STATE OF NEW YORK
        ________________________________________________________________________

                                          8530

                               2019-2020 Regular Sessions

                   IN ASSEMBLY

                                     August 7, 2019
                                       ___________

        Introduced by M. of A. ABINANTI -- read once and referred to the Commit-
          tee on Consumer Affairs and Protection

        AN  ACT to amend the general business law, in relation to establishing a
          prohibition on sharing location data with third parties

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section 1. The general business law is amended by adding a new article
     2  29-CCC to read as follows:

     3                               ARTICLE 29-CCC
     4                    PROHIBITION ON SHARING LOCATION DATA

     5  Section 539. Definitions.
     6          539-a. Prohibition on sharing location data.
     7          539-b. Exceptions.
     8          539-c. Enforcement.
     9          539-d. Penalties.
    10          539-e. Private right of action.
    11          539-f. Rulemaking.
    12          539-g. Local laws or ordinances.
    13    § 539. Definitions. As used in this article, the following terms shall
    14  have the following meanings:
    15    (a)  (1)  "Authorized  use" means the sharing of a customer's location
    16  data:
    17    (i) for the purpose of providing a  service  explicitly  requested  by
    18  such customer;
    19    (ii)  exclusively  for  the  purpose of providing a service explicitly
    20  requested by such customer; and
    21    (iii) where such data is not collected, shared,  stored  or  otherwise
    22  used  by  a  third  party for any purpose other than providing a service
    23  explicitly requested by such customer.

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD13551-03-9
        A. 8530                             2

     1    (2) Such term does not include any  instance  in  which  a  customer's
     2  location data is shared in exchange for products or services.
     3    (b)  "Customer" means a current or former subscriber to a telecommuni-
     4  cations carrier or a current or former user of a mobile application.
     5    (c) "Location data" means  information  related  to  the  physical  or
     6  geographical  location of a person or the person's mobile communications
     7  device, regardless of the particular technological method used to obtain
     8  this information.
     9    (d) "Mobile application" means a software program  that  runs  on  the
    10  operating system of a mobile communications device.
    11    (e)  "Mobile application developer" means a person that owns, operates
    12  or maintains a mobile application and makes such  application  available
    13  for the use of customers, whether for a fee or otherwise.
    14    (f)  "Mobile  communications device" means any portable wireless tele-
    15  communications equipment that is utilized for the transmission or recep-
    16  tion of data, including location data, and that is or  may  be  commonly
    17  carried  by  or on a person or commonly travels with a person, including
    18  in or as part of a vehicle a person drives.
    19    (g) "Municipality" shall mean any county, city, town or village within
    20  the state.
    21    (h) "Share" means to make location data available to  another  person,
    22  whether for a fee or otherwise.
    23    (i) "Telecommunications carrier" means a service offered to the public
    24  for  a  fee that transmits sounds, images or data through wireless tele-
    25  communications technology.
    26    § 539-a. Prohibition on sharing location data. (a) It is unlawful  for
    27  a  mobile application developer or a telecommunications carrier to share
    28  a customer's location data where such location data was collected  while
    29  the  customer's  mobile  communications device was physically present in
    30  the state.
    31    (b) It is unlawful for a person who receives  location  data  that  is
    32  shared  in  violation  of  subdivision (a) of this section to share such
    33  data with any other person.
    34    (c) Each instance in which a mobile application developer,  telecommu-
    35  nications carrier or other person shares a customer's location data with
    36  another  person  in  a  manner  prohibited by this section constitutes a
    37  separate violation of this section.
    38    § 539-b. Exceptions. The provisions of section  five  hundred  thirty-
    39  nine-a of this article do not apply to:
    40    (a)  information provided to a law enforcement agency in response to a
    41  lawful process;
    42    (b) information provided to an emergency service agency responding  to
    43  a  911  communication  or  any other communication reporting an imminent
    44  threat to life or property;
    45    (c) information required to be provided by  federal,  state  or  local
    46  law; or
    47    (d)  a customer providing the customer's own location data to a mobile
    48  application or telecommunications carrier to be shared for an authorized
    49  use.
    50    § 539-c. Enforcement. The office of  information  technology  services
    51  shall enforce the provisions of this section.
    52    §  539-d. Penalties. (a) Except as provided in subdivision (b) of this
    53  section, any person who violates the provisions of section five  hundred
    54  thirty-nine-a of this article shall be subject to a civil penalty of one
    55  thousand dollars for each such violation.
        A. 8530                             3

     1    (b)  Where  a person commits multiple violations of subdivision (a) or
     2  (b) of section five hundred thirty-nine-a of this article  on  the  same
     3  day,  the  maximum  civil  penalty  assessed against such person for all
     4  violations occurring on such day shall be a cumulative  penalty  of  ten
     5  thousand dollars per person whose location data was shared unlawfully.
     6    § 539-e. Private right of action. (a) Any customer whose location data
     7  has  been shared in violation of this article may bring an action in any
     8  court of competent jurisdiction. If a court  of  competent  jurisdiction
     9  finds  that a person has violated a provision of this article, the court
    10  may award: (1) actual damages,  computed  at  a  rate  of  one  thousand
    11  dollars  per  violation  up  to  ten  thousand  dollars per day; and (2)
    12  reasonable attorney's fees and costs incurred in maintaining such  civil
    13  action.
    14    (b)  The  private  right  of  action provided by this section does not
    15  supplant any other claim or cause of  action  available  to  a  customer
    16  under  common  law  or by statute. The provisions of this section are in
    17  addition to any such common law and statutory remedies.
    18    (c) Nothing in this article shall be construed as creating  a  private
    19  right of action against the city or any agency or employee thereof.
    20    §  539-f.  Rulemaking. The director of the office of information tech-
    21  nology services may promulgate and amend rules  in  furtherance  of  the
    22  administration of this article.
    23    §  539-g.  Local  laws or ordinances. Nothing in this article shall be
    24  deemed to preempt any provision of local law  or  ordinance  restricting
    25  the  sharing  of  location  data  with  third parties, provided that the
    26  provisions of such local law or ordinance are at least as  stringent  as
    27  the provisions of this article.
    28    § 2. This act shall take effect on the one hundred twentieth day after
    29  it shall have become a law.