BILL NUMBER: S4276
SPONSOR: KAVANAGH
TITLE OF BILL:
An act to amend the general business law, the executive law, the state
finance law and the education law, in relation to enacting the "digital
fairness act"
SUMMARY OF PROVISIONS:
Article 1 of the legislation adds a new article to the general business
law protecting privacy through affirmative obligations. This article
requires any entity that conducts business in New York and as part of
that business processes and maintains the personal information of 500 or
more individuals to provide meaningful notice about their use of
personal information. That notice must be concise and intelligible,
prominently displayed, and written in clear and plain language to make
complex information understandable by the ordinary user. Article 1
further requires individuals' affirmative opt-in consent before covered
entities collect, use, retain, share, or monetize their personal infor-
mation. This article also limits the personal information that may be
collected and requires covered entities to secure that information from
unauthorized access and share it only with authorized parties who will
treat the information with similar care. It also provides individuals
with the ability to access and delete their personal information when it
is held by a covered entity and to transfer that personal information to
another covered entity. Finally, this article heightens protections for
biometric information, prohibits surreptitious surveillance by consumer
devices, and offers a private right of action to consumers whose rights
are violated.
Article 2 of the legislation adds a new section to the executive law
making it unlawful to process personal information or target advertising
in ways that discriminate in employment, finance, health care, credit,
insurance, housing, educational opportunities, or public accommodations
based on an individual or class of individuals' actual or perceived age,
race, creed, color, national origin, sexual orientation, gender identity
or expression, sex, disability, predisposing genetic characteristics, or
domestic violence victim status. The article also adds a new section to
the general business law making the same behavior an unlawful trade
practice. Article 2 of the legislation also adds a new section to the
state finance law requiring that before any governmental entity in New
York acquires or deploys an automated decision system, that decision
system must undergo and pass a civil rights audit conducted by a neutral
third party; the bill imposes this requirement on existing government
automated decision systems as well. In addition, this article requires
that individuals subjected to automated decisions that affect their
human rights or liberty receive notice of the decision made, the
involvement of an automated system, and an opportunity to contest the
decision and seek human review. Finally, this article requires govern-
ment entities that use automated decision-making systems to have appro-
priate governing policies in place, adhere to certain transparency
requirements, and have the approval of the relevant governing body,
following a public hearing, before acquiring the technology. Article 3
of the legislation adds a new section to the education law requiring the
NY Office of State Assessment to update both
Elementary/Intermediate-level and Regents-level curriculum to teach
digital literacy and digital privacy, beginning in kindergarten and
continuing through 12th.
JUSTIFICATION:
It is no longer possible to participate in society without sharing
personal information with third parties that may, in and of itself,
reveal intimate details of one's life, or, when combined with other data
and analyzed, may expose such details. In the digital age, countless
websites, apps, services, internet-connected devices,.and even brick-
and-mortar stores collect, retain, use, share, and monetize our personal
information - often in ways we do not understand and would not agree to
if we did. Misuse of this personal information, and the privacy
violations that often result, can lead to a range of harms, including
monetary losses, harassment, public exposure of our intimate lives, and
reputational damage. Misuse of personal information can limit awareness
of and access to opportunities, exacerbate information disparities,
erode public trust and free expression, disincentivize individuals from
participating fully in digital life and utilizing online services, and
increase the risk of future harm.
One of the most pernicious ways personal information is used in the
digital age is to discriminate in employment, health care, housing,
access to credit, and other areas. Employers have leveraged personal
information to ensure that only younger men see certain job postings.
Landlords have used personal information to exclude African-Americans
from viewing certain housing advertisements. Cambridge Analytica
obtained more than 50 million Facebook users' personal information and
purported to use that information to convince individuals to vote for
Mr. Trump. During the 2016 election, personal information was used to
target ads to African-Americans urging them not to vote. In addition,
government actors are increasingly using automated decision-making
systems for everything from teacher evaluations to child custody deci-
sions to sentencing, probation, and parole determinations, giving algo-
rithms an outsized role in determining individuals' rights, opportu-
nities, and outcomes.
Compounding these problems, individuals do not know or consent to the
manner in which entities collect, use, retain, share, and monetize their
personal information. Carnegie Mellon researchers found that it would
take 76 workdays for individuals to read all of the privacy policies
they encounter in a year. Entities that collect, use, retain, share, and
monetize personal information have specialized knowledge about the algo-
rithms and data security measures they use, as well as about how they
collect, use, retain, share, and monetize personal information, that the
average individual is unlikely to understand.
Nonetheless, privacy remains popular; individuals in New York State,
like individuals across the country, value privacy and wish to control
who may access their personal information. Ninety-two percent of Face-
book users alter the social network's default privacy settings, demon-
strating that they wish to choose with whom they share personal informa-
tion. Similarly, ninety-two percent of Americans believe companies
should obtain individuals' permission before sharing or selling their
personal information.
This bill will put control back in individuals' hands by requiring mean-
ingful notice of use of personal information, affirmative consent from
individuals before their personal information is captured or used, hard
limits on the use of biometric information, and affirmative notice and
consent before any surveillance technology in consumer products is acti-
vated. And, just as banks, lawyers, and medical providers, given their
specialized knowledge, have special obligations to individuals, the bill
will require entities collecting intimate personal information in the
digital age and benefiting from similarly specialized knowledge to
undertake similar obligations.
Most importantly, the bill will address many of the tangible harms that
arise from the abuse and misuse of personal information in the digital
age by addressing privacy and civil rights in the same bill, making
clear that it is both discrimination and unfair trade practice when
personal information is used to circumvent our civil and human rights
laws and providing guardrails for governmental use of automated decision
systems.
The bill will also help students learn how to protect their digital
privacy and how to identify, assess, and evaluate the information they
see online including the misinformation and "fake news" that proliferate
in digital spaces. Individuals face increasingly personalized, curated
news feeds that amplify their points of view or customize recommended
videos that show increasingly radicalized versions of their perspec-
tives. K-12 digital literacy and digital privacy education will help
young New Yorkers to identify online fraud, as well as reliable sources
and information, and will also enable them to better understand how
online activities are tracked and recorded, where personal information
posted online may go, with whom it may be shared, how it may be used,
and how best to protect digital security and digital privacy.
PRIOR LEGISLATIVE HISTORY:
2024: S2277 (Kavanagh) - REFERRED TO INTERNET AND TECHNOLOGY /A3308
(Cruz) referred to consumer affairs and protection
2023: S2277 (Kavanagh) - REFERRED TO INTERNET AND TECHNOLOGY /A3308
(Cruz) referred to consumer affairs and protection
2022: A6042 (Cruz) - referred to consumer affairs and protection
2021: A6042 (Cruz) - referred to consumer affairs and protection
FISCAL IMPLICATIONS:
To be determined
EFFECTIVE DATE:
This act shall take effect immediately; provided, however, that sections
one, two, three, four, five and six of this act shall take effect one
year after it shall have become a law and section eight of this act
shall take effect two years after it shall have become a law. Effective
immediately, the addition, amendment and/or repeal of any rule or regu-
lation necessary for the implementation of this act on its effective
date are authorized to be made and completed on or before such effective
date.
Statutes affected: S4276: 292 executive law, 165 state finance law, 8 state finance law