BILL NUMBER: S6922
SPONSOR: HOYLMAN-SIGAL
 
TITLE OF BILL:
An act to amend the general business law, in relation to restricting the
disclosure of personal information by businesses
 
SUMMARY OF PROVISIONS:
Section One states that this Act shall be known and cited as the "Right
to Know Act of 2018."
Section Two states the legislative intent.
Section Three changes the article heading of article 39-F of the General
Business Law from "Notification of Unauthorized Acquisition of Private
Information" to "Acquisition and Use of Private Information."
Section Four of the bill amends the General Business Law to add a new
section 899-bb which states that a business that retains a customer's
personal information shall make available to the customer free of charge
access to, or copies of, all of the customer's personal information
retained by the business.
A business that discloses a customer's personal information to a third
party shall make the following information available to the customer
free of charge:
*All categories of the customer's personal information that were
disclosed; and
*The names and contact information of all third parties that received
the customer's personal information from the business, including the
third party's designated request address or addresses if available.
*A business required to comply with this Act shall make the required
information available by one or more of the following means:
*By providing a designated request address and, upon receipt of a
request, providing the customer within thirty days with the required
information for all disclosures occurring in the prior twelve months,
provided that:
*If the business has an online privacy policy, that policy includes a
description of a customer's right, accompanied by one or more designated
request addresses; provided that a business with multiple online privacy
policies must include this information in the policy of each product or
service that collects personal information that may be disclosed to a
third party;
*The business ensures that all persons responsible for handling customer
inquiries about the business' privacy practices or the business'
compliance with this section are informed of all designated request
addresses; and
*The business provides information pertaining to the specific customer
if that information is reasonably available to the business, and
provides information in standardized format if information pertaining to
the specific customer is not reasonably available.
For information required to be provided under this Act, the business
must provide the customer with notice including the required information
prior to or immediately following a disclosure.
A business is not obligated to provide more than one notice to the same
customer in a twelve-month period about the disclosure of the same
personal information to the same third party and is not obligated to
respond to a request by the same customer more than once within a
twelve-month period.
A business is not obligated to provide information to the customer if
the business cannot reasonably verify that the individual making the
request is the customer.
"Business" is defined as any person, proprietorship, firm, partnership,
association, cooperative, nonprofit organization or corporation
organized or existing under the laws of this state or any other state, and
doing business in this state, exclusive of public corporations as
defined pursuant to article two-A of the general construction law.
"Categories of information" is defined as:
*Identity information, including but not limited to real name, alias,
nickname or user name;
*Address information, including but not limited to postal address or
email;
*Telephone number;
*Account name;
*Social Security number or other government-issued identification
number, including but not limited to social security number, driver's
license number, identification card number and passport number;
*Birthdate or age;
*Physical characteristic information, including but not limited to
height and weight;
*Sexual information, including but not limited to sexual orientation,
sex, gender status, gender identity or expression;
*Race or ethnicity;
*Religious affiliation or activity;
*Political affiliation or activity;
*Professional or employment-related information;
*Educational information;
*Medical information, including but not limited to medical conditions or
drugs, therapies, mental health or medical products or equipment used;
*Financial information, including but not limited to credit, debit, or
account numbers, account balances, payment history or information
related to assets, liabilities or general creditworthiness;
*Commercial information, including but not limited to records of
property, products or services provided, obtained or considered or other
purchasing or consuming histories or tendencies;
*Location information;
*Internet or mobile activity information, including but not limited to
Internet protocol addresses or information concerning the access or use
of any Internet or mobile-based site or service;
*Content, including text, photographs, audio or visual recordings or
other material generated or provided by the customer.
The legislation further provides a definitional section.
A violation of the Act constitutes a right to a civil action to recover
penalties by the customer, the Attorney General, a District Attorney, a
City Attorney, or a City Prosecutor in a court of competent
jurisdiction.
 
JUSTIFICATION:
The Right to Know Act will modernize current privacy law and give New
York consumers an effective tool to monitor how their personal
information, including information about their health, finances, location,
politics, religion, sexual orientation, buying habits, and more is
being collected and disclosed in unexpected and possibly harmful ways.
Many websites incorporate scores of tracking tools that collect
information about visitors like age, gender, race, income, health concerns and
recent purchases for advertising and marketing companies. Many mobile
applications (apps) share location, age, gender, phone numbers, and
other personal details of both adults and children with third party
companies - which can lead to potential danger for the consumer involved
in the transaction. And Facebook apps used by a consumer's "friend" can
often access sensitive information about that consumer, including
religious, political, and sexual preferences.
Facebook has come under some scrutiny for this issue recently,
pertaining to the wrongful disclosure of personal information of 50 million
people to third party Cambridge Analytica, which works with political
campaigns.
There are numerous other examples of companies that collect information
about consumer activities inadvertently exposing sensitive personal
information such as pregnancy status or sexual orientation. Data brokers
are engaged in the widespread buying, selling, and trading of personal
information obtained from mobile phones, banks, social media sites, and
stores, creating a secondary market for confidential consumer data. When
this information is incorrect, it can impact credit scores, hurting an
individual at their place of employment or causing them to be denied
credit. Moreover, scammers are using data broker lists to target
vulnerable populations, such as senior citizens.
 
LEGISLATIVE HISTORY:
S.3163 of 2023-2024 (Hoylman-Sigal): Died in Consumer Protection
A.417 of 2023-2024 (Rozic): Died in Consumer Affairs and Protection
S.1349 of 2021-2022 (Hoylman): Died in Consumer Protection
A.0400 of 2021-2022 (Rozic): Died in Consumer Affairs and Protection
S.0224 of 2019-2020 (Hoylman): Died in Consumer Protection
A.3739-A of 2019-2020 (Rozic): Died in Consumer Affairs and Protection
S.0072-A of 2017-2018 (Hoylman): Died in Consumer Protection
S.68-A of 2015-2016 (Hoylman): Died in Consumer Protection
A.2134-A of 2015-2016 (Dinowitz): Died in Consumer Affairs and
Protection
S.5171-A of 2013-2014 (Hoylman): Died in Consumer Protection
 
FISCAL IMPLICATIONS:
Minimal
 
EFFECTIVE DATE:
This act shall take effect immediately.