STATE OF NEW YORK
________________________________________________________________________
1180
2019-2020 Regular Sessions
IN SENATE
January 11, 2019
___________
Introduced by Sen. CARLUCCI -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection
AN ACT to amend the general business law, in relation to prohibiting
internet service providers from disclosing personally identifiable
information in the event that a consumer requests that his or her
information not be disseminated
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new section
2 399-k to read as follows:
3 § 399-k. Personally identifiable information; non-disclosure. 1. For
4 the purposes of this section, the following terms shall have the follow-
5 ing meanings:
6 (a) "Internet service provider" (ISP) means any business entity or
7 individual that provides consumers, businesses or organizations with
8 authenticated access to the internet as part of a service.
9 (b) "Consumer" means any person who agrees to pay a fee to an ISP for
10 access to the internet and who does not resell access.
11 (c) "Personally identifiable information" means information that iden-
12 tifies:
13 (i) a consumer by physical, electronic mail address, Internet Protocol
14 (IP) address or telephone number;
15 (ii) a consumer's internet search history or internet usage history;
16 or
17 (iii) any of the contents of a consumer's data-storage devices.
18 2. (a) An ISP operating in the state of New York shall honor a consum-
19 er's request that the ISP refrain from sharing, selling, providing or in
20 any way disclosing to a third party any of his or her personally iden-
21 tifiable information, whether such a request is made by postal mail,
22 electronic mail, telephone or in person. Such a request shall be deemed
23 to apply to the personally identifiable information for all individuals
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD06556-01-9
S. 1180 2
1 that access the internet through usage of that consumer's internet
2 service account.
3 (b) No ISP shall refuse to provide its services to a consumer because
4 the consumer requested that his or her personally identifiable informa-
5 tion not be disclosed or disseminated to a third party. No ISP shall in
6 any way disrupt, block or slow down the internet access of a consumer
7 because the consumer has requested that his or her personally identifi-
8 able information not be disclosed or disseminated to a third party.
9 3. ISPs shall provide consumers with a copy, either in electronic or
10 written form, of their privacy policy that shall include its data
11 collection and use practices, third party relationships, purposes of
12 data collection and process by which consumers can exercise control over
13 personally identifiable information as provided in this section. The
14 privacy policy shall be provided to consumers upon entering into a
15 contract or agreement with the ISP and subsequently upon any significant
16 changes made to such policy.
17 4. An ISP may disclose personally identifiable information of a
18 consumer who requested that his or her information not be disclosed
19 under the following circumstance:
20 (a) pursuant to a grand jury subpoena, in accordance with subdivision
21 eight of section 190.30 of the criminal procedure law;
22 (b) pursuant to a warrant issued in accordance with article six
23 hundred ninety or seven hundred of the criminal procedure law;
24 (c) pursuant to a court order in a pending criminal proceeding upon a
25 showing that such personally identifiable information is relevant and
26 material to such criminal action or proceeding;
27 (d) pursuant to a court order in a pending civil proceeding upon a
28 showing of compelling need for such information that cannot be accommo-
29 dated by other means;
30 (e) to a court in a civil action for conversion commenced by the ISP
31 or in a civil action to enforce collection of unpaid subscription fees
32 or purchase amounts, and then only to the extent necessary to establish
33 the fact of the subscription delinquency or purchase agreement, and with
34 appropriate safeguards against authorized disclosure;
35 (f) to the consumer who is the subject of the information, upon
36 request and upon payment of any fee not to exceed the actual cost of
37 retrieving the information;
38 (g) to another ISP for purposes of reporting or preventing violations
39 of the published acceptable use policy or consumer service agreement of
40 the ISP; except that the recipient may further disclose the personally
41 identifiable information only as provided in this chapter; or
42 (h) to any person with the authorization of the consumer.
43 5. The ISP shall take all reasonable and necessary steps to maintain
44 the security and privacy of the personally identifiable information of a
45 consumer who has requested that his or her information not be disclosed
46 or disseminated.
47 6. A consumer who prevails or substantially prevails in an action
48 brought under this section is entitled to the greater of five hundred
49 dollars or actual damages. Costs, disbursements, and reasonable attorney
50 fees may be awarded to a party awarded damages for a violation of this
51 section. The action available under this section is exempted from any
52 mandatory arbitration clauses that may exist in the contract between the
53 ISP and consumer. In a civil action under this section, it is an affir-
54 mative defense that such information was released or otherwise available
55 in violation of this section notwithstanding reasonable practices estab-
S. 1180 3
1 lished and implemented by the defendant to prevent violations of this
2 section.
3 § 2. This act shall take effect on the ninetieth day after it shall
4 have become a law.