Bill Text: NY A07191 | 2017-2018 | General Assembly | Amended
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.
Spectrum: Moderate Partisan Bill (Democrat 36-5)
Status: (Engrossed - Dead) 2018-06-19 - REFERRED TO RULES [A07191 Detail]
Download: New_York-2017-A07191-Amended.html
Bill Title: Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.
Spectrum: Moderate Partisan Bill (Democrat 36-5)
Status: (Engrossed - Dead) 2018-06-19 - REFERRED TO RULES [A07191 Detail]
Download: New_York-2017-A07191-Amended.html
STATE OF NEW YORK ________________________________________________________________________ 7191--A 2017-2018 Regular Sessions IN ASSEMBLY April 12, 2017 ___________ Introduced by M. of A. WALLACE, ZEBROWSKI, ROZIC, JOHNS, STECK, PHEFFER AMATO, MORINELLO, McDONOUGH, OTIS, BRINDISI, GALEF, LOPEZ, SKOUFIS, JAFFEE, BUCHWALD, DICKENS, SIMOTAS, ROSENTHAL, LIFTON, SIMA- NOWITZ, COLTON, HYNDMAN, GOTTFRIED, SIMON, RAIA, PICHARDO, RYAN, JONES, D'URSO, LUPARDO, BRONSON, WRIGHT, STIRPE, SKARTADOS, CAHILL -- Multi-Sponsored by -- M. of A. COOK, CROUCH -- read once and referred to the Committee on Consumer Affairs and Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the general business law, in relation to prohibiting the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The general business law is amended by adding a new section 2 399-k to read as follows: 3 § 399-k. Disclosure of personally identifiable information by an 4 internet service provider; prohibited. 1. For the purposes of this 5 section the following terms shall have the following meanings: 6 (a) "Consumer" means a person who agrees to pay a fee to an internet 7 service provider for access to the internet for personal, family, or 8 household purposes, and who does not resell access. 9 (b) "Internet service provider" (ISP) means a business entity or indi- 10 vidual who provides consumers authenticated access to, or presence on, 11 the internet by means of a switched or dedicated telecommunications 12 channel upon which the provider provides transit routing of internet 13 protocol packets for and on behalf of the consumer. Internet service 14 provider does not include the offering, on a common carrier basis, of 15 telecommunications facilities or of telecommunications by means of these 16 facilities. EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD10928-05-7A. 7191--A 2 1 (c) "Personally identifiable information" means information that iden- 2 tifies: 3 (i) a consumer by physical or electronic address or telephone number; 4 (ii) a consumer's internet search history or internet usage history; 5 or 6 (iii) any of the contents of a consumer's data-storage devices. 7 2. Except as provided in subdivisions three and four of this section, 8 an ISP shall not knowingly disclose personally identifiable information 9 resulting from the consumer's use of the telecommunications or ISP with- 10 out express written approval from the consumer. 11 (a) A telecommunications or ISP that has entered into a franchise 12 agreement, right-of-way agreement, or other contract with the state of 13 New York or any political subdivision thereof, or that uses facilities 14 that are subject to such agreements, even if it is not a party to the 15 agreement, shall not collect nor disclose personal information from a 16 consumer resulting from the consumer's use of the telecommunications or 17 ISP without express written approval from the consumer; and 18 (b) No such telecommunication or ISP shall refuse to provide its 19 services to a consumer on the grounds that the consumer has not approved 20 the collection or disclosure of the consumer's personal information. 21 3. An ISP may disclose personally identifiable information concerning 22 a consumer: 23 (a) pursuant to a grand jury subpoena; 24 (b) to an investigative or law enforcement officer while acting as 25 authorized by law; 26 (c) pursuant to a court order in a civil proceeding upon a showing of 27 compelling need for the information that cannot be accommodated by other 28 means; 29 (d) to a court in a civil action for conversion commenced by the ISP 30 or in a civil action to enforce collection of unpaid subscription fees 31 or purchase amounts, and then only to the extent necessary to establish 32 the fact of the subscription delinquency or purchase agreement, and with 33 appropriate safeguards against unauthorized disclosure; 34 (e) to the consumer who is the subject of the information, upon writ- 35 ten or electronic request and upon payment of a fee not to exceed the 36 actual cost of retrieving the information; 37 (f) pursuant to subpoena, including an administrative subpoena, issued 38 under authority of a law of this state or another state or the United 39 States; 40 (g) another ISP for purposes of reporting or preventing violations of 41 the publish acceptable use policy or consumer service agreement of the 42 ISP; except that the recipient may further disclose the personally iden- 43 tifiable information only as provided by this chapter; 44 (h) any person with the authorization of the consumer; or 45 (i) as required by this subdivision. 46 4. (a) The ISP shall obtain the consumer's authorization of the 47 disclosure of personally identifiable information in writing or by elec- 48 tronic means. 49 (b) The request for authorization must reasonably describe the types 50 of persons to whom personally identifiable information may be disclosed 51 and the anticipated uses of the information. 52 (c) In order for an authorization to be effective, a contract between 53 an ISP and the consumer must state that the authorization will be 54 obtained by an affirmative act of the consumer. 55 (d) The provision in the contract must be conspicuous.A. 7191--A 3 1 (e) Authorization shall be obtained in a manner consistent with guide- 2 lines issued by representatives of the ISP or online industries, or in 3 any other manner reasonably designed to comply with this section. 4 5. The ISP shall take all reasonable and necessary steps to maintain 5 the security and privacy of a consumer's personally identifiable infor- 6 mation. 7 6. A consumer who prevails or substantially prevails in an action 8 brought under this section is entitled to the greater of five hundred 9 dollars or actual damages. Costs, disbursements, and reasonable attorney 10 fees may be awarded to a party awarded damages for a violation of this 11 section. The damages available under this section are exempted from any 12 mandatory arbitration clauses that may exist in the contract between the 13 ISP and the consumer. In an action under this section, it is a defense 14 that the defendant has established and implemented reasonable practices 15 and procedures to prevent violations of this section. 16 7. This section does not limit any greater protection of the privacy 17 of information under other law, except that: 18 (a) nothing in this section shall be deemed to limit the authority 19 under other state or federal law of law enforcement to obtain informa- 20 tion; and 21 (b) if federal law is enacted that regulates the release of personally 22 identifiable information by ISPs but does not preempt state law on the 23 subject, state law prevails. 24 § 2. This act shall take effect on the ninetieth day after it shall 25 have become a law.
