  IMPLEMENT,  AND  MAINTAIN  REASONABLE
 SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE
 PERSONAL DATA OF CONSUMERS INCLUDING ADOPTING REASONABLE ADMINISTRATIVE,
 TECHNICAL  AND  PHYSICAL SAFEGUARDS APPROPRIATE TO THE VOLUME AND NATURE
 OF THE PERSONAL DATA AT ISSUE.
   (III) (A) A CONTROLLER SHALL LIMIT THE USE AND RETENTION OF A  CONSUM-
 ER'S  PERSONAL  DATA TO WHAT IS (I) NECESSARY TO PROVIDE THE SERVICES OR
 GOODS REQUESTED BY THE CONSUMER, (II) NECESSARY FOR THE  INTERNAL  BUSI-
 NESS  OPERATIONS  OF  THE CONTROLLER AND CONSISTENT WITH THE DISCLOSURES
 MADE TO THE CONSUMER PURSUANT TO SECTION  ELEVEN  HUNDRED  TWO  OF  THIS
 ARTICLE,  OR (III) NECESSARY TO COMPLY WITH THE LEGAL OBLIGATIONS OF THE
 CONTROLLER.
   (B) AT LEAST ANNUALLY, A CONTROLLER SHALL REVIEW ITS  RETENTION  PRAC-
 TICES  FOR  THE  PURPOSE  OF ENSURING THAT IT IS MAINTAINING THE MINIMUM
 AMOUNT OF PERSONAL DATA AS IS NECESSARY FOR THE OPERATION OF  ITS  BUSI-
 NESS. A CONTROLLER MUST SECURELY DISPOSE OF ALL PERSONAL DATA THAT IS NO
 LONGER  (I)  NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER, (II) NECESSARY FOR THE INTERNAL  BUSINESS  OPERATIONS  OF  THE
 CONTROLLER  AND  CONSISTENT  WITH  THE  DISCLOSURES MADE TO THE CONSUMER
 PURSUANT TO SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR (III)  NECES-
 SARY TO COMPLY WITH THE LEGAL OBLIGATIONS OF THE CONTROLLER.
   (IV)  CONTROLLERS  SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN
 REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES  FOR  CIRCUMSTANCES  THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO  UPDATE  THEIR  CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE
 ACCORDINGLY.
   (D) NON-DISCRIMINATION. (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST
 A CONSUMER FOR EXERCISING RIGHTS UNDER THIS ARTICLE, INCLUDING  BUT  NOT
 LIMITED TO, BY:
   (A) DENYING SERVICES OR GOODS TO CONSUMERS;
   (B) CHARGING DIFFERENT PRICES FOR SERVICES OR GOODS, INCLUDING THROUGH
 THE USE OF DISCOUNTS OR OTHER BENEFITS; IMPOSING PENALTIES; OR PROVIDING
 A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR
   (C)  SUGGESTING  THAT  THE  CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
 RATE FOR SERVICES OR GOODS OR A DIFFERENT LEVEL OR QUALITY  OF  SERVICES
 OR GOODS.
   (II)  THIS  PARAGRAPH  DOES  NOT  APPLY TO A CONTROLLER'S CONDUCT WITH
 RESPECT TO OPT-IN CONSENT, IN WHICH CASE PARAGRAPH  (J)  OF  SUBDIVISION
 THREE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE GOVERNS.
   (E)  AGREEMENTS  WITH  PROCESSORS.  (I)  BEFORE MAKING ANY DISCLOSURE,
 TRANSFER, OR SALE OF PERSONAL DATA TO ANY PROCESSOR, THE CONTROLLER MUST
 ENTER INTO A WRITTEN, SIGNED CONTRACT WITH THAT PROCESSOR. SUCH CONTRACT
 MUST BE BINDING AND CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING  DATA,
 THE  NATURE AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROC-
 ESSING, THE DURATION OF PROCESSING, AND THE RIGHTS  AND  OBLIGATIONS  OF
 BOTH  PARTIES.  THE  CONTRACT  MUST  ALSO  INCLUDE REQUIREMENTS THAT THE
 PROCESSOR MUST:
 S. 6701--B                         16
 
   (A) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT  TO  A
 DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA;
   (B)  PROTECT  THE DATA IN A MANNER CONSISTENT WITH THE REQUIREMENTS OF
 THIS ARTICLE AND AT LEAST EQUAL TO  THE  SECURITY  REQUIREMENTS  OF  THE
 CONTROLLER  SET  FORTH IN THEIR PUBLICLY AVAILABLE POLICIES, NOTICES, OR
 SIMILAR STATEMENTS;
   (C) PROCESS THE DATA ONLY WHEN AND TO THE EXTENT NECESSARY  TO  COMPLY
 WITH ITS LEGAL OBLIGATIONS TO THE CONTROLLER UNLESS OTHERWISE EXPLICITLY
 AUTHORIZED BY THE CONTROLLER;
   (D) NOT COMBINE THE PERSONAL DATA WHICH THE PROCESSOR RECEIVES FROM OR
 ON  BEHALF  OF  THE  CONTROLLER  WITH  PERSONAL DATA WHICH THE PROCESSOR
 RECEIVES FROM OR ON BEHALF OF ANOTHER PERSON OR COLLECTS  FROM  ITS  OWN
 INTERACTION WITH CONSUMERS;
   (E)  COMPLY  WITH  ANY  EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION
 ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF  THE  CONTROLLER,
 SUBJECT  TO  THE LIMITATIONS SET FORTH IN SECTION ELEVEN HUNDRED FIVE OF
 THIS ARTICLE;
   (F) AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL  DATA
 TO  THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICES,
 UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;
   (G) UPON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE  AVAILABLE  TO
 THE  CONTROLLER  ALL DATA IN ITS POSSESSION NECESSARY TO DEMONSTRATE THE
 PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS ARTICLE;
   (H) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE  CONTROL-
 LER OR THE CONTROLLER'S DESIGNATED ASSESSOR; ALTERNATIVELY, THE PROCESS-
 OR  MAY  ARRANGE  FOR A QUALIFIED AND INDEPENDENT ASSESSOR TO CONDUCT AN
 ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECHNICAL AND  ORGANIZATIONAL
 MEASURES  IN  SUPPORT  OF  THE  OBLIGATIONS  UNDER THIS ARTICLE USING AN
 APPROPRIATE AND ACCEPTED CONTROL STANDARD OR  FRAMEWORK  AND  ASSESSMENT
 PROCEDURE  FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT OF
 SUCH ASSESSMENT TO THE CONTROLLER UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING THE
 DATA TO ANY FURTHER PROCESSORS, NOTIFY THE CONTROLLER OF SUCH A PROPOSED
 DISCLOSURE OR TRANSFER AND PROVIDE  THE  CONTROLLER  AN  OPPORTUNITY  TO
 APPROVE OR REJECT THE PROPOSAL; AND
   (J)  ENGAGE  ANY  FURTHER  PROCESSOR  PURSUANT  TO  A  WRITTEN, SIGNED
 CONTRACT THAT INCLUDES THE CONTRACTUAL  REQUIREMENTS  PROVIDED  IN  THIS
 PARAGRAPH, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE PROCESSOR
 HAS ENTERED INTO WITH REGARD TO THE DATA.
   (II)  A  CONTROLLER  MUST  NOT  AGREE  TO INDEMNIFY, DEFEND, OR HOLD A
 PROCESSOR HARMLESS, OR AGREE TO A  PROVISION  THAT  HAS  THE  EFFECT  OF
 INDEMNIFYING,  DEFENDING, OR HOLDING THE PROCESSOR HARMLESS, FROM CLAIMS
 OR LIABILITY  ARISING  FROM  THE  PROCESSOR'S  BREACH  OF  THE  CONTRACT
 REQUIRED  BY  CLAUSE  (A)  OF  SUBPARAGRAPH  (I)  OF THIS PARAGRAPH OR A
 VIOLATION OF THIS ARTICLE. ANY PROVISION OF AN AGREEMENT  THAT  VIOLATES
 THIS  SUBPARAGRAPH  IS  CONTRARY  TO PUBLIC POLICY AND IS VOID AND UNEN-
 FORCEABLE.
   (III) NOTHING IN THIS PARAGRAPH RELIEVES A CONTROLLER OR  A  PROCESSOR
 FROM THE LIABILITIES IMPOSED ON IT BY VIRTUE OF ITS ROLE IN THE PROCESS-
 ING RELATIONSHIP AS DEFINED BY THIS ARTICLE.
   (IV) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCES-
 SOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETER-
 MINATION  THAT  DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS TO BE
 PROCESSED. A PROCESSOR  THAT  CONTINUES  TO  ADHERE  TO  A  CONTROLLER'S
 INSTRUCTIONS  WITH  RESPECT  TO  A  SPECIFIC PROCESSING OF PERSONAL DATA
 REMAINS A PROCESSOR.
 S. 6701--B                         17
 
   (F) THIRD PARTIES. (I) A CONTROLLER MUST NOT SHARE,  DISCLOSE,  TRANS-
 FER,  OR  SELL  PERSONAL  DATA,  OR FACILITATE OR ENABLE THE PROCESSING,
 DISCLOSURE, TRANSFER, OR SALE TO A THIRD  PARTY  OF  PERSONAL  DATA  FOR
 WHICH A CONSUMER HAS EXERCISED THEIR OPT-OUT RIGHTS PURSUANT TO SUBDIVI-
 SION  TWO  OF  SECTION  ELEVEN HUNDRED TWO OF THIS ARTICLE, OR FOR WHICH
 CONSENT OF THE CONSUMER PURSUANT TO SUBDIVISION THREE OF SECTION  ELEVEN
 HUNDRED  TWO  OF THIS ARTICLE, HAS NOT BEEN OBTAINED OR IS NOT CURRENTLY
 IN EFFECT. ANY REQUEST FOR CONSENT TO SHARE, DISCLOSE, TRANSFER, OR SELL
 PERSONAL DATA, OR TO FACILITATE OR ENABLE  THE  PROCESSING,  DISCLOSURE,
 TRANSFER,  OR SALE OF PERSONAL DATA TO A THIRD PARTY OF PERSONAL DATA TO
 A THIRD PARTY MUST CLEARLY INCLUDE THE CATEGORY OF THE THIRD  PARTY  AND
 THE  PROCESSING  PURPOSES FOR WHICH THE THIRD PARTY MAY USE THE PERSONAL
 DATA.
   (II) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANSFER, OR SELL PERSONAL
 DATA, OR FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE,  TRANSFER,  OR
 SALE  TO  A THIRD PARTY OF PERSONAL DATA IF IT CAN REASONABLY EXPECT THE
 PERSONAL DATA OF A CONSUMER TO BE USED FOR PURPOSES FOR WHICH A CONSUMER
 HAS EXERCISED THEIR  OPT-OUT  RIGHTS  PURSUANT  TO  SUBDIVISION  TWO  OF
 SECTION  ELEVEN  HUNDRED  TWO OF THIS ARTICLE, OR FOR WHICH THE CONSUMER
 HAS NOT CONSENTED TO PURSUANT TO SUBDIVISION  THREE  OF  SECTION  ELEVEN
 HUNDRED  TWO  OF  THIS  ARTICLE, OR IF IT CAN REASONABLY EXPECT THAT ANY
 RIGHTS OF THE CONSUMER PROVIDED IN THIS ARTICLE WOULD BE COMPROMISED  AS
 A RESULT OF SUCH TRANSACTION.
   (III) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA
 TO  ANY  THIRD  PARTY,  THE CONTROLLER MUST ENTER INTO A WRITTEN, SIGNED
 CONTRACT. SUCH CONTRACT MUST BE  BINDING  AND  THE  SCOPE,  NATURE,  AND
 PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROCESSING, THE DURA-
 TION  OF  PROCESSING,  AND  THE  RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
 SUCH CONTRACT MUST INCLUDE REQUIREMENTS THAT THE THIRD PARTY:
   (A) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED  BY  THE  AGREEMENT
 ENTERED INTO WITH THE CONTROLLER; AND
   (B)  PROVIDE  A MECHANISM TO COMPLY WITH ANY EXERCISES OF A CONSUMER'S
 RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST
 OF THE CONTROLLER, SUBJECT TO ANY LIMITATIONS THEREON AS  AUTHORIZED  BY
 THIS ARTICLE; AND
   (C)  TO  THE  EXTENT THE DISCLOSURE, TRANSFER, OR SALE OF THE PERSONAL
 DATA CAUSES THE THIRD PARTY TO BECOME  A  CONTROLLER,  COMPLY  WITH  ALL
 OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE.
   2.  PROCESSOR  RESPONSIBILITIES.  (A)  FOR  ANY  PERSONAL DATA THAT IS
 OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE  ACQUIRED  BY  A  PROCESSOR,
 WHETHER DIRECTLY FROM A CONTROLLER OR INDIRECTLY FROM ANOTHER PROCESSOR,
 THE PROCESSOR MUST COMPLY WITH THE REQUIREMENTS SET FORTH IN CLAUSES (A)
 THROUGH  (J)  OF SUBPARAGRAPH (I) OF PARAGRAPH (E) OF SUBDIVISION ONE OF
 THIS SECTION.
   (B) A PROCESSOR IS NOT REQUIRED  TO  COMPLY  WITH  A  REQUEST  BY  THE
 CONSUMER  SUBMITTED  PURSUANT  TO THIS ARTICLE BY A CONSUMER DIRECTLY TO
 THE PROCESSOR TO THE EXTENT THAT THE PROCESSOR HAS PROCESSED THE CONSUM-
 ER'S PERSONAL DATA SOLELY IN ITS ROLE AS A PROCESSOR FOR A CONTROLLER.
   (C) PROCESSORS SHALL BE UNDER A CONTINUING  OBLIGATION  TO  ENGAGE  IN
 REASONABLE  MEASURES  TO  REVIEW THEIR ACTIVITIES FOR CIRCUMSTANCES THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO UPDATE THEIR CLASSIFICATIONS OF DATA AS  IDENTIFIED  OR  IDENTIFIABLE
 ACCORDINGLY.
   (D)  A  PROCESSOR  SHALL NOT ENGAGE IN ANY SALE OF PERSONAL DATA OTHER
 THAN ON BEHALF OF THE CONTROLLER PURSUANT TO ANY AGREEMENT ENTERED  INTO
 WITH THE CONTROLLER.
 S. 6701--B                         18
 
   3.  THIRD  PARTY  RESPONSIBILITIES.  (A) FOR ANY PERSONAL DATA THAT IS
 OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE ACQUIRED OR  ACCESSED  BY  A
 THIRD PARTY FROM A CONTROLLER OR PROCESSOR, THE THIRD PARTY MUST:
   (I)  PROCESS  THAT DATA ONLY TO THE EXTENT PERMITTED BY ANY AGREEMENTS
 ENTERED INTO WITH THE CONTROLLER;
   (II) COMPLY WITH ANY EXERCISES OF A CONSUMER'S  RIGHTS  UNDER  SECTION
 ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER OR
 PROCESSOR,  SUBJECT  TO  ANY  LIMITATIONS  THEREON AS AUTHORIZED BY THIS
 ARTICLE; AND
   (III) TO THE EXTENT THE THIRD PARTY BECOMES A CONTROLLER FOR  PERSONAL
 DATA,  COMPLY  WITH  ALL  OBLIGATIONS  IMPOSED ON CONTROLLERS UNDER THIS
 ARTICLE.
   4. EXCEPTIONS. THE REQUIREMENTS OF THIS SECTION SHALL NOT APPLY WHERE:
   (A) THE PROCESSING IS REQUIRED BY LAW;
   (B) THE PROCESSING IS MADE PURSUANT TO A REQUEST BY A FEDERAL,  STATE,
 OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR
   (C)  THE PROCESSING SIGNIFICANTLY ADVANCES PROTECTION AGAINST CRIMINAL
 OR TORTIOUS ACTIVITY.
   § 1104. DATA BROKERS. 1. A DATA BROKER, AS DEFINED UNDER THIS ARTICLE,
 MUST:
   (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING  A  YEAR  IN
 WHICH A PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE:
   (I) REGISTER WITH THE ATTORNEY GENERAL;
   (II)  PAY  A  REGISTRATION  FEE OF ONE HUNDRED DOLLARS OR AS OTHERWISE
 DETERMINED BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY  AUTHORITY
 GRANTED  TO  THE  ATTORNEY GENERAL UNDER THIS ARTICLE, NOT TO EXCEED THE
 REASONABLE COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND  INFOR-
 MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND
   (III) PROVIDE THE FOLLOWING INFORMATION:
   (A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS
 OF THE DATA BROKER;
   (B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF
 THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA
 BROKER;
   (C)  A STATEMENT DESCRIBING THE METHOD FOR EXERCISING CONSUMERS RIGHTS
 UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (D) A STATEMENT WHETHER THE DATA BROKER IMPLEMENTS A PURCHASER CREDEN-
 TIALING PROCESS; AND
   (E) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER  CHOOSES
 TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
   2. NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE, ANY CONTROLLER
 THAT CONDUCTS BUSINESS IN THE STATE OF NEW YORK MUST:
   (A)  ANNUALLY,  ON  OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN
 WHICH A PERSON MEETS THE DEFINITION OF CONTROLLER IN THIS  ACT,  PROVIDE
 TO THE ATTORNEY GENERAL A LIST OF ALL DATA BROKERS OR PERSONS REASONABLY
 BELIEVED  TO  BE  DATA BROKERS TO WHICH THE CONTROLLER PROVIDED PERSONAL
 DATA IN THE PRECEDING YEAR; AND
   (B) NOT SELL A  CONSUMER'S  PERSONAL  DATA  TO  AN  ENTITY  REASONABLY
 BELIEVED  TO  BE  A DATA BROKER THAT IS NOT REGISTERED WITH THE ATTORNEY
 GENERAL.
   3. THE ATTORNEY GENERAL SHALL ESTABLISH, MANAGE AND MAINTAIN A  STATE-
 WIDE  REGISTRY  ON ITS INTERNET WEBSITE, WHICH SHALL LIST ALL REGISTERED
 DATA BROKERS AND MAKE ACCESSIBLE  TO  THE  PUBLIC  ALL  THE  INFORMATION
 PROVIDED  BY  DATA BROKERS PURSUANT TO THIS SECTION. PRINTED HARD COPIES
 OF SUCH REGISTRY SHALL BE MADE AVAILABLE UPON REQUEST AND PAYMENT  OF  A
 FEE TO BE DETERMINED BY THE ATTORNEY GENERAL.
 S. 6701--B                         19
 
   4. A DATA BROKER THAT FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR
 SUBMITS  FALSE  INFORMATION  IN  ITS REGISTRATION IS, IN ADDITION TO ANY
 OTHER INJUNCTION, PENALTY, OR LIABILITY THAT MAY BE IMPOSED  UNDER  THIS
 ARTICLE,  LIABLE  FOR  CIVIL  PENALTIES,  FEES,  AND  COSTS IN AN ACTION
 BROUGHT  BY  THE ATTORNEY GENERAL AS FOLLOWS: (A) A CIVIL PENALTY OF ONE
 THOUSAND DOLLARS FOR EACH DAY THE  DATA  BROKER  FAILS  TO  REGISTER  AS
 REQUIRED  BY  THIS SECTION OR FAILS TO CORRECT FALSE INFORMATION, (B) AN
 AMOUNT EQUAL TO THE FEES THAT WERE DUE DURING THE PERIOD  IT  FAILED  TO
 REGISTER,  AND  (C)  EXPENSES  INCURRED  BY  THE ATTORNEY GENERAL IN THE
 INVESTIGATION AND PROSECUTION OF THE ACTION AS THE COURT DEEMS APPROPRI-
 ATE.
   § 1105. LIMITATIONS. 1. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER  OR
 PROCESSOR  TO  DO  ANY OF THE FOLLOWING SOLELY FOR PURPOSES OF COMPLYING
 WITH THIS ARTICLE:
   (A) REIDENTIFY DEIDENTIFIED DATA;
   (B) COMPLY WITH A VERIFIED CONSUMER REQUEST  TO  ACCESS,  CORRECT,  OR
 DELETE  PERSONAL  DATA  PURSUANT TO THIS ARTICLE IF ALL OF THE FOLLOWING
 ARE TRUE:
   (I) THE CONTROLLER  IS  NOT  REASONABLY  CAPABLE  OF  ASSOCIATING  THE
 REQUEST WITH THE PERSONAL DATA;
   (II)  THE  CONTROLLER  DOES NOT ASSOCIATE THE PERSONAL DATA WITH OTHER
 PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER AS  PART  OF  ITS  NORMAL
 BUSINESS PRACTICE; AND
   (III)  THE  CONTROLLER  DOES  NOT  SELL THE PERSONAL DATA TO ANY THIRD
 PARTY OR OTHERWISE VOLUNTARILY DISCLOSE OR TRANSFER THE PERSONAL DATA TO
 ANY PROCESSOR OR THIRD PARTY, EXCEPT  AS  OTHERWISE  PERMITTED  IN  THIS
 ARTICLE; OR
   (C)  MAINTAIN  PERSONAL DATA IN IDENTIFIABLE FORM, OR COLLECT, OBTAIN,
 RETAIN, OR ACCESS ANY PERSONAL DATA OR TECHNOLOGY, IN ORDER TO BE  CAPA-
 BLE OF ASSOCIATING A VERIFIED CONSUMER REQUEST WITH PERSONAL DATA.
   2.  THE  OBLIGATIONS  IMPOSED ON CONTROLLERS AND PROCESSORS UNDER THIS
 ARTICLE DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO DO  ANY
 OF  THE FOLLOWING, TO THE EXTENT THAT THE USE OF THE CONSUMER'S PERSONAL
 DATA IS REASONABLY NECESSARY AND PROPORTIONATE FOR THESE PURPOSES:
   (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS;
   (B) COMPLY WITH A CIVIL, CRIMINAL,  OR  REGULATORY  INQUIRY,  INVESTI-
 GATION,  SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERN-
 MENTAL AUTHORITIES;
   (C) COOPERATE WITH LAW  ENFORCEMENT  AGENCIES  CONCERNING  CONDUCT  OR
 ACTIVITY  THAT  THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH
 BELIEVES MAY VIOLATE FEDERAL, STATE, OR  LOCAL  LAWS,  RULES,  OR  REGU-
 LATIONS;
   (D)  INVESTIGATE,  ESTABLISH,  EXERCISE,  PREPARE FOR, OR DEFEND LEGAL
 CLAIMS;
   (E) PROCESS PERSONAL DATA NECESSARY TO PROVIDE THE SERVICES  OR  GOODS
 REQUESTED  BY  A CONSUMER; PERFORM A CONTRACT TO WHICH THE CONSUMER IS A
 PARTY; OR TAKE STEPS AT THE REQUEST OF THE CONSUMER  PRIOR  TO  ENTERING
 INTO A CONTRACT;
   (F) TAKE IMMEDIATE STEPS TO PROTECT THE LIFE OR PHYSICAL SAFETY OF THE
 CONSUMER  OR  OF ANOTHER NATURAL PERSON, AND WHERE THE PROCESSING CANNOT
 BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS;
   (G) PREVENT, DETECT, PROTECT AGAINST, OR  RESPOND  TO  SECURITY  INCI-
 DENTS,  IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIV-
 ITIES, OR ANY ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY  OR  SECURITY  OF
 SYSTEMS;  OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR ANY
 SUCH ACTION;
 S. 6701--B                         20
 
   (H) IDENTIFY AND REPAIR  TECHNICAL  ERRORS  THAT  IMPAIR  EXISTING  OR
 INTENDED FUNCTIONALITY; OR
   (I) PROCESS BUSINESS CONTACT INFORMATION, INCLUDING A NATURAL PERSON'S
 NAME,  POSITION  NAME  OR  TITLE,  BUSINESS  TELEPHONE  NUMBER, BUSINESS
 ADDRESS, BUSINESS ELECTRONIC MAIL ADDRESS, BUSINESS FAX NUMBER, OR QUAL-
 IFICATIONS AND ANY OTHER SIMILAR INFORMATION ABOUT THE NATURAL PERSON.
   3. THE OBLIGATIONS IMPOSED ON CONTROLLERS  OR  PROCESSORS  UNDER  THIS
 ARTICLE  DO  NOT  APPLY  WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR
 WITH THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW  YORK
 LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL
 DATA  CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVI-
 LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION.
   4. A CONTROLLER THAT RECEIVES A REQUEST PURSUANT TO SUBDIVISIONS  FOUR
 THROUGH  SEVEN  OF  SECTION  ELEVEN  HUNDRED  TWO  OF THIS ARTICLE, OR A
 PROCESSOR OR THIRD PARTY  TO  WHOM  A  CONTROLLER  COMMUNICATES  SUCH  A
 REQUEST, MAY DECLINE TO FULFILL THE RELEVANT PART OF SUCH REQUEST IF:
   (A)  THE CONTROLLER, PROCESSOR, OR THIRD PARTY IS UNABLE TO VERIFY THE
 REQUEST USING COMMERCIALLY REASONABLE EFFORTS, AS DESCRIBED IN PARAGRAPH
 (C) OF SUBDIVISION NINE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (B) COMPLYING WITH THE REQUEST WOULD BE DEMONSTRABLY  IMPOSSIBLE  (FOR
 PURPOSES  OF  THIS  PARAGRAPH, THE RECEIPT OF A LARGE NUMBER OF VERIFIED
 REQUESTS, ON ITS OWN, IS NOT SUFFICIENT  TO  RENDER  COMPLIANCE  WITH  A
 REQUEST DEMONSTRABLY IMPOSSIBLE);
   (C)  COMPLYING  WITH  THE  REQUEST WOULD IMPAIR THE PRIVACY OF ANOTHER
 INDIVIDUAL OR THE RIGHTS OF ANOTHER TO EXERCISE FREE SPEECH; OR
   (D) THE PERSONAL DATA WAS CREATED BY A NATURAL PERSON OTHER  THAN  THE
 CONSUMER  MAKING  THE  REQUEST AND IS BEING PROCESSED FOR THE PURPOSE OF
 FACILITATING INTERPERSONAL RELATIONSHIPS OR PUBLIC DISCUSSION.
   § 1106. ENFORCEMENT AND  PRIVATE  RIGHT  OF  ACTION.  1.  WHENEVER  IT
 APPEARS  TO  THE  ATTORNEY  GENERAL, EITHER UPON COMPLAINT OR OTHERWISE,
 THAT ANY PERSON OR PERSONS HAS ENGAGED IN OR IS ABOUT TO ENGAGE  IN  ANY
 OF  THE  ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE
 ATTORNEY GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN  THE  NAME
 AND  ON  BEHALF  OF  THE  PEOPLE  OF THE STATE OF NEW YORK TO ENJOIN ANY
 VIOLATION OF THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR  PROP-
 ERTY  OBTAINED  DIRECTLY  OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN
 DISGORGEMENT OF ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY  SUCH
 VIOLATION,  TO  OBTAIN CIVIL PENALTIES OF NOT MORE THAN FIFTEEN THOUSAND
 DOLLARS PER VIOLATION, AND TO OBTAIN ANY SUCH OTHER AND  FURTHER  RELIEF
 AS THE COURT MAY DEEM PROPER, INCLUDING PRELIMINARY RELIEF.
   (A)  ANY  ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS.
   (B)  EACH  INSTANCE  OF  UNLAWFUL  PROCESSING  COUNTS  AS  A  SEPARATE
 VIOLATION.  UNLAWFUL  PROCESSING  OF  THE PERSONAL DATA OF MORE THAN ONE
 CONSUMER COUNTS AS A  SEPARATE  VIOLATION  AS  TO  EACH  CONSUMER.  EACH
 PROVISION  OF  THIS  ARTICLE  THAT  IS  VIOLATED  COUNTS  AS  A SEPARATE
 VIOLATION.
   (C) IN ASSESSING THE AMOUNT OF PENALTIES, THE COURT MUST CONSIDER  ANY
 ONE  OR  MORE  OF  THE  RELEVANT  CIRCUMSTANCES  PRESENTED BY ANY OF THE
 PARTIES, INCLUDING, BUT NOT LIMITED TO, THE NATURE  AND  SERIOUSNESS  OF
 THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCON-
 DUCT,  THE  LENGTH OF TIME OVER WHICH THE MISCONDUCT OCCURRED, THE WILL-
 FULNESS OF THE  VIOLATOR'S  MISCONDUCT,  AND  THE  VIOLATOR'S  FINANCIAL
 CONDITION.
   2.  IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER
 THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND  MAKE
 S. 6701--B                         21
 
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE  WITH  THE  CIVIL PRACTICE LAW AND RULES.  THE ATTORNEY GENERAL MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT  AND  MAY  REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER OATH.  SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF ANY ACTION OR SPECIAL PROCEEDING  BROUGHT  BY  THE  ATTORNEY  GENERAL
 UNDER THIS ARTICLE.
   3.  ANY  PERSON, WITHIN OR OUTSIDE THE STATE, WHO THE ATTORNEY GENERAL
 BELIEVES MAY BE IN POSSESSION, CUSTODY, OR CONTROL OF ANY BOOKS, PAPERS,
 OR OTHER THINGS, OR MAY HAVE INFORMATION, RELEVANT TO ACTS OR  PRACTICES
 STATED  TO  BE  UNLAWFUL  IN THIS ARTICLE IS SUBJECT TO THE SERVICE OF A
 SUBPOENA ISSUED BY  THE  ATTORNEY  GENERAL  PURSUANT  TO  THIS  SECTION.
 SERVICE  MAY  BE  MADE IN ANY MANNER THAT IS AUTHORIZED FOR SERVICE OF A
 SUBPOENA OR A SUMMONS BY THE STATE IN WHICH SERVICE IS MADE.
   4. (A) FAILURE TO   COMPLY WITH A SUBPOENA  ISSUED  PURSUANT  TO  THIS
 SECTION  WITHOUT REASONABLE CAUSE TOLLS THE APPLICABLE STATUTES OF LIMI-
 TATIONS IN ANY ACTION OR SPECIAL  PROCEEDING  BROUGHT  BY  THE  ATTORNEY
 GENERAL  AGAINST THE NONCOMPLIANT PERSON THAT ARISES OUT OF THE ATTORNEY
 GENERAL'S INVESTIGATION.
   (B) IF A PERSON FAILS TO COMPLY WITH A  SUBPOENA  ISSUED  PURSUANT  TO
 THIS  SECTION,  THE  ATTORNEY  GENERAL  MAY MOVE IN THE SUPREME COURT TO
 COMPEL COMPLIANCE.  IF THE COURT FINDS THAT THE SUBPOENA WAS AUTHORIZED,
 IT SHALL ORDER COMPLIANCE AND MAY IMPOSE A CIVIL PENALTY OF UP  TO  FIVE
 HUNDRED DOLLARS PER DAY OF NONCOMPLIANCE.
   (C)  SUCH  TOLLING AND CIVIL PENALTY SHALL BE IN ADDITION TO ANY OTHER
 PENALTIES OR REMEDIES PROVIDED BY LAW FOR NONCOMPLIANCE WITH A SUBPOENA.
   5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL  UNDER
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL  NOT  SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER
 WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION  OR  CONDUCT
 ANY INQUIRY.
   6.  ANY  CONSUMER  WHO  HAS BEEN INJURED BY A VIOLATION OF SUBDIVISION
 TWO, THREE, EIGHT OR NINE OF SECTION ELEVEN HUNDRED TWO OF THIS  ARTICLE
 MAY  BRING  AN ACTION IN HIS OR HER OWN NAME TO ENJOIN SUCH UNLAWFUL ACT
 OR PRACTICE AND TO RECOVER HIS OR  HER  ACTUAL  DAMAGES  SUFFERED  AS  A
 RESULT  OF THE VIOLATION. THE COURT MAY ALSO AWARD REASONABLE ATTORNEYS'
 FEES TO A PREVAILING PLAINTIFF.  ACTIONS PURSUANT TO THIS SECTION MAY BE
 BROUGHT ON A CLASS-WIDE BASIS.
   § 1107. MISCELLANEOUS. 1. PREEMPTION: THIS  ARTICLE  DOES  NOT  ANNUL,
 ALTER,  OR  AFFECT  THE LAWS, ORDINANCES, REGULATIONS, OR THE EQUIVALENT
 ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING, COLLECTION, TRANS-
 FER, DISCLOSURE, AND SALE OF CONSUMERS' PERSONAL DATA BY A CONTROLLER OR
 PROCESSOR SUBJECT TO THIS ARTICLE, EXCEPT  TO  THE  EXTENT  THOSE  LAWS,
 ORDINANCES,  REGULATIONS, OR THE EQUIVALENT CREATE REQUIREMENTS OR OBLI-
 GATIONS THAT CONFLICT WITH OR REDUCE THE PROTECTIONS AFFORDED TO CONSUM-
 ERS UNDER THIS ARTICLE.
   2. IMPACT REPORT: THE ATTORNEY GENERAL SHALL ISSUE A REPORT EVALUATING
 THIS ARTICLE, ITS SCOPE, ANY COMPLAINTS FROM CONSUMERS OR  PERSONS,  THE
 LIABILITY  AND ENFORCEMENT PROVISIONS OF THIS ARTICLE INCLUDING, BUT NOT
 LIMITED TO, THE EFFECTIVENESS OF ITS EFFORTS TO  ENFORCE  THIS  ARTICLE,
 AND  ANY  RECOMMENDATIONS  FOR  CHANGES TO SUCH PROVISIONS. THE ATTORNEY
 GENERAL SHALL SUBMIT THE REPORT TO THE GOVERNOR, THE TEMPORARY PRESIDENT
 OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE APPROPRIATE  COMMIT-
 TEES  OF  THE LEGISLATURE WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS
 SECTION.
 S. 6701--B                         22
 
   3. REGULATORY AUTHORITY: (A) THE ATTORNEY GENERAL IS HEREBY AUTHORIZED
 AND EMPOWERED TO ADOPT, PROMULGATE, AMEND AND RESCIND SUITABLE RULES AND
 REGULATIONS TO CARRY OUT THE PROVISIONS OF THIS ARTICLE, INCLUDING RULES
 GOVERNING THE FORM AND CONTENT  OF  ANY  DISCLOSURES  OR  COMMUNICATIONS
 REQUIRED BY THIS ARTICLE.
   (B)  THE  ATTORNEY  GENERAL  MAY  REQUEST  DATA  AND  INFORMATION FROM
 CONTROLLERS CONDUCTING BUSINESS IN NEW YORK STATE, OTHER NEW YORK  STATE
 GOVERNMENT  ENTITIES  ADMINISTERING NOTICE AND CONSENT REGIMES, CONSUMER
 PROTECTION AND PRIVACY ADVOCATES  AND  RESEARCHERS,  INTERNET  STANDARDS
 SETTING  BODIES,  SUCH  AS  THE  INTERNET  ENGINEERING TASKFORCE AND THE
 INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS,  AND  OTHER  RELEVANT
 SOURCES,  TO  CONDUCT  STUDIES TO INFORM SUITABLE RULES AND REGULATIONS.
 THE ATTORNEY GENERAL SHALL RECEIVE, UPON REQUEST, DATA  FROM  OTHER  NEW
 YORK STATE GOVERNMENTAL ENTITIES.
   4.  EXERCISE  OF  RIGHTS: ANY CONSUMER RIGHT SET FORTH IN THIS ARTICLE
 MAY BE EXERCISED AT ANY TIME BY THE CONSUMER WHO IS THE SUBJECT  OF  THE
 DATA  OR  BY  A  PARENT OR GUARDIAN AUTHORIZED BY LAW TO TAKE ACTIONS OF
 LEGAL CONSEQUENCE ON BEHALF OF THE CONSUMER WHO IS THE  SUBJECT  OF  THE
 DATA. AN AGENT AUTHORIZED BY A CONSUMER MAY EXERCISE THE CONSUMER RIGHTS
 SET  FORTH  IN SUBDIVISIONS FOUR THROUGH SEVEN OF SECTION ELEVEN HUNDRED
 TWO OF THIS ARTICLE ON THE CONSUMERS BEHALF.
   § 4. This act shall take effect immediately; provided,  however,  that
 sections  1101,  1102, 1103, 1105, 1106 and 1107 of the general business
 law, as added by section three of this act, shall take effect two  years
 after it shall have become a law but the private right of action author-
 ized  by subdivision 6 of section 1106 of the general business law shall
 take effect three years after such section shall have become a law.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Senate Bill S6701B

Sponsored By

Archive: Last Bill Status - In Senate Committee Internet And Technology Committee

Feb 8, 2022 - Consumer Protection Committee Vote

Consumer Protection Committee Vote: Feb 8, 2022

May 18, 2021 - Consumer Protection Committee Vote

Consumer Protection Committee Vote: May 18, 2021

Bill Amendments

co-Sponsors

2021-S6701 - Details

2021-S6701 - Summary

2021-S6701 - Sponsor Memo

2021-S6701 - Bill Text download pdf

co-Sponsors

2021-S6701A - Details

2021-S6701A - Summary

2021-S6701A - Sponsor Memo

2021-S6701A - Bill Text download pdf

co-Sponsors

2021-S6701B (ACTIVE) - Details

2021-S6701B (ACTIVE) - Summary

2021-S6701B (ACTIVE) - Sponsor Memo

2021-S6701B (ACTIVE) - Bill Text download pdf

Comments

Senate Bill S6701B

Share this bill

Sponsored By

Archive: Last Bill Status - In Senate Committee Internet And Technology Committee

Bill Amendments

co-Sponsors

2021-S6701 - Details

2021-S6701 - Summary

2021-S6701 - Sponsor Memo

2021-S6701 - Bill Text download pdf

co-Sponsors

2021-S6701A - Details

2021-S6701A - Summary

2021-S6701A - Sponsor Memo

2021-S6701A - Bill Text download pdf

co-Sponsors

2021-S6701B (ACTIVE) - Details

2021-S6701B (ACTIVE) - Summary

2021-S6701B (ACTIVE) - Sponsor Memo

2021-S6701B (ACTIVE) - Bill Text download pdf

Comments