NY State Assembly Bill 2023-A10392

Assembly Bill A10392

2023-2024 Legislative Session

Prohibits sharing or selling personal data to third parties by government entities and contractors

download bill text pdf

Current Bill Status - In Assembly Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

	Assembly Actions - Lowercase Senate Actions - UPPERCASE
May 21, 2024	referred to governmental operations

co-Sponsors

2023-A10392 (ACTIVE) - Details

Current Committee:: Assembly Governmental Operations
Law Section:: Executive Law
Laws Affected:: Add Art 5-A §§81 - 84, Exec L

2023-A10392 (ACTIVE) - Summary

Prohibits sharing or selling personal data to third parties by government entities and contractors.

2023-A10392 (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   10392
 
                           I N  A S S E M B L Y
 
                               May 21, 2024
                                ___________
 
 Introduced  by  COMMITTEE  ON  RULES  --  (at request of M. of A. Rozic,
   Jensen) -- read once and referred to  the  Committee  on  Governmental
   Operations
 
 AN ACT to amend the executive law, in relation to prohibiting sharing or
   selling  personal  data  to  third  parties by government entities and
   contractors
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The executive law is amended by adding a new article 5-A to
 read as follows:
                                 ARTICLE 5-A
                   SHARING AND SELLING OF PERSONAL DATA
 SECTION 81. DEFINITIONS.
         82. DATA COLLECTION DISCLOSURE.
         83. SHARING AND SELLING OF PERSONAL INFORMATION PROHIBITED.
         84. LIMITATION ON RESTRICTIONS.
   §  81. DEFINITIONS. AS USED IN THIS ARTICLE, THE FOLLOWING TERMS SHALL
 HAVE THE FOLLOWING MEANINGS UNLESS OTHERWISE SPECIFIED:
   1.  "AGGREGATE  PERSONAL  INFORMATION"  SHALL  MEAN  INFORMATION  THAT
 RELATES  TO  A  GROUP  OR CATEGORY OF INDIVIDUALS, FROM WHICH INDIVIDUAL
 IDENTITIES HAVE BEEN REMOVED, THAT IS NOT LINKED OR REASONABLY  LINKABLE
 TO  ANY  INDIVIDUAL  OR  HOUSEHOLD,  INCLUDING  VIA A DEVICE. "AGGREGATE
 PERSONAL INFORMATION" SHALL NOT MEAN ONE OR  MORE  INDIVIDUAL'S  RECORDS
 THAT HAVE BEEN DEIDENTIFIED.
   2.  "COLLECTS",  "COLLECTED",  OR  "COLLECTION"  SHALL MEAN GATHERING,
 OBTAINING, RECEIVING, OR ACCESSING ANY PERSONAL  INFORMATION  PERTAINING
 TO  AN INDIVIDUAL BY ANY MEANS. THIS INCLUDES RECEIVING INFORMATION FROM
 SUCH INDIVIDUAL EITHER ACTIVELY OR PASSIVELY.
   3. "CONTRACTOR" MEANS A CONTRACTOR, OR SUBCONTRACTOR OF A  CONTRACTOR,
 THAT  CONTRACTS  TO PROCESS INFORMATION ON BEHALF OF A GOVERNMENT ENTITY
 AND TO WHICH SUCH GOVERNMENT ENTITY DISCLOSES AN  INDIVIDUAL'S  PERSONAL
 INFORMATION  FOR  A  LEGITIMATE GOVERNMENT PURPOSE PURSUANT TO A WRITTEN
 CONTRACT, PROVIDED THAT  SUCH  CONTRACT  PROHIBITS  SUCH  CONTRACTOR  OR
 SUBCONTRACTOR RECEIVING SUCH PERSONAL INFORMATION FROM RETAINING, USING,
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD15346-01-4
 A. 10392                            2
 
 OR  DISCLOSING  SUCH PERSONAL INFORMATION FOR ANY PURPOSE OTHER THAN FOR
 THE SPECIFIC PURPOSE  OF  PERFORMING  THE  SERVICES  SPECIFIED  IN  SUCH
 CONTRACT,  OR  AS OTHERWISE PERMITTED BY THIS ARTICLE, INCLUDING RETAIN-
 ING,  USING,  OR  DISCLOSING  SUCH PERSONAL INFORMATION FOR A COMMERCIAL
 PURPOSE OTHER THAN PROVIDING THE SERVICES SPECIFIED IN THE CONTRACT.
   4. "DEIDENTIFIED" SHALL MEAN INFORMATION THAT CANNOT REASONABLY  IDEN-
 TIFY,  RELATE  TO,  DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE
 LINKED TO, DIRECTLY OR INDIRECTLY,  A  PARTICULAR  INDIVIDUAL,  PROVIDED
 THAT A GOVERNMENT ENTITY THAT USES SUCH DEIDENTIFIED INFORMATION:
   (A)  HAS  IMPLEMENTED TECHNICAL SAFEGUARDS AND PROCESSES THAT PROHIBIT
 REIDENTIFICATION OF THE INDIVIDUAL TO WHOM SUCH INFORMATION MAY PERTAIN;
   (B) HAS  IMPLEMENTED  PROCESSES  TO  PREVENT  INADVERTENT  RELEASE  OF
 DEIDENTIFIED INFORMATION; AND
   (C) MAKES NO ATTEMPT TO REIDENTIFY SUCH INFORMATION.
   5. "DEVICE" SHALL MEAN ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECT-
 ING TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE.
   6.  "GOVERNMENT ENTITY" OR "ENTITY" SHALL MEAN ANY STATE AGENCY OR ANY
 PART, BODY, OR SUBDIVISION THEREOF.
   7. "INDIVIDUAL" SHALL MEAN A PERSON WHO IS  A  RESIDENT  OF  NEW  YORK
 STATE.
   8.  (A) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT IDENTIFIES,
 RELATES TO, DESCRIBES, IS CAPABLE OF BEING  ASSOCIATED  WITH,  OR  COULD
 REASONABLY BE LINKED TO, DIRECTLY OR INDIRECTLY, A PARTICULAR INDIVIDUAL
 OR  HOUSEHOLD. PERSONAL INFORMATION INCLUDES, BUT IS NOT LIMITED TO, THE
 FOLLOWING:
   (I) IDENTIFIERS SUCH AS A REAL NAME,  ALIAS,  POSTAL  ADDRESS,  UNIQUE
 PERSONAL  IDENTIFIER,  INTERNET  PROTOCOL ADDRESS, EMAIL ADDRESS, SOCIAL
 SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT  NUMBER,  PHOTOGRAPH,
 OR OTHER SIMILAR IDENTIFIERS;
   (II)  CHARACTERISTICS  OF  PROTECTED CLASSIFICATIONS UNDER NEW YORK OR
 FEDERAL LAW;
   (III) COMMERCIAL INFORMATION, INCLUDING RECORDS OF  REAL  OR  PERSONAL
 PROPERTY;
   (IV) BIOMETRIC INFORMATION;
   (V) AUDIO, ELECTRONIC, VISUAL, OR SIMILAR INFORMATION;
   (VI) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
   (VII)  EDUCATION  INFORMATION,  DEFINED  AS  INFORMATION  THAT  IS NOT
 PUBLICLY AVAILABLE PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN THE
 FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (20 USC 1232G);
   (VIII) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED IN THIS
 PARAGRAPH TO CREATE A PROFILE ABOUT AN INDIVIDUAL REFLECTING SUCH  INDI-
 VIDUAL'S PREFERENCES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS, PREDISPOSI-
 TIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND APTITUDES; AND
   (IX) FINANCIAL OR TAX INFORMATION.
   (B) "PERSONAL INFORMATION" SHALL NOT INCLUDE PUBLICLY AVAILABLE INFOR-
 MATION.  FOR THESE PURPOSES, "PUBLICLY AVAILABLE" SHALL MEAN INFORMATION
 THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT
 RECORDS, OR ANY CONDITIONS ASSOCIATED WITH SUCH INFORMATION.   "PUBLICLY
 AVAILABLE" SHALL NOT INCLUDE AN INDIVIDUAL'S INFORMATION THAT IS DEIDEN-
 TIFIED OR AGGREGATE PERSONAL INFORMATION.
   9.  "PROBABILISTIC  IDENTIFIER"  SHALL  MEAN  THE IDENTIFICATION OF AN
 INDIVIDUAL OR A DEVICE TO A DEGREE OF CERTAINTY OF  MORE  PROBABLE  THAN
 NOT  BASED  ON  ANY  CATEGORIES  OF PERSONAL INFORMATION INCLUDED IN, OR
 SIMILAR TO, THE CATEGORIES  ENUMERATED  IN  SUBDIVISION  EIGHT  OF  THIS
 SECTION.
 A. 10392                            3
 
   10. "PROCESS" OR "PROCESSING" SHALL MEAN ANY OPERATION OR SET OF OPER-
 ATIONS  THAT ARE PERFORMED ON PERSONAL DATA OR ON SETS OF PERSONAL DATA,
 WHETHER OR NOT BY AUTOMATED MEANS.
   11. (A) "SELL", "SELLING", "SALE", OR "SOLD" SHALL MEAN SELLING, RENT-
 ING,  RELEASING,  DISCLOSING,  DISSEMINATING,  MAKING  AVAILABLE, TRANS-
 FERRING, OR OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC
 OR OTHER MEANS, AN INDIVIDUAL'S PERSONAL  INFORMATION  BY  A  GOVERNMENT
 ENTITY  OR  CONTRACTOR  TO  A THIRD PARTY FOR MONETARY OR OTHER VALUABLE
 CONSIDERATION.
   (B) A GOVERNMENT ENTITY OR CONTRACTOR DOES NOT SELL PERSONAL  INFORMA-
 TION WITHIN THE MEANING OF THIS ARTICLE WHEN:
   (I) AN INDIVIDUAL USES OR DIRECTS SUCH GOVERNMENT ENTITY OR CONTRACTOR
 TO  INTENTIONALLY  DISCLOSE  PERSONAL  INFORMATION  TO  A  THIRD  PARTY,
 PROVIDED SUCH THIRD PARTY ALSO DOES NOT SELL SUCH PERSONAL  INFORMATION,
 UNLESS  SUCH  DISCLOSURE WOULD BE CONSISTENT WITH THE PROVISIONS OF THIS
 ARTICLE.
   (II) SUCH GOVERNMENT ENTITY OR CONTRACTOR USES OR SHARES WITH A  THIRD
 PARTY PERSONAL INFORMATION OF AN INDIVIDUAL THAT IS NECESSARY TO PERFORM
 A  LEGITIMATE GOVERNMENT PURPOSE IF BOTH OF THE FOLLOWING CONDITIONS ARE
 MET:
   (1) THE GOVERNMENT ENTITY  OR  CONTRACTOR  HAS  PROVIDED  NOTICE  THAT
 INFORMATION IS BEING USED OR SHARED; AND
   (2)  THE  THIRD  PARTY  DOES  NOT  FURTHER  COLLECT,  SELL, OR USE THE
 PERSONAL INFORMATION OF SUCH INDIVIDUAL EXCEPT AS NECESSARY  TO  PERFORM
 THE BUSINESS PURPOSE FOR WHICH IT RECEIVED SUCH INFORMATION.
   (III)  A  CONTRACTOR  WHO  TRANSFERS  TO A THIRD PARTY AN INDIVIDUAL'S
 PERSONAL INFORMATION AS AN ASSET THAT IS PART OF A MERGER,  ACQUISITION,
 BANKRUPTCY, OR OTHER TRANSACTION IN WHICH SUCH CONTRACTOR OR THIRD PARTY
 ASSUMES  CONTROL  OF  ALL OR PART OF SUCH THIRD PARTY PROVIDED THAT SUCH
 INFORMATION IS USED OR SHARED CONSISTENTLY WITH THIS ARTICLE. IF A THIRD
 PARTY MATERIALLY ALTERS HOW IT USES OR SHARES PERSONAL INFORMATION OF AN
 INDIVIDUAL IN A MANNER THAT IS MATERIALLY INCONSISTENT WITH THE PROMISES
 MADE AT THE TIME OF COLLECTION, IT SHALL PROVIDE PRIOR NOTICE OF THE NEW
 OR CHANGED PRACTICE TO SUCH INDIVIDUAL. SUCH NOTICE SHALL BE SUFFICIENT-
 LY PROMINENT AND ROBUST TO ENSURE THAT INDIVIDUALS CAN  EASILY  EXERCISE
 THEIR CHOICES CONSISTENTLY WITH SECTION EIGHTY-THREE OF THIS ARTICLE.
   12.  "SERVICE"  OR  "SERVICES"  SHALL  MEAN WORK, LABOR, AND SERVICES,
 INCLUDING SERVICES FURNISHED IN CONNECTION WITH THE SALE  OR  REPAIR  OF
 GOODS.
   13.  "THIRD  PARTY"  SHALL MEAN A PERSON OR BUSINESS ENTITY WHO IS NOT
 ANOTHER GOVERNMENT ENTITY OR CONTRACTOR THEREOF.
   14. "UNIQUE IDENTIFIER" OR "UNIQUE PERSONAL IDENTIFIER" SHALL  MEAN  A
 PERSISTENT  IDENTIFIER  THAT  CAN  BE USED TO RECOGNIZE AN INDIVIDUAL, A
 FAMILY, OR A DEVICE THAT IS LINKED TO AN INDIVIDUAL OR FAMILY, OVER TIME
 AND ACROSS DIFFERENT SERVICES, INCLUDING, BUT NOT LIMITED TO,  A  DEVICE
 IDENTIFIER;  AN INTERNET PROTOCOL ADDRESS; COOKIES, BEACONS, PIXEL TAGS,
 OR SIMILAR  TECHNOLOGY;  UNIQUE  PSEUDONYM,  OR  USER  ALIAS;  TELEPHONE
 NUMBERS,  OR OTHER FORMS OF PERSISTENT OR PROBABILISTIC IDENTIFIERS THAT
 CAN BE USED TO IDENTIFY A PARTICULAR INDIVIDUAL OR DEVICE. FOR  PURPOSES
 OF  THIS  SUBDIVISION, "FAMILY" MEANS A CUSTODIAL PARENT OR GUARDIAN AND
 ANY MINOR CHILDREN OVER WHICH SUCH PARENT OR GUARDIAN HAS CUSTODY.
   § 82. DATA COLLECTION DISCLOSURE. 1. A GOVERNMENT ENTITY OR CONTRACTOR
 THAT COLLECTS AN INDIVIDUAL'S PERSONAL INFORMATION SHALL, AT  OR  BEFORE
 THE  POINT OF COLLECTION, INFORM SUCH INDIVIDUAL AS TO THE CATEGORIES OF
 PERSONAL INFORMATION TO BE COLLECTED AND THE  PURPOSES  FOR  WHICH  SUCH
 CATEGORIES OF PERSONAL INFORMATION SHALL BE USED. A GOVERNMENT ENTITY OR
 A. 10392                            4
 
 CONTRACTOR  SHALL NOT COLLECT ADDITIONAL CATEGORIES OF PERSONAL INFORMA-
 TION OR USE PERSONAL INFORMATION COLLECTED FOR ADDITIONAL PURPOSES WITH-
 OUT PROVIDING SUCH INDIVIDUAL WITH NOTICE CONSISTENT WITH THIS ARTICLE.
   2.  THIS  SECTION  SHALL NOT REQUIRE A GOVERNMENT ENTITY OR CONTRACTOR
 TO:
   (A) RETAIN ANY PERSONAL INFORMATION COLLECTED FOR A  SINGLE,  ONE-TIME
 TRANSACTION  IF  SUCH  INFORMATION  IS  NOT  SHARED  OR RETAINED BY SUCH
 GOVERNMENT ENTITY OR CONTRACTOR; OR
   (B) REIDENTIFY OR OTHERWISE LINK INFORMATION THAT IS NOT MAINTAINED IN
 A MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION.
   § 83. SHARING AND SELLING OF PERSONAL INFORMATION  PROHIBITED.  1.  NO
 GOVERNMENT  ENTITY  OR  CONTRACTOR SHALL SHARE ANY INDIVIDUAL'S PERSONAL
 INFORMATION WITH A CONTRACTOR OR SUBCONTRACTOR UNLESS  SUCH  INFORMATION
 IS CRUCIAL TO THE PURPOSE FOR WHICH SUCH GOVERNMENT ENTITY OR CONTRACTOR
 HAS CONTRACTED SUCH CONTRACTOR OR SUBCONTRACTOR'S SERVICES.
   2.  NO  GOVERNMENT  ENTITY  OR CONTRACTOR SHALL SHARE ANY INDIVIDUAL'S
 PERSONAL INFORMATION WITH ANOTHER GOVERNMENT ENTITY OR CONTRACTOR UNLESS
 SUCH INFORMATION IS CRUCIAL TO THE PERFORMANCE OF SUCH OTHER  GOVERNMENT
 ENTITY  OR  CONTRACTOR'S  DUTIES,  AND  SUCH  OTHER GOVERNMENT ENTITY OR
 CONTRACTOR CANNOT PROCURE SUCH PERSONAL INFORMATION ON ITS  OWN  WITHOUT
 SERIOUS HARDSHIP.
   3.  NO GOVERNMENT ENTITY OR CONTRACTOR SHALL SELL PERSONAL INFORMATION
 ABOUT AN INDIVIDUAL.
   § 84. LIMITATION  ON  RESTRICTIONS.  1.  THE  OBLIGATIONS  IMPOSED  ON
 GOVERNMENT  ENTITIES  AND CONTRACTORS BY THIS ARTICLE SHALL NOT RESTRICT
 ANY GOVERNMENT ENTITY OR CONTRACTOR'S ABILITY TO:
   (A) OTHERWISE COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
   (B) COMPLY WITH A CIVIL, CRIMINAL,  OR  REGULATORY  INQUIRY,  INVESTI-
 GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, OR LOCAL AUTHORITIES;
   (C)  COMPLY  WITH A REQUEST MADE UNDER THE FREEDOM OF INFORMATION LAW;
 OR
   (D) EXERCISE OR DEFEND LEGAL CLAIMS.
   2. THIS ARTICLE SHALL NOT APPLY TO THE SALE OF PERSONAL INFORMATION TO
 OR FROM A CONSUMER  REPORTING  AGENCY  IF  SUCH  INFORMATION  IS  TO  BE
 REPORTED  IN,  OR  USED TO GENERATE, A CONSUMER REPORT AS DEFINED BY THE
 FEDERAL FAIR CREDIT REPORTING ACT (15 USC 1681), AND USE OF THAT  INFOR-
 MATION IS LIMITED BY SUCH ACT.
   3.  A  GOVERNMENT  ENTITY  THAT  DISCLOSES  PERSONAL  INFORMATION TO A
 CONTRACTOR SHALL NOT BE LIABLE UNDER THIS  ARTICLE  IF  SUCH  CONTRACTOR
 USES  SUCH  PERSONAL  INFORMATION  IN  VIOLATION OF THE RESTRICTIONS SET
 FORTH IN THIS ARTICLE, PROVIDED THAT, AT THE  TIME  OF  DISCLOSING  SUCH
 PERSONAL  INFORMATION, SUCH GOVERNMENT ENTITY DOES NOT HAVE ACTUAL KNOW-
 LEDGE OR REASON TO BELIEVE THAT SUCH CONTRACTOR INTENDS TO COMMIT SUCH A
 VIOLATION. NO CONTRACTOR SHALL BE LIABLE  UNDER  THIS  ARTICLE  FOR  THE
 OBLIGATIONS OF A GOVERNMENT ENTITY FOR WHICH IT PROVIDES SERVICES AS SET
 FORTH IN THIS ARTICLE.
   4.  THIS ARTICLE SHALL NOT BE CONSTRUED TO REQUIRE A GOVERNMENT ENTITY
 TO REIDENTIFY OR OTHERWISE LINK INFORMATION THAT IS NOT MAINTAINED IN  A
 MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION.
   5.  THE  RIGHTS AFFORDED TO INDIVIDUALS AND THE OBLIGATIONS IMPOSED ON
 GOVERNMENT ENTITIES AND CONTRACTORS BY THIS ARTICLE SHALL NOT  ADVERSELY
 AFFECT THE RIGHTS AND FREEDOMS OF ANY OTHER PERSON.
   §  2. This act shall take effect one year after it shall have become a
 law.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Assembly Bill A10392

Share this bill

Sponsored By

ROZIC