BILL NUMBER: S8524
SPONSOR: GONZALEZ
TITLE OF BILL:
An act to amend the general business law, in relation to the management
and oversight of personal data
PURPOSE:
The purpose of the bill is to help New Yorkers regain their privacy.
The bill, cited as the NY Data Protection Act, will require the compa-
nies to obtain consent from consumers before processing the personal
data of consumers.
SUMMARY OF SPECIFIC PROVISIONS:
Section 1 of the bill defines the act as the "New York Data Protection
Act". Section 2 of the bill contains the legislative intent.
Section 3 of the bill amends the general business law by adding a new
article 42-A.
Section 1200 of the new article 42-A provides definitions of relevant
terms to be used in this act.
Section 1201 of the new article 42-A states that the jurisdictional
scope of this article applies to legal persons that conduct business in
New York State or produce products or services intentionally targeted to
residents in New York State and that satisfy one or more of the required
thresholds. This section also contains exemptions.
Section 1202 of the new article 42-A delineates consumer rights includ-
ing notice of how their data is being processed and sold, the right to
opt-out, the right to opt-in for sensitive data, the ability to request
access and obtain a copy of their data in a commonly used electronic
format, the ability to request the correction of inaccurate data and
deletion of data.
Section 1203 of the new article 42-A defines the responsibilities and
obligations assigned to controllers, processors and third parties.
Section 1204 of the new article 42-A requires data brokers to register
and pay an annual fee to the Attorney General and submit information
regarding the data broker's data use practices and contact information.
The Attorney General will maintain a data broker registry on its
website. Additionally, controllers must annually submit a list of all
known data brokers or persons reasonably believed to be data brokers
with whom the controller provided personal data in the preceding year.
Controllers are prohibited from sharing personal data with an unregis-
tered data broker.
Section 1205 of the new article 42-A describes when controllers and
processors are exempt from complying with the obligations set forth in
Section 1103.
Section 1206 of the new article 42-A authorizes the Attorney General to
bring an action or special proceeding whenever it appears that a person
has engaged in or is about to engage in a violation of the article.
Section 1207 of the new article 42-A contains miscellaneous provisions
including a conflict preemption clause; timing for the Attorney General
to submit a report on the effectiveness of the article, regulatory
authority for the Attorney General, and how consumers can exercise their
rights under this article.
Section 4 of the bill contains the severability provision.
Section 5 of the bill states that the act will take effect immediately;
provided however, that sections 1201, 1202, 1203, 1205, 1206 and 1207 of
the general business law, as added by section three of this act, shall
take effect one year after the effective.
JUSTIFICATION:
According to a Pew survey from 2018, 69% of American adults use at least
one social media platform, up from 5% in 2005. Americans use these plat-
forms to engage with friends and family, to connect with social and
political organizations, and to follow news and current events. Despite
the platforms' usefulness, many social media users have reservations
about the handling of their personal information. A 2014 Pew survey
found that 91% of Americans believe that people have lost control over
how their personal information is collected and used. Some 80% of
social media users said they were concerned about advertisers and busi-
nesses accessing and using data that they share on social media plat-
forms. Around 64% of people in this survey also said that the government
should do more to address this issue.
Social media companies obtain their revenues through targeted advertis-
ing based on users' likes, shares, searches, phone numbers, emails, and
other information provided while they use these platforms. According to
The New York Times, some of the largest social media companies fail to
inform or obtain consent from users regarding the sharing of their
personal data. It found that in some instances, these social media
companies share the information of hundreds of millions of users without
notifying their consumers. It also found that if users were to choose
the most restrictive privacy settings made available, their personal
data was still shareable with some external companies or affiliates.
What's more, according to these large social media companies, any infor-
mation shared on these platforms can be given to other companies without
any additional consent.
Currently, there are no federal regulations addressing this privacy
issue, and the few attempts of self-regulation by these companies have
been frail and fall well short of addressing consumers' concerns. Hence,
New York must join the increasing number of other states to fill this
void.
PRIOR LEGISLATIVE HISTORY:
New bill.
FISCAL IMPACT ON THE STATE:
To be determined.
EFFECTIVE DATE:
This act shall take effect immediately; provided however, that sections
1201, 1202, 1203, 1205, 1206 and 1207 of the general business law, added
by section three of this act, shall take effect two years after it shall
have become law.