and social well-being as well as overcrowding of digital spaces and
depletion of the "common good" of limited user attention;
f. The legislature further finds that the collection and storage of
vast amounts of personal consumer data carries an inherent risk of secu-
rity breach if such data is compromised;
g. The legislature hereby declares that a levy on the gross receipts
of commercial interests engaged in such commodification will erode the
aforementioned negative externalities by incentivizing companies to
collect fewer points of personal consumer data, to provide fair market
value dividends directly to consumers in exchange for their productive
labor, to proactively mitigate the security risks of data breaches, and
to more judiciously preserve the commons of digital space and limited
user attention;
h. The legislature further declares that a levy on the gross receipts
of such commercial interests will redistribute the wealth created by the
value of consumers from the shareholders who exploit this free labor
back to the people who generate such labor;
i. The legislature further declares that the creation of a "data tax"
will put New York on par with other domestic and foreign states such as
Maryland, Vermont, and Austria who have similarly recognized the social,
economic, and ethical justification for such tax.
§ 3. The executive law is amended by adding a new article 51 to read
as follows:
ARTICLE 51
OFFICE OF CONSUMER DATA PROTECTION
SECTION 1004. DEFINITIONS.
1005. APPLICABILITY.
1006. OFFICE OF CONSUMER DATA PROTECTION.
1007. ANNUAL REPORT.
§ 1004. DEFINITIONS. FOR THE PURPOSES OF THIS ARTICLE, THE FOLLOWING
TERMS SHALL HAVE THE FOLLOWING MEANINGS:
1. "CODE OF CONDUCT" SHALL MEAN A SET OF WRITTEN POLICIES ADOPTED BY A
DATA CONTROLLER OR PROCESSOR IN ORDER TO FACILITATE COMPLIANCE WITH THE
PROVISIONS OF THIS ARTICLE AND ANY REGULATIONS PROMULGATED BY THE OFFICE
OF CONSUMER DATA PROTECTION, TAKING INTO ACCOUNT THE SPECIFIC CHARACTER-
ISTICS OF THE DATA CONTROLLER OR PROCESSOR'S DATA OPERATIONS. ALL CODES
OF CONDUCT SHALL BE APPROVED BY THE OFFICE OF CONSUMER DATA PROTECTION. EITHER A
CODE OF CONDUCT OR THE DATA PROTECTION CERTIFICATION DESCRIBED IN SUBDI-
VISION EIGHT OF THIS SECTION MAY BE USED TO DEMONSTRATE COMPLIANCE WITH
THE PROVISIONS OF THIS ARTICLE AND WITH DATA PROTECTION REGULATIONS
PROMULGATED BY THE OFFICE OF CONSUMER DATA PROTECTION.
2. "CONSUMER" SHALL MEAN A NATURAL PERSON WHO IS A NEW YORK RESIDENT.
3. "DATA BREACH" SHALL MEAN A BREACH OF SECURITY LEADING TO THE ACCI-
DENTAL OR UNLAWFUL DESTRUCTION, LOSS, ALTERATION, UNAUTHORIZED DISCLO-
SURE OF, OR ACCESS TO, PERSONAL DATA TRANSMITTED, STORED OR OTHERWISE
PROCESSED.
4. "DATA CONTROLLER" OR "CONTROLLER" SHALL MEAN A NATURAL OR LEGAL
PERSON WHICH, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND
MEANS OF PROCESSING OF PERSONAL DATA. THIS INCLUDES BUT IS NOT LIMITED
TO ANY BUSINESS, WEBSITE, OR PLATFORM THAT COLLECTS DATA WHILE SELLING
ELECTRONIC ADVERTISING SPACE ON ITS PLATFORM TAILORED TO ANY ONE OR ANY
AGGREGATION OF THE ITEMS OF PERSONAL DATA DEFINED IN THIS SECTION. NO
DATA CONTROLLER IS EXEMPT FROM THE REQUIREMENTS OF THIS ARTICLE IF THEY
ARE PROCESSING PSEUDONYMIZED DATA, WHEREBY PROCESSING MEANS ANY OPERA-
TION OR SET OF OPERATIONS THAT ARE PERFORMED ON PERSONAL DATA OR ON SETS
OF PERSONAL DATA, WHETHER OR NOT BY AUTOMATED MEANS. FOR PURPOSES OF
S. 5662 3
THIS SUBDIVISION "PSEUDONYMIZED" OR "PSEUDONYMIZATION" MEANS THE PROC-
ESSING OF PERSONAL DATA IN A MANNER THAT RENDERS THE PERSONAL DATA NO
LONGER ATTRIBUTABLE TO A SPECIFIC DATA SUBJECT WITHOUT THE USE OF ADDI-
TIONAL INFORMATION, PROVIDED THAT THE ADDITIONAL INFORMATION IS KEPT
SEPARATELY AND IS SUBJECT TO TECHNICAL AND ORGANIZATIONAL MEASURES TO
ENSURE THAT THE PERSONAL DATA IS NOT ATTRIBUTED TO AN IDENTIFIED OR
IDENTIFIABLE DATA SUBJECT. ANY ENTITY PARTICIPATING IN REAL TIME
AUCTIONS TO FACILITATE THE SALE OF DIGITAL ADVERTISING SPACE, ANY ENTITY
COLLECTING ANONYMIZED OR AGGREGATED DATA FOR THE PURPOSE OF ADVERTISING,
MARKETING, OR TRANSFERRING DATA TO ANY PARTY PURCHASING DIGITAL ADVER-
TISING SPACE, AND ANY COMPANY COLLECTING THE DATA OF DATA SUBJECTS VIA
AN INTERNET OR PHONE-BASED PLATFORM, APPLICATION OR WEBSITE REGISTRY
THAT ALSO MARKETS OR ADVERTISES PRODUCTS TO CONSUMERS ARE CONSIDERED
DATA CONTROLLERS UNDER THIS ARTICLE.
5. "DATA OPERATIONS" SHALL MEAN THE COLLECTION, STORAGE, TRANSFER,
SALE, OR LICENSING OF PERSONAL DATA BY A DATA CONTROLLER OR DATA PROCES-
SOR.
6. "DATA PROCESSOR" OR "PROCESSOR" SHALL MEAN A NATURAL OR LEGAL
PERSON THAT PROCESSES DATA ON BEHALF OF THE CONTROLLER. PROVIDED, HOWEV-
ER, THAT WHEN SUCH NATURAL OR LEGAL PERSON IS BOTH A DATA CONTROLLER AND
DATA PROCESSOR, AS DEFINED IN THIS SECTION, SUCH PERSON SHALL BE DEEMED
ONE ENTITY FOR THE PURPOSES OF REGISTRATION AS DESCRIBED IN PARAGRAPH
(B) OF SUBDIVISION TWO OF SECTION ONE THOUSAND SIX OF THIS ARTICLE AND
TAXATION AS DESCRIBED IN SECTION ONE HUNDRED EIGHTY-FIVE OF THE TAX LAW.
7. "DATA PROTECTION AUDIT" SHALL MEAN AN AUDIT CONDUCTED BY THE OFFICE
OF CONSUMER DATA PROTECTION IN ORDER TO ASSESS WHETHER A DATA CONTROLLER
OR PROCESSOR IS IN COMPLIANCE WITH A DATA CONTROLLER OR PROCESSOR'S CODE
OF CONDUCT, REGULATIONS PROMULGATED BY THE OFFICE, AND/OR ANY RELEVANT
FEDERAL, STATE OR LOCAL LAW. THE OFFICE OF CONSUMER DATA PROTECTION
SHALL ADOPT A RATING SYSTEM OF "HIGH ASSURANCE," "REASONABLE ASSURANCE,"
"LIMITED ASSURANCE," AND "VERY LIMITED ASSURANCE" TO MEASURE LEVELS OF
COMPLIANCE WITH SUCH CODE OF CONDUCT, LAWS AND REGULATIONS.
8. "DATA PROTECTION CERTIFICATION" SHALL REFER TO A CERTIFICATION,
CREATED BY THE OFFICE OF CONSUMER DATA PROTECTION, WHICH SERVES TO
DEMONSTRATE COMPLIANCE WITH THE PROVISIONS OF THIS ARTICLE AND WITH DATA
PROTECTION REGULATIONS PROMULGATED BY SUCH OFFICE. DATA PROTECTION
CERTIFICATION SHALL BE VOLUNTARY FOR ALL DATA CONTROLLERS AND PROCESS-
ORS. THE OFFICE SHALL CREATE THE CRITERIA FOR SUCH CERTIFICATION.
SUCCESSFUL CERTIFICATION MAY BE DEMONSTRATED BY A CERTIFICATE, SEAL, OR
MARK WHICH DATA CONTROLLERS AND PROCESSORS MAY CONSPICUOUSLY DISPLAY.
9. "DATA PROTECTION IMPACT ASSESSMENT" SHALL MEAN AN INTERNAL EVALU-
ATION WHICH THE OFFICE OF CONSUMER DATA PROTECTION REQUIRES DATA
CONTROLLERS AND PROCESSORS TO CARRY OUT IN ORDER TO EVALUATE THE LEVEL
OF RISK ASSOCIATED WITH SUCH CONTROLLER OR PROCESSOR'S DATA OPERATIONS.
SUCH ASSESSMENT SHALL EXAMINE THE ORIGIN, NATURE, PARTICULARITY, AND
SEVERITY OF SUCH RISK. WHERE A DATA PROTECTION IMPACT ASSESSMENT INDI-
CATES THAT A CONTROLLER OR PROCESSOR'S DATA OPERATIONS INVOLVE A HIGH
DEGREE OF RISK, AS DETERMINED BY THE OFFICE OF CONSUMER DATA PROTECTION,
WHICH CANNOT BE MITIGATED BY APPROPRIATE MEASURES, SUCH CONTROLLER OR
PROCESSOR SHALL BE OBLIGATED TO RECEIVE EXPRESS APPROVAL FROM THE OFFICE
OF CONSUMER DATA PROTECTION PRIOR TO COMMENCING OR RESUMING DATA OPER-
ATIONS.
10. "DATA SUBJECT" OR "SUBJECT" SHALL MEAN A NATURAL PERSON FOR WHOM A
DATA CONTROLLER HOLDS PERSONAL DATA, AS DEFINED IN SUBDIVISION THIRTEEN
OF THIS SECTION, AND WHO CAN BE IDENTIFIED, DIRECTLY OR INDIRECTLY, BY
REFERENCE TO SUCH PERSONAL DATA.
11. "NEWLY ESTABLISHED" SHALL REFER TO A LIMITED HISTORY OF DATA OPER-
ATIONS AS DETERMINED BY THE OFFICE OF CONSUMER DATA PROTECTION. SUCH
OFFICE MAY CONSIDER FACTORS SUCH AS DATE OF INCORPORATION OR OTHER FORM
OF ORGANIZATION, WHETHER IN THIS STATE OR ANOTHER STATE, TERRITORY,
DISTRICT, PROVINCE, NATION OR OTHER JURISDICTION, FOREIGN OR DOMESTIC,
AMOUNT OF CAPITAL RAISED, THE ENTREPRENEURIAL NATURE OF A DATA CONTROL-
LER OR PROCESSOR'S BUSINESS, OR ANY OTHER FACTOR THE OFFICE DEEMS RELE-
VANT IN DETERMINING LIMITED OPERATING HISTORY AND AN INITIAL DATE OF
DATA OPERATIONS, PROVIDED THAT SUCH OFFICE SHALL PROMULGATE REGULATIONS
WITH THE GUIDELINES USED FOR DETERMINING SUCH DATE AND THAT SUCH OFFICE
SHALL ADHERE TO SUCH GUIDELINES CONSISTENTLY WHEN DETERMINING SUCH DATE
FOR ALL DATA CONTROLLERS AND PROCESSORS REQUIRED TO REGISTER UNDER PARA-
GRAPH (B) OF SUBDIVISION TWO OF SECTION ONE THOUSAND SIX OF THIS ARTI-
CLE.
12. "OFFICE" SHALL MEAN THE OFFICE OF CONSUMER DATA PROTECTION ESTAB-
LISHED BY SECTION ONE THOUSAND SIX OF THIS ARTICLE.
13. "PERSONAL DATA" SHALL MEAN ANY COMPUTERIZED INFORMATION ABOUT A
DATA SUBJECT AS SET FORTH IN THIS SUBDIVISION THAT IS NOT MADE PUBLICLY
AVAILABLE THROUGH FEDERAL, STATE OR LOCAL GOVERNMENT AGENCIES OR ANY
PUBLICLY AVAILABLE INFORMATION AS IT RELATES TO A DATA SUBJECT'S BUSI-
NESS LICENSE, STATUS OR PROFESSION, REGARDLESS OF WHETHER IT IS
COLLECTED FOR THE PURPOSE OF SELLING OR TRANSFERRING IT TO ANOTHER ENTI-
TY. PERSONAL DATA SHALL MEAN INFORMATION THAT IDENTIFIES, RELATES TO,
DESCRIBES OR IS REASONABLY LINKED TO A PARTICULAR DATA SUBJECT OR HOUSE-
HOLD, INCLUDING BUT NOT LIMITED TO:
(A) PHYSICAL ADDRESS;
(B) LEGAL NAME;
(C) ALIAS;
(D) UNIQUE PERSONAL IDENTIFIER;
(E) ONLINE IDENTIFIER;
(F) INTERNET PROTOCOL ADDRESS;
(G) EMAIL ADDRESS;
(H) ACCOUNT NAME;
(I) SOCIAL SECURITY NUMBER;
(J) DRIVER'S LICENSE NUMBER;
(K) PASSPORT NUMBER;
(L) PLACE OF BIRTH;
(M) MOTHER'S MAIDEN NAME;
(N) DATE OF BIRTH;
(O) PHONE NUMBER;
(P) AUDIO, VISUAL, THERMAL OR OLFACTORY DATA;
(Q) PROFESSION OR EMPLOYMENT RELATED INFORMATION;
(R) MEDICAL HISTORY, RECORDS OF PAST MEDICAL TREATMENT, OR ANY DIAGNO-
SIS OF A PHYSICAL OR MENTAL HEALTH CONDITION, INCLUDING DIAGNOSIS,
TREATMENT OR REFERRAL FOR ADDICTION OR SUBSTANCE ABUSE;
(S) EDUCATIONAL INFORMATION THAT IS NOT ALREADY PUBLICLY AVAILABLE
THROUGH A LOCAL, STATE, OR FEDERAL AGENCY;
(T) REAL TIME GEOLOCATION DATA OR STORED GEOLOCATION HISTORY;
(U) ANY UNIQUE BIOMETRIC DATA, BODY MEASUREMENT, TECHNICAL ANALYSIS OR
MEASUREMENTS COLLECTED FOR THE PURPOSE OF ALLOWING A DATA SUBJECT TO
AUTHENTICATE THE SUBJECT ON A DEVICE, INTERNET APPLICATION, OR WEB-BASED
PLATFORM;
(V) NAMES AND IDENTIFYING INFORMATION OF A SUBJECT'S IMMEDIATE FAMILY;
(W) INTERNET OR ANY OTHER ELECTRONIC NETWORK ACTIVITY, INCLUDING
BROWSING HISTORY, SEARCH HISTORY, AND INFORMATION REGARDING A SUBJECT'S
ACTIVITY ON A WEBSITE OR INTERACTION WITH AN ELECTRONIC ADVERTISEMENT;
(X) ANY OTHER INFORMATION THAT ALONE, OR COMBINED WITH ANY OF THE
INFORMATION DESCRIBED IN THIS SUBDIVISION, COULD BE REASONABLY USED TO
IDENTIFY AN INDIVIDUAL DATA SUBJECT OR HOUSEHOLD; AND
(Y) ANY INFERENCES DRAWN FROM ANY OF THE COMBINED FORMS OF PERSONAL
DATA THAT ARE USED TO CREATE A PROFILE OF THE DATA SUBJECT REFLECTING
THE SUBJECT'S PREFERENCES, CHOICES, CHARACTERISTICS, PSYCHOLOGICAL
TRENDS, INTELLIGENCE, APTITUDE, PHYSICAL HEALTH OR BEHAVIOR.
"PERSONAL DATA" SHALL ALSO INCLUDE ANY INFORMATION WHICH CREATES PROB-
ABILISTIC IDENTIFIERS THAT CAN BE USED TO ISOLATE, INDIVIDUALIZE, OR
IDENTIFY A DATA SUBJECT OR DEVICE TO A DEGREE OF CERTAINTY MORE PROBABLE
THAN NOT BASED ON ANY ITEM OF PERSONAL INFORMATION DEFINED IN THIS
SUBDIVISION.
14. "SALE" OR "SOLD" SHALL MEAN THE DISCLOSURE, DISSEMINATION, MAKING
AVAILABLE, RELEASE, TRANSFER, CONVEYANCE, LICENSE, RENTAL, OR OTHER
COMMERCIALIZATION OF DATA BY A DATA CONTROLLER TO A THIRD PARTY, WHETHER
COMMERCIALIZATION OCCURS VIA ACCESS TO RAW DATA OR VIA USE OF PLATFORM
INTERFACE RATHER THAN DIRECT ACCESS TO RAW DATA. THIS DEFINITION SHALL
INCLUDE DISSEMINATION OF DATA, ORALLY, IN WRITING, OR BY ELECTRONIC OR
OTHER MEANS, FOR MONETARY OR OTHER VALUABLE CONSIDERATION, OR OTHERWISE
FOR A COMMERCIAL PURPOSE, BY A DATA CONTROLLER TO A THIRD PARTY.
15. "THIRD PARTY" SHALL MEAN A NATURAL OR LEGAL PERSON, PUBLIC AUTHOR-
ITY, AGENCY, OR BODY OTHER THAN THE DATA SUBJECT, DATA CONTROLLER, OR
DATA PROCESSOR OF THE DATA CONTROLLER.
§ 1005. APPLICABILITY. 1. THE PROVISIONS OF THIS ARTICLE SHALL NOT
APPLY TO A DATA CONTROLLER OR DATA PROCESSOR WHO, AS DETERMINED BY THE
OFFICE, COLLECTS, PROCESSES, OR SELLS PERSONAL DATA IN A WAY THAT IS
DEEMED INCIDENTAL TO SUCH CONTROLLER OR PROCESSOR'S ORDINARY COURSE OF
BUSINESS, TAKING INTO ACCOUNT THE NATURE, CONTEXT, SCOPE, AND PURPOSES
OF SUCH DATA COLLECTION, PROCESSING, OR SALE.
2. THE OFFICE SHALL FURTHER BE EMPOWERED TO EXEMPT FROM THE PROVISIONS
OF THIS ARTICLE ANY DATA CONTROLLER OR PROCESSOR WHO, AS DETERMINED BY
SUCH OFFICE, DERIVES NO ECONOMIC BENEFIT FROM SUCH CONTROLLER OR
PROCESSOR'S DATA OPERATIONS OR WHOSE DATA OPERATIONS ARE REQUIRED IN
ORDER TO COMPLY WITH A LEGAL OBLIGATION OR IN THE EXERCISE OF OFFICIAL
AUTHORITY, OR FOR ANY OTHER PURPOSE, AS DETERMINED BY THE OFFICE, WHICH
SERVES TO FURTHER THE PUBLIC INTEREST.
§ 1006. OFFICE OF CONSUMER DATA PROTECTION. 1. (A) THERE IS HEREBY
CREATED AN OFFICE OF CONSUMER DATA PROTECTION, TO BE GOVERNED BY A
SEVEN-MEMBER CONSUMER DATA PROTECTION BOARD. THE BOARD SHALL CONSIST OF
A CHAIRPERSON NOMINATED BY THE GOVERNOR WITH THE ADVICE AND CONSENT OF
THE SENATE, WITH ONE VOTE, AND SIX OTHER VOTING BOARD MEMBERS. THE
GOVERNOR SHALL HAVE TWO ADDITIONAL APPOINTMENTS TO THE BOARD WITH THE
ADVICE AND CONSENT OF THE SENATE, AND THE TEMPORARY PRESIDENT OF THE
SENATE AND THE SPEAKER OF THE ASSEMBLY SHALL HAVE TWO APPOINTMENTS EACH.
THE MEMBERS OF THE CONSUMER DATA PROTECTION BOARD SHALL ENGAGE IN NO
OCCUPATION INCOMPATIBLE WITH THEIR DUTIES PRESCRIBED IN THIS SECTION,
WHETHER GAINFUL OR NOT, AND SHALL TAKE STEPS THEY DEEM NECESSARY AND
PROPER TO SHIELD ALL DECISION MAKING PROCESSES OF THE BOARD FROM UNWAR-
RANTED AND INAPPROPRIATE COMMUNICATIONS AND ATTEMPTS TO INFLUENCE.
(B) THE MEMBERS OF THE CONSUMER DATA PROTECTION BOARD SHALL BE SUBJECT
TO A DUTY OF PROFESSIONAL SECRECY BOTH DURING AND AFTER THEIR TERMS ON
SUCH BOARD, WITH REGARD TO ANY CONFIDENTIAL INFORMATION WHICH HAS COME
TO THEIR KNOWLEDGE IN THE COURSE OF THE PERFORMANCE OF THEIR TASKS OR
EXERCISE OF THEIR POWERS. DURING THEIR TERM OF OFFICE, THAT DUTY OF
PROFESSIONAL SECRECY SHALL APPLY TO REPORTING BY NATURAL PERSONS OF
INFRINGEMENTS OF THIS ARTICLE.
(C) A MEMBER OF THE CONSUMER DATA PROTECTION BOARD MAY BE DISMISSED
BEFORE THE EXPIRATION OF SUCH MEMBER'S TERM BY SUCH MEMBER'S APPOINTING
AUTHORITY ONLY IN A CASE OF SERIOUS MISCONDUCT OR IF SUCH MEMBER
VIOLATES THE TERMS OF PARAGRAPH (A) OR (B) OF THIS SUBDIVISION.
(D) THE CONSUMER DATA PROTECTION BOARD SHALL APPOINT AN EXECUTIVE
DIRECTOR OF THE OFFICE WHO SHALL SUPERVISE ALL DAY-TO-DAY OPERATIONS OF
SUCH OFFICE. THE EXECUTIVE DIRECTOR MAY APPOINT NECESSARY DEPUTIES,
COUNSELS, ASSISTANTS, INVESTIGATORS, AND OTHER EMPLOYEES IN ORDER TO
EFFECTUATE THE PROVISIONS OF THIS ARTICLE.
(E) THE CONSUMER DATA PROTECTION BOARD SHALL ENSURE THAT THE OFFICE IS
PROVIDED WITH THE HUMAN, TECHNICAL, AND FINANCIAL RESOURCES, PREMISES,
AND INFRASTRUCTURE NECESSARY FOR THE EFFECTIVE PERFORMANCE OF ITS TASKS
AND EXERCISE OF ITS POWERS DESCRIBED IN SUBDIVISION TWO OF THIS SECTION.
2. THE OFFICE SHALL RETAIN THE FOLLOWING ADMINISTRATIVE POWERS AND
RESPONSIBILITIES:
(A) THE OFFICE SHALL PROMULGATE ANY AND ALL RULES AND REGULATIONS IT
DEEMS NECESSARY TO PROPERLY SAFEGUARD PERSONAL DATA, INCLUDING WHETHER
AND HOW DATA SUBJECTS SHALL CONSENT TO THE PROCESSING OF SUCH DATA,
WHETHER AND HOW DATA SUBJECTS ARE GRANTED ACCESS TO PERSONAL DATA,
WHETHER AND HOW DATA SUBJECTS CAN REQUEST ERASURE OF PERSONAL DATA,
WHETHER AND HOW DATA SUBJECTS CAN OBJECT TO THE PROCESSING OF THEIR
PERSONAL DATA FOR COMMERCIAL PURPOSES, ANY STEPS THAT A DATA CONTROLLER
OR PROCESSOR MUST TAKE TO SAFEGUARD PERSONAL DATA, NECESSARY DISCLOSURES
THAT A DATA CONTROLLER OR PROCESSOR MUST MAKE TO DATA SUBJECTS WHEN
THERE IS A POTENTIAL OR LIKELY DATA BREACH, OR AFTER A DATA BREACH HAS
OCCURRED, AND ANY OTHER POLICIES WHICH FURTHER THE INTEREST OF THE
PROTECTION OF PERSONAL DATA.
(B) (I) EACH DATA CONTROLLER AND PROCESSOR IN THIS STATE SHALL BE
REQUIRED TO REGISTER WITH THE OFFICE, ON AN ANNUAL BASIS, WITH A DIGITAL
APPLICATION DEVELOPED AND MAINTAINED BY SUCH OFFICE. SUCH APPLICATION
SHALL INCLUDE THE NAME OF SUCH DATA CONTROLLER OR PROCESSOR, ITS PHYS-
ICAL ADDRESS, ANY EMAIL ADDRESS OR WEBSITE ASSOCIATED WITH SUCH DATA
CONTROLLER OR PROCESSOR, WHETHER SUCH DATA CONTROLLER OR PROCESSOR
OFFERS AN OPT-IN OR OPT-OUT MODEL FOR ITS DATA OPERATIONS AND THE
SPECIFIC DETAILS OF HOW A DATA SUBJECT CAN ACCESS EITHER OF THESE
OPTIONS, A STATEMENT SPECIFYING THE METHODS USED FOR DATA OPERATIONS,
DATABASES MAINTAINED, AND AMOUNT OF DATA COLLECTED, PROCESSED, OR SOLD
OF BOTH ALL DATA SUBJECTS AND DATA SUBJECTS WHO RESIDE IN NEW YORK, AND
ANNUAL GROSS RECEIPTS OF SUCH CONTROLLER OR PROCESSOR. WHEN DISCLOSING
SUCH ANNUAL GROSS RECEIPTS, A DATA CONTROLLER OR PROCESSOR SHALL DETAIL
(A) THE AMOUNT OF ANNUAL GROSS RECEIPTS FROM ALL FOREIGN AND DOMESTIC
SOURCES, (B) ANNUAL GROSS RECEIPTS FROM DOMESTIC SOURCES ONLY, AND (C)
ANNUAL GROSS RECEIPTS DERIVED FROM THE COLLECTION, PROCESSING, AND/OR
SALE OF DATA SUBJECTS WHO RESIDE IN NEW YORK.
(II) DATA CONTROLLERS AND PROCESSORS SHALL PAY AN ANNUAL REGISTRATION
FEE OF TWO HUNDRED FIFTY DOLLARS, IF SUCH CONTROLLER OR PROCESSOR HAS
GROSS RECEIPTS OF EIGHT HUNDRED SIXTY MILLION DOLLARS OR LESS, OR FOUR
HUNDRED FIFTY DOLLARS, IF SUCH CONTROLLER OR PROCESSOR HAS GROSS
RECEIPTS OF OVER EIGHT HUNDRED SIXTY MILLION DOLLARS.
(III) ANY DATA CONTROLLER OR PROCESSOR WHICH FAILS TO ANNUALLY REGIS-
TER AS REQUIRED BY THIS PARAGRAPH SHALL BE SUBJECT TO A FINE OF BETWEEN
ONE THOUSAND DOLLARS AND TWENTY THOUSAND DOLLARS PER DAY. ANY CONTROLLER
OR PROCESSOR FOUND TO HAVE KNOWINGLY SUBMITTED FALSE OR INCOMPLETE
INFORMATION UPON REGISTRATION SHALL BE SUBJECT TO A FINE OF BETWEEN TEN
THOUSAND DOLLARS AND ONE HUNDRED THOUSAND DOLLARS. ALL SUCH FINES SHALL
BE LEVIED BY THE OFFICE, PROVIDED THAT THE OFFICE SHALL CONSIDER FACTORS
SUCH AS GROSS INCOME AND ASSETS OF A DATA CONTROLLER OR PROCESSOR AND
WHETHER SUCH CONTROLLER OR PROCESSOR HAS MADE REASONABLE EFFORTS TO
COMPLY WITH THE PROVISIONS OF THIS PARAGRAPH WHEN DETERMINING THE AMOUNT
OF SUCH FINES TO BE LEVIED.
(IV) THE OFFICE SHALL DETERMINE WHICH DATA CONTROLLERS AND PROCESSORS
HAVE BEEN NEWLY ESTABLISHED WITHIN THE PREVIOUS THREE YEARS FOR THE
PURPOSES OF COMPLIANCE WITH THE REPORTING REQUIREMENTS OF SECTION ONE
THOUSAND SEVEN OF THIS ARTICLE AND WITH THE TAX IMPOSED IN SECTION ONE
HUNDRED EIGHTY-FIVE OF THE TAX LAW.
(C) THE OFFICE SHALL PROMOTE PUBLIC AWARENESS AND UNDERSTANDING OF
RISKS, RULES, SAFEGUARDS AND RIGHTS IN RELATION TO DATA PROCESSING.
(D) THE OFFICE SHALL ADVISE ON LEGISLATIVE AND ADMINISTRATIVE MEASURES
RELATING TO THE PROTECTION OF DATA SUBJECTS' RIGHTS AND FREEDOMS WITH
REGARD TO PROCESSING.
(E) THE OFFICE SHALL PROVIDE, UPON REQUEST, INFORMATION TO ANY DATA
SUBJECT CONCERNING THE EXERCISE OF THEIR RIGHTS UNDER THIS ACT AS
CREATED IN THE REGULATIONS DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVI-
SION.
(F) THE OFFICE SHALL ADVISE DATA CONTROLLERS AND PROCESSORS OF THEIR
OBLIGATIONS UNDER THIS ARTICLE.
(G) THE OFFICE SHALL ENCOURAGE THE FORMATION OF CODES OF CONDUCT BY
DATA CONTROLLERS AND PROCESSORS AND PROVIDE AN OPINION AND APPROVE SUCH
CODES OF CONDUCT IT DEEMS TO PROVIDE SUFFICIENT SAFEGUARDS.
(H) THE OFFICE SHALL ESTABLISH A DATA PROTECTION CERTIFICATION MECH-
ANISM, APPROVING ALL CRITERIA FOR SUCH CERTIFICATION AND DATA PROTECTION
SEALS AND MARKS TO INDICATE SUCH CERTIFICATION. THE OFFICE SHALL
CONDUCT A PERIODIC REVIEW OF CERTIFICATIONS ISSUED, WHERE APPLICABLE,
AND SHALL DENY OR WITHDRAW CERTIFICATIONS IF SUCH CRITERIA ARE NOT MET
OR NO LONGER MET BY A DATA CONTROLLER OR PROCESSOR.
(I) THE OFFICE SHALL ESTABLISH AND MAINTAIN A LIST OF DATA CONTROLLERS
AND PROCESSORS WHO HAVE COMPLETED DATA PROTECTION IMPACT ASSESSMENTS AND
THE RESULTS OF SUCH ASSESSMENTS.
(J) THE OFFICE SHALL MONITOR RELEVANT DEVELOPMENTS, INSOFAR AS THEY
HAVE AN IMPACT ON THE PROTECTION OF PERSONAL DATA, IN PARTICULAR THE
DEVELOPMENT OF INFORMATION AND COMMUNICATION TECHNOLOGIES AND COMMERCIAL
PRACTICES.
(K) THE OFFICE SHALL PROCESS COMPLAINTS LODGED BY DATA SUBJECTS ABOUT
A DATA CONTROLLER OR PROCESSOR, INVESTIGATING THE SUBJECT MATTER OF SUCH
COMPLAINTS AND INFORMING THE COMPLAINANT OF THE PROGRESS AND OUTCOME OF
SUCH INVESTIGATION WITHIN A REASONABLE TIME PERIOD.
(L) THE OFFICE SHALL CONDUCT DATA PROTECTION AUDITS OF DATA CONTROL-
LERS OR PROCESSORS UPON A REQUEST FROM SUCH CONTROLLER OR PROCESSOR OR
FROM A DATA SUBJECT OR AS THE OFFICE DEEMS PRUDENT AND NECESSARY.
(M) THE OFFICE SHALL HAVE THE POWER TO ORDER A DATA CONTROLLER OR
PROCESSOR TO PROVIDE ANY INFORMATION IT REQUIRES FOR THE PERFORMANCE OF
THE OFFICE'S TASKS DESCRIBED IN THIS SUBDIVISION, INCLUDING ACCESS TO
SUCH CONTROLLER OR PROCESSOR'S PREMISES AND DATA PROCESSING EQUIPMENT
AND MEANS IF NEEDED.
(N) THE OFFICE SHALL NOTIFY DATA CONTROLLERS AND PROCESSORS WHEN THEY
ARE LIKELY TO INFRINGE OR HAVE INFRINGED UPON A REGULATION SUCH OFFICE
HAS ISSUED OR SUCH CONTROLLER OR PROCESSOR'S CODE OF CONDUCT. THE OFFICE
MAY ORDER THAT SUCH DATA CONTROLLER OR PROCESSOR BRING SUCH CONTROLLER
OR PROCESSOR'S DATA OPERATIONS INTO COMPLIANCE IN A SPECIFIED MANNER AND
WITHIN A SPECIFIED TIME PERIOD. THE OFFICE MAY FURTHER ORDER A TEMPORARY
OR DEFINITIVE BAN ON DATA OPERATIONS OR THE RECTIFICATION OR ERASURE OF
PERSONAL DATA UNTIL SUCH COMPLIANCE IS ACHIEVED. THE OFFICE SHALL KEEP
INTERNAL RECORDS OF INFRINGEMENTS BY DATA CONTROLLERS AND PROCESSORS OF
ANY INFRINGEMENTS OF ITS REGULATIONS OR A CONTROLLER OR PROCESSOR'S CODE
OF CONDUCT, AND OF MEASURES TAKEN IN RESOLUTION.
(O) THE OFFICE MAY ORDER THE SUSPENSION OF DATA FLOWS TO A RECIPIENT
IN A THIRD WORLD COUNTRY OR TO AN INTERNATIONAL ORGANIZATION.
(P) THE OFFICE MAY IMPOSE ADMINISTRATIVE FINES FOR THE PURPOSES OF
ENCOURAGING COMPLIANCE WITH ANY INFRINGEMENT OF THIS ARTICLE OR A REGU-
LATION SUCH OFFICE HAS ISSUED OR SUCH CONTROLLER OR PROCESSOR'S CODE OF
CONDUCT IN ADDITION TO THE FINE DESCRIBED IN SUBPARAGRAPH (III) OF PARA-
GRAPH (B) OF THIS SUBDIVISION.
(Q) THE OFFICE MAY ISSUE OPINIONS TO THE STATE OR OTHER INSTITUTIONS
AND BODIES AS WELL AS TO THE PUBLIC ON ANY ISSUE RELATED TO THE
PROTECTION OF PERSONAL DATA, ON ITS OWN INITIATIVE OR UPON REQUEST.
§ 1007. ANNUAL REPORT. THE CONSUMER DATA PROTECTION BOARD SHALL
PRODUCE AND TRANSMIT, IN CONJUNCTION WITH THE OFFICE, AN ANNUAL REPORT
TO THE TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY,
THE CHAIR OF THE SENATE FINANCE COMMITTEE, AND THE CHAIR OF THE ASSEMBLY
WAYS AND MEANS COMMITTEE, ON OR BEFORE JANUARY THIRTY-FIRST OF EACH
YEAR, PERTAINING TO THE DATA CONTROLLERS AND PROCESSORS WHO HAVE REGIS-
TERED WITH THE OFFICE PURSUANT TO PARAGRAPH (B) OF SUBDIVISION TWO OF
SECTION ONE THOUSAND SIX OF THIS ARTICLE. SUCH REPORT SHALL CONTAIN, BUT
NOT BE LIMITED TO, THE NUMBER OF DATA CONTROLLERS AND PROCESSORS REGIS-
TERED, THE NUMBER OF DATA SUBJECTS RESIDING IN THIS STATE WHOSE DATA IS
BEING COLLECTED, PROCESSED, OR SOLD, BOTH IN THE AGGREGATE AND PER DATA
CONTROLLER OR PROCESSOR, AND AN ANALYSIS OF THE RECEIPTS GENERATED FROM
SUCH CONTROLLER OR PROCESSOR'S DATA OPERATIONS. SUCH REPORT SHALL ALSO
BE POSTED FOR PUBLIC REVIEW IN A CLEAR AND CONSPICUOUS MANNER ON THE
OFFICE OF CONSUMER DATA PROTECTION'S WEBSITE.
§ 4. The tax law is amended by adding a new section 185 to read as
follows:
§ 185. ADDITIONAL TAX ON DATA CONTROLLERS AND DATA PROCESSORS. 1.
NOTWITHSTANDING ANY OTHER PROVISION OF THIS CHAPTER, OR OF ANY OTHER
LAW, FOR TAXABLE YEARS BEGINNING ON OR AFTER JANUARY FIRST, TWO THOUSAND
TWENTY-FOUR, AN ANNUAL TAX IS HEREBY IMPOSED UPON EVERY DATA CONTROLLER
OR DATA PROCESSOR, AS DEFINED IN SECTION ONE THOUSAND FOUR OF THE EXECU-
TIVE LAW, WHICH IS REQUIRED TO REGISTER WITH THE OFFICE OF CONSUMER DATA
PROTECTION PURSUANT TO PARAGRAPH (B) OF SUBDIVISION TWO OF SECTION ONE
THOUSAND SIX OF THE EXECUTIVE LAW. THE OFFICE OF CONSUMER DATA
PROTECTION SHALL SHARE A COMPLETE DIRECTORY OF ALL DATA CONTROLLERS AND
PROCESSORS REGISTERED WITH SUCH OFFICE WITH THE COMMISSIONER FOR THE
PURPOSES OF ASSESSING THE TAX IMPOSED BY THIS SECTION.
2. (A) THE TAX SHALL BE EQUAL TO TWO PER CENTUM OF THE ESTIMATED ANNU-
AL GROSS RECEIPTS OF A DATA CONTROLLER OR PROCESSOR DERIVED FROM THE
COLLECTION, PROCESSING, AND/OR SALE OF DATA SUBJECTS WHO RESIDE IN NEW
YORK. THE COMMISSIONER SHALL CALCULATE SUCH ESTIMATION BY MULTIPLYING A
DATA CONTROLLER OR PROCESSOR'S ANNUAL GROSS DOMESTIC RECEIPTS, AS
REPORTED IN SUBPARAGRAPH (I) OF PARAGRAPH (B) OF SUBDIVISION TWO OF
SECTION ONE THOUSAND SIX OF THE EXECUTIVE LAW, BY A SUM THAT IS EQUAL TO
THE QUOTIENT OF THE GROSS DOMESTIC PRODUCT OF NEW YORK DIVIDED BY THE
GROSS DOMESTIC PRODUCT OF THE UNITED STATES, AND THEN MULTIPLYING SUCH
SUM BY ONE HUNDRED. IF A DATA CONTROLLER OR PROCESSOR DISAGREES WITH THE
ESTIMATION OF ANNUAL GROSS RECEIPTS DESCRIBED IN THIS PARAGRAPH, SUCH
CONTROLLER OR PROCESSOR SHALL HAVE THE OPPORTUNITY TO PRESENT TO THE
COMMISSIONER AN ALTERNATIVE ESTIMATION OF SUCH CONTROLLER OR PROCESSOR'S
ANNUAL GROSS RECEIPTS DERIVED FROM THE COLLECTION, PROCESSING, AND/OR
SALE OF DATA SUBJECTS WHO RESIDE IN NEW YORK BASED ON SUCH CONTROLLER OR
PROCESSOR'S INTERNAL RECORDS. IF THE COMMISSIONER ACCEPTS THE ALTERNA-
TIVE ESTIMATION SO PRESENTED BY SUCH CONTROLLER OR PROCESSOR, THE
COMMISSIONER SHALL IMPOSE A TAX OF TWO PER CENTUM OF SUCH ALTERNATIVE
ESTIMATION ON SUCH CONTROLLER OR PROCESSOR. AS USED IN THIS SUBDIVISION,
"GROSS DOMESTIC PRODUCT" SHALL MEAN A MONETARY MEASURE OF THE MARKET
VALUE OF ALL FINAL GOODS AND SERVICES PRODUCED AND SOLD IN A SPECIFIC
TIME PERIOD BY A COUNTRY OR COUNTRIES.
(B) PROVIDED, HOWEVER, THE COMMISSIONER SHALL EXEMPT THE FIRST FIVE
MILLION DOLLARS OF THE ESTIMATED GROSS RECEIPTS OF A DATA CONTROLLER OR
PROCESSOR, AS DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION, FROM THE
TAX IMPOSED BY THIS SECTION.
3. DATA CONTROLLERS AND PROCESSORS SHALL BE EXEMPT FROM SUCH TAX ON
GROSS RECEIPTS IF THE CONTROLLER OR PROCESSOR HAS BEEN NEWLY ESTABLISHED
WITHIN THE PREVIOUS THREE YEARS, AS DETERMINED BY THE OFFICE OF CONSUMER
DATA PROTECTION IN SUBPARAGRAPH (IV) OF PARAGRAPH (B) OF SUBDIVISION TWO
OF SECTION ONE THOUSAND SIX OF THE EXECUTIVE LAW.
4. (A) ALL GROSS RECEIPTS OF SUBSIDIARIES FORMED BY A DATA CONTROLLER
OR PROCESSOR SHALL BE CONSIDERED ASSETS OF THE DATA CONTROLLER OR
PROCESSOR FOR THE PURPOSES OF DETERMINING THE GROSS RECEIPTS EXEMPTION
DESCRIBED IN PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION. GROSS
RECEIPTS OF SUBSIDIARIES SHALL NOT BE USED IN ANY WAY TO OFFSET, REDUCE,
OR DISCOUNT THE GROSS RECEIPTS OF THE UNDERLYING DATA CONTROLLER OR
PROCESSOR FOR THE PURPOSES OF CALCULATION OF SUCH RECEIPTS.
(B) PROVIDED, FURTHER, AN INITIAL DATE OF REGISTRATION WITH THE OFFICE
OF CONSUMER DATA PROTECTION BY THE SUBSIDIARY OF A DATA CONTROLLER OR
PROCESSOR WHICH IS LATER THAN SUCH UNDERLYING CONTROLLER OR PROCESSOR'S
INITIAL DATE OF REGISTRATION SHALL NOT BE USED TO DELAY SUCH UNDERLYING
CONTROLLER OR PROCESSOR'S INITIAL DATE. A DATA CONTROLLER OR PROCESSOR
AND SUCH CONTROLLER OR PROCESSOR'S SUBSIDIARY SHALL COUNT AS ONE ENTITY
FOR THE PURPOSES OF DETERMINING THE PERIOD OF TIME AFTER WHICH THE TAX
IMPOSED BY THIS SECTION SHALL APPLY.
(C) "SUBSIDIARY" AS USED IN THIS SUBDIVISION SHALL MEAN A CORPORATION
OF WHICH OVER FIFTY PERCENT OF THE NUMBER OF SHARES OF STOCK ENTITLING
THE HOLDERS THEREOF TO VOTE FOR THE ELECTION OF DIRECTORS OR TRUSTEES IS
OWNED BY THE DATA CONTROLLER OR PROCESSOR WHICH FORMED SUCH SUBSIDIARY.
§ 5. This act shall take effect on the one hundred eightieth day after
it shall have become a law. Effective immediately, the addition, amend-
ment and/or repeal of any rule or regulation necessary for the implemen-
tation of this act on its effective date are authorized to be made and
completed on or before such effective date.