LBD01642-01-3
 S. 365                              2
 
 ability  to  correct  inaccurate  data and to delete their data; and the
 ability to challenge certain automated decisions. This act also  imposes
 obligations  upon  businesses  to  maintain reasonable data security for
 personal data, to notify New York consumers of foreseeable harms arising
 from  use of their data and to obtain specific consent for that use, and
 to conduct regular assessments to ensure that data is not being used for
 unacceptable purposes. These data assessments can be obtained and evalu-
 ated by the New York State Attorney General, who is empowered to  obtain
 penalties for violations of this act and prevent future violations. This
 act  also  grants New York consumers who have been injured as the result
 of a violation a private right  of  action,  which  includes  reasonable
 attorneys' fees to a prevailing plaintiff.
   § 3. The general business law is amended by adding a new article 42 to
 read as follows:
                                ARTICLE 42
                           NEW YORK PRIVACY ACT
 SECTION 1100. DEFINITIONS.
         1101. JURISDICTIONAL SCOPE.
         1102. CONSUMER RIGHTS.
         1103. CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES.
         1104. DATA BROKERS.
         1105. LIMITATIONS.
         1106. ENFORCEMENT AND PRIVATE RIGHT OF ACTION.
         1107. MISCELLANEOUS.
   §  1100.  DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY THROUGHOUT THIS
 ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE:
   1. "AUTOMATED DECISION-MAKING" OR "AUTOMATED DECISION" MEANS A  COMPU-
 TATIONAL  PROCESS,  INCLUDING ONE DERIVED FROM MACHINE LEARNING, ARTIFI-
 CIAL INTELLIGENCE, OR ANY OTHER AUTOMATED  PROCESS,  INVOLVING  PERSONAL
 DATA THAT RESULTS IN A DECISION AFFECTING A CONSUMER.
   2.  "BIOMETRIC INFORMATION" MEANS ANY PERSONAL DATA GENERATED FROM THE
 MEASUREMENT OR SPECIFIC TECHNOLOGICAL PROCESSING OF A  NATURAL  PERSON'S
 BIOLOGICAL,  PHYSICAL,  OR  PHYSIOLOGICAL CHARACTERISTICS THAT ALLOWS OR
 CONFIRMS THE UNIQUE IDENTIFICATION OF A NATURAL PERSON, INCLUDING  FING-
 ERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES,
 DEOXYRIBONUCLEIC ACID (DNA) INFORMATION, AND GAIT.
   3.  "BUSINESS  ASSOCIATE"  HAS  THE SAME MEANING AS IN TITLE 45 OF THE
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   4. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A FREELY  GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT
 TO  THE  PROCESSING  OF  DATA RELATING TO THE CONSUMER.   CONSENT MAY BE
 WITHDRAWN AT ANY TIME, AND A CONTROLLER MUST PROVIDE CLEAR, CONSPICUOUS,
 AND CONSUMER-FRIENDLY MEANS TO WITHDRAW CONSENT. THE  BURDEN  OF  ESTAB-
 LISHING  CONSENT IS ON THE CONTROLLER.  CONSENT DOES NOT INCLUDE: (A) AN
 AGREEMENT OF GENERAL TERMS OF USE OR A SIMILAR DOCUMENT THAT  REFERENCES
 UNRELATED  INFORMATION  IN  ADDITION TO PERSONAL DATA PROCESSING; (B) AN
 AGREEMENT OBTAINED THROUGH FRAUD, DECEIT OR DECEPTION; (C) ANY ACT  THAT
 DOES  NOT CONSTITUTE A USER'S INTENT TO INTERACT WITH ANOTHER PARTY SUCH
 AS HOVERING OVER, PAUSING OR CLOSING ANY CONTENT; OR (D)  A  PRE-CHECKED
 BOX OR SIMILAR DEFAULT.
   5. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING
 ONLY  IN  AN  INDIVIDUAL  OR  HOUSEHOLD  CONTEXT.  IT DOES NOT INCLUDE A
 NATURAL PERSON KNOWN TO  BE  ACTING  IN  A  PROFESSIONAL  OR  EMPLOYMENT
 CONTEXT.
   6.  "CONTROLLER"  MEANS  THE PERSON WHO, ALONE OR JOINTLY WITH OTHERS,
 DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA.
   7. "COVERED ENTITY" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R.,
 ESTABLISHED  PURSUANT  TO  THE  FEDERAL HEALTH INSURANCE PORTABILITY AND
 ACCOUNTABILITY ACT OF 1996.
   8. "DATA BROKER" MEANS A PERSON, OR UNIT OR UNITS OF A  LEGAL  ENTITY,
 SEPARATELY  OR TOGETHER, THAT DOES BUSINESS IN THE STATE OF NEW YORK AND
 KNOWINGLY COLLECTS, AND SELLS  TO  CONTROLLERS  OR  THIRD  PARTIES,  THE
 PERSONAL  DATA  OF  A  CONSUMER  WITH  WHOM  IT  DOES  NOT HAVE A DIRECT
 RELATIONSHIP. "DATA BROKER" DOES NOT INCLUDE ANY OF THE FOLLOWING:
   (A) A CONSUMER REPORTING AGENCY TO THE EXTENT THAT IT  IS  COVERED  BY
 THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET SEQ.); OR
   (B)  A  FINANCIAL  INSTITUTION TO THE EXTENT THAT IT IS COVERED BY THE
 GRAMM-LEACH-BLILEY ACT  (PUBLIC  LAW  106-102)  AND  IMPLEMENTING  REGU-
 LATIONS.
   9.  "DECISIONS  THAT  PRODUCE  LEGAL OR SIMILARLY SIGNIFICANT EFFECTS"
 MEANS DECISIONS MADE BY THE CONTROLLER THAT RESULT IN THE  PROVISION  OR
 DENIAL  BY  THE  CONTROLLER  OF  FINANCIAL OR LENDING SERVICES, HOUSING,
 INSURANCE,  EDUCATION  ENROLLMENT  OR  OPPORTUNITY,  CRIMINAL   JUSTICE,
 EMPLOYMENT  OPPORTUNITIES,  HEALTH  CARE SERVICES OR ACCESS TO ESSENTIAL
 GOODS OR SERVICES.
   10. "DEIDENTIFIED DATA" MEANS DATA THAT CANNOT REASONABLY BE  USED  TO
 INFER  INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTICULAR CONSUM-
 ER, HOUSEHOLD OR DEVICE, PROVIDED THAT THE PROCESSOR OR CONTROLLER  THAT
 POSSESSES THE DATA:
   (A) IMPLEMENTS REASONABLE TECHNICAL SAFEGUARDS TO ENSURE THAT THE DATA
 CANNOT BE ASSOCIATED WITH A CONSUMER, HOUSEHOLD OR DEVICE;
   (B) PUBLICLY COMMITS TO PROCESS THE DATA ONLY AS DEIDENTIFIED DATA AND
 NOT  ATTEMPT  TO  REIDENTIFY  THE  DATA,  EXCEPT  THAT THE CONTROLLER OR
 PROCESSOR MAY ATTEMPT TO  REIDENTIFY  THE  INFORMATION  SOLELY  FOR  THE
 PURPOSE  OF  DETERMINING  WHETHER ITS DEIDENTIFICATION PROCESSES SATISFY
 THE REQUIREMENTS OF THIS SUBDIVISION; AND
   (C) CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE DATA TO COMPLY  WITH
 ALL PROVISIONS OF THIS ARTICLE.
   11.  "DEVICE"  MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECTING
 TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO  ANOTHER  DEVICE  AND  IS
 INTENDED  FOR  USE  BY A NATURAL PERSON OR HOUSEHOLD OR, IF USED OUTSIDE
 THE HOME, FOR USE BY THE GENERAL PUBLIC.
   12. "IDENTIFIED OR IDENTIFIABLE" MEANS A NATURAL  PERSON  WHO  CAN  BE
 IDENTIFIED, DIRECTLY OR INDIRECTLY, SUCH AS BY REFERENCE TO AN IDENTIFI-
 ER SUCH AS A NAME, AN IDENTIFICATION NUMBER, LOCATION DATA, OR AN ONLINE
 OR DEVICE IDENTIFIER.
   13. "MEANINGFUL HUMAN REVIEW" MEANS REVIEW OR OVERSIGHT BY ONE OR MORE
 INDIVIDUALS  WHO  (A) ARE TRAINED IN THE CAPABILITIES AND LIMITATIONS OF
 THE ALGORITHM AT ISSUE AND THE PROCEDURES TO INTERPRET AND  ACT  ON  THE
 OUTPUT  OF  THE ALGORITHM, AND (B) HAVE THE AUTHORITY TO ALTER THE AUTO-
 MATED DECISION UNDER REVIEW.
   14. "NATURAL PERSON" MEANS A NATURAL PERSON ACTING ONLY IN AN INDIVID-
 UAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN  TO
 BE ACTING IN A PROFESSIONAL OR EMPLOYMENT CONTEXT.
   15.  "PERSON"  MEANS A NATURAL PERSON OR A LEGAL ENTITY, INCLUDING BUT
 NOT LIMITED  TO  A  PROPRIETORSHIP,  PARTNERSHIP,  LIMITED  PARTNERSHIP,
 CORPORATION,  COMPANY, LIMITED LIABILITY COMPANY OR CORPORATION, ASSOCI-
 ATION, OR OTHER FIRM OR SIMILAR BODY, OR  ANY  UNIT,  DIVISION,  AGENCY,
 DEPARTMENT, OR SIMILAR SUBDIVISION THEREOF.
   16. "PERSONAL DATA" MEANS ANY DATA THAT IDENTIFIES OR COULD REASONABLY
 BE  LINKED,  DIRECTLY  OR  INDIRECTLY,  WITH  A SPECIFIC NATURAL PERSON,
 HOUSEHOLD, OR DEVICE.  PERSONAL DATA DOES NOT INCLUDE DEIDENTIFIED DATA.
  17. "PRECISE GEOLOCATION DATA" MEANS INFORMATION DERIVED FROM TECHNOL-
 OGY, INCLUDING, BUT NOT LIMITED TO, GLOBAL POSITIONING SYSTEM LEVEL LATI-
 TUDE AND LONGITUDE COORDINATES OR OTHER MECHANISMS, THAT DIRECTLY  IDEN-
 TIFIES  THE  SPECIFIC  LOCATION  OF  AN  INDIVIDUAL  WITH  PRECISION AND
 ACCURACY WITHIN A RADIUS OF  ONE  THOUSAND  SEVEN  HUNDRED  FIFTY  FEET,
 EXCEPT  AS  PRESCRIBED BY REGULATIONS. PRECISE GEOLOCATION DATA DOES NOT
 INCLUDE THE CONTENT OF  COMMUNICATIONS  OR  ANY  DATA  GENERATED  BY  OR
 CONNECTED TO ADVANCED UTILITY METERING INFRASTRUCTURE SYSTEMS OR EQUIP-
 MENT FOR USE BY A UTILITY.
  18. "PROCESS", "PROCESSES" OR "PROCESSING" MEANS AN OPERATION  OR  SET
 OF  OPERATIONS WHICH ARE PERFORMED ON DATA OR ON SETS OF DATA, INCLUDING
 BUT NOT LIMITED TO THE COLLECTION, USE, ACCESS,  SHARING,  MONETIZATION,
 ANALYSIS, RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGAN-
 IZATION,  STRUCTURING,  STORAGE,  DISCLOSURE,  TRANSMISSION,  DISPOSAL,
 LICENSING, DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFICATION OF
 DATA.
   19. "PROCESSOR" MEANS A PERSON THAT PROCESSES DATA ON  BEHALF  OF  THE
 CONTROLLER.
   20.  "PROFILING"  MEANS  ANY FORM OF AUTOMATED PROCESSING PERFORMED ON
 PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS  RELATED
 TO  AN  IDENTIFIED  OR IDENTIFIABLE NATURAL PERSON'S ECONOMIC SITUATION,
 HEALTH,  PERSONAL   PREFERENCES,   INTERESTS,   RELIABILITY,   BEHAVIOR,
 LOCATION,  OR MOVEMENTS.   PROFILING DOES NOT INCLUDE EVALUATION, ANALY-
 SIS, OR PREDICTION BASED SOLELY UPON A NATURAL PERSON'S  CURRENT  SEARCH
 QUERY  OR  CURRENT  VISIT  TO  A  WEBSITE  OR  ONLINE APPLICATION, IF NO
 PERSONAL DATA IS RETAINED AFTER THE COMPLETION OF THE ACTIVITY  FOR  THE
 PURPOSES IDENTIFIED IN THIS SUBDIVISION.
   21. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   22.  "SALE", "SELL", OR "SOLD" MEANS THE DISCLOSURE, TRANSFER, CONVEY-
 ANCE, SHARING, LICENSING,  MAKING  AVAILABLE,  PROCESSING,  GRANTING  OF
 PERMISSION  OR  AUTHORIZATION  TO PROCESS, OR OTHER EXCHANGE OF PERSONAL
 DATA, OR PROVIDING ACCESS TO PERSONAL DATA FOR MONETARY OR  OTHER  VALU-
 ABLE  CONSIDERATION BY THE CONTROLLER TO A THIRD PARTY.  "SALE" INCLUDES
 ENABLING, FACILITATING OR PROVIDING ACCESS TO PERSONAL DATA FOR TARGETED
 ADVERTISING. "SALE" DOES NOT INCLUDE THE FOLLOWING:
   (A) THE DISCLOSURE OF DATA TO A PROCESSOR WHO PROCESSES  THE  DATA  ON
 BEHALF  OF  THE  CONTROLLER  AND  WHICH IS CONTRACTUALLY PROHIBITED FROM
 USING IT FOR ANY PURPOSE OTHER THAN AS INSTRUCTED BY THE CONTROLLER; OR
   (B) THE DISCLOSURE OR TRANSFER OF DATA AS AN ASSET THAT IS PART  OF  A
 MERGER,  ACQUISITION,  BANKRUPTCY, OR OTHER TRANSACTION IN WHICH ANOTHER
 ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR A MAJORITY OF THE CONTROL-
 LER'S ASSETS.
  23. "SENSITIVE DATA" MEANS PERSONAL DATA THAT REVEALS:
   (A) RACIAL OR ETHNIC ORIGIN, RELIGIOUS  BELIEFS,  MENTAL  OR  PHYSICAL
 HEALTH CONDITION OR DIAGNOSIS, SEX LIFE, SEXUAL ORIENTATION, OR CITIZEN-
 SHIP OR IMMIGRATION STATUS;
   (B) GENETIC OR BIOMETRIC INFORMATION FOR THE PURPOSE OF UNIQUELY IDEN-
 TIFYING A NATURAL PERSON; OR
   (C) PRECISE GEOLOCATION DATA.
   24. "TARGETED ADVERTISING" MEANS ADVERTISING BASED UPON PROFILING.
   25.  "THIRD  PARTY" MEANS, WITH RESPECT TO A PARTICULAR INTERACTION OR
 OCCURRENCE, A PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER  THAN  THE
 CONSUMER, THE CONTROLLER, OR PROCESSOR OF THE CONTROLLER.  A THIRD PARTY
 MAY  ALSO  BE  A  CONTROLLER  IF  THE THIRD PARTY, ALONE OR JOINTLY WITH
 OTHERS,  DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL
 DATA.
   26. "VERIFIED REQUEST" MEANS A REQUEST BY A CONSUMER OR THEIR AGENT TO
 EXERCISE A RIGHT AUTHORIZED BY THIS ARTICLE, THE AUTHENTICITY  OF  WHICH
 HAS  BEEN ASCERTAINED BY THE CONTROLLER IN ACCORDANCE WITH PARAGRAPH (C)
 OF SUBDIVISION NINE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE.
   § 1101. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL PERSONS
 THAT CONDUCT BUSINESS IN NEW YORK OR PRODUCE PRODUCTS OR  SERVICES  THAT
 ARE  TARGETED  TO RESIDENTS OF NEW YORK, AND THAT SATISFY ONE OR MORE OF
 THE FOLLOWING THRESHOLDS:
   (A) HAVE ANNUAL GROSS REVENUE OF TWENTY-FIVE MILLION DOLLARS OR MORE;
   (B) CONTROLS OR  PROCESSES  PERSONAL  DATA  OF  ONE  HUNDRED  THOUSAND
 CONSUMERS OR MORE;
   (C)  CONTROLS  OR  PROCESSES  PERSONAL  DATA  OF FIVE HUNDRED THOUSAND
 NATURAL PERSONS OR MORE NATIONWIDE, AND CONTROLS OR  PROCESSES  PERSONAL
 DATA OF TEN THOUSAND CONSUMERS OR MORE; OR
   (D)  DERIVES  OVER  FIFTY  PERCENT  OF  GROSS REVENUE FROM THE SALE OF
 PERSONAL DATA, AND CONTROLS OR PROCESSES PERSONAL  DATA  OF  TWENTY-FIVE
 THOUSAND CONSUMERS OR MORE.
   2. THIS ARTICLE DOES NOT APPLY TO:
   (A) PERSONAL DATA PROCESSED BY STATE AND LOCAL GOVERNMENTS, AND MUNIC-
 IPAL  CORPORATIONS, FOR PROCESSES OTHER THAN SALE (FILING AND PROCESSING
 FEES ARE NOT SALE);
   (B) A NATIONAL SECURITIES ASSOCIATION REGISTERED PURSUANT  TO  SECTION
 15A  OF  THE SECURITIES EXCHANGE ACT OF 1934, AS AMENDED, OR REGULATIONS
 ADOPTED THEREUNDER OR A REGISTERED  FUTURES  ASSOCIATION  SO  DESIGNATED
 PURSUANT TO SECTION 17 OF THE COMMODITY EXCHANGE ACT, AS AMENDED, OR ANY
 REGULATIONS ADOPTED THEREUNDER;
   (C) INFORMATION THAT MEETS THE FOLLOWING CRITERIA:
   (I) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO
 AND   IN  COMPLIANCE  WITH  THE  FEDERAL  GRAMM-LEACH-BLILEY  ACT  (P.L.
 106-102), AND IMPLEMENTING REGULATIONS;
   (II) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR  DISCLOSED  PURSUANT
 TO  THE  FEDERAL DRIVER'S PRIVACY PROTECTION ACT OF 1994 (18 U.S.C. SEC.
 2721 ET SEQ.), IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN
 COMPLIANCE WITH THAT LAW;
   (III) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS
 AND PRIVACY ACT, U.S.C. SEC. 1232G AND ITS IMPLEMENTING REGULATIONS;
   (IV)  PERSONAL  DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT
 TO THE FEDERAL FARM CREDIT ACT OF 1971 (AS AMENDED  IN  12  U.S.C.  SEC.
 2001-2279CC)  AND  ITS  IMPLEMENTING  REGULATIONS (12 C.F.R. PART 600 ET
 SEQ.) IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN  COMPLI-
 ANCE WITH THAT LAW;
   (V) PERSONAL DATA REGULATED BY SECTION TWO-D OF THE EDUCATION LAW;
   (VI)  DATA  MAINTAINED  AS EMPLOYMENT RECORDS, FOR PURPOSES OTHER THAN
 SALE;
   (VII) PROTECTED HEALTH INFORMATION THAT IS  LAWFULLY  COLLECTED  BY  A
 COVERED  ENTITY  OR  BUSINESS  ASSOCIATE AND IS GOVERNED BY THE PRIVACY,
 SECURITY, AND BREACH NOTIFICATION RULES  ISSUED  BY  THE  UNITED  STATES
 DEPARTMENT  OF  HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45
 OF THE CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO  THE  HEALTH
 INSURANCE  PORTABILITY  AND  ACCOUNTABILITY  ACT  OF  1996  (PUBLIC  LAW
 104-191) ("HIPAA") AND THE HEALTH INFORMATION  TECHNOLOGY  FOR  ECONOMIC
 AND CLINICAL HEALTH ACT (PUBLIC LAW 111-5);
   (VIII)  PATIENT IDENTIFYING INFORMATION FOR PURPOSES OF 42 C.F.R. PART
 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290DD-2, AS LONG AS SUCH  DATA
 IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR FEDERAL LAW;
   (IX)  INFORMATION  AND  DOCUMENTS LAWFULLY CREATED FOR PURPOSES OF THE
 FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986, AND  RELATED  REGU-
 LATIONS;
   (X) PATIENT SAFETY WORK PRODUCT CREATED FOR PURPOSES OF 42 C.F.R. PART
 3, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 299B-21 THROUGH 299B-26;
   (XI)  INFORMATION  THAT  IS  TREATED IN THE SAME MANNER AS INFORMATION
 EXEMPT UNDER SUBPARAGRAPH (VII) OF THIS PARAGRAPH THAT IS MAINTAINED  BY
 A  COVERED ENTITY OR BUSINESS ASSOCIATE AS DEFINED BY HIPAA OR A PROGRAM
 OR A QUALIFIED SERVICE ORGANIZATION AS DEFINED BY 42 U.S.C.  §  290DD-2,
 AS  LONG  AS SUCH DATA IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR
 FEDERAL LAW;
   (XII) DEIDENTIFIED HEALTH INFORMATION THAT MEETS ALL OF THE  FOLLOWING
 CONDITIONS:
   (A) IT IS DEIDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DEIDEN-
 TIFICATION  SET  FORTH IN SECTION 164.514 OF PART 164 OF TITLE 45 OF THE
 CODE OF FEDERAL REGULATIONS;
   (B) IT IS DERIVED  FROM  PROTECTED  HEALTH  INFORMATION,  INDIVIDUALLY
 IDENTIFIABLE  HEALTH  INFORMATION,  OR  IDENTIFIABLE PRIVATE INFORMATION
 COMPLIANT WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN  SUBJECTS,
 ALSO KNOWN AS THE COMMON RULE; AND
   (C) A COVERED ENTITY OR BUSINESS ASSOCIATE DOES NOT ATTEMPT TO REIDEN-
 TIFY  THE  INFORMATION  NOR  DO THEY ACTUALLY REIDENTIFY THE INFORMATION
 EXCEPT AS OTHERWISE ALLOWED UNDER STATE OR FEDERAL LAW;
   (XIII) INFORMATION MAINTAINED BY A COVERED ENTITY OR BUSINESS  ASSOCI-
 ATE  GOVERNED  BY  THE  PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES
 ISSUED BY THE UNITED STATES DEPARTMENT OF  HEALTH  AND  HUMAN  SERVICES,
 PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS, ESTAB-
 LISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
 ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE  COVERED  ENTITY  OR
 BUSINESS  ASSOCIATE  MAINTAINS  THE  INFORMATION  IN  THE SAME MANNER AS
 PROTECTED HEALTH INFORMATION AS DESCRIBED IN SUBPARAGRAPH (VII) OF  THIS
 PARAGRAPH;
   (XIV)  DATA  COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH, INCLUDING A
 CLINICAL TRIAL, CONDUCTED IN ACCORDANCE WITH THE FEDERAL POLICY FOR  THE
 PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO
 GOOD  CLINICAL  PRACTICE  GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL
 FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT  PROTECTION  REQUIREMENTS
 OF THE UNITED STATES FOOD AND DRUG ADMINISTRATION; OR
   (XV)  PERSONAL  DATA  PROCESSED  ONLY FOR ONE OR MORE OF THE FOLLOWING
 PURPOSES:
   (A) PRODUCT  REGISTRATION  AND  TRACKING  CONSISTENT  WITH  APPLICABLE
 UNITED STATES FOOD AND DRUG ADMINISTRATION REGULATIONS AND GUIDANCE;
   (B)  PUBLIC  HEALTH  ACTIVITIES  AND  PURPOSES AS DESCRIBED IN SECTION
 164.512 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; AND/OR
   (C) ACTIVITIES RELATED TO QUALITY, SAFETY, OR EFFECTIVENESS  REGULATED
 BY THE UNITED STATES FOOD AND DRUG ADMINISTRATION;
   (D) (I) AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE,
 SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S
 CREDIT  WORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL
 REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING  BY  A  CONSUMER
 REPORTING  AGENCY,  AS  DEFINED  IN  TITLE 15 U.S.C. SEC. 1681A(F), BY A
 FURNISHER OF INFORMATION, AS SET FORTH IN TITLE 15 U.S.C. SEC.  1681S-2,
 WHO PROVIDES INFORMATION FOR USE IN A CONSUMER  REPORT,  AS  DEFINED  IN
 TITLE  15  U.S.C.  SEC. 1681A(D), AND BY A USER OF A CONSUMER REPORT, AS
 SET FORTH IN TITLE 15 U.S.C. SEC. 1681B; AND
   (II)  THIS PARAGRAPH SHALL APPLY ONLY TO THE EXTENT THAT SUCH ACTIVITY
 INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE,  COMMUNICATION,
 OR  USE  OF  SUCH  DATA BY THAT AGENCY, FURNISHER, OR USER IS SUBJECT TO
 REGULATION UNDER THE FAIR CREDIT REPORTING ACT,  TITLE  15  U.S.C.  SEC.
 1681  ET SEQ., AND THE DATA IS NOT COLLECTED, MAINTAINED, USED, COMMUNI-
 CATED, DISCLOSED, OR SOLD  EXCEPT  AS  AUTHORIZED  BY  THE  FAIR  CREDIT
 REPORTING ACT.
   § 1102. CONSUMER RIGHTS. 1. RIGHT TO NOTICE. (A) NOTICE. EACH CONTROL-
 LER  THAT  PROCESSES  A  CONSUMER'S PERSONAL DATA MUST MAKE PUBLICLY AND
 PERSISTENTLY AVAILABLE, IN A CONSPICUOUS AND READILY ACCESSIBLE  MANNER,
 A NOTICE CONTAINING THE FOLLOWING:
   (I)  A  DESCRIPTION  OF  THE  CONSUMER'S RIGHTS UNDER SUBDIVISIONS TWO
 THROUGH SEVEN OF THIS SECTION AND HOW  A  CONSUMER  MAY  EXERCISE  THOSE
 RIGHTS, INCLUDING HOW TO WITHDRAW CONSENT;
   (II)  THE  CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER AND
 BY ANY PROCESSOR WHO PROCESSES PERSONAL DATA ON BEHALF OF  THE  CONTROL-
 LER;
   (III) THE SOURCES FROM WHICH PERSONAL DATA IS COLLECTED;
   (IV) THE PURPOSES FOR PROCESSING PERSONAL DATA;
   (V)  THE CATEGORIES OF THIRD PARTIES TO WHOM THE CONTROLLER DISCLOSED,
 SHARED, TRANSFERRED OR SOLD PERSONAL DATA  AND,  FOR  EACH  CATEGORY  OF
 THIRD   PARTY,  (A)  THE  CATEGORIES  OF  PERSONAL  DATA  BEING  SHARED,
 DISCLOSED, TRANSFERRED, OR SOLD TO THE THIRD PARTY, (B) THE PURPOSES FOR
 WHICH PERSONAL DATA IS BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD  TO
 THE  THIRD PARTY, (C) ANY APPLICABLE RETENTION PERIODS FOR EACH CATEGORY
 OF PERSONAL DATA PROCESSED BY THE THIRD PARTIES OR  PROCESSED  ON  THEIR
 BEHALF,  OR  IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THE
 PERIOD, AND (D) WHETHER THE THIRD PARTIES MAY USE THE PERSONAL DATA  FOR
 TARGETED ADVERTISING;
   (VI)  THE  CONTROLLER'S RETENTION PERIOD FOR EACH CATEGORY OF PERSONAL
 DATA THAT THEY PROCESS OR IS PROCESSED ON THEIR BEHALF, OR  IF  THAT  IS
 NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD; AND
   (VII)  FOR  CONTROLLERS  ENGAGING  IN  TARGETED  ADVERTISING,  AVERAGE
 EXPECTED REVENUE PER USER (ARPU) OR A SIMILAR METRIC FOR THE MOST RECENT
 FISCAL YEAR FOR THE REGION THAT COVERS NEW YORK.
   (B) NOTICE REQUIREMENTS.
   (I) THE NOTICE MUST BE WRITTEN IN EASY-TO-UNDERSTAND  LANGUAGE  AT  AN
 EIGHTH GRADE READING LEVEL OR BELOW.
   (II)  THE CATEGORIES OF PERSONAL DATA PROCESSED AND PURPOSES FOR WHICH
 EACH CATEGORY OF PERSONAL DATA IS PROCESSED MUST BE DESCRIBED AT A LEVEL
 SPECIFIC ENOUGH TO ENABLE A CONSUMER TO EXERCISE MEANINGFUL CONTROL OVER
 THEIR PERSONAL DATA BUT NOT SO SPECIFIC AS TO RENDER THE NOTICE  UNHELP-
 FUL TO A REASONABLE CONSUMER.
   (III)  THE NOTICE MUST BE DATED WITH ITS EFFECTIVE DATE AND UPDATED AT
 LEAST ANNUALLY.   WHEN THE INFORMATION REQUIRED TO  BE  DISCLOSED  TO  A
 CONSUMER  PURSUANT  TO PARAGRAPH (A) OF THIS SUBDIVISION HAS NOT CHANGED
 SINCE THE IMMEDIATELY  PREVIOUS  NOTICE  (WHETHER  INITIAL,  ANNUAL,  OR
 REVISED)  PROVIDED  TO  THE CONSUMER, A CONTROLLER MAY ISSUE A STATEMENT
 THAT NO CHANGES HAVE BEEN MADE.
   (IV) THE NOTICE, AS WELL AS EACH VERSION OF THE NOTICE  IN  EFFECT  IN
 THE  PRECEDING  SIX  YEARS,   MUST BE EASILY ACCESSIBLE TO CONSUMERS AND
 CAPABLE OF BEING VIEWED BY CONSUMERS AT ANY TIME.
   2. RIGHT TO OPT OUT.  (A) A CONTROLLER MUST ALLOW CONSUMERS THE  RIGHT
 TO  OPT  OUT,  AT  ANY  TIME, OF PROCESSING PERSONAL DATA CONCERNING THE
 CONSUMER FOR THE PURPOSES OF:
   (I) TARGETED ADVERTISING;
   (II) THE SALE OF PERSONAL DATA; AND
   (III)  PROFILING  IN  FURTHERANCE  OF  DECISIONS THAT PRODUCE LEGAL OR
 SIMILARLY SIGNIFICANT EFFECTS CONCERNING A CONSUMER.
   (B) A CONTROLLER MUST PROVIDE CLEAR  AND  CONSPICUOUS  MEANS  FOR  THE
 CONSUMER  OR THEIR AGENT TO OPT OUT OF PROCESSING AND CLEARLY PRESENT AS
 THE MOST CONSPICUOUS CHOICE AN OPTION TO SIMULTANEOUSLY OPT OUT  OF  ALL
 PROCESSING PURPOSES SET FORTH IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (C)  A  CONTROLLER MUST NOT PROCESS PERSONAL DATA FOR ANY PURPOSE FROM
 WHICH THE CONSUMER HAS OPTED OUT.
   (D) A CONTROLLER MUST NOT REQUEST THAT A CONSUMER WHO HAS OPTED OUT OF
 CERTAIN PURPOSES OF PROCESSING PERSONAL DATA OPT BACK IN,  UNLESS  THOSE
 PURPOSES  SUBSEQUENTLY BECOME NECESSARY TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY A CONSUMER. TARGETED ADVERTISING AND SALE OF PERSONAL  DATA
 SHALL  NOT  BE  CONSIDERED  PROCESSING  PURPOSES  THAT  ARE NECESSARY TO
 PROVIDE SERVICE OR GOODS REQUESTED BY A CONSUMER.
  (E) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A BROWSER,
 BROWSER  PLUG-IN,  SMARTPHONE  APPLICATION,  OPERATING  SYSTEM,   DEVICE
 SETTING,  OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE CONSUMER'S
 CHOICE TO OPT OUT OF THE PROCESSING OF PERSONAL DATA IN  FURTHERANCE  OF
 TARGETED  ADVERTISING, THE SALE OF THEIR PERSONAL DATA, OR PROFILING  IN
 FURTHERANCE OF DECISIONS THAT PRODUCE  LEGAL  OR  SIMILARLY  SIGNIFICANT
 EFFECTS CONCERNING THE CONSUMER AS AN OPT OUT UNDER THIS ARTICLE. TO THE
 EXTENT THAT THE PRIVACY CONTROL CONFLICTS WITH A CONSUMER'S CONSENT, THE
 PRIVACY  CONTROL  SETTINGS  GOVERN,  UNLESS THE CONSUMER PROVIDES FREELY
 GIVEN, SPECIFIC, INFORMED,  AND  UNAMBIGUOUS  CONSENT  TO  OVERRIDE  THE
 PRIVACY CONTROL.
   3.  SENSITIVE DATA. (A) A CONTROLLER MUST OBTAIN FREELY GIVEN, SPECIF-
 IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM A CONSUMER TO:
   (I) PROCESS THE CONSUMER'S SENSITIVE DATA RELATED TO THAT CONSUMER FOR
 ANY PURPOSE OTHER THAN  THOSE  IN  SUBDIVISION  TWO  OF  SECTION  ELEVEN
 HUNDRED FIVE OF THIS ARTICLE; OR
   (II)  MAKE  ANY  CHANGES  TO  THE  EXISTING  PROCESSING  OR PROCESSING
 PURPOSE, INCLUDING THOSE REGARDING THE METHOD AND SCOPE  OF  COLLECTION,
 OF  THE  CONSUMER'S  SENSITIVE  DATA  THAT MAY BE LESS PROTECTIVE OF THE
 CONSUMER'S SENSITIVE DATA THAN THE PROCESSING TO WHICH THE CONSUMER  HAS
 PREVIOUSLY GIVEN THEIR FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
 OPT-IN CONSENT.
   (B) ANY REQUEST FOR CONSENT TO PROCESS SENSITIVE DATA MUST BE PROVIDED
 TO  THE  CONSUMER, PRIOR TO PROCESSING THEIR SENSITIVE DATA, IN A STAND-
 ALONE DISCLOSURE THAT IS SEPARATE AND APART FROM ANY CONTRACT OR PRIVACY
 POLICY. THE REQUEST FOR CONSENT MUST:
   (I) INCLUDE A CLEAR AND CONSPICUOUS DESCRIPTION OF  EACH  CATEGORY  OF
 DATA AND PROCESSING PURPOSE FOR WHICH CONSENT IS SOUGHT;
   (II)  CLEARLY  IDENTIFY AND DISTINGUISH BETWEEN CATEGORIES OF DATA AND
 PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE THE SERVICES OR  GOODS
 REQUESTED BY THE CONSUMER AND CATEGORIES OF DATA AND PROCESSING PURPOSES
 THAT ARE NOT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER;
   (III)  ENABLE  A REASONABLE CONSUMER TO EASILY IDENTIFY THE CATEGORIES
 OF DATA AND PROCESSING PURPOSES FOR WHICH CONSENT IS SOUGHT;
   (IV) CLEARLY PRESENT AS THE  MOST  CONSPICUOUS  CHOICE  AN  OPTION  TO
 PROVIDE  ONLY  THE  CONSENT  NECESSARY  TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY THE CONSUMER;
   (V) CLEARLY PRESENT AN OPTION TO DENY CONSENT; AND
   (VI) WHERE THE REQUEST SEEKS CONSENT TO SHARING, DISCLOSURE, TRANSFER,
 OR  SALE  OF SENSITIVE DATA TO THIRD PARTIES, IDENTIFY THE CATEGORIES OF
 SUCH THIRD PARTIES, THE CATEGORIES OF DATA SOLD OR SHARED WITH THEM, THE
 PROCESSING PURPOSES, THE RETENTION PERIOD, OR IF THAT IS  NOT  POSSIBLE,
 THE  CRITERIA  USED  TO DETERMINE THE PERIOD, AND STATE IF SUCH SHARING,
 DISCLOSURE, TRANSFER, OR SALE ENABLES OR INVOLVES TARGETED  ADVERTISING.
 THE  DETAILS OF THE CATEGORIES OF SUCH THIRD PARTIES, AND THE CATEGORIES
 OF DATA, PROCESSING PURPOSES, AND THE RETENTION PERIOD, MAY BE SET FORTH
 IN A  DIFFERENT  DISCLOSURE,  PROVIDED  THAT  THE  REQUEST  FOR  CONSENT
 CONTAINS A CONSPICUOUS AND DIRECTLY ACCESSIBLE LINK TO THAT DISCLOSURE.
   (C)  TARGETED  ADVERTISING  AND  SALE  OF  PERSONAL  DATA SHALL NOT BE
 CONSIDERED PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE SERVICES OR
 GOODS REQUESTED BY A CONSUMER.
   (D) ONCE A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND
 UNAMBIGUOUS OPT-IN CONSENT TO PROCESS THEIR SENSITIVE DATA FOR  A  PROC-
 ESSING  PURPOSE, A CONTROLLER MAY RELY ON SUCH CONSENT UNTIL IT IS WITH-
 DRAWN.
   (E) A CONTROLLER MUST PROVIDE A MECHANISM FOR A CONSUMER  TO  WITHDRAW
 PREVIOUSLY  GIVEN  CONSENT  AT ANY TIME. SUCH MECHANISM SHALL MAKE IT AS
 EASY FOR A CONSUMER TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH CONSUMER
 TO PROVIDE CONSENT.
   (F) A CONTROLLER MUST NOT INFER THAT A CONSUMER  HAS  PROVIDED  FREELY
 GIVEN,  SPECIFIC,  INFORMED,  AND  UNAMBIGUOUS  OPT-IN  CONSENT FROM THE
 CONSUMER'S INACTION OR THE CONSUMER'S CONTINUED  USE  OF  A  SERVICE  OR
 PRODUCT PROVIDED BY THE CONTROLLER.
   (G)  CONTROLLERS  MUST  NOT  REQUEST  CONSENT  FROM A CONSUMER WHO HAS
 PREVIOUSLY WITHHELD OR DENIED CONSENT TO PROCESS SENSITIVE DATA,  UNLESS
 CONSENT  IS  NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER.
  (H) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A  BROWSER,
 BROWSER  PLUG-IN,  SMARTPHONE  APPLICATION,  OPERATING  SYSTEM,   DEVICE
 SETTING,  OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE CONSUMER'S
 CHOICES TO OPT OUT OF THE PROCESSING OF PERSONAL DATA IN FURTHERANCE  OF
 TARGETED  ADVERTISING,  THE SALE OF THEIR PERSONAL DATA, OR PROFILING IN
 FURTHERANCE OF DECISIONS THAT PRODUCE  LEGAL  OR  SIMILARLY  SIGNIFICANT
 EFFECTS CONCERNING THE CONSUMER AS A DENIAL OF CONSENT TO PROCESS SENSI-
 TIVE  DATA  UNDER  THIS  ARTICLE. TO THE EXTENT THAT THE PRIVACY CONTROL
 CONFLICTS WITH  A  CONSUMER'S  CONSENT,  THE  PRIVACY  CONTROL  SETTINGS
 GOVERN,  UNLESS  THE CONSUMER PROVIDES FREELY GIVEN, SPECIFIC, INFORMED,
 AND UNAMBIGUOUS OPT-IN CONSENT TO OVERRIDE THE PRIVACY CONTROL.
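The precedence rule in paragraph (e) of subdivision two and paragraph (h) of subdivision three (a user-enabled privacy control signal counts as an opt out, and as a denial of consent for sensitive data, and governs over conflicting consent unless the consumer has specifically consented to override it) is the part of this section a controller actually has to encode in request handling. The following is an added illustration, not text of the bill and not any controller's production code. It assumes the signal reaches the server as the Global Privacy Control request header `Sec-GPC: 1` (the bill names no mechanism), and the `ConsentRecord` shape and purpose names are hypothetical.

```python
# Added example (not part of S. 365): server-side evaluation of a browser
# opt-out signal against a controller's stored consent, following the
# precedence rule of subdivisions 2(e) and 3(h) of section 1102.
# Assumptions (not in the bill): the signal arrives as the Global Privacy
# Control request header "Sec-GPC: 1"; the ConsentRecord shape and the
# purpose names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Purposes a signal opts the consumer out of (subdivision 2(a)).
SIGNAL_OPT_OUT_PURPOSES = frozenset(
    {"targeted_advertising", "sale", "profiling_significant_effects"}
)
# Purposes the bill says are never "necessary to provide the service"
# (subdivisions 2(d) and 3(c)).
NEVER_NECESSARY = frozenset({"targeted_advertising", "sale"})


@dataclass
class ConsentRecord:
    """Hypothetical per-consumer consent store."""
    opted_in: Set[str] = field(default_factory=set)   # purposes consented to
    opted_out: Set[str] = field(default_factory=set)  # opted out via controller UI
    override_signal: bool = False      # specific consent to override the signal
    sensitive_consent: Optional[bool] = None          # None = never asked


def signal_present(headers: Dict[str, str]) -> bool:
    """True if the request carries an opt-out signal (assumed: Sec-GPC: 1).
    Header names are case-insensitive, so compare lower-cased."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def effective_opt_outs(record: ConsentRecord, headers: Dict[str, str]) -> Set[str]:
    """Explicit opt-outs plus signal-derived ones. Per 2(e) the signal governs
    over any conflicting consent unless the consumer specifically consented
    to override the control."""
    outs = set(record.opted_out)
    if signal_present(headers) and not record.override_signal:
        outs |= SIGNAL_OPT_OUT_PURPOSES
    return outs


def may_process(purpose: str, record: ConsentRecord, headers: Dict[str, str]) -> bool:
    """2(c): never process for a purpose the consumer has opted out of."""
    return purpose not in effective_opt_outs(record, headers)


def sensitive_consent_status(record: ConsentRecord,
                             headers: Dict[str, str]) -> Optional[bool]:
    """3(h): a signal counts as a denial of consent to process sensitive data,
    again unless the consumer specifically consented to override it."""
    if signal_present(headers) and not record.override_signal:
        return False
    return record.sensitive_consent


def may_request_consent(purpose: str, record: ConsentRecord,
                        headers: Dict[str, str], necessary_for_service: bool) -> bool:
    """2(d)/3(g): do not ask a consumer who opted out or denied to opt back in,
    unless the purpose is necessary for the goods or services requested.
    Targeted advertising and sale are never treated as necessary."""
    if purpose in NEVER_NECESSARY:
        necessary_for_service = False
    if purpose == "sensitive_data":
        refused = sensitive_consent_status(record, headers) is False
    else:
        refused = purpose in effective_opt_outs(record, headers)
    return necessary_for_service or not refused


if __name__ == "__main__":
    # Constructed request: consumer previously opted in to targeted ads and
    # consented to sensitive-data processing, but the browser now sends GPC.
    rec = ConsentRecord(opted_in={"targeted_advertising"}, sensitive_consent=True)
    gpc_request = {"Sec-GPC": "1", "User-Agent": "constructed-example"}
    print("targeted ads allowed:", may_process("targeted_advertising", rec, gpc_request))
    print("sensitive consent:", sensitive_consent_status(rec, gpc_request))
    print("may re-ask for ads consent:",
          may_request_consent("targeted_advertising", rec, gpc_request, True))
```

Note the asymmetry the code makes explicit: a stored opt-in does not beat the signal, but a stored `override_signal` does, and only because the bill carves out a consumer's specific consent to override the control. Purposes outside the three named in subdivision 2(a) are untouched by the signal and remain governed by the consumer's other choices.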
   (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST A  CONSUMER  FOR  WITH-
 HOLDING OR DENYING CONSENT, INCLUDING, BUT NOT LIMITED TO, BY:
   (I)  DENYING  SERVICES  OR  GOODS TO THE CONSUMER, UNLESS THE CONSUMER
 DOES NOT CONSENT TO PROCESSING NECESSARY  TO  PROVIDE  THE  SERVICES  OR
 GOODS REQUESTED BY THE CONSUMER;
   (II)  CHARGING  DIFFERENT  PRICES  FOR  GOODS  OR  SERVICES, INCLUDING
 THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING  PENALTIES,  OR
 PROVIDING  A  DIFFERENT  LEVEL  OR  QUALITY  OF SERVICES OR GOODS TO THE
 CONSUMER; OR
   (III) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT  PRICE  OR
 RATE  FOR  GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF SERVICES
 OR GOODS.
   (J) A CONTROLLER MAY, WITH  THE  CONSUMER'S  FREELY  GIVEN,  SPECIFIC,
 INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION,
 OPERATE  A  PROGRAM  IN WHICH INFORMATION, PRODUCTS, OR SERVICES SOLD TO
 THE CONSUMER ARE  DISCOUNTED  BASED  SOLELY  ON  SUCH  CONSUMER'S  PRIOR
 PURCHASES  FROM THE CONTROLLER, PROVIDED THAT ANY SENSITIVE DATA USED TO
 OPERATE SUCH PROGRAM IS PROCESSED SOLELY FOR THE  PURPOSE  OF  OPERATING
 SUCH PROGRAM.
   (K) IN THE EVENT OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANS-
 ACTION  IN  WHICH  ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR
 MAJORITY OF  THE  CONTROLLER'S  ASSETS,  ANY  CONSENT  PROVIDED  TO  THE
 CONTROLLER BY A CONSUMER PRIOR TO SUCH TRANSACTION SHALL BE DEEMED WITH-
 DRAWN.
   4.  RIGHT  TO  ACCESS.  UPON  THE  VERIFIED  REQUEST  OF A CONSUMER, A
 CONTROLLER SHALL:
   (A) CONFIRM WHETHER OR NOT THE CONTROLLER IS PROCESSING OR  HAS  PROC-
 ESSED  PERSONAL  DATA  OF THAT CONSUMER, AND PROVIDE ACCESS TO A COPY OF
 ANY SUCH PERSONAL DATA  IN  A  MANNER  UNDERSTANDABLE  TO  A  REASONABLE
 CONSUMER WHEN REQUESTED; AND
   (B)  PROVIDE THE CATEGORY OF EACH PROCESSOR OR THIRD PARTY TO WHOM THE
 CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE CONSUMER'S PERSONAL  DATA
 AND,  FOR  EACH CATEGORY OF PROCESSOR OR THIRD PARTY, (I) THE CATEGORIES
 OF THE CONSUMER'S PERSONAL DATA DISCLOSED, TRANSFERRED, OR SOLD TO  EACH
 PROCESSOR  OR  THIRD PARTY AND (II) THE PURPOSES FOR WHICH EACH CATEGORY
 OF THE CONSUMER'S PERSONAL DATA WAS DISCLOSED, TRANSFERRED, OR  SOLD  TO
 EACH PROCESSOR OR THIRD PARTY.
   5. RIGHT TO PORTABLE DATA.  UPON A VERIFIED REQUEST, AND TO THE EXTENT
 TECHNICALLY FEASIBLE, THE CONTROLLER MUST: (A) PROVIDE TO THE CONSUMER A
 COPY  OF  ALL  OF, OR A PORTION OF, AS DESIGNATED IN A VERIFIED REQUEST,
 THE  CONSUMER'S  PERSONAL  DATA  IN  A  STRUCTURED,  COMMONLY  USED  AND
 MACHINE-READABLE  FORMAT  AND (B) TRANSMIT THE DATA TO ANOTHER PERSON OF
 THE CONSUMER'S OR THEIR AGENT'S DESIGNATION WITHOUT HINDRANCE.
   6. RIGHT TO CORRECT. (A) UPON THE VERIFIED REQUEST OF  A  CONSUMER  OR
 THEIR  AGENT,  A  CONTROLLER  MUST CONDUCT A REASONABLE INVESTIGATION TO
 DETERMINE WHETHER PERSONAL DATA, THE ACCURACY OF WHICH  IS  DISPUTED  BY
 THE  CONSUMER,  IS  INACCURATE,  WITH SUCH INVESTIGATION TO BE CONCLUDED
 WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION NINE OF
 THIS SECTION.
   (B) NOTWITHSTANDING PARAGRAPH (A) OF THIS  SUBDIVISION,  A  CONTROLLER
 MAY  TERMINATE  AN INVESTIGATION INITIATED PURSUANT TO SUCH PARAGRAPH IF
 THE CONTROLLER REASONABLY AND IN GOOD FAITH DETERMINES THAT THE  DISPUTE
 BY  THE CONSUMER IS WHOLLY WITHOUT MERIT, INCLUDING BY REASON OF A FAIL-
 URE BY A CONSUMER TO PROVIDE SUFFICIENT INFORMATION TO  INVESTIGATE  THE
 DISPUTED PERSONAL DATA. UPON MAKING ANY DETERMINATION IN ACCORDANCE WITH
 THIS  PARAGRAPH  THAT  A  DISPUTE  IS WHOLLY WITHOUT MERIT, A CONTROLLER
 MUST, WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A)  OF  SUBDIVISION
 NINE OF THIS SECTION, PROVIDE THE AFFECTED CONSUMER A STATEMENT IN WRIT-
 ING  THAT  INCLUDES, AT A MINIMUM, THE SPECIFIC REASONS FOR THE DETERMI-
 NATION, AND IDENTIFICATION OF ANY INFORMATION  REQUIRED  TO  INVESTIGATE
 THE  DISPUTED  PERSONAL  DATA,  WHICH MAY CONSIST OF A STANDARDIZED FORM
 DESCRIBING THE GENERAL NATURE OF SUCH INFORMATION.
   (C) IF, AFTER ANY INVESTIGATION UNDER PARAGRAPH (A) OF  THIS  SUBDIVI-
 SION  OF  ANY  PERSONAL  DATA  DISPUTED  BY  A  CONSUMER, AN ITEM OF THE
 PERSONAL DATA IS FOUND TO BE INACCURATE  OR  INCOMPLETE,  OR  CANNOT  BE
 VERIFIED, THE CONTROLLER MUST:
   (I)  CORRECT THE INACCURATE OR INCOMPLETE PERSONAL DATA OF THE CONSUM-
 ER; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE  EFFORT,
 COMMUNICATE  SUCH  REQUEST  TO EACH PROCESSOR OR THIRD PARTY TO WHOM THE
 CONTROLLER DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA WITHIN  ONE
 YEAR  PRECEDING  THE CONSUMER'S REQUEST, AND TO REQUIRE THOSE PROCESSORS
 OR  THIRD  PARTIES  TO  DO  THE SAME FOR ANY FURTHER PROCESSORS OR THIRD
 PARTIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (D) IF THE INVESTIGATION DOES NOT RESOLVE THE  DISPUTE,  THE  CONSUMER
 MAY  FILE WITH THE CONTROLLER A BRIEF STATEMENT SETTING FORTH THE NATURE
 OF THE DISPUTE. WHENEVER A STATEMENT OF A DISPUTE IS FILED, UNLESS THERE
 EXISTS REASONABLE GROUNDS TO BELIEVE THAT IT IS  WHOLLY  WITHOUT  MERIT,
 THE CONTROLLER MUST NOTE THAT IT IS DISPUTED BY THE CONSUMER AND INCLUDE
 EITHER  THE CONSUMER'S STATEMENT OR A CLEAR AND ACCURATE CODIFICATION OR
 SUMMARY  THEREOF  WITH  THE  DISPUTED  PERSONAL  DATA  WHENEVER  IT   IS
 DISCLOSED, TRANSFERRED, OR SOLD TO ANY PROCESSOR OR THIRD PARTY.
   7.  RIGHT  TO  DELETE.  (A) UPON THE VERIFIED REQUEST OF A CONSUMER, A
 CONTROLLER MUST:
   (I) WITHIN FORTY-FIVE  DAYS  AFTER  RECEIVING  THE  VERIFIED  REQUEST,
 DELETE  ANY  OR  ALL OF THE CONSUMER'S PERSONAL DATA, AS DIRECTED BY THE
 CONSUMER OR THEIR AGENT,  THAT THE CONTROLLER POSSESSES OR CONTROLS; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES  DISPROPORTIONATE  EFFORT
 THAT  IS  DOCUMENTED  IN  WRITING  BY  THE  CONTROLLER, COMMUNICATE SUCH
 REQUEST TO  EACH  PROCESSOR  OR  THIRD  PARTY  TO  WHOM  THE  CONTROLLER
 DISCLOSED, TRANSFERRED OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECED-
 ING  THE  CONSUMER'S  REQUEST  AND  TO REQUIRE THOSE PROCESSORS OR THIRD
 PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD PARTIES  THEY
 DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (B) FOR PERSONAL DATA THAT IS NOT POSSESSED BY THE CONTROLLER BUT BY A
 PROCESSOR  OF  THE CONTROLLER, THE CONTROLLER MAY CHOOSE TO (I) COMMUNI-
 CATE THE CONSUMER'S REQUEST FOR  DELETION  TO  THE  PROCESSOR,  OR  (II)
 REQUEST  THAT  THE  PROCESSOR RETURN TO THE CONTROLLER THE PERSONAL DATA
 THAT IS THE SUBJECT OF THE CONSUMER'S REQUEST AND DELETE  SUCH  PERSONAL
 DATA UPON RECEIPT OF THE REQUEST.
   (C) A CONSUMER'S DELETION OF THEIR ONLINE ACCOUNT MUST BE TREATED AS A
 REQUEST  TO  THE  CONTROLLER  TO  DELETE ALL OF THAT CONSUMER'S PERSONAL
 DATA.
   (D) A CONTROLLER  MUST  MAINTAIN  REASONABLE  PROCEDURES  DESIGNED  TO
 PREVENT  THE  REAPPEARANCE IN ITS SYSTEMS, AND IN ANY DATA IT DISCLOSES,
 TRANSFERS, OR SELLS TO ANY PROCESSOR OR THIRD PARTY, THE  PERSONAL  DATA
 THAT IS DELETED PURSUANT TO THIS SUBDIVISION.
   (E)  A  CONTROLLER IS NOT REQUIRED TO COMPLY WITH A CONSUMER'S REQUEST
 TO DELETE PERSONAL DATA IF:
   (I) COMPLYING WITH THE  REQUEST  WOULD  PREVENT  THE  CONTROLLER  FROM
 PERFORMING  ACCOUNTING  FUNCTIONS,  PROCESSING  REFUNDS,  EFFECTUATING A
 PRODUCT RECALL PURSUANT TO FEDERAL OR STATE LAW, OR FULFILLING  WARRANTY
 CLAIMS,  PROVIDED  THAT  THE  PERSONAL  DATA  THAT IS THE SUBJECT OF THE
 REQUEST IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH SPECIFIC ACTIV-
 ITIES; OR
   (II) IT IS NECESSARY FOR THE CONTROLLER  TO  MAINTAIN  THE  CONSUMER'S
 PERSONAL  DATA  TO ENGAGE IN PUBLIC OR PEER-REVIEWED SCIENTIFIC, HISTOR-
 ICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL
 OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE CONTROLLER'S DELETION
 OF THE INFORMATION IS LIKELY TO RENDER IMPOSSIBLE  OR  SERIOUSLY  IMPAIR
 THE  ACHIEVEMENT  OF SUCH RESEARCH, PROVIDED THAT THE CONSUMER HAS GIVEN
 INFORMED CONSENT AND THE PERSONAL DATA IS NOT PROCESSED FOR ANY  PURPOSE
 OTHER THAN SUCH RESEARCH.
   8. AUTOMATED DECISION-MAKING. (A) WHENEVER A CONTROLLER MAKES AN AUTO-
 MATED  DECISION  INVOLVING  SOLELY  AUTOMATED PROCESSING THAT MATERIALLY
 CONTRIBUTES TO A DENIAL  OF  FINANCIAL  OR  LENDING  SERVICES,  HOUSING,
 PUBLIC  ACCOMMODATION,  INSURANCE,  HEALTH  CARE  SERVICES, OR ACCESS TO
 BASIC NECESSITIES, SUCH AS FOOD AND WATER, OR PRODUCES LEGAL OR SIMILAR-
 LY SIGNIFICANT EFFECTS THE CONTROLLER MUST:
   (I)  DISCLOSE  IN  A  CLEAR, CONSPICUOUS, AND CONSUMER-FRIENDLY MANNER
 THAT THE DECISION WAS MADE BY A SOLELY AUTOMATED PROCESS;
   (II) PROVIDE AN AVENUE FOR THE AFFECTED CONSUMER TO APPEAL  THE  DECI-
 SION,  WHICH MUST AT MINIMUM ALLOW THE AFFECTED CONSUMER TO (A) FORMALLY
 CONTEST THE DECISION, (B) PROVIDE INFORMATION TO SUPPORT THEIR POSITION,
 AND (C) OBTAIN MEANINGFUL HUMAN REVIEW OF THE DECISION; AND
   (III) EXPLAIN THE PROCESS TO APPEAL THE DECISION.
   (B) A CONTROLLER MUST RESPOND TO A CONSUMER'S APPEAL WITHIN FORTY-FIVE
 DAYS OF RECEIPT OF THE APPEAL. THAT  PERIOD  MAY  BE  EXTENDED  ONCE  BY
 FORTY-FIVE  ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING INTO
 ACCOUNT THE COMPLEXITY AND NUMBER OF APPEALS. THE CONTROLLER MUST INFORM
 THE CONSUMER OF ANY SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF RECEIPT  OF
 THE APPEAL, TOGETHER WITH THE REASONS FOR THE DELAY.
   (C) (I) A CONTROLLER OR PROCESSOR ENGAGED IN AUTOMATED DECISION-MAKING
 AFFECTING  FINANCIAL OR LENDING SERVICES, HOUSING, PUBLIC ACCOMMODATION,
 INSURANCE, EDUCATION ENROLLMENT, EMPLOYMENT, HEALTH  CARE  SERVICES,  OR
 ACCESS  TO BASIC NECESSITIES, SUCH AS FOOD AND WATER, OR PRODUCING LEGAL
 OR OTHER SIMILARLY SIGNIFICANT EFFECTS OR ENGAGED IN ASSISTING OTHERS IN
 AUTOMATED DECISION-MAKING IN THOSE  FIELDS,  MUST  ANNUALLY  CONDUCT  AN
 IMPACT ASSESSMENT OF SUCH AUTOMATED DECISION-MAKING THAT:
   (A)  DESCRIBES  AND  EVALUATES  THE  OBJECTIVES AND DEVELOPMENT OF THE
 AUTOMATED DECISION-MAKING PROCESSES INCLUDING THE  DESIGN  AND  TRAINING
 DATA  USED  TO  DEVELOP  THE  AUTOMATED DECISION-MAKING PROCESS, HOW THE
 AUTOMATED DECISION-MAKING PROCESS WAS  TESTED  FOR  ACCURACY,  FAIRNESS,
 BIAS AND DISCRIMINATION; AND
   (B)  ASSESSES  WHETHER  THE  AUTOMATED DECISION-MAKING SYSTEM PRODUCES
 DISCRIMINATORY RESULTS ON THE BASIS OF A CONSUMER'S OR CLASS OF  CONSUM-
 ERS'  ACTUAL  OR  PERCEIVED  RACE,  COLOR, ETHNICITY, RELIGION, NATIONAL
 ORIGIN, SEX,  GENDER,  GENDER  IDENTITY,  SEXUAL  ORIENTATION,  FAMILIAL
 STATUS,  BIOMETRIC  INFORMATION,  LAWFUL SOURCE OF INCOME, OR DISABILITY
 AND OUTLINES MITIGATIONS  FOR  ANY  IDENTIFIED  PERFORMANCE  DIFFERENCES
 ACROSS  RELEVANT  GROUPS IMPACTED BY THE SYSTEM. SUCH EVALUATIONS SHOULD
 BE CONDUCTED ON A SYSTEM PRIOR TO DEPLOYMENT, INCLUDING IN THE  ENVIRON-
 MENT IN WHICH A SYSTEM IS GOING TO BE USED, AND THROUGHOUT THE LIFECYCLE
 OF A SYSTEM.
   (II)  A  CONTROLLER OR PROCESSOR MUST UTILIZE AN EXTERNAL, INDEPENDENT
 AUDITOR OR RESEARCHER TO CONDUCT SUCH ASSESSMENTS.
   (III) A CONTROLLER OR PROCESSOR MUST  MAKE  PUBLICLY  AVAILABLE  IN  A
 MANNER  ACCESSIBLE  ONLINE  ALL  IMPACT ASSESSMENTS PREPARED PURSUANT TO
 THIS SECTION, RETAIN ALL SUCH IMPACT ASSESSMENTS FOR AT LEAST SIX YEARS,
 AND MAKE ANY SUCH RETAINED IMPACT ASSESSMENTS AVAILABLE  TO  ANY  STATE,
 FEDERAL, OR LOCAL GOVERNMENT AUTHORITY UPON REQUEST.
   (IV) FOR PURPOSES OF THIS PARAGRAPH, THE LIMITATIONS TO JURISDICTIONAL
 SCOPE  SET FORTH IN PARAGRAPHS (B) AND (C) OF SUBDIVISION TWO OF SECTION
 ELEVEN HUNDRED ONE OF THIS ARTICLE SHALL NOT APPLY.
   9. RESPONDING TO REQUESTS. (A) A CONTROLLER  MUST  TAKE  ACTION  UNDER
 SUBDIVISIONS  FOUR THROUGH SEVEN OF THIS SECTION AND INFORM THE CONSUMER
 OF ANY ACTIONS TAKEN WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN  FORTY-
 FIVE DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED ONCE BY
 FORTY-FIVE  ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING INTO
 ACCOUNT THE COMPLEXITY AND NUMBER OF THE REQUESTS. THE  CONTROLLER  MUST
 INFORM  THE  CONSUMER  OF  ANY  SUCH EXTENSION WITHIN FORTY-FIVE DAYS OF
 RECEIPT OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHEN  A
 CONTROLLER  DENIES ANY SUCH REQUEST, IT MUST WITHIN THIS PERIOD DISCLOSE
 TO THE CONSUMER A STATEMENT IN WRITING OF THE SPECIFIC REASONS  FOR  THE
 DENIAL.
   (B) A CONTROLLER SHALL PERMIT THE EXERCISE OF RIGHTS AND CARRY OUT ITS
 OBLIGATIONS SET FORTH IN SUBDIVISIONS FOUR THROUGH SEVEN OF THIS SECTION
 FREE  OF CHARGE, AT LEAST TWICE ANNUALLY TO THE CONSUMER. WHERE REQUESTS
 FROM A CONSUMER ARE MANIFESTLY UNFOUNDED  OR  EXCESSIVE,  IN  PARTICULAR
 BECAUSE  OF  THEIR  REPETITIVE  CHARACTER, THE CONTROLLER MAY EITHER (I)
 CHARGE A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS  OF  COMPLYING
 WITH  THE  REQUEST  OR  (II) REFUSE TO ACT ON THE REQUEST AND NOTIFY THE
 CONSUMER OF THE REASON FOR REFUSING THE REQUEST.  THE  CONTROLLER  BEARS
 THE  BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE CHAR-
 ACTER OF THE REQUEST.
   (C) (I)  A  CONTROLLER  SHALL  PROMPTLY  ATTEMPT,  USING  COMMERCIALLY
 REASONABLE  EFFORTS,  TO VERIFY THAT ALL REQUESTS TO EXERCISE ANY RIGHTS
 SET FORTH IN ANY SECTION OF THIS ARTICLE REQUIRING  A  VERIFIED  REQUEST
 WERE MADE BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, OR BY A PERSON
 LAWFULLY  EXERCISING  THE  RIGHT  ON  BEHALF  OF THE CONSUMER WHO IS THE
 SUBJECT OF THE DATA. COMMERCIALLY REASONABLE EFFORTS SHALL BE DETERMINED
 BASED ON THE TOTALITY OF THE CIRCUMSTANCES, INCLUDING THE NATURE OF  THE
 DATA IMPLICATED BY THE REQUEST.
   (II)  A  CONTROLLER  MAY  REQUIRE  THE  CONSUMER TO PROVIDE ADDITIONAL
 INFORMATION ONLY IF THE REQUEST CANNOT REASONABLY  BE  VERIFIED  WITHOUT
 THE  PROVISION  OF  SUCH  ADDITIONAL  INFORMATION. A CONTROLLER MUST NOT
 TRANSFER OR PROCESS ANY SUCH ADDITIONAL INFORMATION PROVIDED PURSUANT TO
 THIS SECTION FOR ANY OTHER PURPOSE AND MUST DELETE ANY  SUCH  ADDITIONAL
 INFORMATION  WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-FIVE DAYS
 AFTER THE CONTROLLER HAS NOTIFIED THE CONSUMER THAT IT HAS TAKEN  ACTION
 ON  A  REQUEST  UNDER SUBDIVISIONS FOUR THROUGH SEVEN OF THIS SECTION AS
 DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (III) IF A CONTROLLER DISCLOSES THIS  ADDITIONAL  INFORMATION  TO  ANY
 PROCESSOR  OR  THIRD  PARTY  FOR  THE  PURPOSE  OF  VERIFYING A CONSUMER
 REQUEST, IT MUST NOTIFY THE RECEIVING PROCESSOR OR THIRD  PARTY  AT  THE
 TIME  OF  SUCH  DISCLOSURE,  OR AS CLOSE IN TIME TO THE DISCLOSURE AS IS
 REASONABLY PRACTICABLE,  THAT  SUCH  INFORMATION  WAS  PROVIDED  BY  THE
 CONSUMER  FOR  THE  SOLE PURPOSE OF VERIFICATION AND CANNOT BE PROCESSED
 FOR ANY PURPOSE OTHER THAN VERIFICATION.
   10. IMPLEMENTATION OF RIGHTS. CONTROLLERS MUST PROVIDE EASILY ACCESSI-
 BLE AND CONVENIENT MEANS FOR CONSUMERS TO EXERCISE  THEIR  RIGHTS  UNDER
 THIS ARTICLE.
   11.  NON-WAIVER OF RIGHTS. ANY PROVISION OF A CONTRACT OR AGREEMENT OF
 ANY KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S  RIGHTS
 UNDER  THIS  ARTICLE  IS CONTRARY TO PUBLIC POLICY AND IS VOID AND UNEN-
 FORCEABLE.
   § 1103.  CONTROLLER, PROCESSOR, AND THIRD PARTY  RESPONSIBILITIES.  1.
 CONTROLLER  RESPONSIBILITIES. (A) DATA PROTECTION ASSESSMENT. A CONTROL-
 LER SHALL REGULARLY CONDUCT AND DOCUMENT A  DATA  PROTECTION  ASSESSMENT
 FOR  PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO THE
 CONSUMER. SUCH ASSESSMENT MUST IDENTIFY AND WEIGH THE BENEFITS THAT  MAY
 FLOW,  DIRECTLY  AND  INDIRECTLY, FROM THE PROCESSING TO THE CONTROLLER,
 THE CONSUMER, OTHER STAKEHOLDERS, AND THE PUBLIC AGAINST  THE  POTENTIAL
 RISKS  TO  THE RIGHTS OF THE CONSUMER, OR CLASS OF CONSUMERS, ASSOCIATED
 WITH THE PROCESSING, AS MITIGATED BY SAFEGUARDS THAT THE CONTROLLER  CAN
 EMPLOY  TO  REDUCE  THE  RISKS.  THE  CONTROLLER  SHALL FACTOR INTO THIS
 ASSESSMENT THE USE OF DEIDENTIFIED DATA AND THE REASONABLE  EXPECTATIONS
 OF CONSUMERS, AS WELL AS THE CONTEXT OF THE PROCESSING AND THE RELATION-
 SHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE
 PROCESSED,  WITH  THE GOAL OF RESTRICTING OR PROHIBITING SUCH PROCESSING
 IF THE RISKS OF HARM TO THE CONSUMER  OUTWEIGH  THE  BENEFITS  RESULTING
 FROM THE PROCESSING TO THE CONSUMER.  PROCESSING THAT PRESENTS A HEIGHT-
 ENED RISK OF HARM TO THE CONSUMER INCLUDES THE FOLLOWING:
   (I) PROCESSING THAT MAY BENEFIT THE CONTROLLER TO THE DETRIMENT OF THE
 CONSUMER;
   (II)  PROCESSING  THAT  WOULD  BE UNEXPECTED AND HIGHLY OFFENSIVE TO A
 REASONABLE CONSUMER;
   (III) PROCESSING PERSONAL DATA FOR PURPOSES OF TARGETED ADVERTISING;
   (IV) SALE OF PERSONAL DATA;
   (V) PROCESSING SENSITIVE DATA; AND
   (VI) PROCESSING OF PERSONAL DATA FOR PURPOSES OF PROFILING, WHERE SUCH
 PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF:
   (A) UNFAIR OR DECEPTIVE TREATMENT, OR UNLAWFUL  DISPARATE  IMPACT  ON,
 CONSUMERS OR A CLASS OF CONSUMERS;
   (B)  FINANCIAL,  PHYSICAL,  PSYCHOLOGICAL  OR  REPUTATIONAL  INJURY TO
 CONSUMERS, OR A CLASS OF CONSUMERS;
   (C) A PHYSICAL OR OTHERWISE INTRUSION UPON THE SOLITUDE OR  SECLUSION,
 OR  THE  PRIVATE AFFAIRS OR CONCERNS, OF CONSUMERS, WHERE SUCH INTRUSION
 WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR
   (D) OTHER SUBSTANTIAL INJURY TO CONSUMERS.
   (B) DUTY OF LOYALTY. (I) A CONTROLLER MUST  NOTIFY  THE  CONSUMER,  OR
 CLASS  OF  CONSUMERS,  OF  THE INTEREST THAT MAY BE HARMED IN ADVANCE OF
 REQUESTING CONSENT AND AS CLOSE IN TIME TO THE PROCESSING AS PRACTICABLE
 WHERE IT IS REASONABLY FORESEEABLE TO  THE  CONTROLLER  THAT  A  PROCESS
 PRESENTS  A  HEIGHTENED RISK OF HARM TO THE CONSUMER OR CLASS OF CONSUM-
 ERS.
   (II) CONTROLLERS MUST NOT ENGAGE IN UNFAIR, DECEPTIVE, OR ABUSIVE ACTS
 OR PRACTICES WITH RESPECT TO OBTAINING CONSUMER CONSENT, THE  PROCESSING
 OF  PERSONAL  DATA,  AND  A CONSUMER'S EXERCISE OF ANY RIGHTS UNDER THIS
 ARTICLE, INCLUDING WITHOUT LIMITATION:
   (A) DESIGNING A USER INTERFACE WITH THE PURPOSE OR SUBSTANTIAL  EFFECT
 OF  DECEIVING CONSUMERS, OBSCURING CONSUMERS' RIGHTS UNDER THIS ARTICLE,
 OR SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE; OR
   (B) OBTAINING CONSENT IN A MANNER DESIGNED TO OVERPOWER  A  CONSUMER'S
 RESISTANCE; FOR EXAMPLE, BY MAKING EXCESSIVE REQUESTS FOR CONSENT.
   (C)  DUTY  OF  CARE.  (I)  (A) CONTROLLERS MUST, ON AT LEAST AN ANNUAL
 BASIS, CONDUCT AND DOCUMENT RISK ASSESSMENTS OF ALL  CURRENT  PROCESSING
 OF PERSONAL DATA.
   (B) RISK ASSESSMENTS MUST ASSESS AT A MINIMUM:
   (I)  THE NATURE, SENSITIVITY AND CONTEXT OF THE PERSONAL DATA THAT THE
 CONTROLLER PROCESSES;
   (II) THE NATURE, PURPOSE, AND VALUE OF THE PROCESSES;
   (III) ANY RISKS OR HARMS TO CONSUMERS ACTUALLY OR POTENTIALLY  ARISING
 OUT  OF  THE PROCESSES, INCLUDING PHYSICAL, FINANCIAL, PSYCHOLOGICAL, OR
 REPUTATIONAL HARMS;
   (IV) THE ADEQUACY AND EFFECT OF SAFEGUARDS IMPLEMENTED BY THE CONTROL-
 LERS;
   (V) THE SUFFICIENCY  OF  THE  CONTROLLER'S  NOTICES  TO  CONSUMERS  AT
 DESCRIBING AND OBTAINING CONSENT CONCERNING THE PROCESSES; AND
   (VI)  THE  ADEQUACY  OF  THE  SAFEGUARDS  AND  MONITORING PRACTICES OF
 PROCESSORS AND  THIRD  PARTIES  TO  WHOM  THE  CONTROLLER  HAS  PROVIDED
 PERSONAL DATA.
   (C) THE CONTROLLER MUST RETAIN RISK ASSESSMENTS FOR AT LEAST SIX YEARS
 AND  MAKE  RISK  ASSESSMENTS  AVAILABLE  TO  THE  ATTORNEY  GENERAL UPON
 REQUEST.
   (II) CONTROLLERS MUST  DEVELOP,  IMPLEMENT,  AND  MAINTAIN  REASONABLE
 SAFEGUARDS TO PROTECT THE SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE
 PERSONAL DATA OF CONSUMERS INCLUDING ADOPTING REASONABLE ADMINISTRATIVE,
 TECHNICAL  AND  PHYSICAL SAFEGUARDS APPROPRIATE TO THE VOLUME AND NATURE
 OF THE PERSONAL DATA AT ISSUE.
   (III) (A) A CONTROLLER SHALL LIMIT THE USE AND RETENTION OF A  CONSUM-
 ER'S  PERSONAL  DATA TO WHAT IS (I) NECESSARY TO PROVIDE THE SERVICES OR
 GOODS REQUESTED BY THE CONSUMER, (II) NECESSARY FOR THE  INTERNAL  BUSI-
 NESS  OPERATIONS  OF  THE CONTROLLER AND CONSISTENT WITH THE DISCLOSURES
 MADE TO THE CONSUMER PURSUANT TO SECTION  ELEVEN  HUNDRED  TWO  OF  THIS
 ARTICLE,  OR (III) NECESSARY TO COMPLY WITH THE LEGAL OBLIGATIONS OF THE
 CONTROLLER.
   (B) AT LEAST ANNUALLY, A CONTROLLER SHALL REVIEW ITS  RETENTION  PRAC-
 TICES  FOR  THE  PURPOSE  OF ENSURING THAT IT IS MAINTAINING THE MINIMUM
 AMOUNT OF PERSONAL DATA AS IS NECESSARY FOR THE OPERATION OF  ITS  BUSI-
 NESS. A CONTROLLER MUST SECURELY DISPOSE OF ALL PERSONAL DATA THAT IS NO
 LONGER  (I)  NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER, (II) NECESSARY FOR THE INTERNAL  BUSINESS  OPERATIONS  OF  THE
 CONTROLLER  AND  CONSISTENT  WITH  THE  DISCLOSURES MADE TO THE CONSUMER
 PURSUANT TO SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR (III)  NECES-
 SARY TO COMPLY WITH THE LEGAL OBLIGATIONS OF THE CONTROLLER.
   (IV)  CONTROLLERS  SHALL BE UNDER A CONTINUING OBLIGATION TO ENGAGE IN
 REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES  FOR  CIRCUMSTANCES  THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO  UPDATE  THEIR  CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE
 ACCORDINGLY.
   (D) NON-DISCRIMINATION. (I) A CONTROLLER MUST NOT DISCRIMINATE AGAINST
 A CONSUMER FOR EXERCISING RIGHTS UNDER THIS ARTICLE, INCLUDING  BUT  NOT
 LIMITED TO, BY:
   (A) DENYING SERVICES OR GOODS TO CONSUMERS;
   (B) CHARGING DIFFERENT PRICES FOR SERVICES OR GOODS, INCLUDING THROUGH
 THE USE OF DISCOUNTS OR OTHER BENEFITS; IMPOSING PENALTIES; OR PROVIDING
 A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR
   (C)  SUGGESTING  THAT  THE  CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
 RATE FOR SERVICES OR GOODS OR A DIFFERENT LEVEL OR QUALITY  OF  SERVICES
 OR GOODS.
   (II)  THIS  PARAGRAPH  DOES  NOT  APPLY TO A CONTROLLER'S CONDUCT WITH
 RESPECT TO OPT-IN CONSENT, IN WHICH CASE PARAGRAPH  (J)  OF  SUBDIVISION
 THREE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE GOVERNS.
   (E)  AGREEMENTS  WITH  PROCESSORS.  (I)  BEFORE MAKING ANY DISCLOSURE,
 TRANSFER, OR SALE OF PERSONAL DATA TO ANY PROCESSOR, THE CONTROLLER MUST
 ENTER INTO A WRITTEN, SIGNED CONTRACT WITH THAT PROCESSOR. SUCH CONTRACT
 MUST BE BINDING AND CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING  DATA,
 THE  NATURE AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROC-
 ESSING, THE DURATION OF PROCESSING, AND THE RIGHTS  AND  OBLIGATIONS  OF
 BOTH  PARTIES.  THE  CONTRACT  MUST  ALSO  INCLUDE REQUIREMENTS THAT THE
 PROCESSOR MUST:
   (A) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT  TO  A
 DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA;
   (B)  PROTECT  THE DATA IN A MANNER CONSISTENT WITH THE REQUIREMENTS OF
 THIS ARTICLE AND AT LEAST EQUAL TO  THE  SECURITY  REQUIREMENTS  OF  THE
 CONTROLLER  SET  FORTH IN THEIR PUBLICLY AVAILABLE POLICIES, NOTICES, OR
 SIMILAR STATEMENTS;
   (C)  PROCESS  THE DATA ONLY WHEN AND TO THE EXTENT NECESSARY TO COMPLY
 WITH ITS LEGAL OBLIGATIONS TO THE CONTROLLER UNLESS OTHERWISE EXPLICITLY
 AUTHORIZED BY THE CONTROLLER;
   (D) NOT COMBINE THE PERSONAL DATA WHICH THE PROCESSOR RECEIVES FROM OR
 ON BEHALF OF THE CONTROLLER  WITH  PERSONAL  DATA  WHICH  THE  PROCESSOR
 RECEIVES  FROM  OR  ON BEHALF OF ANOTHER PERSON OR COLLECTS FROM ITS OWN
 INTERACTION WITH CONSUMERS;
   (E) COMPLY WITH ANY EXERCISES OF A  CONSUMER'S  RIGHTS  UNDER  SECTION
 ELEVEN  HUNDRED  TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER,
 SUBJECT TO THE LIMITATIONS SET FORTH IN SECTION ELEVEN HUNDRED  FIVE  OF
 THIS ARTICLE;
   (F)  AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA
 TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF  SERVICES,
 UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;
   (G)  UPON  THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO
 THE CONTROLLER ALL DATA IN ITS POSSESSION NECESSARY TO  DEMONSTRATE  THE
 PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS ARTICLE;
   (H)  ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE CONTROL-
 LER OR THE CONTROLLER'S DESIGNATED ASSESSOR; ALTERNATIVELY, THE PROCESS-
 OR MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT ASSESSOR  TO  CONDUCT  AN
 ASSESSMENT  OF THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL
 MEASURES IN SUPPORT OF THE  OBLIGATIONS  UNDER  THIS  ARTICLE  USING  AN
 APPROPRIATE  AND  ACCEPTED  CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT
 PROCEDURE FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT  OF
 SUCH ASSESSMENT TO THE CONTROLLER UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING THE
 DATA TO ANY FURTHER PROCESSORS, NOTIFY THE CONTROLLER OF SUCH A PROPOSED
 DISCLOSURE  OR  TRANSFER  AND  PROVIDE  THE CONTROLLER AN OPPORTUNITY TO
 APPROVE OR REJECT THE PROPOSAL; AND
   (J) ENGAGE  ANY  FURTHER  PROCESSOR  PURSUANT  TO  A  WRITTEN,  SIGNED
 CONTRACT  THAT  INCLUDES  THE  CONTRACTUAL REQUIREMENTS PROVIDED IN THIS
 PARAGRAPH, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE PROCESSOR
 HAS ENTERED INTO WITH REGARD TO THE DATA.
   (II) A CONTROLLER MUST NOT AGREE  TO  INDEMNIFY,  DEFEND,  OR  HOLD  A
 PROCESSOR  HARMLESS,  OR  AGREE  TO  A  PROVISION THAT HAS THE EFFECT OF
 INDEMNIFYING, DEFENDING, OR HOLDING THE PROCESSOR HARMLESS, FROM  CLAIMS
 OR  LIABILITY  ARISING  FROM  THE  PROCESSOR'S  BREACH  OF  THE CONTRACT
 REQUIRED BY CLAUSE (A) OF  SUBPARAGRAPH  (I)  OF  THIS  PARAGRAPH  OR  A
 VIOLATION  OF  THIS ARTICLE. ANY PROVISION OF AN AGREEMENT THAT VIOLATES
 THIS SUBPARAGRAPH IS CONTRARY TO PUBLIC POLICY AND  IS  VOID  AND  UNEN-
 FORCEABLE.
   (III)  NOTHING  IN THIS PARAGRAPH RELIEVES A CONTROLLER OR A PROCESSOR
 FROM THE LIABILITIES IMPOSED ON IT BY VIRTUE OF ITS ROLE IN THE PROCESS-
 ING RELATIONSHIP AS DEFINED BY THIS ARTICLE.
   (IV) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCES-
 SOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETER-
 MINATION THAT DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS  TO  BE
 PROCESSED.  A  PROCESSOR  THAT  CONTINUES  TO  ADHERE  TO A CONTROLLER'S
 INSTRUCTIONS WITH RESPECT TO A  SPECIFIC  PROCESSING  OF  PERSONAL  DATA
 REMAINS A PROCESSOR.
   (F)  THIRD  PARTIES. (I) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANS-
 FER, OR SELL PERSONAL DATA, OR  FACILITATE  OR  ENABLE  THE  PROCESSING,
 DISCLOSURE,  TRANSFER,  OR  SALE  TO  A THIRD PARTY OF PERSONAL DATA FOR
 WHICH A CONSUMER HAS EXERCISED THEIR OPT-OUT RIGHTS PURSUANT TO SUBDIVI-
 SION TWO OF SECTION ELEVEN HUNDRED TWO OF THIS  ARTICLE,  OR  FOR  WHICH
 CONSENT  OF THE CONSUMER PURSUANT TO SUBDIVISION THREE OF SECTION ELEVEN
 HUNDRED TWO OF THIS ARTICLE, HAS NOT BEEN OBTAINED OR IS  NOT  CURRENTLY
 IN EFFECT. ANY REQUEST FOR CONSENT TO SHARE, DISCLOSE, TRANSFER, OR SELL
 PERSONAL  DATA,  OR  TO FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE,
 TRANSFER, OR SALE OF PERSONAL DATA TO A THIRD PARTY OF PERSONAL DATA  TO
 A  THIRD  PARTY MUST CLEARLY INCLUDE THE CATEGORY OF THE THIRD PARTY AND
 THE PROCESSING PURPOSES FOR WHICH THE THIRD PARTY MAY USE  THE  PERSONAL
 DATA.
   (II) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANSFER, OR SELL PERSONAL
 DATA,  OR  FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR
 SALE TO A THIRD PARTY OF PERSONAL DATA IF IT CAN REASONABLY  EXPECT  THE
 PERSONAL DATA OF A CONSUMER TO BE USED FOR PURPOSES FOR WHICH A CONSUMER
 HAS  EXERCISED  THEIR  OPT-OUT  RIGHTS  PURSUANT  TO  SUBDIVISION TWO OF
 SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE, OR FOR  WHICH  THE  CONSUMER
 HAS  NOT  CONSENTED  TO  PURSUANT TO SUBDIVISION THREE OF SECTION ELEVEN
 HUNDRED TWO OF THIS ARTICLE, OR IF IT CAN  REASONABLY  EXPECT  THAT  ANY
 RIGHTS  OF THE CONSUMER PROVIDED IN THIS ARTICLE WOULD BE COMPROMISED AS
 A RESULT OF SUCH TRANSACTION.
   (III) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA
 TO ANY THIRD PARTY, THE CONTROLLER MUST ENTER  INTO  A  WRITTEN,  SIGNED
 CONTRACT.  SUCH  CONTRACT  MUST  BE  BINDING  AND THE SCOPE, NATURE, AND
 PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROCESSING, THE DURA-
 TION OF PROCESSING, AND THE RIGHTS  AND  OBLIGATIONS  OF  BOTH  PARTIES.
 SUCH CONTRACT MUST INCLUDE REQUIREMENTS THAT THE THIRD PARTY:
   (A)  PROCESS  THAT  DATA ONLY TO THE EXTENT PERMITTED BY THE AGREEMENT
 ENTERED INTO WITH THE CONTROLLER; AND
   (B) PROVIDE A MECHANISM TO COMPLY WITH ANY EXERCISES OF  A  CONSUMER'S
 RIGHTS UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST
 OF  THE  CONTROLLER, SUBJECT TO ANY LIMITATIONS THEREON AS AUTHORIZED BY
 THIS ARTICLE; AND
   (C) TO THE EXTENT THE DISCLOSURE, TRANSFER, OR SALE  OF  THE  PERSONAL
 DATA  CAUSES  THE  THIRD  PARTY  TO BECOME A CONTROLLER, COMPLY WITH ALL
 OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE.
   2. PROCESSOR RESPONSIBILITIES. (A)  FOR  ANY  PERSONAL  DATA  THAT  IS
 OBTAINED,  RECEIVED,  PURCHASED,  OR  OTHERWISE ACQUIRED BY A PROCESSOR,
 WHETHER DIRECTLY FROM A CONTROLLER OR INDIRECTLY FROM ANOTHER PROCESSOR,
 THE PROCESSOR MUST COMPLY WITH THE REQUIREMENTS SET FORTH IN CLAUSES (A)
 THROUGH (J) OF SUBPARAGRAPH (I) OF PARAGRAPH (E) OF SUBDIVISION  ONE  OF
 THIS SECTION.
   (B)  A  PROCESSOR  IS  NOT  REQUIRED  TO  COMPLY WITH A REQUEST BY THE
 CONSUMER SUBMITTED PURSUANT TO THIS ARTICLE BY A  CONSUMER  DIRECTLY  TO
 THE PROCESSOR TO THE EXTENT THAT THE PROCESSOR HAS PROCESSED THE CONSUM-
 ER'S PERSONAL DATA SOLELY IN ITS ROLE AS A PROCESSOR FOR A CONTROLLER.
   (C)  PROCESSORS  SHALL  BE  UNDER A CONTINUING OBLIGATION TO ENGAGE IN
 REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES  FOR  CIRCUMSTANCES  THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO  UPDATE  THEIR  CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE
 ACCORDINGLY.
   (D) A PROCESSOR SHALL NOT ENGAGE IN ANY SALE OF  PERSONAL  DATA  OTHER
 THAN  ON BEHALF OF THE CONTROLLER PURSUANT TO ANY AGREEMENT ENTERED INTO
 WITH THE CONTROLLER.
   3. THIRD PARTY RESPONSIBILITIES. (A) FOR ANY  PERSONAL  DATA  THAT  IS
 OBTAINED,  RECEIVED,  PURCHASED,  OR OTHERWISE ACQUIRED OR ACCESSED BY A
 THIRD PARTY FROM A CONTROLLER OR PROCESSOR, THE THIRD PARTY MUST:
   (I)  PROCESS  THAT DATA ONLY TO THE EXTENT PERMITTED BY ANY AGREEMENTS
 ENTERED INTO WITH THE CONTROLLER;
   (II) COMPLY WITH ANY EXERCISES OF A CONSUMER'S  RIGHTS  UNDER  SECTION
 ELEVEN HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER OR
 PROCESSOR,  SUBJECT  TO  ANY  LIMITATIONS  THEREON AS AUTHORIZED BY THIS
 ARTICLE; AND
   (III) TO THE EXTENT THE THIRD PARTY BECOMES A CONTROLLER FOR  PERSONAL
 DATA,  COMPLY  WITH  ALL  OBLIGATIONS  IMPOSED ON CONTROLLERS UNDER THIS
 ARTICLE.
   4. EXCEPTIONS. THE REQUIREMENTS OF THIS SECTION SHALL NOT APPLY WHERE:
   (A) THE PROCESSING IS REQUIRED BY LAW;
   (B) THE PROCESSING IS MADE PURSUANT TO A REQUEST BY A FEDERAL,  STATE,
 OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR
   (C)  THE PROCESSING SIGNIFICANTLY ADVANCES PROTECTION AGAINST CRIMINAL
 OR TORTIOUS ACTIVITY.
   § 1104. DATA BROKERS. 1. A DATA BROKER, AS DEFINED UNDER THIS ARTICLE,
 MUST:
   (A) ANNUALLY, ON OR BEFORE JANUARY THIRTY-FIRST FOLLOWING  A  YEAR  IN
 WHICH A PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE:
   (I) REGISTER WITH THE ATTORNEY GENERAL;
   (II)  PAY  A  REGISTRATION  FEE OF ONE HUNDRED DOLLARS OR AS OTHERWISE
 DETERMINED BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY  AUTHORITY
 GRANTED  TO  THE  ATTORNEY GENERAL UNDER THIS ARTICLE, NOT TO EXCEED THE
 REASONABLE COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND  INFOR-
 MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND
   (III) PROVIDE THE FOLLOWING INFORMATION:
   (A) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS
 OF THE DATA BROKER;
   (B) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR REGISTERED AGENT OF
 THE DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE DATA
 BROKER;
   (C)  A STATEMENT DESCRIBING THE METHOD FOR EXERCISING CONSUMERS RIGHTS
 UNDER SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (D) A STATEMENT WHETHER THE DATA BROKER IMPLEMENTS A PURCHASER CREDEN-
 TIALING PROCESS; AND
   (E) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER  CHOOSES
 TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
   2. NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE, ANY CONTROLLER
 THAT CONDUCTS BUSINESS IN THE STATE OF NEW YORK MUST:
   (A)  ANNUALLY,  ON  OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN
 WHICH A PERSON MEETS THE DEFINITION OF CONTROLLER IN THIS  ACT,  PROVIDE
 TO THE ATTORNEY GENERAL A LIST OF ALL DATA BROKERS OR PERSONS REASONABLY
 BELIEVED  TO  BE  DATA BROKERS TO WHICH THE CONTROLLER PROVIDED PERSONAL
 DATA IN THE PRECEDING YEAR; AND
   (B) NOT SELL A  CONSUMER'S  PERSONAL  DATA  TO  AN  ENTITY  REASONABLY
 BELIEVED  TO  BE  A DATA BROKER THAT IS NOT REGISTERED WITH THE ATTORNEY
 GENERAL.
   3. THE ATTORNEY GENERAL SHALL ESTABLISH, MANAGE AND MAINTAIN A  STATE-
 WIDE  REGISTRY  ON ITS INTERNET WEBSITE, WHICH SHALL LIST ALL REGISTERED
 DATA BROKERS AND MAKE ACCESSIBLE  TO  THE  PUBLIC  ALL  THE  INFORMATION
 PROVIDED  BY  DATA BROKERS PURSUANT TO THIS SECTION. PRINTED HARD COPIES
 OF SUCH REGISTRY SHALL BE MADE AVAILABLE UPON REQUEST AND PAYMENT  OF  A
 FEE TO BE DETERMINED BY THE ATTORNEY GENERAL.
   4. A DATA BROKER THAT FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR
 SUBMITS  FALSE  INFORMATION  IN  ITS REGISTRATION IS, IN ADDITION TO ANY
 OTHER INJUNCTION, PENALTY, OR LIABILITY THAT MAY BE IMPOSED  UNDER  THIS
 ARTICLE,  LIABLE  FOR  CIVIL  PENALTIES,  FEES,  AND  COSTS IN AN ACTION
 BROUGHT  BY  THE ATTORNEY GENERAL AS FOLLOWS: (A) A CIVIL PENALTY OF ONE
 THOUSAND DOLLARS FOR EACH DAY THE  DATA  BROKER  FAILS  TO  REGISTER  AS
 REQUIRED  BY  THIS SECTION OR FAILS TO CORRECT FALSE INFORMATION, (B) AN
 AMOUNT EQUAL TO THE FEES THAT WERE DUE DURING THE PERIOD  IT  FAILED  TO
 REGISTER,  AND  (C)  EXPENSES  INCURRED  BY  THE ATTORNEY GENERAL IN THE
 INVESTIGATION AND PROSECUTION OF THE ACTION AS THE COURT DEEMS APPROPRI-
 ATE.
   § 1105. LIMITATIONS. 1. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER  OR
 PROCESSOR  TO  DO  ANY OF THE FOLLOWING SOLELY FOR PURPOSES OF COMPLYING
 WITH THIS ARTICLE:
   (A) REIDENTIFY DEIDENTIFIED DATA;
   (B) COMPLY WITH A VERIFIED CONSUMER REQUEST  TO  ACCESS,  CORRECT,  OR
 DELETE  PERSONAL  DATA  PURSUANT TO THIS ARTICLE IF ALL OF THE FOLLOWING
 ARE TRUE:
   (I) THE CONTROLLER  IS  NOT  REASONABLY  CAPABLE  OF  ASSOCIATING  THE
 REQUEST WITH THE PERSONAL DATA;
   (II)  THE  CONTROLLER  DOES NOT ASSOCIATE THE PERSONAL DATA WITH OTHER
 PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER AS  PART  OF  ITS  NORMAL
 BUSINESS PRACTICE; AND
   (III)  THE  CONTROLLER  DOES  NOT  SELL THE PERSONAL DATA TO ANY THIRD
 PARTY OR OTHERWISE VOLUNTARILY DISCLOSE OR TRANSFER THE PERSONAL DATA TO
 ANY PROCESSOR OR THIRD PARTY, EXCEPT  AS  OTHERWISE  PERMITTED  IN  THIS
 ARTICLE; OR
   (C)  MAINTAIN  PERSONAL DATA IN IDENTIFIABLE FORM, OR COLLECT, OBTAIN,
 RETAIN, OR ACCESS ANY PERSONAL DATA OR TECHNOLOGY, IN ORDER TO BE  CAPA-
 BLE OF ASSOCIATING A VERIFIED CONSUMER REQUEST WITH PERSONAL DATA.
   2.  THE  OBLIGATIONS  IMPOSED ON CONTROLLERS AND PROCESSORS UNDER THIS
 ARTICLE DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO DO  ANY
 OF  THE FOLLOWING, TO THE EXTENT THAT THE USE OF THE CONSUMER'S PERSONAL
 DATA IS REASONABLY NECESSARY AND PROPORTIONATE FOR THESE PURPOSES:
   (A) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS;
   (B) COMPLY WITH A CIVIL, CRIMINAL,  OR  REGULATORY  INQUIRY,  INVESTI-
 GATION,  SUBPOENA, OR SUMMONS BY FEDERAL, STATE, LOCAL, OR OTHER GOVERN-
 MENTAL AUTHORITIES;
   (C) COOPERATE WITH LAW  ENFORCEMENT  AGENCIES  CONCERNING  CONDUCT  OR
 ACTIVITY  THAT  THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH
 BELIEVES MAY VIOLATE FEDERAL, STATE, OR  LOCAL  LAWS,  RULES,  OR  REGU-
 LATIONS;
   (D)  INVESTIGATE,  ESTABLISH,  EXERCISE,  PREPARE FOR, OR DEFEND LEGAL
 CLAIMS;
   (E) PROCESS PERSONAL DATA NECESSARY TO PROVIDE THE SERVICES  OR  GOODS
 REQUESTED  BY  A CONSUMER; PERFORM A CONTRACT TO WHICH THE CONSUMER IS A
 PARTY; OR TAKE STEPS AT THE REQUEST OF THE CONSUMER  PRIOR  TO  ENTERING
 INTO A CONTRACT;
   (F) TAKE IMMEDIATE STEPS TO PROTECT THE LIFE OR PHYSICAL SAFETY OF THE
 CONSUMER  OR  OF ANOTHER NATURAL PERSON, AND WHERE THE PROCESSING CANNOT
 BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS;
   (G) PREVENT, DETECT, PROTECT AGAINST, OR  RESPOND  TO  SECURITY  INCI-
 DENTS,  IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIV-
 ITIES, OR ANY ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY  OR  SECURITY  OF
 SYSTEMS;  OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR ANY
 SUCH ACTION;
   (H) IDENTIFY AND REPAIR  TECHNICAL  ERRORS  THAT  IMPAIR  EXISTING  OR
 INTENDED FUNCTIONALITY; OR
   (I) PROCESS BUSINESS CONTACT INFORMATION, INCLUDING A NATURAL PERSON'S
 NAME,  POSITION  NAME  OR  TITLE,  BUSINESS  TELEPHONE  NUMBER, BUSINESS
 ADDRESS, BUSINESS ELECTRONIC MAIL ADDRESS, BUSINESS FAX NUMBER, OR QUAL-
 IFICATIONS AND ANY OTHER SIMILAR INFORMATION ABOUT THE NATURAL PERSON.
   3. THE OBLIGATIONS IMPOSED ON CONTROLLERS  OR  PROCESSORS  UNDER  THIS
 ARTICLE  DO  NOT  APPLY  WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR
 WITH THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW  YORK
 LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL
 DATA  CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVI-
 LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION.
   4. A CONTROLLER THAT RECEIVES A REQUEST PURSUANT TO SUBDIVISIONS  FOUR
 THROUGH  SEVEN  OF  SECTION  ELEVEN  HUNDRED  TWO  OF THIS ARTICLE, OR A
 PROCESSOR OR THIRD PARTY  TO  WHOM  A  CONTROLLER  COMMUNICATES  SUCH  A
 REQUEST, MAY DECLINE TO FULFILL THE RELEVANT PART OF SUCH REQUEST IF:
   (A)  THE CONTROLLER, PROCESSOR, OR THIRD PARTY IS UNABLE TO VERIFY THE
 REQUEST USING COMMERCIALLY REASONABLE EFFORTS, AS DESCRIBED IN PARAGRAPH
 (C) OF SUBDIVISION NINE OF SECTION ELEVEN HUNDRED TWO OF THIS ARTICLE;
   (B) COMPLYING WITH THE REQUEST WOULD BE DEMONSTRABLY  IMPOSSIBLE  (FOR
 PURPOSES  OF  THIS  PARAGRAPH, THE RECEIPT OF A LARGE NUMBER OF VERIFIED
 REQUESTS, ON ITS OWN, IS NOT SUFFICIENT  TO  RENDER  COMPLIANCE  WITH  A
 REQUEST DEMONSTRABLY IMPOSSIBLE);
   (C)  COMPLYING  WITH  THE  REQUEST WOULD IMPAIR THE PRIVACY OF ANOTHER
 INDIVIDUAL OR THE RIGHTS OF ANOTHER TO EXERCISE FREE SPEECH; OR
   (D) THE PERSONAL DATA WAS CREATED BY A NATURAL PERSON OTHER  THAN  THE
 CONSUMER  MAKING  THE  REQUEST AND IS BEING PROCESSED FOR THE PURPOSE OF
 FACILITATING INTERPERSONAL RELATIONSHIPS OR PUBLIC DISCUSSION.
   § 1106. ENFORCEMENT AND  PRIVATE  RIGHT  OF  ACTION.  1.  WHENEVER  IT
 APPEARS  TO  THE  ATTORNEY  GENERAL, EITHER UPON COMPLAINT OR OTHERWISE,
 THAT ANY PERSON OR PERSONS HAS ENGAGED IN OR IS ABOUT TO ENGAGE  IN  ANY
 OF  THE  ACTS OR PRACTICES STATED TO BE UNLAWFUL UNDER THIS ARTICLE, THE
 ATTORNEY GENERAL MAY BRING AN ACTION OR SPECIAL PROCEEDING IN  THE  NAME
 AND  ON  BEHALF  OF  THE  PEOPLE  OF THE STATE OF NEW YORK TO ENJOIN ANY
 VIOLATION OF THIS ARTICLE, TO OBTAIN RESTITUTION OF ANY MONEYS OR  PROP-
 ERTY  OBTAINED  DIRECTLY  OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN
 DISGORGEMENT OF ANY PROFITS OBTAINED DIRECTLY OR INDIRECTLY BY ANY  SUCH
 VIOLATION,  TO  OBTAIN CIVIL PENALTIES OF NOT MORE THAN FIFTEEN THOUSAND
 DOLLARS PER VIOLATION, AND TO OBTAIN ANY SUCH OTHER AND  FURTHER  RELIEF
 AS THE COURT MAY DEEM PROPER, INCLUDING PRELIMINARY RELIEF.
   (A)  ANY  ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY GENERAL
 PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS.
   (B)  EACH  INSTANCE  OF  UNLAWFUL  PROCESSING  COUNTS  AS  A  SEPARATE
 VIOLATION.  UNLAWFUL  PROCESSING  OF  THE PERSONAL DATA OF MORE THAN ONE
 CONSUMER COUNTS AS A  SEPARATE  VIOLATION  AS  TO  EACH  CONSUMER.  EACH
 PROVISION  OF  THIS  ARTICLE  THAT  IS  VIOLATED  COUNTS  AS  A SEPARATE
 VIOLATION.
   (C) IN ASSESSING THE AMOUNT OF PENALTIES, THE COURT MUST CONSIDER  ANY
 ONE  OR  MORE  OF  THE  RELEVANT  CIRCUMSTANCES  PRESENTED BY ANY OF THE
 PARTIES, INCLUDING, BUT NOT LIMITED TO, THE NATURE  AND  SERIOUSNESS  OF
 THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCON-
 DUCT,  THE  LENGTH OF TIME OVER WHICH THE MISCONDUCT OCCURRED, THE WILL-
 FULNESS OF THE  VIOLATOR'S  MISCONDUCT,  AND  THE  VIOLATOR'S  FINANCIAL
 CONDITION.
   2.  IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING UNDER
 THIS SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND  MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE  WITH  THE  CIVIL PRACTICE LAW AND RULES.  THE ATTORNEY GENERAL MAY
 ALSO REQUIRE SUCH OTHER DATA AND INFORMATION AS HE OR SHE MAY DEEM RELE-
 VANT  AND  MAY  REQUIRE WRITTEN RESPONSES TO QUESTIONS UNDER OATH.  SUCH
 POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMINATE BY REASON
 OF ANY ACTION OR SPECIAL PROCEEDING  BROUGHT  BY  THE  ATTORNEY  GENERAL
 UNDER THIS ARTICLE.
   3.  ANY  PERSON, WITHIN OR OUTSIDE THE STATE, WHO THE ATTORNEY GENERAL
 BELIEVES MAY BE IN POSSESSION, CUSTODY, OR CONTROL OF ANY BOOKS, PAPERS,
 OR OTHER THINGS, OR MAY HAVE INFORMATION, RELEVANT TO ACTS OR  PRACTICES
 STATED  TO  BE  UNLAWFUL  IN THIS ARTICLE IS SUBJECT TO THE SERVICE OF A
 SUBPOENA ISSUED BY  THE  ATTORNEY  GENERAL  PURSUANT  TO  THIS  SECTION.
 SERVICE  MAY  BE  MADE IN ANY MANNER THAT IS AUTHORIZED FOR SERVICE OF A
 SUBPOENA OR A SUMMONS BY THE STATE IN WHICH SERVICE IS MADE.
   4. (A) FAILURE TO   COMPLY WITH A SUBPOENA  ISSUED  PURSUANT  TO  THIS
 SECTION  WITHOUT REASONABLE CAUSE TOLLS THE APPLICABLE STATUTES OF LIMI-
 TATIONS IN ANY ACTION OR SPECIAL  PROCEEDING  BROUGHT  BY  THE  ATTORNEY
 GENERAL  AGAINST THE NONCOMPLIANT PERSON THAT ARISES OUT OF THE ATTORNEY
 GENERAL'S INVESTIGATION.
   (B) IF A PERSON FAILS TO COMPLY WITH A  SUBPOENA  ISSUED  PURSUANT  TO
 THIS  SECTION,  THE  ATTORNEY  GENERAL  MAY MOVE IN THE SUPREME COURT TO
 COMPEL COMPLIANCE.  IF THE COURT FINDS THAT THE SUBPOENA WAS AUTHORIZED,
 IT SHALL ORDER COMPLIANCE AND MAY IMPOSE A CIVIL PENALTY OF UP  TO  FIVE
 HUNDRED DOLLARS PER DAY OF NONCOMPLIANCE.
   (C)  SUCH  TOLLING AND CIVIL PENALTY SHALL BE IN ADDITION TO ANY OTHER
 PENALTIES OR REMEDIES PROVIDED BY LAW FOR NONCOMPLIANCE WITH A SUBPOENA.
   5. THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL  UNDER
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL  NOT  SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS STATE UNDER
 WHICH THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION  OR  CONDUCT
 ANY INQUIRY.
   6.  ANY  CONSUMER  WHO  HAS BEEN INJURED BY A VIOLATION OF SUBDIVISION
 TWO, THREE, EIGHT OR NINE OF SECTION ELEVEN HUNDRED TWO OF THIS  ARTICLE
 MAY  BRING  AN ACTION IN HIS OR HER OWN NAME TO ENJOIN SUCH UNLAWFUL ACT
 OR PRACTICE AND TO RECOVER HIS OR  HER  ACTUAL  DAMAGES  SUFFERED  AS  A
 RESULT  OF THE VIOLATION. THE COURT MAY ALSO AWARD REASONABLE ATTORNEYS'
 FEES TO A PREVAILING PLAINTIFF.  ACTIONS PURSUANT TO THIS SECTION MAY BE
 BROUGHT ON A CLASS-WIDE BASIS.
   § 1107. MISCELLANEOUS. 1. PREEMPTION: THIS  ARTICLE  DOES  NOT  ANNUL,
 ALTER,  OR  AFFECT  THE LAWS, ORDINANCES, REGULATIONS, OR THE EQUIVALENT
 ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING, COLLECTION, TRANS-
 FER, DISCLOSURE, AND SALE OF CONSUMERS' PERSONAL DATA BY A CONTROLLER OR
 PROCESSOR SUBJECT TO THIS ARTICLE, EXCEPT  TO  THE  EXTENT  THOSE  LAWS,
 ORDINANCES,  REGULATIONS, OR THE EQUIVALENT CREATE REQUIREMENTS OR OBLI-
 GATIONS THAT CONFLICT WITH OR REDUCE THE PROTECTIONS AFFORDED TO CONSUM-
 ERS UNDER THIS ARTICLE.
   2. IMPACT REPORT: THE ATTORNEY GENERAL SHALL ISSUE A REPORT EVALUATING
 THIS ARTICLE, ITS SCOPE, ANY COMPLAINTS FROM CONSUMERS OR  PERSONS,  THE
 LIABILITY  AND ENFORCEMENT PROVISIONS OF THIS ARTICLE INCLUDING, BUT NOT
 LIMITED TO, THE EFFECTIVENESS OF ITS EFFORTS TO  ENFORCE  THIS  ARTICLE,
 AND  ANY  RECOMMENDATIONS  FOR  CHANGES TO SUCH PROVISIONS. THE ATTORNEY
 GENERAL SHALL SUBMIT THE REPORT TO THE GOVERNOR, THE TEMPORARY PRESIDENT
 OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE APPROPRIATE  COMMIT-
 TEES  OF  THE LEGISLATURE WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS
 SECTION.
   3. REGULATORY AUTHORITY: (A) THE ATTORNEY GENERAL IS HEREBY AUTHORIZED
 AND EMPOWERED TO ADOPT, PROMULGATE, AMEND AND RESCIND SUITABLE RULES AND
 REGULATIONS TO CARRY OUT THE PROVISIONS OF THIS ARTICLE, INCLUDING RULES
 GOVERNING THE FORM AND CONTENT  OF  ANY  DISCLOSURES  OR  COMMUNICATIONS
 REQUIRED BY THIS ARTICLE.
   (B)  THE  ATTORNEY  GENERAL  MAY  REQUEST  DATA  AND  INFORMATION FROM
 CONTROLLERS CONDUCTING BUSINESS IN NEW YORK STATE, OTHER NEW YORK  STATE
 GOVERNMENT  ENTITIES  ADMINISTERING NOTICE AND CONSENT REGIMES, CONSUMER
 PROTECTION AND PRIVACY ADVOCATES  AND  RESEARCHERS,  INTERNET  STANDARDS
 SETTING  BODIES,  SUCH  AS  THE  INTERNET  ENGINEERING TASKFORCE AND THE
 INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS,  AND  OTHER  RELEVANT
 SOURCES,  TO  CONDUCT  STUDIES TO INFORM SUITABLE RULES AND REGULATIONS.
 THE ATTORNEY GENERAL SHALL RECEIVE, UPON REQUEST, DATA  FROM  OTHER  NEW
 YORK STATE GOVERNMENTAL ENTITIES.
   4.  EXERCISE  OF  RIGHTS: ANY CONSUMER RIGHT SET FORTH IN THIS ARTICLE
 MAY BE EXERCISED AT ANY TIME BY THE CONSUMER WHO IS THE SUBJECT  OF  THE
 DATA  OR  BY  A  PARENT OR GUARDIAN AUTHORIZED BY LAW TO TAKE ACTIONS OF
 LEGAL CONSEQUENCE ON BEHALF OF THE CONSUMER WHO IS THE  SUBJECT  OF  THE
 DATA. AN AGENT AUTHORIZED BY A CONSUMER MAY EXERCISE THE CONSUMER RIGHTS
 SET  FORTH  IN SUBDIVISIONS FOUR THROUGH SEVEN OF SECTION ELEVEN HUNDRED
 TWO OF THIS ARTICLE ON THE CONSUMER'S BEHALF.
   § 4. This act shall take effect immediately; provided,  however,  that
 sections  1101,  1102, 1103, 1105, 1106 and 1107 of the general business
 law, as added by section three of this act, shall take effect two  years
 after it shall have become a law but the private right of action author-
 ized  by subdivision 6 of section 1106 of the general business law shall
 take effect three years after such section shall have become a law.