BILL NUMBER: S365B
SPONSOR: THOMAS
TITLE OF BILL:
An act to amend the general business law, in relation to the management
and oversight of personal data
PURPOSE GENERAL IDEA OF BILL:
The purpose of the bill is to help New Yorkers regain their privacy.
The bill, cited as the NY Privacy Act, will require the companies to
obtain consent from consumers before processing the personal data of
consumers.
SUMMARY OF PROVISIONS:
Section 1 of the bill defines the act as the "New York Privacy Act".
Section 2 of the bill contains the legislative intent.
Section 3 of the bill amends the general business law by adding a new
article 42.
Section 1100 of the new article 42 provides definitions of relevant
terms to be used in this act.
Section 1101 of the new article 42 states that the jurisdictional scope
of this article applies to legal persons that conduct business in New
York State or produce products or services intentionally targeted to
residents in New York State and that satisfy one or more of the required
thresholds. This section also contains exemptions.
Section 1102 of the new article 42 delineates consumer rights including
notice of how their data is being processed and sold, the right to opt-
out, the right to opt-in for sensitive data, the ability to request
access and obtain a copy of their data in a commonly used electronic
format, the ability to request the correction of inaccurate data and
deletion of data.
Section 1103 of the new article 42 defines the responsibilities and
obligations assigned to controllers, processors and third parties.
First, controllers have an obligation to regularly conduct data
protection assessments for processing activities that present a height-
ened risk of harm to consumers. Controllers are prohibited from engaging
in unfair, deceptive, or abusive acts or practices with respect to
obtaining consumer consent, the processing of personal data, and a
consumer's exercise of any rights of this article.
Additionally, controllers must develop, implement, and maintain reason-
able safeguards to protect the security, confidentiality and integrity
of the consumer data the controller collects and to limit data use and
retention. Furthermore, controllers cannot discriminate against consum-
ers for exercising their data rights; and prior to sharing a consumer's
personal data, the controller must enter into a written and signed
contract with a processor before it provides the consumer's personal
data.
Next, processors must act in accordance with the written contract it has
entered into with a controller. Each contract must set forth
instructions for processing data; the nature and purpose of the process-
ing; the type of data subject to processing; the duration of the proc-
essing; and the rights and obligations of the controller and processor.
In addition, processors are under a continuing obligation to engage in
reasonable measures to review their processing activities with respect
to data identification.
Lastly, for any data acquired or accessed by a third-party from a
controller or processor, the third-party can only process that data to
the extent permitted by the provisions of the written contract and after
the consumer has consented to the individual third party and the purpose
for third party processing.
Section 1104 of the new article 42 requires data brokers to register and
pay an annual fee to the Attorney General and submit information regard-
ing the data broker's data use practices and contact information. The
Attorney General will maintain a data broker registry on its website.
Additionally, controllers must annually submit a list of all known data
brokers or persons reasonably believed to be data brokers with whom the
controller provided personal data in the preceding year. Controllers are
prohibited from sharing personal data with an unregistered data broker.
Section 1105 of the new article 42 describes when controllers and
processors are exempt from complying with the obligations set forth in
Section 1103.
Section 1106 of the new article 42 authorizes the Attorney General to
bring an action or special proceeding whenever it appears that a person
has engaged in or is about to engage in a violation of the article.
Section 1107 of the new article 42 contains miscellaneous provisions
including a conflict preemption clause, timing for the Attorney General
to submit a report on the effectiveness of the article, regulatory
authority for the Attorney General, and how consumers can exercise their
rights under this article.
Section 4 of the bill states that the act will take effect immediately;
provided however, that sections 1101, 1102, 1103, 1105, 1106 and 1107 of
the general business law, as added by section three of this act, shall
take effect one year after the effective.
JUSTIFICATION:
According to a Pew survey from 2018, 69% of American adults use at least
one social media platform, up from 5% in 2005. Americans use these plat-
forms to engage with friends and family, to connect with social and
political organizations, and to follow news and current events. Despite
the platforms' usefulness, many social media users have reservations
about the handling of their personal information. A 2014 Pew survey
found that 91% of Americans believe that people have lost control over
how their personal information is collected and used. Some 80% of
social media users said they were concerned about advertisers and busi-
nesses accessing and using data that they share on social media plat-
forms. Around 64% of people in this survey also said that the government
should do more to address this issue.
Social media companies obtain their revenues through targeted advertis-
ing based on users' likes, shares, searches, phone numbers, emails, and
other information provided while they use these platforms. According to
The New York Times, some of the largest social media companies fail to
inform or obtain consent from users regarding the sharing of their
personal data. It found that in some instances, these social media
companies share the information of hundreds of millions of users without
notifying their consumers. It also found that if users were to choose
the most restrictive privacy settings made available, their personal
data was still shareable with some external companies or affiliates.
What's more, according to these large social media companies, any infor-
mation shared on these platforms can be given to other companies without
any additional consent.
Currently, there are no federal regulations addressing this privacy
issue, and the few attempts of self-regulation by these companies have
been frail and fall well short of addressing consumers' concerns. Hence,
New York must join the increasing number of other states to fill this
void.
PRIOR LEGISLATIVE HISTORY:
2021-22: S.6701-B (Thomas) - Reported from Consumer Protection and
committed to Internet and Technology.
2019-20: S.5642 (Thomas) / A.8526 (L. Rosenthal) - Advanced to third
reading calendar.
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None to the state.
EFFECTIVE DATE:
This act shall take effect immediately; provided however, that sections
1101, 1102, 1103, 1105, 1106 and 1107 of the general business law, added
by section three of this act, shall take effect two years after it shall
have become law but the private right of action authorized by subdivi-
sion 6 of section 1106 of the general business law shall take effect
three years after such section shall have become law.