S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   2587
 
                        2023-2024 Regular Sessions
 
                           I N  A S S E M B L Y
 
                             January 26, 2023
                                ___________
 
 Introduced  by M. of A. VANEL -- read once and referred to the Committee
   on Governmental Operations
 
 AN ACT to amend the executive law, in relation to enacting the New  York
   data protection act
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:

   Section 1. Short title. This act shall be known and may  be  cited  as
 the "New York data protection act".
   §  2. The executive law is amended by adding a new article 5-A to read
 as follows:
                                ARTICLE 5-A
                       NEW YORK DATA PROTECTION ACT
 SECTION 81. DEFINITIONS.
         82.   RIGHT TO REQUEST DISCLOSURE.
         83.   RIGHT TO REQUEST DELETION OF PERSONAL INFORMATION.
         84.   PERSONAL INFORMATION WHICH MAY BE REQUESTED.
         85.   SHARED INFORMATION; GOVERNMENT ENTITIES OR CONTRACTORS.
         86.   NON-SHAREABLE PERSONAL INFORMATION.
         87.   RIGHT NOT TO BE DISCRIMINATED AGAINST.
         88.   ACCESSIBILITY.
         89.   LIMITATION ON RESTRICTIONS.
         89-A. RELIEF.
         89-B. COMPLIANCE GUIDANCE.
 § 81. DEFINITIONS. AS USED IN THIS ARTICLE, THE  FOLLOWING  TERMS  SHALL
 HAVE THE FOLLOWING MEANINGS UNLESS OTHERWISE SPECIFIED:
   1.  "AGGREGATE  PERSONAL  INFORMATION"  SHALL  MEAN  INFORMATION  THAT
 RELATES TO A GROUP OR CATEGORY OF  INDIVIDUALS,  FROM  WHICH  INDIVIDUAL
 IDENTITIES  HAVE BEEN REMOVED, THAT IS NOT LINKED OR REASONABLY LINKABLE
 TO ANY INDIVIDUAL OR HOUSEHOLD, INCLUDING  VIA  A  DEVICE.    "AGGREGATE
 PERSONAL  INFORMATION"  SHALL  NOT MEAN ONE OR MORE INDIVIDUAL'S RECORDS
 THAT HAVE BEEN DE-IDENTIFIED.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD06208-01-3
              

 A. 2587                             2
 
   2. "COLLECTS", "COLLECTED",  OR  "COLLECTION"  SHALL  MEAN  GATHERING,
 OBTAINING,  RECEIVING,  OR ACCESSING ANY PERSONAL INFORMATION PERTAINING
 TO AN INDIVIDUAL BY ANY MEANS. THIS INCLUDES RECEIVING INFORMATION  FROM
 SUCH INDIVIDUAL EITHER ACTIVELY OR PASSIVELY.
   3.  "CONTRACTOR" MEANS A CONTRACTOR, OR SUBCONTRACTOR OF A CONTRACTOR,
 THAT CONTRACTS TO PROCESS INFORMATION ON BEHALF OF A  GOVERNMENT  ENTITY
 AND  TO  WHICH SUCH GOVERNMENT ENTITY DISCLOSES AN INDIVIDUAL'S PERSONAL
 INFORMATION FOR A LEGITIMATE GOVERNMENT PURPOSE PURSUANT  TO  A  WRITTEN
 CONTRACT,  PROVIDED  THAT  SUCH  CONTRACT  PROHIBITS  SUCH CONTRACTOR OR
 SUBCONTRACTOR RECEIVING SUCH PERSONAL INFORMATION FROM RETAINING, USING,
 OR DISCLOSING SUCH PERSONAL INFORMATION FOR ANY PURPOSE OTHER  THAN  FOR
 THE  SPECIFIC  PURPOSE  OF  PERFORMING  THE  SERVICES  SPECIFIED IN SUCH
 CONTRACT, OR AS OTHERWISE PERMITTED BY THIS ARTICLE,  INCLUDING  RETAIN-
 ING,  USING,  OR  DISCLOSING  SUCH PERSONAL INFORMATION FOR A COMMERCIAL
 PURPOSE OTHER THAN PROVIDING THE SERVICES SPECIFIED IN THE CONTRACT.
   4. "DEIDENTIFIED" SHALL MEAN INFORMATION THAT CANNOT REASONABLY  IDEN-
 TIFY,  RELATE  TO,  DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE
 LINKED, DIRECTLY OR INDIRECTLY, TO  A  PARTICULAR  INDIVIDUAL,  PROVIDED
 THAT A GOVERNMENT ENTITY THAT USES SUCH DEIDENTIFIED INFORMATION:
   (A)  HAS  IMPLEMENTED TECHNICAL SAFEGUARDS AND PROCESSES THAT PROHIBIT
 REIDENTIFICATION OF THE INDIVIDUAL TO WHOM SUCH INFORMATION MAY PERTAIN;
   (B) HAS  IMPLEMENTED  PROCESSES  TO  PREVENT  INADVERTENT  RELEASE  OF
 DEIDENTIFIED INFORMATION; AND
   (C) MAKES NO ATTEMPT TO REIDENTIFY SUCH INFORMATION.
   5.  "DESIGNATED  METHODS FOR SUBMITTING REQUESTS" SHALL MEAN A MAILING
 ADDRESS, EMAIL ADDRESS, INTERNET WEB PAGE, INTERNET  WEB  PORTAL,  TOLL-
 FREE  TELEPHONE NUMBER, OR OTHER APPLICABLE CONTACT INFORMATION, WHEREBY
 INDIVIDUALS MAY SUBMIT A REQUEST OR DIRECTION UNDER  THIS  ARTICLE,  AND
 ANY  NEW  MEANS  OF  CONTACTING  A GOVERNMENT ENTITY, AS APPROVED BY THE
 ATTORNEY GENERAL.
   6. "DEVICE" SHALL MEAN ANY PHYSICAL OBJECT THAT IS CAPABLE OF CONNECT-
 ING TO THE INTERNET, DIRECTLY OR INDIRECTLY, OR TO ANOTHER DEVICE.
   7. "GOVERNMENT ENTITY" OR "ENTITY" SHALL MEAN ANY STATE AGENCY OR  ANY
 PART, BODY, OR SUBDIVISION THEREOF.
   8. "HOMEPAGE" SHALL MEAN THE INTRODUCTORY PAGE OF AN INTERNET WEB SITE
 AND ANY INTERNET WEB PAGE WHERE PERSONAL INFORMATION IS COLLECTED.
   9.  "INDIVIDUAL"  SHALL  MEAN  A  PERSON WHO IS A RESIDENT OF NEW YORK
 STATE.
   10. (A) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT IDENTIFIES,
 RELATES TO, DESCRIBES, IS CAPABLE OF BEING  ASSOCIATED  WITH,  OR  COULD
 REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY, WITH A PARTICULAR INDIVID-
 UAL  OR HOUSEHOLD. PERSONAL INFORMATION INCLUDES, BUT IS NOT LIMITED TO,
 THE FOLLOWING:
   (I) IDENTIFIERS SUCH AS A REAL NAME,  ALIAS,  POSTAL  ADDRESS,  UNIQUE
 PERSONAL  IDENTIFIER,  INTERNET  PROTOCOL ADDRESS, EMAIL ADDRESS, SOCIAL
 SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT  NUMBER,  PHOTOGRAPH,
 OR OTHER SIMILAR IDENTIFIERS;
   (II)  CHARACTERISTICS  OF  PROTECTED CLASSIFICATIONS UNDER NEW YORK OR
 FEDERAL LAW;
   (III) COMMERCIAL INFORMATION, INCLUDING RECORDS OF  REAL  OR  PERSONAL
 PROPERTY;
   (IV) BIOMETRIC INFORMATION;
   (V) AUDIO, ELECTRONIC, VISUAL, OR SIMILAR INFORMATION;
   (VI) PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION;
 A. 2587                             3
 
   (VII)  EDUCATION  INFORMATION,  DEFINED  AS  INFORMATION  THAT  IS NOT
 PUBLICLY AVAILABLE PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN THE
 FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (20 USC 1232G);
   (VIII) INFERENCES DRAWN FROM ANY OF THE INFORMATION IDENTIFIED IN THIS
 SUBDIVISION  TO  CREATE  A  PROFILE  ABOUT AN INDIVIDUAL REFLECTING SUCH
 INDIVIDUAL'S PREFERENCES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS, PREDIS-
 POSITIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND  APTITUDES;
 AND
   (IX) FINANCIAL OR TAX INFORMATION.
   (B) "PERSONAL INFORMATION" SHALL NOT INCLUDE PUBLICLY AVAILABLE INFOR-
 MATION.  FOR THESE PURPOSES, "PUBLICLY AVAILABLE" SHALL MEAN INFORMATION
 THAT IS LAWFULLY MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT
 RECORDS, OR ANY CONDITIONS ASSOCIATED WITH SUCH  INFORMATION.  "PUBLICLY
 AVAILABLE" SHALL NOT INCLUDE AN INDIVIDUAL'S INFORMATION THAT IS DEIDEN-
 TIFIED OR AGGREGATE PERSONAL INFORMATION.
   11.  "PROBABILISTIC  IDENTIFIER"  SHALL  MEAN THE IDENTIFICATION OF AN
 INDIVIDUAL OR A DEVICE TO A DEGREE OF CERTAINTY OF  MORE  PROBABLE  THAN
 NOT  BASED  ON  ANY  CATEGORIES  OF PERSONAL INFORMATION INCLUDED IN, OR
 SIMILAR TO,  THE  CATEGORIES  ENUMERATED  IN  SUBDIVISION  TEN  OF  THIS
 SECTION.
   12. "PROCESS" OR "PROCESSING" SHALL MEAN ANY OPERATION OR SET OF OPER-
 ATIONS  THAT ARE PERFORMED ON PERSONAL DATA OR ON SETS OF PERSONAL DATA,
 WHETHER OR NOT BY AUTOMATED MEANS.
   13. "PSEUDONYMIZE" OR "PSEUDONYMIZATION" SHALL MEAN THE PROCESSING  OF
 PERSONAL  INFORMATION IN A MANNER THAT RENDERS SUCH PERSONAL INFORMATION
 NO LONGER ATTRIBUTABLE TO A SPECIFIC INDIVIDUAL WITHOUT THE USE OF ADDI-
 TIONAL INFORMATION, PROVIDED THAT SUCH ADDITIONAL  INFORMATION  IS  KEPT
 SEPARATELY  AND  IS  SUBJECT TO TECHNICAL AND ORGANIZATIONAL MEASURES TO
 ENSURE THAT SUCH PERSONAL INFORMATION IS NOT ATTRIBUTED TO AN IDENTIFIED
 OR IDENTIFIABLE INDIVIDUAL.
   14. (A) "SELL", "SELLING", "SALE", OR "SOLD" SHALL MEAN SELLING, RENT-
 ING, RELEASING,  DISCLOSING,  DISSEMINATING,  MAKING  AVAILABLE,  TRANS-
 FERRING, OR OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC
 OR  OTHER  MEANS,  AN  INDIVIDUAL'S PERSONAL INFORMATION BY A GOVERNMENT
 ENTITY OR CONTRACTOR TO A THIRD PARTY FOR  MONETARY  OR  OTHER  VALUABLE
 CONSIDERATION.
   (B)  A GOVERNMENT ENTITY OR CONTRACTOR DOES NOT SELL PERSONAL INFORMA-
 TION WITHIN THE MEANING OF THIS ARTICLE WHEN:
   (I) AN INDIVIDUAL USES OR DIRECTS SUCH GOVERNMENT ENTITY OR CONTRACTOR
 TO  INTENTIONALLY  DISCLOSE  PERSONAL  INFORMATION  TO  A  THIRD  PARTY,
 PROVIDED  SUCH THIRD PARTY ALSO DOES NOT SELL SUCH PERSONAL INFORMATION,
 UNLESS SUCH DISCLOSURE WOULD BE CONSISTENT WITH THE PROVISIONS  OF  THIS
 ARTICLE.
   (II)  SUCH GOVERNMENT ENTITY OR CONTRACTOR USES OR SHARES WITH A THIRD
 PARTY PERSONAL INFORMATION OF AN INDIVIDUAL THAT IS NECESSARY TO PERFORM
 A LEGITIMATE GOVERNMENT PURPOSE IF BOTH OF THE FOLLOWING CONDITIONS  ARE
 MET:
   (1)  THE  GOVERNMENT  ENTITY  OR  CONTRACTOR  HAS PROVIDED NOTICE THAT
 INFORMATION IS BEING USED OR SHARED; AND
   (2) THE THIRD PARTY  DOES  NOT  FURTHER  COLLECT,  SELL,  OR  USE  THE
 PERSONAL  INFORMATION  OF SUCH INDIVIDUAL EXCEPT AS NECESSARY TO PERFORM
 THE BUSINESS PURPOSE FOR WHICH IT RECEIVED SUCH INFORMATION.
   (III) A CONTRACTOR WHO TRANSFERS TO  A  THIRD  PARTY  AN  INDIVIDUAL'S
 PERSONAL  INFORMATION AS AN ASSET THAT IS PART OF A MERGER, ACQUISITION,
 BANKRUPTCY, OR OTHER TRANSACTION IN WHICH SUCH CONTRACTOR OR THIRD PARTY
 ASSUMES CONTROL OF ALL OR PART OF SUCH THIRD PARTY  PROVIDED  THAT  SUCH
 A. 2587                             4
 
 INFORMATION  IS  USED  OR  SHARED CONSISTENTLY WITH THIS ARTICLE.   IF A
 THIRD PARTY MATERIALLY ALTERS HOW IT USES OR SHARES PERSONAL INFORMATION
 OF AN INDIVIDUAL IN A MANNER THAT IS MATERIALLY  INCONSISTENT  WITH  THE
 PROMISES  MADE  AT THE TIME OF COLLECTION, IT SHALL PROVIDE PRIOR NOTICE
 OF THE NEW OR CHANGED PRACTICE TO SUCH INDIVIDUAL.  SUCH NOTICE SHALL BE
 SUFFICIENTLY PROMINENT AND ROBUST TO ENSURE THAT INDIVIDUALS CAN  EASILY
 EXERCISE  THEIR  CHOICES  CONSISTENTLY WITH SECTION EIGHTY-THREE OF THIS
 ARTICLE.
   15. "SERVICE" OR "SERVICES" SHALL  MEAN  WORK,  LABOR,  AND  SERVICES,
 INCLUDING  SERVICES  FURNISHED  IN CONNECTION WITH THE SALE OR REPAIR OF
 GOODS.
   16. "THIRD PARTY" SHALL MEAN A PERSON OR BUSINESS ENTITY  WHO  IS  NOT
 ANOTHER GOVERNMENT ENTITY OR CONTRACTOR THEREOF.
   17.  "UNIQUE  IDENTIFIER" OR "UNIQUE PERSONAL IDENTIFIER" SHALL MEAN A
 PERSISTENT IDENTIFIER THAT CAN BE USED TO  RECOGNIZE  AN  INDIVIDUAL,  A
 FAMILY, OR A DEVICE THAT IS LINKED TO AN INDIVIDUAL OR FAMILY, OVER TIME
 AND  ACROSS  DIFFERENT SERVICES, INCLUDING, BUT NOT LIMITED TO, A DEVICE
 IDENTIFIER; AN INTERNET PROTOCOL ADDRESS; COOKIES, BEACONS, PIXEL  TAGS,
 OR  SIMILAR  TECHNOLOGY;  UNIQUE  PSEUDONYM,  OR  USER  ALIAS; TELEPHONE
 NUMBERS, OR OTHER FORMS OF PERSISTENT OR PROBABILISTIC IDENTIFIERS  THAT
 CAN  BE USED TO IDENTIFY A PARTICULAR INDIVIDUAL OR DEVICE. FOR PURPOSES
 OF THIS SUBDIVISION, "FAMILY" MEANS A CUSTODIAL PARENT OR  GUARDIAN  AND
 ANY MINOR CHILDREN OVER WHICH SUCH PARENT OR GUARDIAN HAS CUSTODY.
   18. "VERIFIABLE INFORMATION REQUEST" SHALL MEAN A REQUEST TO A GOVERN-
 MENT ENTITY THAT IS MADE BY AN INDIVIDUAL, BY AN INDIVIDUAL ON BEHALF OF
 SUCH INDIVIDUAL'S MINOR CHILD, OR BY A NATURAL PERSON OR A PERSON REGIS-
 TERED  WITH THE SECRETARY OF STATE, AUTHORIZED BY SUCH INDIVIDUAL TO ACT
 ON SUCH INDIVIDUAL'S BEHALF, AND THAT SUCH GOVERNMENT ENTITY OR CONTRAC-
 TOR CAN REASONABLY VERIFY, PURSUANT TO REGULATIONS ADOPTED BY THE ATTOR-
 NEY GENERAL TO BE SUCH INDIVIDUAL ABOUT WHOM SUCH GOVERNMENT  ENTITY  OR
 CONTRACTOR  HAS  COLLECTED  PERSONAL INFORMATION. A GOVERNMENT ENTITY OR
 CONTRACTOR SHALL NOT BE OBLIGATED TO PROVIDE INFORMATION TO  SUCH  INDI-
 VIDUAL  PURSUANT TO SECTIONS EIGHTY-TWO AND EIGHTY-THREE OF THIS ARTICLE
 IF SUCH GOVERNMENT ENTITY OR CONTRACTOR CANNOT VERIFY THAT SUCH INDIVID-
 UAL MAKING SUCH REQUEST IS THE SAME INDIVIDUAL ABOUT WHOM  SUCH  GOVERN-
 MENT ENTITY HAS COLLECTED INFORMATION, OR IS A PERSON AUTHORIZED BY SUCH
 INDIVIDUAL TO ACT ON SUCH INDIVIDUAL'S BEHALF.
   §  82.  RIGHT  TO REQUEST DISCLOSURE. 1. ANY INDIVIDUAL SHALL HAVE THE
 RIGHT TO REQUEST THAT A GOVERNMENT ENTITY OR  CONTRACTOR  THAT  COLLECTS
 PERSONAL  INFORMATION  DISCLOSE  TO  SUCH  INDIVIDUAL THE CATEGORIES AND
 SPECIFIC PIECES  OF  PERSONAL  INFORMATION  SUCH  GOVERNMENT  ENTITY  OR
 CONTRACTOR HAS COLLECTED.
   2. A GOVERNMENT ENTITY THAT COLLECTS AN INDIVIDUAL'S PERSONAL INFORMA-
 TION SHALL, AT OR BEFORE THE POINT OF COLLECTION, INFORM SUCH INDIVIDUAL
 AS  TO  THE  CATEGORIES  OF PERSONAL INFORMATION TO BE COLLECTED AND THE
 PURPOSES FOR WHICH SUCH CATEGORIES  OF  PERSONAL  INFORMATION  SHALL  BE
 USED.  A  GOVERNMENT  ENTITY  OR CONTRACTOR SHALL NOT COLLECT ADDITIONAL
 CATEGORIES OF PERSONAL INFORMATION OR USE PERSONAL INFORMATION COLLECTED
 FOR ADDITIONAL PURPOSES WITHOUT PROVIDING SUCH  INDIVIDUAL  WITH  NOTICE
 CONSISTENT WITH THIS ARTICLE.
   3.  A  GOVERNMENT  ENTITY  OR CONTRACTOR SHALL PROVIDE THE INFORMATION
 SPECIFIED IN SUBDIVISION ONE OF THIS SECTION TO AN INDIVIDUAL ONLY  UPON
 RECEIPT OF A VERIFIABLE INFORMATION REQUEST.
   4. A GOVERNMENT ENTITY OR CONTRACTOR THAT RECEIVES A VERIFIABLE INFOR-
 MATION  REQUEST  FROM AN INDIVIDUAL TO ACCESS PERSONAL INFORMATION SHALL
 PROMPTLY TAKE STEPS TO DISCLOSE AND DELIVER,  FREE  OF  CHARGE  TO  SUCH
 A. 2587                             5
 
 INDIVIDUAL,  SUCH  PERSONAL  INFORMATION  REQUIRED BY THIS SECTION. SUCH
 INFORMATION MAY BE DELIVERED BY MAIL OR ELECTRONICALLY.    A  GOVERNMENT
 ENTITY  OR  CONTRACTOR MAY PROVIDE PERSONAL INFORMATION TO AN INDIVIDUAL
 AT  ANY  TIME, BUT SHALL NOT BE REQUIRED TO PROVIDE PERSONAL INFORMATION
 TO ANY INDIVIDUAL MORE THAN TWICE IN A TWELVE-MONTH PERIOD.
   5. THIS SECTION SHALL NOT REQUIRE A GOVERNMENT  ENTITY  OR  CONTRACTOR
 TO:
   (A)  RETAIN  ANY PERSONAL INFORMATION COLLECTED FOR A SINGLE, ONE-TIME
 TRANSACTION IF SUCH INFORMATION  IS  NOT  SHARED  OR  RETAINED  BY  SUCH
 GOVERNMENT ENTITY OR CONTRACTOR; OR
   (B)  RE-IDENTIFY  OR OTHERWISE LINK INFORMATION THAT IS NOT MAINTAINED
 IN A MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION.
   § 83. RIGHT TO REQUEST DELETION OF PERSONAL INFORMATION. 1. ANY  INDI-
 VIDUAL  SHALL  HAVE  THE  RIGHT  TO  REQUEST THAT A GOVERNMENT ENTITY OR
 CONTRACTOR DELETE ANY PERSONAL INFORMATION ABOUT SUCH  INDIVIDUAL  WHICH
 SUCH GOVERNMENT ENTITY OR CONTRACTOR HAS COLLECTED FROM SUCH INDIVIDUAL.
   2.  A  GOVERNMENT ENTITY OR CONTRACTOR THAT COLLECTS PERSONAL INFORMA-
 TION ABOUT INDIVIDUALS SHALL NOTIFY SUCH INDIVIDUALS OF THEIR RIGHTS  TO
 REQUEST THE DELETION OF THEIR PERSONAL INFORMATION.
   3. A GOVERNMENT ENTITY OR CONTRACTOR THAT RECEIVES A VERIFIABLE INFOR-
 MATION  REQUEST  FROM AN INDIVIDUAL TO DELETE SUCH INDIVIDUAL'S PERSONAL
 INFORMATION SHALL DELETE SUCH INDIVIDUAL'S PERSONAL INFORMATION FROM ITS
 RECORDS AND DIRECT ANY CONTRACTORS TO DELETE SUCH INDIVIDUAL'S  PERSONAL
 INFORMATION FROM THEIR RECORDS.
   4.  NOTWITHSTANDING  OTHER PROVISIONS UNDER THIS ARTICLE, A GOVERNMENT
 ENTITY OR CONTRACTOR SHALL NOT BE REQUIRED TO COMPLY  WITH  AN  INDIVID-
 UAL'S  REQUEST TO DELETE SUCH INDIVIDUAL'S PERSONAL INFORMATION IF IT IS
 NECESSARY FOR THE GOVERNMENT ENTITY OR CONTRACTOR TO MAINTAIN SUCH INDI-
 VIDUAL'S PERSONAL INFORMATION IN ORDER TO:
   (A) COMPLETE THE  PURPOSE  FOR  WHICH  THE  PERSONAL  INFORMATION  WAS
 COLLECTED;
   (B) COMPLY WITH A LEGAL OBLIGATION;
   (C)  OTHERWISE USE SUCH INDIVIDUAL'S PERSONAL INFORMATION, INTERNALLY,
 IN A LAWFUL MANNER THAT IS COMPATIBLE WITH THE SCOPE OF SUCH  GOVERNMENT
 ENTITY OR CONTRACTOR'S DUTIES.
   §  84.  PERSONAL  INFORMATION WHICH MAY BE REQUESTED. 1. AN INDIVIDUAL
 WHO REQUESTS DISCLOSURE OF INFORMATION PURSUANT TO SECTION EIGHTY-TWO OF
 THIS ARTICLE MAY REQUEST THE FOLLOWING INFORMATION:
   (A) THE CATEGORIES OF PERSONAL INFORMATION SUCH GOVERNMENT  ENTITY  OR
 CONTRACTOR HAS COLLECTED ABOUT SUCH INDIVIDUAL;
   (B) THE CATEGORIES OF SOURCES FROM WHICH SUCH PERSONAL INFORMATION HAS
 BEEN COLLECTED;
   (C) THE PURPOSE FOR COLLECTING OR SHARING SUCH PERSONAL INFORMATION;
   (D)  ANY OTHER GOVERNMENT ENTITIES, CONTRACTORS, OR THIRD PARTIES WITH
 WHOM SUCH GOVERNMENT ENTITY OR CONTRACTOR SHARES SUCH PERSONAL  INFORMA-
 TION; AND
   (E) THE SPECIFIC PIECES OF PERSONAL INFORMATION SUCH GOVERNMENT ENTITY
 OR CONTRACTOR HAS COLLECTED ABOUT SUCH INDIVIDUAL.
   2.  A  GOVERNMENT ENTITY OR CONTRACTOR POSSESSING PERSONAL INFORMATION
 ABOUT AN INDIVIDUAL SHALL DISCLOSE TO SUCH INDIVIDUAL  SUCH  INFORMATION
 UPON RECEIPT OF A VERIFIABLE INFORMATION REQUEST SUBMITTED BY SUCH INDI-
 VIDUAL.  WITHIN  FIVE  DAYS  OF  RECEIPT  OF SUCH VERIFIABLE INFORMATION
 REQUEST, SUCH GOVERNMENT ENTITY OR CONTRACTOR SHALL SEND A  RESPONSE  TO
 SUCH REQUESTOR ACKNOWLEDGING RECEIPT OF SUCH REQUEST.
 A. 2587                             6
 
   3. (A) A GOVERNMENT ENTITY OR CONTRACTOR THAT COLLECTS PERSONAL INFOR-
 MATION  ABOUT  INDIVIDUALS  FROM ANOTHER GOVERNMENT ENTITY OR CONTRACTOR
 SHALL DISCLOSE TO SUCH INDIVIDUALS THE FOLLOWING:
   (I) THE CATEGORIES OF PERSONAL INFORMATION IT HAS COLLECTED ABOUT SUCH
 INDIVIDUAL;
   (II) THE CATEGORIES OF SOURCES FROM WHICH SUCH PERSONAL INFORMATION IS
 COLLECTED;
   (III) THE PURPOSE FOR COLLECTING OR SHARING SUCH PERSONAL INFORMATION;
   (IV)  ANY  OTHER  GOVERNMENT  ENTITIES  OR  CONTRACTORS WITH WHOM SUCH
 GOVERNMENT ENTITY OR CONTRACTOR SHARES PERSONAL INFORMATION; AND
   (V) THE SPECIFIC PIECES OF PERSONAL INFORMATION IT HAS COLLECTED ABOUT
 SUCH INDIVIDUAL.
   (B) SUCH GOVERNMENT ENTITY OR CONTRACTOR SHALL DISCLOSE  THE  INFORMA-
 TION  REQUIRED  BY PARAGRAPH (A) OF THIS SUBDIVISION TO SUCH INDIVIDUALS
 IMMEDIATELY UPON RECEIPT OF SUCH INFORMATION, WITHOUT  THE  NEED  FOR  A
 REQUEST TO FIRST BE SUBMITTED.
   4. THIS SECTION SHALL NOT REQUIRE A GOVERNMENT ENTITY OR CONTRACTOR TO
 DO THE FOLLOWING:
   (A)  RETAIN ANY PERSONAL INFORMATION ABOUT AN INDIVIDUAL COLLECTED FOR
 A SINGLE ONE-TIME TRANSACTION IF, IN THE ORDINARY  COURSE  OF  BUSINESS,
 SUCH INFORMATION ABOUT SUCH INDIVIDUAL IS NOT RETAINED; OR
   (B)  RE-IDENTIFY  OR  OTHERWISE  LINK  ANY  DATA THAT, IN THE ORDINARY
 COURSE OF BUSINESS, IS NOT MAINTAINED IN A MANNER THAT WOULD BE  CONSID-
 ERED PERSONAL INFORMATION.
   §  85.  SHARED  INFORMATION;  GOVERNMENT  ENTITIES OR CONTRACTORS. ANY
 INDIVIDUAL SHALL HAVE THE RIGHT TO REQUEST THAT A GOVERNMENT ENTITY THAT
 SHARES SUCH INDIVIDUAL'S PERSONAL INFORMATION, DISCLOSE TO SUCH INDIVID-
 UAL:
   (1) THE CATEGORIES OF PERSONAL INFORMATION THAT SUCH GOVERNMENT ENTITY
 COLLECTED ABOUT SUCH INDIVIDUAL; AND
   (2) THE CATEGORIES OF PERSONAL INFORMATION THAT SUCH GOVERNMENT ENTITY
 OR CONTRACTOR HAS SHARED ABOUT SUCH INDIVIDUAL AND THE OTHER  GOVERNMENT
 ENTITIES  OR CONTRACTORS WITH WHOM SUCH PERSONAL INFORMATION WAS SHARED,
 BY CATEGORY OR CATEGORIES OF PERSONAL INFORMATION  FOR  EACH  GOVERNMENT
 ENTITY OR CONTRACTOR TO WHOM SUCH PERSONAL INFORMATION WAS SHARED.
   §  86.  NON-SHAREABLE PERSONAL INFORMATION. 1. NO GOVERNMENT ENTITY OR
 CONTRACTOR SHALL SHARE ANY  INDIVIDUAL'S  PERSONAL  INFORMATION  WITH  A
 CONTRACTOR  OR  SUBCONTRACTOR  UNLESS SUCH INFORMATION IS CRUCIAL TO THE
 PURPOSE FOR WHICH SUCH GOVERNMENT ENTITY OR  CONTRACTOR  HAS  CONTRACTED
 SUCH CONTRACTOR OR SUBCONTRACTOR'S SERVICES.
   2.  NO  GOVERNMENT  ENTITY  OR CONTRACTOR SHALL SHARE ANY INDIVIDUAL'S
 PERSONAL INFORMATION WITH ANOTHER GOVERNMENT ENTITY OR CONTRACTOR UNLESS
 SUCH INFORMATION IS CRUCIAL TO THE PERFORMANCE OF SUCH OTHER  GOVERNMENT
 ENTITY  OR  CONTRACTOR'S  DUTIES,  AND  SUCH  OTHER GOVERNMENT ENTITY OR
 CONTRACTOR CANNOT PROCURE SUCH PERSONAL INFORMATION ON ITS  OWN  WITHOUT
 SERIOUS HARDSHIP.
   3.  NO GOVERNMENT ENTITY OR CONTRACTOR SHALL SELL PERSONAL INFORMATION
 ABOUT AN INDIVIDUAL THAT HAS BEEN SHARED WITH SUCH GOVERNMENT ENTITY  OR
 CONTRACTOR.
   §  87.  RIGHT NOT TO BE DISCRIMINATED AGAINST. NO GOVERNMENT ENTITY OR
 CONTRACTOR SHALL DISCRIMINATE AGAINST  ANY  INDIVIDUAL  IN  ANY  WAY  IN
 RESPONSE  TO  SUCH  INDIVIDUAL EXERCISING ANY OF HIS OR HER RIGHTS UNDER
 THIS ARTICLE.
   § 88. ACCESSIBILITY. 1. IN ORDER TO COMPLY WITH  THE  REQUIREMENTS  OF
 THIS  ARTICLE, IN A METHOD THAT IS REASONABLY ACCESSIBLE TO INDIVIDUALS,
 GOVERNMENT ENTITIES SHALL:
 A. 2587                             7
 
   (A) MAKE AVAILABLE TO INDIVIDUALS TWO OR MORE DESIGNATED  METHODS  FOR
 SUBMITTING  VERIFIABLE INFORMATION REQUESTS WHICH INCLUDE, AT A MINIMUM,
 A TOLL-FREE TELEPHONE NUMBER, AND IF SUCH GOVERNMENT ENTITY MAINTAINS AN
 INTERNET WEBSITE, A WEBSITE ADDRESS.
   (B)  IF  SUCH GOVERNMENT ENTITY MAINTAINS AN INTERNET WEBSITE, PROVIDE
 ON SUCH WEBSITE INFORMATION INSTRUCTING INDIVIDUALS OF THEIR  RIGHTS  TO
 REQUEST  DISCLOSURE OR DELETION OF PERSONAL INFORMATION UNDER THIS ARTI-
 CLE, AND ALL METHODS AVAILABLE FOR MAKING SUCH A REQUEST. SUCH  INFORMA-
 TION  SHALL  NOT  BE  REQUIRED  TO BE ON THE HOMEPAGE OF SUCH GOVERNMENT
 ENTITY'S WEBSITE.
   2. IN ORDER TO COMPLY WITH THE REQUIREMENTS OF THIS  ARTICLE,  GOVERN-
 MENT ENTITIES AND CONTRACTORS SHALL:
   (A)  DISCLOSE  AND  DELIVER  ANY INFORMATION REQUESTED IN A VERIFIABLE
 INFORMATION REQUEST FREE OF CHARGE WITHIN FORTY-FIVE DAYS  OF  RECEIVING
 SUCH  REQUEST  FROM  AN  INDIVIDUAL.    THE  TIME  PERIOD TO PROVIDE THE
 REQUIRED INFORMATION MAY BE EXTENDED ONCE BY  AN  ADDITIONAL  FORTY-FIVE
 DAYS  WHEN  REASONABLY  NECESSARY, PROVIDED THE REQUESTING INDIVIDUAL IS
 PROVIDED NOTICE OF SUCH EXTENSION WITHIN THE FIRST FORTY-FIVE DAY  PERI-
 OD.  SUCH  DISCLOSURE SHALL COVER THE TWELVE-MONTH PERIOD PRECEDING SUCH
 GOVERNMENT ENTITY OR CONTRACTOR'S RECEIPT OF THE VERIFIABLE  INFORMATION
 REQUEST, AND SHALL BE MADE IN WRITING AND DELIVERED BY MAIL OR ELECTRON-
 ICALLY AT THE REQUESTOR'S OPTION.
   (B)  DISCLOSE  AND  DELIVER THE INFORMATION REQUESTED IN A MANNER THAT
 COVERS ALL DISCLOSURE REQUIREMENTS  UNDER  SUBDIVISION  ONE  OF  SECTION
 EIGHTY-FOUR OF THIS ARTICLE.
   (C)  DISCLOSE  AND  DELIVER ANY INFORMATION SHARED PURSUANT TO SECTION
 EIGHTY-SIX OF THIS ARTICLE BY SUCH GOVERNMENT ENTITY OR CONTRACTOR WITH-
 IN THE TWELVE MONTHS PRECEDING SUCH REQUEST.
   (D) ENSURE THAT ANY EMPLOYEES OF SUCH GOVERNMENT ENTITY OR  CONTRACTOR
 WHO ARE RESPONSIBLE FOR HANDLING INQUIRIES ABOUT DISCLOSURE REQUIREMENTS
 PRESCRIBED  BY  THIS ARTICLE ARE INFORMED OF ALL DISCLOSURE REQUIREMENTS
 UNDER THIS ARTICLE, AND THAT SUCH  EMPLOYEES  ARE  INFORMED  OF  HOW  TO
 DIRECT INDIVIDUALS OF HOW TO EXERCISE THEIR RIGHTS UNDER THIS ARTICLE.
   (E)  USE  ANY  PERSONAL  INFORMATION COLLECTED FROM AN INDIVIDUAL IN A
 VERIFIABLE INFORMATION REQUEST IN CONNECTION WITH SUCH GOVERNMENT ENTITY
 OR CONTRACTOR'S VERIFICATION OF SUCH REQUEST SOLELY FOR THE PURPOSES  OF
 SUCH VERIFICATION.
   (F) NOT BE REQUIRED TO RESPOND TO MORE THAN TWO VERIFIABLE INFORMATION
 REQUESTS FROM THE SAME INDIVIDUAL WITHIN THE SAME TWELVE-MONTH PERIOD.
   §  89.  LIMITATION  ON  RESTRICTIONS.  1.  THE  OBLIGATIONS IMPOSED ON
 GOVERNMENT ENTITIES AND CONTRACTORS BY THIS ARTICLE SHALL  NOT  RESTRICT
 ANY GOVERNMENT ENTITY OR CONTRACTOR'S ABILITY TO:
   (A) OTHERWISE COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
   (B)  COMPLY  WITH  A  CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTI-
 GATION, SUBPOENA, OR SUMMONS BY FEDERAL, STATE, OR LOCAL AUTHORITIES;
   (C) COMPLY WITH A REQUEST MADE UNDER THE FREEDOM OF  INFORMATION  LAW;
 OR
   (D) EXERCISE OR DEFEND LEGAL CLAIMS.
   2. THIS ARTICLE SHALL NOT APPLY TO THE SALE OF PERSONAL INFORMATION TO
 OR  FROM  A  CONSUMER  REPORTING  AGENCY  IF  SUCH  INFORMATION IS TO BE
 REPORTED IN, OR USED TO GENERATE, A CONSUMER REPORT AS  DEFINED  BY  THE
 FEDERAL  FAIR CREDIT REPORTING ACT (15 USC 1681), AND USE OF THAT INFOR-
 MATION IS LIMITED BY SUCH ACT.
   3. IF REQUESTS FROM AN INDIVIDUAL ARE MANIFESTLY UNFOUNDED  OR  EXCES-
 SIVE,  IN PARTICULAR BECAUSE OF THEIR REPETITIVE CHARACTER, A GOVERNMENT
 ENTITY OR CONTRACTOR MAY EITHER CHARGE A  REASONABLE  FEE,  TAKING  INTO
 A. 2587                             8
 
 ACCOUNT THE ADMINISTRATIVE COSTS OF PROVIDING SUCH INFORMATION OR COMMU-
 NICATION  OR  TAKING  THE  ACTION  REQUESTED,  OR  REFUSE TO ACT ON SUCH
 REQUEST AND NOTIFY SUCH INDIVIDUAL  OF  THE  REASON  FOR  REFUSING  SUCH
 REQUEST.  SUCH  GOVERNMENT ENTITY OR CONTRACTOR SHALL BEAR THE BURDEN OF
 DEMONSTRATING  THAT  SUCH  VERIFIED  CONSUMER  REQUEST   IS   MANIFESTLY
 UNFOUNDED OR EXCESSIVE.
   4.  A  GOVERNMENT  ENTITY  THAT  DISCLOSES  PERSONAL  INFORMATION TO A
 CONTRACTOR SHALL NOT BE LIABLE UNDER THIS  ARTICLE  IF  SUCH  CONTRACTOR
 USES  SUCH  PERSONAL  INFORMATION  IN  VIOLATION OF THE RESTRICTIONS SET
 FORTH IN THIS ARTICLE, PROVIDED THAT, AT THE  TIME  OF  DISCLOSING  SUCH
 PERSONAL  INFORMATION, SUCH GOVERNMENT ENTITY DOES NOT HAVE ACTUAL KNOW-
 LEDGE OR REASON TO BELIEVE THAT SUCH CONTRACTOR INTENDS TO COMMIT SUCH A
 VIOLATION. NO CONTRACTOR SHALL BE LIABLE  UNDER  THIS  ARTICLE  FOR  THE
 OBLIGATIONS OF A GOVERNMENT ENTITY FOR WHICH IT PROVIDES SERVICES AS SET
 FORTH IN THIS ARTICLE.
   5.  THIS ARTICLE SHALL NOT BE CONSTRUED TO REQUIRE A GOVERNMENT ENTITY
 TO REIDENTIFY OR OTHERWISE LINK INFORMATION THAT IS NOT MAINTAINED IN  A
 MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION.
   6.  THE  RIGHTS AFFORDED TO INDIVIDUALS AND THE OBLIGATIONS IMPOSED ON
 GOVERNMENT ENTITIES AND CONTRACTORS BY THIS ARTICLE SHALL NOT  ADVERSELY
 AFFECT THE RIGHTS AND FREEDOMS OF ANY OTHER PERSON.
   §  89-A.  RELIEF.  1.  ANY  INDIVIDUAL  WHOSE  PERSONAL INFORMATION IS
 SUBJECT TO AN UNAUTHORIZED ACCESS AND EXFILTRATION, THEFT, OR DISCLOSURE
 AS A RESULT OF A GOVERNMENT ENTITY OR CONTRACTOR'S VIOLATION OF THE DUTY
 TO IMPLEMENT AND MAINTAIN REASONABLE SECURITY PROCEDURES  AND  PRACTICES
 APPROPRIATE  TO  THE  NATURE OF THE INFORMATION TO PROTECT SUCH PERSONAL
 INFORMATION REQUEST ACTION BY THE ATTORNEY GENERAL IN RESPONSE  TO  SUCH
 VIOLATION.
   2.  NOTHING IN THIS ARTICLE SHALL BE INTERPRETED TO SERVE AS THE BASIS
 FOR A PRIVATE RIGHT OF ACTION UNDER ANY OTHER LAW.  THIS  SHALL  NOT  BE
 CONSTRUED  TO  RELIEVE  ANY PARTY FROM ANY DUTIES OR OBLIGATIONS IMPOSED
 UNDER OTHER LAW OR THE UNITED STATES OR NEW YORK CONSTITUTION.
   § 89-B. COMPLIANCE GUIDANCE. ANY GOVERNMENT ENTITY OR  CONTRACTOR  MAY
 SEEK  THE  OPINION OF THE ATTORNEY GENERAL FOR GUIDANCE ON HOW TO COMPLY
 WITH THE PROVISIONS OF THIS ARTICLE.
   § 3. This act shall take effect one year after it shall have become  a
 law.