BILL NUMBER: S8641
SPONSOR: MAY
TITLE OF BILL:
An act to amend the general business law, in relation to providing
website and mobile application users the right to refuse non-essential
cookies
PURPOSE OR GENERAL IDEA OF BILL:
This bill establishes the right of New York State website and mobile
application users to refuse non-essential cookies and requires operators
to provide a clear, immediate mechanism to do so.
SUMMARY OF PROVISIONS:
The bill adds a new article to the General Business Law addressing non-
essential cookies on websites and mobile applications. T
The bill defines "cookies" as small text files created when users visit
websites or apps. "Essential cookies" are strictly necessary for basic
functionality like security. "Non-essential cookies" are used for
purposes like data analytics and marketing. It requires website and app
operators to get permission before using non-essential cookies. Opera-
tors must give users a clear option to reject non-essential cookies,
displayed just as prominently as the option to accept them. The reject
button must say "Reject Non-Essential Cookies" or similar language.
Users must be able to refuse or turn off non-essential cookies at any
time. Operators must provide a clear privacy notice that explains what
essential and non-essential cookies do and what happens if a user
rejects non-essential cookies. Once a user rejects non-essential cook-
ies, operators cannot ask again unless the user later wants to enable
cookies or a feature that needs them.
The Attorney General is authorized to enforce violations through actions
for injunctive relief, restitution, disgorgement, damages, and civil
penalties of up to five thousand dollars per violation.
JUSTIFICATION:
Current practice on many websites and mobile applications requires users
to navigate multiple steps, confusing interfaces, or deliberately
obscured options to refuse non-essential cookies. Users are frequently
presented with a prominent "Accept All" button while the option to
reject cookies is buried in settings menus or presented in smaller, less
visible text. This design pattern prioritizes data collection over user
choice.
Non-essential cookies are used for data analytics, marketing, and track-
ing user behavior across websites. "While these functions may benefit
operators, they are not required for basic website functionality. Users
have a legitimate interest in refusing data collection that is not
necessary to access the services they seek.
This bill ensures that refusing non-essential cookies is as simple as
accepting them. By requiring operators to present refusal options at the
same level and in the same configuration as acceptance options, the bill
eliminates design tactics that steer users toward consent. The bill
also prevents operators from repeatedly asking users to reconsider their
decision, a practice that burdens users and undermines the effectiveness
of their initial refusal.
The enforcement mechanism provides the Attorney General with authority
to address violations and impose penalties sufficient to deter non-com-
pliance.
PRIOR LEGISLATIVE HISTORY:
New bill.
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:
None.
EFFECTIVE DATE:
This act takes effect ninety days after becoming law.