STATE OF NEW YORK
________________________________________________________________________
10392
IN ASSEMBLY
May 21, 2024
___________
Introduced by COMMITTEE ON RULES -- (at request of M. of A. Rozic,
Jensen) -- read once and referred to the Committee on Governmental
Operations
AN ACT to amend the executive law, in relation to prohibiting sharing or
selling personal data to third parties by government entities and
contractors
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND
ASSEMBLY, DO ENACT AS FOLLOWS:
Section 1. The executive law is amended by adding a new article 5-A to
read as follows:
ARTICLE 5-A
SHARING AND SELLING OF PERSONAL DATA
SECTION 81. DEFINITIONS.
82. DATA COLLECTION DISCLOSURE.
83. SHARING AND SELLING OF PERSONAL INFORMATION PROHIBITED.
84. LIMITATION ON RESTRICTIONS.
§ 81. DEFINITIONS. AS USED IN THIS ARTICLE, THE FOLLOWING TERMS SHALL
HAVE THE FOLLOWING MEANINGS UNLESS OTHERWISE SPECIFIED:
1. "AGGREGATE PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT
RELATES TO A GROUP OR CATEGORY OF INDIVIDUALS, FROM WHICH INDIVIDUAL
IDENTITIES HAVE BEEN REMOVED, THAT IS NOT LINKED OR REASONABLY LINKABLE
TO ANY INDIVIDUAL OR HOUSEHOLD, INCLUDING VIA A DEVICE. "AGGREGATE
PERSONAL INFORMATION" SHALL NOT MEAN ONE OR MORE INDIVIDUAL'S RECORDS
THAT HAVE BEEN DEIDENTIFIED.
2. "COLLECTS", "COLLECTED", OR "COLLECTION" SHALL MEAN GATHERING,
OBTAINING, RECEIVING, OR ACCESSING ANY PERSONAL INFORMATION PERTAINING
TO AN INDIVIDUAL BY ANY MEANS. THIS INCLUDES RECEIVING INFORMATION FROM
SUCH INDIVIDUAL EITHER ACTIVELY OR PASSIVELY.
3. "CONTRACTOR" MEANS A CONTRACTOR, OR SUBCONTRACTOR OF A CONTRACTOR,
THAT CONTRACTS TO PROCESS INFORMATION ON BEHALF OF A GOVERNMENT ENTITY
AND TO WHICH SUCH GOVERNMENT ENTITY DISCLOSES AN INDIVIDUAL'S PERSONAL
INFORMATION FOR A LEGITIMATE GOVERNMENT PURPOSE PURSUANT TO A WRITTEN
CONTRACT, PROVIDED THAT SUCH CONTRACT PROHIBITS SUCH CONTRACTOR OR
SUBCONTRACTOR RECEIVING SUCH PERSONAL INFORMATION FROM RETAINING, USING,
OR DISCLOSING SUCH PERSONAL INFORMATION FOR ANY PURPOSE OTHER THAN FOR
THE SPECIFIC PURPOSE OF PERFORMING THE SERVICES SPECIFIED IN SUCH
CONTRACT, OR AS OTHERWISE PERMITTED BY THIS ARTICLE, INCLUDING
RETAINING, USING, OR DISCLOSING SUCH PERSONAL INFORMATION FOR A COMMERCIAL
PURPOSE OTHER THAN PROVIDING THE SERVICES SPECIFIED IN THE CONTRACT.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD15346-01-4
4. "DEIDENTIFIED" SHALL MEAN INFORMATION THAT CANNOT REASONABLY
IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE
LINKED TO, DIRECTLY OR INDIRECTLY, A PARTICULAR INDIVIDUAL, PROVIDED
THAT A GOVERNMENT ENTITY THAT USES SUCH DEIDENTIFIED INFORMATION:
(A) HAS IMPLEMENTED TECHNICAL SAFEGUARDS AND PROCESSES THAT PROHIBIT
REIDENTIFICATION OF THE INDIVIDUAL TO WHOM SUCH INFORMATION MAY PERTAIN;
(B) HAS IMPLEMENTED PROCESSES TO PREVENT INADVERTENT RELEASE OF
DEIDENTIFIED INFORMATION; AND
(C) MAKES NO ATTEMPT TO REIDENTIFY SUCH INFORMATION.
5. "DEVICE" SHALL MEAN ANY PHYSICAL OBJECT THAT IS CAPABLE OF
CONNECTING TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE.
6. "GOVERNMENT ENTITY" OR "ENTITY" SHALL MEAN ANY STATE AGENCY OR ANY
PART, BODY, OR SUBDIVISION THEREOF.
7. "INDIVIDUAL" SHALL MEAN A PERSON WHO IS A RESIDENT OF NEW YORK
STATE.
8. (A) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT IDENTIFIES,
RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSOCIATED WITH, OR COULD
REASONABLY BE LINKED TO, DIRECTLY OR INDIRECTLY, A PARTICULAR INDIVIDUAL
OR HOUSEHOLD. PERSONAL INFORMATION INCLUDES, BUT IS NOT LIMITED TO, THE
FOLLOWING:
(I) IDENTIFIERS SUCH AS A REAL NAME, ALIAS, POSTAL ADDRESS, UNIQUE
PERSONAL IDENTIFIER, INTERNET PROTOCOL ADDRESS, EMAIL ADDRESS, SOCIAL
SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT NUMBER, PHOTOGRAPH,
OR OTHER SIMILAR IDENTIFIERS;
(II) CHARACTERISTICS OF PROTECTED CLASSIFICATIONS UNDER NEW YORK OR
FEDERAL LAW;
(III) COMMERCIAL INFORMATION, INCLUDING RECORDS OF REAL OR PERSONAL
PROPERTY;
(IV) BIOMETRIC INFORMATION;
(V) AUDIO, ELECTRONIC, VISUAL, OR SIMILAR INFORMATION;
(VI) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
(VII) EDUCATION INFORMATION, DEFINED AS INFORMATION THAT IS NOT
PUBLICLY AVAILABLE PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN THE
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (20 USC 1232G);
(VIII) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED IN THIS
PARAGRAPH TO CREATE A PROFILE ABOUT AN INDIVIDUAL REFLECTING SUCH
INDIVIDUAL'S PREFERENCES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS,
PREDISPOSITIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND APTITUDES; AND
(IX) FINANCIAL OR TAX INFORMATION.
(B) "PERSONAL INFORMATION" SHALL NOT INCLUDE PUBLICLY AVAILABLE
INFORMATION. FOR THESE PURPOSES, "PUBLICLY AVAILABLE" SHALL MEAN INFORMATION
THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT
RECORDS, OR ANY CONDITIONS ASSOCIATED WITH SUCH INFORMATION. "PUBLICLY
AVAILABLE" SHALL NOT INCLUDE AN INDIVIDUAL'S INFORMATION THAT IS
DEIDENTIFIED OR AGGREGATE PERSONAL INFORMATION.
9. "PROBABILISTIC IDENTIFIER" SHALL MEAN THE IDENTIFICATION OF AN
INDIVIDUAL OR A DEVICE TO A DEGREE OF CERTAINTY OF MORE PROBABLE THAN
NOT BASED ON ANY CATEGORIES OF PERSONAL INFORMATION INCLUDED IN, OR
SIMILAR TO, THE CATEGORIES ENUMERATED IN SUBDIVISION EIGHT OF THIS
SECTION.
10. "PROCESS" OR "PROCESSING" SHALL MEAN ANY OPERATION OR SET OF
OPERATIONS THAT ARE PERFORMED ON PERSONAL DATA OR ON SETS OF PERSONAL DATA,
WHETHER OR NOT BY AUTOMATED MEANS.
11. (A) "SELL", "SELLING", "SALE", OR "SOLD" SHALL MEAN SELLING,
RENTING, RELEASING, DISCLOSING, DISSEMINATING, MAKING AVAILABLE,
TRANSFERRING, OR OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC
OR OTHER MEANS, AN INDIVIDUAL'S PERSONAL INFORMATION BY A GOVERNMENT
ENTITY OR CONTRACTOR TO A THIRD PARTY FOR MONETARY OR OTHER VALUABLE
CONSIDERATION.
(B) A GOVERNMENT ENTITY OR CONTRACTOR DOES NOT SELL PERSONAL
INFORMATION WITHIN THE MEANING OF THIS ARTICLE WHEN:
(I) AN INDIVIDUAL USES OR DIRECTS SUCH GOVERNMENT ENTITY OR CONTRACTOR
TO INTENTIONALLY DISCLOSE PERSONAL INFORMATION TO A THIRD PARTY,
PROVIDED SUCH THIRD PARTY ALSO DOES NOT SELL SUCH PERSONAL INFORMATION,
UNLESS SUCH DISCLOSURE WOULD BE CONSISTENT WITH THE PROVISIONS OF THIS
ARTICLE.
(II) SUCH GOVERNMENT ENTITY OR CONTRACTOR USES OR SHARES WITH A THIRD
PARTY PERSONAL INFORMATION OF AN INDIVIDUAL THAT IS NECESSARY TO PERFORM
A LEGITIMATE GOVERNMENT PURPOSE IF BOTH OF THE FOLLOWING CONDITIONS ARE
MET:
(1) THE GOVERNMENT ENTITY OR CONTRACTOR HAS PROVIDED NOTICE THAT
INFORMATION IS BEING USED OR SHARED; AND
(2) THE THIRD PARTY DOES NOT FURTHER COLLECT, SELL, OR USE THE
PERSONAL INFORMATION OF SUCH INDIVIDUAL EXCEPT AS NECESSARY TO PERFORM
THE BUSINESS PURPOSE FOR WHICH IT RECEIVED SUCH INFORMATION.
(III) A CONTRACTOR WHO TRANSFERS TO A THIRD PARTY AN INDIVIDUAL'S
PERSONAL INFORMATION AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION,
BANKRUPTCY, OR OTHER TRANSACTION IN WHICH SUCH CONTRACTOR OR THIRD PARTY
ASSUMES CONTROL OF ALL OR PART OF SUCH THIRD PARTY PROVIDED THAT SUCH
INFORMATION IS USED OR SHARED CONSISTENTLY WITH THIS ARTICLE. IF A THIRD
PARTY MATERIALLY ALTERS HOW IT USES OR SHARES PERSONAL INFORMATION OF AN
INDIVIDUAL IN A MANNER THAT IS MATERIALLY INCONSISTENT WITH THE PROMISES
MADE AT THE TIME OF COLLECTION, IT SHALL PROVIDE PRIOR NOTICE OF THE NEW
OR CHANGED PRACTICE TO SUCH INDIVIDUAL. SUCH NOTICE SHALL BE
SUFFICIENTLY PROMINENT AND ROBUST TO ENSURE THAT INDIVIDUALS CAN EASILY EXERCISE
THEIR CHOICES CONSISTENTLY WITH SECTION EIGHTY-THREE OF THIS ARTICLE.
12. "SERVICE" OR "SERVICES" SHALL MEAN WORK, LABOR, AND SERVICES,
INCLUDING SERVICES FURNISHED IN CONNECTION WITH THE SALE OR REPAIR OF
GOODS.
13. "THIRD PARTY" SHALL MEAN A PERSON OR BUSINESS ENTITY WHO IS NOT
ANOTHER GOVERNMENT ENTITY OR CONTRACTOR THEREOF.
14. "UNIQUE IDENTIFIER" OR "UNIQUE PERSONAL IDENTIFIER" SHALL MEAN A
PERSISTENT IDENTIFIER THAT CAN BE USED TO RECOGNIZE AN INDIVIDUAL, A
FAMILY, OR A DEVICE THAT IS LINKED TO AN INDIVIDUAL OR FAMILY, OVER TIME
AND ACROSS DIFFERENT SERVICES, INCLUDING, BUT NOT LIMITED TO, A DEVICE
IDENTIFIER; AN INTERNET PROTOCOL ADDRESS; COOKIES, BEACONS, PIXEL TAGS,
OR SIMILAR TECHNOLOGY; UNIQUE PSEUDONYM, OR USER ALIAS; TELEPHONE
NUMBERS, OR OTHER FORMS OF PERSISTENT OR PROBABILISTIC IDENTIFIERS THAT
CAN BE USED TO IDENTIFY A PARTICULAR INDIVIDUAL OR DEVICE. FOR PURPOSES
OF THIS SUBDIVISION, "FAMILY" MEANS A CUSTODIAL PARENT OR GUARDIAN AND
ANY MINOR CHILDREN OVER WHICH SUCH PARENT OR GUARDIAN HAS CUSTODY.
§ 82. DATA COLLECTION DISCLOSURE. 1. A GOVERNMENT ENTITY OR CONTRACTOR
THAT COLLECTS AN INDIVIDUAL'S PERSONAL INFORMATION SHALL, AT OR BEFORE
THE POINT OF COLLECTION, INFORM SUCH INDIVIDUAL AS TO THE CATEGORIES OF
PERSONAL INFORMATION TO BE COLLECTED AND THE PURPOSES FOR WHICH SUCH
CATEGORIES OF PERSONAL INFORMATION SHALL BE USED. A GOVERNMENT ENTITY OR
CONTRACTOR SHALL NOT COLLECT ADDITIONAL CATEGORIES OF PERSONAL
INFORMATION OR USE PERSONAL INFORMATION COLLECTED FOR ADDITIONAL PURPOSES
WITHOUT PROVIDING SUCH INDIVIDUAL WITH NOTICE CONSISTENT WITH THIS ARTICLE.
2. THIS SECTION SHALL NOT REQUIRE A GOVERNMENT ENTITY OR CONTRACTOR
TO:
(A) RETAIN ANY PERSONAL INFORMATION COLLECTED FOR A SINGLE, ONE-TIME
TRANSACTION IF SUCH INFORMATION IS NOT SHARED OR RETAINED BY SUCH
GOVERNMENT ENTITY OR CONTRACTOR; OR
(B) REIDENTIFY OR OTHERWISE LINK INFORMATION THAT IS NOT MAINTAINED IN
A MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION.
§ 83. SHARING AND SELLING OF PERSONAL INFORMATION PROHIBITED. 1. NO
GOVERNMENT ENTITY OR CONTRACTOR SHALL SHARE ANY INDIVIDUAL'S PERSONAL
INFORMATION WITH A CONTRACTOR OR SUBCONTRACTOR UNLESS SUCH INFORMATION
IS CRUCIAL TO THE PURPOSE FOR WHICH SUCH GOVERNMENT ENTITY OR CONTRACTOR
HAS CONTRACTED SUCH CONTRACTOR OR SUBCONTRACTOR'S SERVICES.
2. NO GOVERNMENT ENTITY OR CONTRACTOR SHALL SHARE ANY INDIVIDUAL'S
PERSONAL INFORMATION WITH ANOTHER GOVERNMENT ENTITY OR CONTRACTOR UNLESS
SUCH INFORMATION IS CRUCIAL TO THE PERFORMANCE OF SUCH OTHER GOVERNMENT
ENTITY OR CONTRACTOR'S DUTIES, AND SUCH OTHER GOVERNMENT ENTITY OR
CONTRACTOR CANNOT PROCURE SUCH PERSONAL INFORMATION ON ITS OWN WITHOUT
SERIOUS HARDSHIP.
3. NO GOVERNMENT ENTITY OR CONTRACTOR SHALL SELL PERSONAL INFORMATION
ABOUT AN INDIVIDUAL.
§ 84. LIMITATION ON RESTRICTIONS. 1. THE OBLIGATIONS IMPOSED ON
GOVERNMENT ENTITIES AND CONTRACTORS BY THIS ARTICLE SHALL NOT RESTRICT
ANY GOVERNMENT ENTITY OR CONTRACTOR'S ABILITY TO:
(A) OTHERWISE COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
(B) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY,
INVESTIGATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, OR LOCAL AUTHORITIES;
(C) COMPLY WITH A REQUEST MADE UNDER THE FREEDOM OF INFORMATION LAW;
OR
(D) EXERCISE OR DEFEND LEGAL CLAIMS.
2. THIS ARTICLE SHALL NOT APPLY TO THE SALE OF PERSONAL INFORMATION TO
OR FROM A CONSUMER REPORTING AGENCY IF SUCH INFORMATION IS TO BE
REPORTED IN, OR USED TO GENERATE, A CONSUMER REPORT AS DEFINED BY THE
FEDERAL FAIR CREDIT REPORTING ACT (15 USC 1681), AND USE OF THAT
INFORMATION IS LIMITED BY SUCH ACT.
3. A GOVERNMENT ENTITY THAT DISCLOSES PERSONAL INFORMATION TO A
CONTRACTOR SHALL NOT BE LIABLE UNDER THIS ARTICLE IF SUCH CONTRACTOR
USES SUCH PERSONAL INFORMATION IN VIOLATION OF THE RESTRICTIONS SET
FORTH IN THIS ARTICLE, PROVIDED THAT, AT THE TIME OF DISCLOSING SUCH
PERSONAL INFORMATION, SUCH GOVERNMENT ENTITY DOES NOT HAVE ACTUAL
KNOWLEDGE OR REASON TO BELIEVE THAT SUCH CONTRACTOR INTENDS TO COMMIT SUCH A
VIOLATION. NO CONTRACTOR SHALL BE LIABLE UNDER THIS ARTICLE FOR THE
OBLIGATIONS OF A GOVERNMENT ENTITY FOR WHICH IT PROVIDES SERVICES AS SET
FORTH IN THIS ARTICLE.
4. THIS ARTICLE SHALL NOT BE CONSTRUED TO REQUIRE A GOVERNMENT ENTITY
TO REIDENTIFY OR OTHERWISE LINK INFORMATION THAT IS NOT MAINTAINED IN A
MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION.
5. THE RIGHTS AFFORDED TO INDIVIDUALS AND THE OBLIGATIONS IMPOSED ON
GOVERNMENT ENTITIES AND CONTRACTORS BY THIS ARTICLE SHALL NOT ADVERSELY
AFFECT THE RIGHTS AND FREEDOMS OF ANY OTHER PERSON.
§ 2. This act shall take effect one year after it shall have become a
law.