Bill Text: NY A07191 | 2017-2018 | General Assembly | Introduced

NOTE: There are more recent revisions of this legislation.
Bill Title: Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.

Spectrum: Moderate Partisan Bill (Democrat 36-5)

Status: (Engrossed - Dead) 2018-06-19 - REFERRED TO RULES



                STATE OF NEW YORK
        ________________________________________________________________________
                                          7191
                               2017-2018 Regular Sessions
                   IN ASSEMBLY
                                     April 12, 2017
                                       ___________
        Introduced  by  M.  of  A.  WALLACE,  ZEBROWSKI,  ROZIC,  JOHNS,  STECK,
          PHEFFER AMATO, MORINELLO, McDONOUGH,  OTIS,  BRINDISI,  GALEF,  LOPEZ,
          SKOUFIS,  JAFFEE,  BUCHWALD, DICKENS -- Multi-Sponsored by -- M. of A.
          CROUCH, SIMON -- read once and referred to the Committee  on  Consumer
          Affairs and Protection
        AN ACT to amend the general business law, in relation to prohibiting the
          disclosure  of  personally  identifiable  information  by  an internet
          service provider without the express written approval of the customer
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
     1    Section 1. The general business law is amended by adding a new section
     2  399-k to read as follows:
     3    §  399-k.  Disclosure  of  personally  identifiable  information by an
     4  internet service provider; prohibited.  1.  For  the  purposes  of  this
     5  section the following terms shall have the following meanings:
     6    (a)  "Consumer"  means a person who agrees to pay a fee to an internet
     7  service provider for access to the internet  for  personal,  family,  or
     8  household purposes, and who does not resell access.
     9    (b)  "Internet  service  provider"  means  a  business  or  person who
    10  provides consumers authenticated access to, or presence on, the internet
    11  by means of a switched  or  dedicated  telecommunications  channel  upon
    12  which  the  provider  provides transit routing of internet protocol (IP)
    13  packets for and on behalf of the  consumer.  Internet  service  provider
    14  does  not include the offering, on a common carrier basis, of telecommu-
    15  nications facilities or of telecommunications by means of these  facili-
    16  ties.
    17    (c)  "Ordinary  course  of business" means debt-collection activities,
    18  order fulfillment, request processing, or the transfer of ownership.
    19    (d) "Personally identifiable information" means information that iden-
    20  tifies:
    21    (i) a consumer by physical or electronic address or telephone number;
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD10928-02-7

     1    (ii) a consumer as having requested or obtained specific materials  or
     2  services from an internet service provider;
     3    (iii) internet or online sites visited by a consumer; or
     4    (iv) any of the contents of a consumer's data-storage devices.
     5    2.  Except as provided in subdivisions three and four of this section,
     6  an internet service provider shall  not  knowingly  disclose  personally
     7  identifiable  information resulting from the customer's use of the tele-
     8  communications or internet  service  provider  without  express  written
     9  approval from the customer.
    10    (a) A telecommunications or internet service provider ("ISP") that has
    11  entered  into  a  franchise  agreement, right-of-way agreement, or other
    12  contract with the state of New York or any political subdivision  there-
    13  of, or that uses facilities that are subject to such agreements, even if
    14  it  is  not  a  party  to  the agreement, shall not collect nor disclose
    15  personal information from a customer resulting from the  customer's  use
    16  of  the  telecommunications or internet service provider without express
    17  written approval from the customer; and
    18    (b) No such  telecommunication  or  internet  service  provider  shall
    19  refuse  to  provide  its  services to a customer on the grounds that the
    20  customer has not approved the collection or disclosure of the customer's
    21  personal information.
    22    3. An internet service provider shall disclose personally identifiable
    23  information concerning a consumer:
    24    (a) pursuant to a grand jury subpoena;
    25    (b) to an investigative or law enforcement  officer  while  acting  as
    26  authorized by law;
    27    (c)  pursuant to a court order in a civil proceeding upon a showing of
    28  compelling need for the information that cannot be accommodated by other
    29  means;
    30    (d) to a court in a civil  action  for  conversion  commenced  by  the
    31  internet  service provider or in a civil action to enforce collection of
    32  unpaid subscription fees or purchase  amounts,  and  then  only  to  the
    33  extent  necessary  to establish the fact of the subscription delinquency
    34  or purchase agreement, and with appropriate safeguards against unauthor-
    35  ized disclosure;
    36    (e) to the consumer who is the subject of the information, upon  writ-
    37  ten  or  electronic  request and upon payment of a fee not to exceed the
    38  actual cost of retrieving the information;
    39    (f) pursuant to subpoena, including an administrative subpoena, issued
    40  under authority of a law of this state or another state  or  the  United
    41  States; or
    42    (g) pursuant to a warrant or court order.
    43    4.  An  internet service provider may disclose personally identifiable
    44  information concerning a consumer to:
    45    (a) any person if the disclosure is incident to the ordinary course of
    46  business of the internet service provider;
    47    (b) another internet service provider for  purposes  of  reporting  or
    48  preventing  violations  of the publish acceptable use policy or customer
    49  service agreement of the internet  service  provider;  except  that  the
    50  recipient  may  further disclose the personally identifiable information
    51  only as provided by this chapter;
    52    (c) any person with the authorization of the consumer; or
    53    (d) as required by subdivision three of this section.
    54    5. (a) The internet  service  provider  shall  obtain  the  consumer's
    55  authorization  of  the disclosure of personally identifiable information
    56  in writing or by electronic means.

     1    (b) The request for authorization must reasonably describe  the  types
     2  of  persons to whom personally identifiable information may be disclosed
     3  and the anticipated uses of the information.
     4    (c)  In order for an authorization to be effective, a contract between
     5  an internet service provider  and  the  consumer  must  state  that  the
     6  authorization will be obtained by an affirmative act of the consumer.
     7    (d) The provision in the contract must be conspicuous.
     8    (e)  Authorization shall be obtained in a manner consistent with self-
     9  regulating guidelines issued by representatives of the internet  service
    10  provider  or  online  industries,  or  in  any  other  manner reasonably
    11  designed to comply with this section.
    12    6. The internet service provider shall take reasonable steps to  main-
    13  tain  the  security  and privacy of a consumer's personally identifiable
    14  information.
    15    7. Except for purposes of establishing a violation  of  this  chapter,
    16  personally identifiable information obtained in any manner other than as
    17  provided  in  this  chapter shall not be received in evidence in a civil
    18  action.
    19    8. A consumer who prevails or  substantially  prevails  in  an  action
    20  brought  under  this  section is entitled to the greater of five hundred
    21  dollars or actual damages. Costs, disbursements, and reasonable attorney
    22  fees may be awarded to a party awarded damages for a violation  of  this
    23  section.  The damages available under this section are exempted from any
    24  mandatory arbitration clauses that may exist in the contract between the
    25  internet service provider and the consumer.  In  an  action  under  this
    26  section,  it  is a defense that the defendant has established and imple-
    27  mented reasonable practices and procedures to prevent violations of this
    28  section.
    29    9. This section does not limit any greater protection of  the  privacy
    30  of information under other law, except that:
    31    (a)  nothing in this chapter limits the authority under other state or
    32  federal law of law enforcement  or  prosecuting  authorities  to  obtain
    33  information; and
    34    (b) if federal law is enacted that regulates the release of personally
    35  identifiable  information  by  internet  service  providers but does not
    36  preempt state law on the subject, state law prevails.
    37    10. This section shall apply to  internet  service  providers  in  the
    38  provision of services to consumers in this state.
    39    §  2.  This  act shall take effect on the ninetieth day after it shall
    40  have become a law.