BILL NUMBER: S9672
SPONSOR: MAY
TITLE OF BILL:
An act to amend the general business law, in relation to restricting the
disclosure of personal information by businesses
SUMMARY OF PROVISIONS:
Section 1 sets forth the short title: the "Right to Know Act" Section 2
states the legislative intent.
Section 3 retitles Article 39-F of the General Business Law from
"Notification of Unauthorized Acquisition of Private Information" to
"Acquisition and Use of Private Information."
Section 4 adds a new section 899-bb to the General Business Law. It
requires any business that retains a customer's personal information to
make that information available to the customer free of charge upon
request. Where a business has disclosed personal information to a third
party, it must also provide the customer with the categories of informa-
tion disclosed and the names and contact information of all recipients.
A business may satisfy these requirements by maintaining a designated
request address and responding within thirty days to cover all disclo-
sures in the prior twelve months. Businesses with online privacy poli-
cies must describe customers' rights and request addresses in those
policies. Businesses must also ensure that staff handling privacy
inquiries are informed of all designated request addresses.
Where customer-specific information is reasonably available, the busi-
ness must provide it. Where it is not, the business may respond in a
standardized format. Alternatively, a business may provide notice before
or immediately following a disclosure.
A business is not required to provide more than one notice, or respond
to more than one request, from the same customer regarding the same
disclosure within any twelve-month period. A business is not required to
respond if it cannot reasonably verify the identity of the requestor.
The bill defines "business" to include any person, proprietorship, firm,
partnership, association, cooperative, nonprofit organization, or corpo-
ration organized under the laws of this or any other state and doing
business in New York, excluding public corporations as defined under
Article 2A of the General Construction Law.
"Categories of information" is defined to include: identity information;
address information; telephone number; account name; government-issued
identification numbers; birthdate or age; physical characteristics;
sexual orientation, sex, gender status, or gender identity; race or
ethnicity; religious affiliation or activity; political affiliation or
activity; professional or employment-related information; educational
information; medical information; financial information; commercial
information; location information; internet or mobile activity informa-
tion; and customer-generated content.
Violations may be enforced through a civil action brought by the custom-
er, the Attorney General, a District Attorney, or a City Attorney or
Prosecutor in a court of competent jurisdiction.
JUSTIFICATION:
New York consumers currently have limited ability to monitor how their
personal information is collected, shared, and used. Websites routinely
deploy tracking tools that gather data on age, gender, race, income,
health concerns, and purchasing behavior. Mobile applications share
location, phone numbers, and other personal details with third-party
companies. Data brokers buy, sell, and trade personal information drawn
from phones, banks, social media, and retail sources, creating a second-
ary market in consumer data that can affect credit scores and expose
vulnerable populations to targeted fraud.
The Right to Know Act gives consumers a direct, enforceable right to
learn what information businesses hold about them and with whom it has
been shared.
LEGISLATIVE HISTORY:
2025: 5.6922 (Hoylman-Sigal) / A.257 (Rozic)
2023-2024: S.3163 (Hoylman-Sigal) / A.417 (Rozic)
2021-2022: S.1349 (Hoylman) / A.0400 (Rozic)
2019-2020: S.0224 (Hoylman) / A.3739-A (Rozic)
2017-2018: S.0072-A (Hoylman)
2015-2016: S.68-A (Hoylman) / A.2134-A (Dinowitz)
2013-2014: S.5171-A (Hoylman)
FISCAL IMPLICATIONS:
Minimal
EFFECTIVE DATE:
Immediately