This entry was published on 2024-06-28
SECTION 899-FF
Privacy protection by default
General Business (GBS) CHAPTER 20, ARTICLE 39-FF
* § 899-ff. Privacy protection by default. 1. Except as provided for
in subdivision six of this section and section eight hundred
ninety-nine-jj of this article, an operator shall not process, or allow
a processor to process, the personal data of a covered user collected
through the use of a website, online service, online application, mobile
application, or connected device, or allow a third-party operator to
collect the personal data of a covered user collected through the
operator's website, online service, online application, mobile
application, or connected device unless and to the extent:

(a) the covered user is twelve years of age or younger and processing
is permitted under 15 U.S.C. § 6502 and its implementing regulations; or

(b) the covered user is thirteen years of age or older and processing
is strictly necessary for an activity set forth in subdivision two of
this section, or informed consent has been obtained as set forth in
subdivision three of this section.

2. For the purposes of paragraph (b) of subdivision one of this
section, the processing of personal data of a covered user is
permissible where it is strictly necessary for the following permissible
purposes:

(a) providing or maintaining a specific product or service requested
by the covered user;

(b) conducting the operator's internal business operations. For
purposes of this paragraph, such internal business operations shall not
include any activities related to marketing, advertising, research and
development, providing products or services to third parties, or
prompting covered users to use the website, online service, online
application, mobile application, or connected device when it is not in
use;

(c) identifying and repairing technical errors that impair existing or
intended functionality;

(d) protecting against malicious, fraudulent, or illegal activity;

(e) investigating, establishing, exercising, preparing for, or
defending legal claims;

(f) complying with federal, state, or local laws, rules, or
regulations;

(g) complying with a civil, criminal, or regulatory inquiry,
investigation, subpoena, or summons by federal, state, local, or other
governmental authorities;

(h) detecting, responding to, or preventing security incidents or
threats; or

(i) protecting the vital interests of a natural person.

3. (a) For the purposes of paragraph (b) of subdivision one of this
section, to process personal data of a covered user where such
processing is not strictly necessary under subdivision two of this
section, informed consent must be obtained from the covered user either
through a device communication or signal pursuant to the provisions of
subdivision two of section eight hundred ninety-nine-ii of this article
or through a request. Requests for such informed consent shall:

(i) be made separately from any other transaction or part of a
transaction;

(ii) be made in the absence of any mechanism that has the purpose or
substantial effect of obscuring, subverting, or impairing a covered
user's decision-making regarding authorization for the processing;

(iii) clearly and conspicuously state that the processing for which
the consent is requested is not strictly necessary, and that the covered
user may decline without preventing continued use of the website, online
service, online application, mobile application, or connected device;
and

(iv) clearly present an option to refuse to provide consent as the
most prominent option.

(b) Such informed consent, once given, shall be freely revocable at
any time, and shall be at least as easy to revoke as it was to provide.

(c) If a covered user declines to provide or revokes informed consent
for processing, another request may not be made for such processing for
the following calendar year, however an operator may make available a
mechanism that a covered user can use unprompted and at the user's
discretion to provide informed consent.

(d) If a covered user's device communicates or signals that the
covered user declines to provide informed consent for processing
pursuant to the provisions of subdivision two of section eight hundred
ninety-nine-ii of this article, an operator shall not request informed
consent for such processing, however an operator may make available a
mechanism that a covered user can use unprompted and at the user's
discretion to provide informed consent.

4. Except where processing is strictly necessary to provide a product,
service, or feature, an operator may not withhold, degrade, lower the
quality, or increase the price of any product, service, or feature to a
covered user due to the operator not obtaining verifiable parental
consent under 15 U.S.C. § 6502 and its implementing regulations or
informed consent under subdivision three of this section.

5. Except as provided for in section eight hundred ninety-nine-jj of
this article, an operator shall not purchase or sell, or allow a
processor or third-party operator to purchase or sell, the personal data
of a covered user.

6. Within thirty days of determining or being informed that a user is
a covered user, an operator shall:

(a) dispose of, destroy, or delete and direct all of its processors to
dispose of, destroy, or delete all personal data of such covered user
that it maintains, unless processing such personal data is permitted
under 15 U.S.C. § 6502 and its implementing regulations, is strictly
necessary for an activity listed in subdivision two of this section, or
informed consent is obtained as set forth in subdivision three of this
section; and

(b) notify any third-party operators to whom it knows it disclosed
personal data of that covered user, and any third-party operators it
knows it allowed to process the personal data that may include the
personal data of that user, that the user is a covered user.

7. Except as provided for in section eight hundred ninety-nine-jj of
this article, prior to disclosing personal data to a third-party
operator, or permitting a third-party operator to collect personal data
from the operator's website, online service, online application, mobile
application, connected device, or portion thereof, the operator shall
disclose to the third-party operator:

(a) when their website, online service, online application, mobile
application, connected device, or portion thereof, is primarily directed
to minors; or

(b) when the personal data concerns a covered user.

* NB Effective June 20, 2025