S T A T E O F N E W Y O R K
________________________________________________________________________
8149--A
2023-2024 Regular Sessions
I N A S S E M B L Y
October 13, 2023
___________
Introduced by M. of A. ROZIC, REYES, SHIMSKY, MAGNARELLI, HEVESI,
BUTTENSCHON, FAHY, DICKENS, McMAHON, GLICK, DE LOS SANTOS, DURSO,
McDONOUGH, GANDOLFO, SIMON, ZACCARO, DeSTEFANO, WALLACE, BERGER,
BURDICK, SEAWRIGHT, McDONALD, BEEPHAN, SMULLEN, MANKTELOW,
J. A. GIGLIO, SLATER, ARDILA, SILLITTI, DARLING, K. BROWN, EPSTEIN,
LEVENBERG, WEPRIN, BICHOTTE HERMELYN, LUPARDO, MIKULIN, PAULIN, SOLAG-
ES, SANTABARBARA, L. ROSENTHAL, DAVILA, BURGOS, CHANDLER-WATERMAN,
TAYLOR, ZEBROWSKI, JENSEN, KIM, RIVERA, ZINERMAN, MAHER, WALKER,
CUNNINGHAM, CONRAD, CLARK, JACKSON, DAIS, RAJKUMAR, FALL, LUNSFORD,
FORREST, LEE, GIBBS, ANDERSON, LAVINE, STERN, BRAUNSTEIN, DINOWITZ,
JEAN-PIERRE, SEPTIMO, KELLES, CARROLL, MAMDANI, HUNTER, BARRETT, BRON-
SON, PHEFFER AMATO, O'DONNELL, COOK, GUNTHER, BURKE, AUBRY, JONES,
STIRPE, SAYEGH, RAGA, GALLAHAN, TAPIA, THIELE, GALLAGHER, ALVAREZ,
SIMONE, EICHENSTEIN, PRETLOW, MORINELLO, SHRESTHA, EACHUS, MEEKS,
JACOBSON, BRABENEC -- Multi-Sponsored by -- M. of A. GONZALEZ-ROJAS,
WOERNER -- read once and referred to the Committee on Science and
Technology -- recommitted to the Committee on Science and Technology
in accordance with Assembly Rule 3, sec. 2 -- committee discharged,
bill amended, ordered reprinted as amended and recommitted to said
committee
AN ACT to amend the general business law, in relation to establishing
the New York child data protection act
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article
39-FF to read as follows:
ARTICLE 39-FF
NEW YORK CHILD DATA PROTECTION ACT
SECTION 899-EE. DEFINITIONS.
899-FF. PRIVACY PROTECTION BY DEFAULT.
899-GG. PROCESSORS.
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD13150-12-4
A. 8149--A 2
899-HH. ONGOING COVERAGE.
899-II. RESPECTING USER-PROVIDED AGE FLAGS.
899-JJ. PROTECTIONS FOR THIRD-PARTY OPERATORS.
899-KK. RULEMAKING AUTHORITY.
899-LL. SCOPE.
899-MM. REMEDIES.
§ 899-EE. DEFINITIONS. FOR PURPOSES OF THIS ARTICLE, THE FOLLOWING
TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "COVERED USER" SHALL MEAN A USER OF A WEBSITE, ONLINE SERVICE,
ONLINE APPLICATION, MOBILE APPLICATION, OR CONNECTED DEVICE, OR PORTION
THEREOF, IN THE STATE OF NEW YORK WHO IS:
(A) ACTUALLY KNOWN BY THE OPERATOR OF SUCH WEBSITE, ONLINE SERVICE,
ONLINE APPLICATION, MOBILE APPLICATION, OR CONNECTED DEVICE TO BE A
MINOR; OR
(B) USING A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLI-
CATION, OR CONNECTED DEVICE PRIMARILY DIRECTED TO MINORS.
2. "MINOR" SHALL MEAN A NATURAL PERSON UNDER THE AGE OF EIGHTEEN.
3. "OPERATOR" SHALL MEAN ANY PERSON WHO OPERATES OR PROVIDES A WEBSITE
ON THE INTERNET, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION,
OR CONNECTED DEVICE, AND WHO, ALONE OR JOINTLY WITH OTHERS, CONTROLS THE
PURPOSES AND MEANS OF PROCESSING PERSONAL DATA. A PERSON THAT ACTS AS
BOTH AN OPERATOR AND PROCESSOR SHALL COMPLY WITH THE APPLICABLE OBLI-
GATIONS OF AN OPERATOR AND THE OBLIGATIONS OF A PROCESSOR, DEPENDING ON
ITS ROLE WITH RESPECT TO EACH SPECIFIC PROCESSING OF PERSONAL DATA.
4. "PERSONAL DATA" SHALL MEAN ANY DATA THAT IDENTIFIES OR COULD
REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A SPECIFIC NATURAL
PERSON OR DEVICE.
5. "PROCESS" OR "PROCESSING" SHALL MEAN AN OPERATION OR SET OF OPER-
ATIONS PERFORMED ON PERSONAL DATA, INCLUDING BUT NOT LIMITED TO THE
COLLECTION, USE, ACCESS, SHARING, SALE, MONETIZATION, ANALYSIS,
RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGANIZATION,
STRUCTURING, STORAGE, DISCLOSURE, TRANSMISSION, DISPOSAL, LICENSING,
DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFICATION OF PERSONAL
DATA.
6. "PRIMARILY DIRECTED TO MINORS" SHALL MEAN A WEBSITE, ONLINE
SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, OR CONNECTED DEVICE, OR
A PORTION THEREOF, THAT IS TARGETED TO MINORS. A WEBSITE, ONLINE
SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, OR CONNECTED DEVICE, OR
PORTION THEREOF, SHALL NOT BE DEEMED DIRECTED PRIMARILY TO MINORS SOLELY
BECAUSE SUCH WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLI-
CATION, OR CONNECTED DEVICE, OR PORTION THEREOF REFERS OR LINKS TO ANY
OTHER WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION,
OR CONNECTED DEVICE DIRECTED TO MINORS BY USING INFORMATION LOCATION
TOOLS, INCLUDING A DIRECTORY, INDEX, REFERENCE, POINTER, OR HYPERTEXT
LINK. A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION,
OR CONNECTED DEVICE, OR PORTION THEREOF, SHALL BE DEEMED DIRECTED TO
MINORS WHEN IT HAS ACTUAL KNOWLEDGE THAT IT IS COLLECTING PERSONAL DATA
OF USERS DIRECTLY FROM USERS OF ANOTHER WEBSITE, ONLINE SERVICE, ONLINE
APPLICATION, MOBILE APPLICATION, OR CONNECTED DEVICE PRIMARILY DIRECTED
TO MINORS.
7. "SELL" SHALL MEAN TO SHARE PERSONAL DATA FOR MONETARY OR OTHER
VALUABLE CONSIDERATION. "SELLING" SHALL NOT INCLUDE THE SHARING OF
PERSONAL DATA FOR MONETARY OR OTHER VALUABLE CONSIDERATION TO ANOTHER
PERSON AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION, BANKRUPTCY, OR
OTHER TRANSACTION IN WHICH THAT PERSON ASSUMES CONTROL OF ALL OR PART OF
THE OPERATOR'S ASSETS OR THE SHARING OF PERSONAL DATA WITH A PROCESSOR.
A. 8149--A 3
8. "PROCESSOR" SHALL MEAN ANY PERSON WHO PROCESSES DATA ON BEHALF OF
THE OPERATOR. A PERSON THAT ACTS AS BOTH AN OPERATOR AND PROCESSOR SHALL
COMPLY WITH THE APPLICABLE OBLIGATIONS OF AN OPERATOR AND THE OBLI-
GATIONS OF A PROCESSOR, DEPENDING ON ITS ROLE WITH RESPECT TO EACH
SPECIFIC PROCESSING OF PERSONAL DATA.
9. "THIRD-PARTY OPERATOR" SHALL MEAN AN OPERATOR WHO IS NOT THE OPER-
ATOR:
(A) WITH WHOM THE USER INTENTIONALLY AND DIRECTLY INTERACTS; OR
(B) THAT COLLECTS PERSONAL DATA FROM THE DIRECT AND CURRENT INTER-
ACTIONS WITH THE USER.
§ 899-FF. PRIVACY PROTECTION BY DEFAULT. 1. EXCEPT AS PROVIDED FOR IN
SUBDIVISION SIX OF THIS SECTION AND SECTION EIGHT HUNDRED NINETY-NINE-JJ
OF THIS ARTICLE, AN OPERATOR SHALL NOT PROCESS, OR ALLOW A PROCESSOR TO
PROCESS, THE PERSONAL DATA OF A COVERED USER COLLECTED THROUGH THE USE
OF A WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, OR
CONNECTED DEVICE, OR ALLOW A THIRD-PARTY OPERATOR TO COLLECT THE
PERSONAL DATA OF A COVERED USER COLLECTED THROUGH THE OPERATOR'S
WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, OR
CONNECTED DEVICE UNLESS AND TO THE EXTENT:
(A) THE COVERED USER IS TWELVE YEARS OF AGE OR YOUNGER AND PROCESSING
IS PERMITTED UNDER 15 U.S.C. § 6502 AND ITS IMPLEMENTING REGULATIONS; OR
(B) THE COVERED USER IS THIRTEEN YEARS OF AGE OR OLDER AND PROCESSING
IS STRICTLY NECESSARY FOR AN ACTIVITY SET FORTH IN SUBDIVISION TWO OF
THIS SECTION, OR INFORMED CONSENT HAS BEEN OBTAINED AS SET FORTH IN
SUBDIVISION THREE OF THIS SECTION.
2. FOR THE PURPOSES OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS
SECTION, THE PROCESSING OF PERSONAL DATA OF A COVERED USER IS PERMISSI-
BLE WHERE IT IS STRICTLY NECESSARY FOR THE FOLLOWING PERMISSIBLE
PURPOSES:
(A) PROVIDING OR MAINTAINING A SPECIFIC PRODUCT OR SERVICE REQUESTED
BY THE COVERED USER;
(B) CONDUCTING THE OPERATOR'S INTERNAL BUSINESS OPERATIONS. FOR
PURPOSES OF THIS PARAGRAPH, SUCH INTERNAL BUSINESS OPERATIONS SHALL NOT
INCLUDE ANY ACTIVITIES RELATED TO MARKETING, ADVERTISING, RESEARCH AND
DEVELOPMENT, PROVIDING PRODUCTS OR SERVICES TO THIRD PARTIES, OR PROMPT-
ING COVERED USERS TO USE THE WEBSITE, ONLINE SERVICE, ONLINE APPLICA-
TION, MOBILE APPLICATION, OR CONNECTED DEVICE WHEN IT IS NOT IN USE;
(C) IDENTIFYING AND REPAIRING TECHNICAL ERRORS THAT IMPAIR EXISTING OR
INTENDED FUNCTIONALITY;
(D) PROTECTING AGAINST MALICIOUS, FRAUDULENT, OR ILLEGAL ACTIVITY;
(E) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFEND-
ING LEGAL CLAIMS;
(F) COMPLYING WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGU-
LATIONS;
(G) COMPLYING WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI-
GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERN-
MENTAL AUTHORITIES;
(H) DETECTING, RESPONDING TO, OR PREVENTING SECURITY INCIDENTS OR
THREATS; OR
(I) PROTECTING THE VITAL INTERESTS OF A NATURAL PERSON.
3. (A) FOR THE PURPOSES OF PARAGRAPH (B) OF SUBDIVISION ONE OF THIS
SECTION, TO PROCESS PERSONAL DATA OF A COVERED USER WHERE SUCH PROCESS-
ING IS NOT STRICTLY NECESSARY UNDER SUBDIVISION TWO OF THIS SECTION,
INFORMED CONSENT MUST BE OBTAINED FROM THE COVERED USER EITHER THROUGH A
DEVICE COMMUNICATION OR SIGNAL PURSUANT TO THE PROVISIONS OF SUBDIVISION
A. 8149--A 4
TWO OF SECTION EIGHT HUNDRED NINETY-NINE-II OF THIS ARTICLE OR THROUGH A
REQUEST. REQUESTS FOR SUCH INFORMED CONSENT SHALL:
(I) BE MADE SEPARATELY FROM ANY OTHER TRANSACTION OR PART OF A TRANS-
ACTION;
(II) BE MADE IN THE ABSENCE OF ANY MECHANISM THAT HAS THE PURPOSE OR
SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR IMPAIRING A COVERED
USER'S DECISION-MAKING REGARDING AUTHORIZATION FOR THE PROCESSING;
(III) CLEARLY AND CONSPICUOUSLY STATE THAT THE PROCESSING FOR WHICH
THE CONSENT IS REQUESTED IS NOT STRICTLY NECESSARY, AND THAT THE COVERED
USER MAY DECLINE WITHOUT PREVENTING CONTINUED USE OF THE WEBSITE, ONLINE
SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, OR CONNECTED DEVICE;
AND
(IV) CLEARLY PRESENT AN OPTION TO REFUSE TO PROVIDE CONSENT AS THE
MOST PROMINENT OPTION.
(B) SUCH INFORMED CONSENT, ONCE GIVEN, SHALL BE FREELY REVOCABLE AT
ANY TIME, AND SHALL BE AT LEAST AS EASY TO REVOKE AS IT WAS TO PROVIDE.
(C) IF A COVERED USER DECLINES TO PROVIDE OR REVOKES INFORMED CONSENT
FOR PROCESSING, ANOTHER REQUEST MAY NOT BE MADE FOR SUCH PROCESSING FOR
THE FOLLOWING CALENDAR YEAR, HOWEVER AN OPERATOR MAY MAKE AVAILABLE A
MECHANISM THAT A COVERED USER CAN USE UNPROMPTED AND AT THE USER'S
DISCRETION TO PROVIDE INFORMED CONSENT.
(D) IF A COVERED USER'S DEVICE COMMUNICATES OR SIGNALS THAT THE
COVERED USER DECLINES TO PROVIDE INFORMED CONSENT FOR PROCESSING PURSU-
ANT TO THE PROVISIONS OF SUBDIVISION TWO OF SECTION EIGHT HUNDRED NINE-
TY-NINE-II OF THIS ARTICLE, AN OPERATOR SHALL NOT REQUEST INFORMED
CONSENT FOR SUCH PROCESSING, HOWEVER AN OPERATOR MAY MAKE AVAILABLE A
MECHANISM THAT A COVERED USER CAN USE UNPROMPTED AND AT THE USER'S
DISCRETION TO PROVIDE INFORMED CONSENT.
4. EXCEPT WHERE PROCESSING IS STRICTLY NECESSARY TO PROVIDE A PRODUCT,
SERVICE, OR FEATURE, AN OPERATOR MAY NOT WITHHOLD, DEGRADE, LOWER THE
QUALITY, OR INCREASE THE PRICE OF ANY PRODUCT, SERVICE, OR FEATURE TO A
COVERED USER DUE TO THE OPERATOR NOT OBTAINING VERIFIABLE PARENTAL
CONSENT UNDER 15 U.S.C. § 6502 AND ITS IMPLEMENTING REGULATIONS OR
INFORMED CONSENT UNDER SUBDIVISION THREE OF THIS SECTION.
5. EXCEPT AS PROVIDED FOR IN SECTION EIGHT HUNDRED NINETY-NINE-JJ OF
THIS ARTICLE, AN OPERATOR SHALL NOT PURCHASE OR SELL, OR ALLOW A PROCES-
SOR OR THIRD-PARTY OPERATOR TO PURCHASE OR SELL, THE PERSONAL DATA OF A
COVERED USER.
6. WITHIN THIRTY DAYS OF DETERMINING OR BEING INFORMED THAT A USER IS
A COVERED USER, AN OPERATOR SHALL:
(A) DISPOSE OF, DESTROY, OR DELETE AND DIRECT ALL OF ITS PROCESSORS TO
DISPOSE OF, DESTROY, OR DELETE ALL PERSONAL DATA OF SUCH COVERED USER
THAT IT MAINTAINS, UNLESS PROCESSING SUCH PERSONAL DATA IS PERMITTED
UNDER 15 U.S.C. § 6502 AND ITS IMPLEMENTING REGULATIONS, IS STRICTLY
NECESSARY FOR AN ACTIVITY LISTED IN SUBDIVISION TWO OF THIS SECTION, OR
INFORMED CONSENT IS OBTAINED AS SET FORTH IN SUBDIVISION THREE OF THIS
SECTION; AND
(B) NOTIFY ANY THIRD-PARTY OPERATORS TO WHOM IT KNOWS IT DISCLOSED
PERSONAL DATA OF THAT COVERED USER, AND ANY THIRD-PARTY OPERATORS IT
KNOWS IT ALLOWED TO PROCESS THE PERSONAL DATA THAT MAY INCLUDE THE
PERSONAL DATA OF THAT USER, THAT THE USER IS A COVERED USER.
7. EXCEPT AS PROVIDED FOR IN SECTION EIGHT HUNDRED NINETY-NINE-JJ OF
THIS ARTICLE, PRIOR TO DISCLOSING PERSONAL DATA TO A THIRD-PARTY OPERA-
TOR, OR PERMITTING A THIRD-PARTY OPERATOR TO COLLECT PERSONAL DATA FROM
THE OPERATOR'S WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE
A. 8149--A 5
APPLICATION, CONNECTED DEVICE, OR PORTION THEREOF, THE OPERATOR SHALL
DISCLOSE TO THE THIRD-PARTY OPERATOR:
(A) WHEN THEIR WEBSITE, ONLINE SERVICE, ONLINE APPLICATION, MOBILE
APPLICATION, CONNECTED DEVICE, OR PORTION THEREOF, IS PRIMARILY DIRECTED
TO MINORS; OR
(B) WHEN THE PERSONAL DATA CONCERNS A COVERED USER.
§ 899-GG. PROCESSORS. 1. EXCEPT AS PROVIDED FOR IN SECTION EIGHT
HUNDRED NINETY-NINE-JJ OF THIS ARTICLE, NO OPERATOR OR PROCESSOR SHALL
DISCLOSE THE PERSONAL DATA OF A COVERED USER TO A THIRD PARTY, OR ALLOW
THE PROCESSING OF THE PERSONAL DATA OF A COVERED USER BY A THIRD PARTY,
WITHOUT A WRITTEN, BINDING AGREEMENT GOVERNING SUCH DISCLOSURE OR PROC-
ESSING. SUCH AGREEMENT SHALL CLEARLY SET FORTH INSTRUCTIONS FOR THE
NATURE AND PURPOSE OF THE PROCESSOR'S PROCESSING OF THE PERSONAL DATA,
INSTRUCTIONS FOR USING OR FURTHER DISCLOSING THE PERSONAL DATA, AND THE
RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
2. PROCESSORS SHALL PROCESS THE PERSONAL DATA OF COVERED USERS ONLY
WHEN PERMITTED BY THE TERMS OF THE AGREEMENT PURSUANT TO SUBDIVISION ONE
OF THIS SECTION, UNLESS OTHERWISE REQUIRED BY FEDERAL, STATE, OR LOCAL
LAWS, RULES, OR REGULATIONS.
3. A PROCESSOR SHALL, AT THE DIRECTION OF THE OPERATOR, DISPOSE OF,
DESTROY, OR DELETE PERSONAL DATA, AND NOTIFY ANY OTHER PROCESSOR TO
WHICH IT DISCLOSED THE PERSONAL DATA OF THE OPERATOR'S DIRECTION, UNLESS
RETENTION OF THE PERSONAL DATA IS REQUIRED BY FEDERAL, STATE, OR LOCAL
LAWS, RULES, OR REGULATIONS. THE PROCESSOR SHALL PROVIDE EVIDENCE OF
SUCH DELETION TO THE OPERATOR WITHIN THIRTY DAYS OF THE DELETION
REQUEST.
4. A PROCESSOR SHALL DELETE OR RETURN TO THE OPERATOR ALL PERSONAL
DATA OF COVERED USERS AT THE END OF ITS PROVISION OF SERVICES, UNLESS
RETENTION OF THE PERSONAL DATA IS REQUIRED BY FEDERAL, STATE, OR LOCAL
LAWS, RULES, OR REGULATIONS. THE PROCESSOR SHALL PROVIDE EVIDENCE OF
SUCH DELETION TO THE OPERATOR WITHIN THIRTY DAYS OF THE DELETION
REQUEST.
5. AN AGREEMENT PURSUANT TO SUBDIVISION ONE OF THIS SECTION SHALL
REQUIRE THAT THE PROCESSOR:
(A) PROCESS THE PERSONAL DATA OF COVERED USERS ONLY PURSUANT TO THE
INSTRUCTIONS OF THE OPERATOR, UNLESS OTHERWISE REQUIRED BY FEDERAL,
STATE, OR LOCAL LAWS, RULES, OR REGULATIONS;
(B) ASSIST THE OPERATOR IN MEETING THE OPERATOR'S OBLIGATIONS UNDER
THIS ARTICLE. THE PROCESSOR SHALL, TAKING INTO ACCOUNT THE NATURE OF
PROCESSING AND THE INFORMATION AVAILABLE TO THEM, ASSIST THE OPERATOR BY
TAKING APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES, TO THE EXTENT
PRACTICABLE, FOR THE FULFILLMENT OF THE OPERATOR'S OBLIGATION TO DELETE
PERSONAL DATA PURSUANT TO SECTION EIGHT HUNDRED NINETY-NINE-FF OF THIS
ARTICLE;
(C) UPON REASONABLE REQUEST OF THE OPERATOR, MAKE AVAILABLE TO THE
OPERATOR ALL INFORMATION IN ITS POSSESSION NECESSARY TO DEMONSTRATE THE
PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS SECTION;
(D) ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE OPERATOR
OR THE OPERATOR'S DESIGNATED ASSESSOR FOR PURPOSES OF EVALUATING COMPLI-
ANCE WITH THE OBLIGATIONS OF THIS ARTICLE. ALTERNATIVELY, THE PROCESSOR
MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT ASSESSOR TO CONDUCT AN
ASSESSMENT OF THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL
MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS ARTICLE USING AN
APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT
PROCEDURE FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT OF
SUCH ASSESSMENT TO THE OPERATOR UPON REQUEST; AND
A. 8149--A 6
(E) NOTIFY THE OPERATOR A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING
OR TRANSFERRING THE PERSONAL DATA OF COVERED USERS TO ANY FURTHER
PROCESSORS, WHICH MAY BE IN THE FORM OF A REGULARLY UPDATED LIST OF
FURTHER PROCESSORS THAT MAY ACCESS PERSONAL DATA OF COVERED USERS.
§ 899-HH. ONGOING COVERAGE. 1. UPON LEARNING THAT A USER IS NO LONGER
A COVERED USER, AN OPERATOR:
(A) SHALL NOT PROCESS THE PERSONAL DATA OF THE COVERED USER THAT WOULD
OTHERWISE BE SUBJECT TO THE PROVISIONS OF THIS ARTICLE UNTIL IT RECEIVES
INFORMED CONSENT PURSUANT TO SUBDIVISION THREE OF SECTION EIGHT HUNDRED
NINETY-NINE-FF OF THIS ARTICLE, AND
(B) SHALL PROVIDE NOTICE TO SUCH USER THAT THEY MAY NO LONGER BE ENTI-
TLED TO ALL OF THE PROTECTIONS AND RIGHTS PROVIDED UNDER THIS ARTICLE.
2. UPON LEARNING THAT A USER IS NO LONGER A COVERED USER, AN OPERATOR
SHALL PROVIDE NOTICE TO SUCH USER THAT SUCH USER IS NO LONGER COVERED BY
THE PROTECTIONS AND RIGHTS PROVIDED UNDER THIS ARTICLE.
§ 899-II. RESPECTING USER-PROVIDED AGE FLAGS. 1. FOR THE PURPOSES OF
THIS ARTICLE, AN OPERATOR SHALL TREAT A USER AS A COVERED USER IF THE
USER'S DEVICE COMMUNICATES OR SIGNALS THAT THE USER IS OR SHALL BE
TREATED AS A MINOR, INCLUDING THROUGH A BROWSER PLUG-IN OR PRIVACY
SETTING, DEVICE SETTING, OR OTHER MECHANISM THAT COMPLIES WITH REGU-
LATIONS PROMULGATED BY THE ATTORNEY GENERAL.
2. FOR THE PURPOSES OF SUBDIVISION THREE OF SECTION EIGHT HUNDRED
NINETY-NINE-FF OF THIS ARTICLE, AN OPERATOR SHALL ADHERE TO ANY CLEAR
AND UNAMBIGUOUS COMMUNICATIONS OR SIGNALS FROM A COVERED USER'S DEVICE,
INCLUDING THROUGH A BROWSER PLUG-IN OR PRIVACY SETTING, DEVICE SETTING,
OR OTHER MECHANISM, CONCERNING PROCESSING THAT THE COVERED USER CONSENTS
TO OR DECLINES TO CONSENT TO. AN OPERATOR SHALL NOT ADHERE TO UNCLEAR OR
AMBIGUOUS COMMUNICATIONS OR SIGNALS FROM A COVERED USER'S DEVICE, AND
SHALL INSTEAD REQUEST INFORMED CONSENT PURSUANT TO THE PROVISIONS OF
PARAGRAPH A OF SUBDIVISION THREE OF SECTION EIGHT HUNDRED NINETY-NINE-FF
OF THIS ARTICLE.
§ 899-JJ. PROTECTIONS FOR THIRD-PARTY OPERATORS. SECTIONS EIGHT
HUNDRED NINETY-NINE-FF AND EIGHT HUNDRED NINETY-NINE-GG OF THIS ARTICLE
SHALL NOT APPLY WHERE A THIRD-PARTY OPERATOR IS PROCESSING THE PERSONAL
DATA OF A COVERED USER OF ANOTHER WEBSITE, ONLINE SERVICE, ONLINE APPLI-
CATION, MOBILE APPLICATION, OR CONNECTED DEVICE, OR PORTION THEREOF,
PROVIDED THAT THE THIRD-PARTY OPERATOR RECEIVED REASONABLE WRITTEN
REPRESENTATIONS THAT THE COVERED USER PROVIDED INFORMED CONSENT FOR SUCH
PROCESSING, OR:
1. THE OPERATOR DOES NOT HAVE ACTUAL KNOWLEDGE THAT THE COVERED USER
IS A MINOR; AND
2. THE OPERATOR DOES NOT HAVE ACTUAL KNOWLEDGE THAT THE OTHER WEBSITE,
ONLINE SERVICE, ONLINE APPLICATION, MOBILE APPLICATION, OR CONNECTED
DEVICE, OR PORTION THEREOF, IS PRIMARILY DIRECTED TO MINORS.
§ 899-KK. RULEMAKING AUTHORITY. THE ATTORNEY GENERAL MAY PROMULGATE
SUCH RULES AND REGULATIONS AS ARE NECESSARY TO EFFECTUATE AND ENFORCE
THE PROVISIONS OF THIS ARTICLE.
§ 899-LL. SCOPE. 1. THIS ARTICLE SHALL APPLY TO CONDUCT THAT OCCURS IN
WHOLE OR IN PART IN THE STATE OF NEW YORK. FOR PURPOSES OF THIS ARTICLE,
COMMERCIAL CONDUCT TAKES PLACE WHOLLY OUTSIDE OF THE STATE OF NEW YORK
IF THE BUSINESS COLLECTED SUCH INFORMATION WHILE THE COVERED USER WAS
OUTSIDE OF THE STATE OF NEW YORK, NO PART OF THE USE OF THE COVERED
USER'S PERSONAL DATA OCCURRED IN THE STATE OF NEW YORK, AND NO PERSONAL
DATA COLLECTED WHILE THE COVERED USER WAS IN THE STATE OF NEW YORK IS
USED.
A. 8149--A 7
2. NOTHING IN THIS ARTICLE SHALL BE CONSTRUED TO PROHIBIT AN OPERATOR
FROM STORING A COVERED USER'S PERSONAL DATA THAT WAS COLLECTED PURSUANT
TO SECTION EIGHT HUNDRED NINETY-NINE-FF OF THIS ARTICLE WHEN SUCH
COVERED USER IS IN THE STATE.
3. NOTHING IN THIS ARTICLE SHALL BE CONSTRUED TO IMPOSE LIABILITY FOR
COMMERCIAL ACTIVITIES OR ACTIONS BY OPERATORS SUBJECT TO 15 U.S.C. 6501
THAT IS INCONSISTENT WITH THE TREATMENT OF SUCH ACTIVITIES OR ACTIONS
UNDER 15 U.S.C. 6502.
§ 899-MM. REMEDIES. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL,
EITHER UPON COMPLAINT OR OTHERWISE, THAT ANY PERSON, WITHIN OR OUTSIDE
THE STATE, HAS ENGAGED IN OR IS ABOUT TO ENGAGE IN ANY OF THE ACTS OR
PRACTICES STATED TO BE UNLAWFUL IN THIS ARTICLE, THE ATTORNEY GENERAL
MAY BRING AN ACTION OR SPECIAL PROCEEDING IN THE NAME AND ON BEHALF OF
THE PEOPLE OF THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF THIS
ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR PROPERTY OBTAINED
DIRECTLY OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN DISGORGEMENT OF
ANY PROFITS OR GAINS OBTAINED DIRECTLY OR INDIRECTLY BY ANY SUCH
VIOLATION, INCLUDING BUT NOT LIMITED TO THE DESTRUCTION OF UNLAWFULLY
OBTAINED DATA, TO OBTAIN DAMAGES CAUSED DIRECTLY OR INDIRECTLY BY ANY
SUCH VIOLATION, TO OBTAIN CIVIL PENALTIES OF UP TO FIVE THOUSAND DOLLARS
PER VIOLATION, AND TO OBTAIN ANY SUCH OTHER AND FURTHER RELIEF AS THE
COURT MAY DEEM PROPER, INCLUDING PRELIMINARY RELIEF.
§ 2. Severability. If any clause, sentence, paragraph, subdivision,
section or part of this act shall be adjudged by any court of competent
jurisdiction to be invalid, such judgment shall not affect, impair, or
invalidate the remainder thereof, but shall be confined in its operation
to the clause, sentence, paragraph, subdivision, section or part thereof
directly involved in the controversy in which such judgment shall have
been rendered. It is hereby declared to be the intent of the legislature
that this act would have been enacted even if such invalid provisions
had not been included herein.
§ 3. This act shall take effect one year after it shall have become a
law. Effective immediately, the addition, amendment and/or repeal of any
rule or regulation necessary for the implementation of this act on its
effective date are authorized to be made and completed on or before such
effective date.