STATE OF NEW YORK

5603

2017-2018 Regular Sessions

IN SENATE

April 19, 2017

Introduced by Sen. CARLUCCI -- read twice and ordered printed, and when printed to be committed to the Committee on Consumer Protection

AN ACT to amend the general business law, in relation to prohibiting the disclosure of personally identifiable information by an internet service provider without the express written approval of the customer

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD10928-02-7

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The general business law is amended by adding a new section 399-k to read as follows:

§ 399-k. Disclosure of personally identifiable information by an internet service provider; prohibited.

1. For the purposes of this section the following terms shall have the following meanings:

(a) "Consumer" means a person who agrees to pay a fee to an internet service provider for access to the internet for personal, family, or household purposes, and who does not resell access.

(b) "Internet service provider" means a business or person who provides consumers authenticated access to, or presence on, the internet by means of a switched or dedicated telecommunications channel upon which the provider provides transit routing of internet protocol (IP) packets for and on behalf of the consumer. Internet service provider does not include the offering, on a common carrier basis, of telecommunications facilities or of telecommunications by means of these facilities.

(c) "Ordinary course of business" means debt-collection activities, order fulfillment, request processing, or the transfer of ownership.

(d) "Personally identifiable information" means information that identifies:

(i) a consumer by physical or electronic address or telephone number;

(ii) a consumer as having requested or obtained specific materials or services from an internet service provider;

(iii) internet or online sites visited by a consumer; or

(iv) any of the contents of a consumer's data-storage devices.

2. Except as provided in subdivisions three and four of this section, an internet service provider shall not knowingly disclose personally identifiable information resulting from the customer's use of the telecommunications or internet service provider without express written approval from the customer.

(a) A telecommunications or internet service provider ("ISP") that has entered into a franchise agreement, right-of-way agreement, or other contract with the state of New York or any political subdivision thereof, or that uses facilities that are subject to such agreements, even if it is not a party to the agreement, shall not collect nor disclose personal information from a customer resulting from the customer's use of the telecommunications or internet service provider without express written approval from the customer; and

(b) No such telecommunication or internet service provider shall refuse to provide its services to a customer on the grounds that the customer has not approved the collection or disclosure of the customer's personal information.

3. An internet service provider shall disclose personally identifiable information concerning a consumer:

(a) pursuant to a grand jury subpoena;

(b) to an investigative or law enforcement officer while acting as authorized by law;

(c) pursuant to a court order in a civil proceeding upon a showing of compelling need for the information that cannot be accommodated by other means;

(d) to a court in a civil action for conversion commenced by the internet service provider or in a civil action to enforce collection of unpaid subscription fees or purchase amounts, and then only to the extent necessary to establish the fact of the subscription delinquency or purchase agreement, and with appropriate safeguards against unauthorized disclosure;

(e) to the consumer who is the subject of the information, upon written or electronic request and upon payment of a fee not to exceed the actual cost of retrieving the information;

(f) pursuant to subpoena, including an administrative subpoena, issued under authority of a law of this state or another state or the United States; or

(g) pursuant to a warrant or court order.

4. An internet service provider may disclose personally identifiable information concerning a consumer to:

(a) any person if the disclosure is incident to the ordinary course of business of the internet service provider;

(b) another internet service provider for purposes of reporting or preventing violations of the publish acceptable use policy or customer service agreement of the internet service provider; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;

(c) any person with the authorization of the consumer; or

(d) as required by subdivision three of this section.

5. (a) The internet service provider shall obtain the consumer's authorization of the disclosure of personally identifiable information in writing or by electronic means.

(b) The request for authorization must reasonably describe the types of persons to whom personally identifiable information may be disclosed and the anticipated uses of the information.

(c) In order for an authorization to be effective, a contract between an internet service provider and the consumer must state that the authorization will be obtained by an affirmative act of the consumer.

(d) The provision in the contract must be conspicuous.

(e) Authorization shall be obtained in a manner consistent with self-regulating guidelines issued by representatives of the internet service provider or online industries, or in any other manner reasonably designed to comply with this section.

6. The internet service provider shall take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information.

7. Except for purposes of establishing a violation of this chapter, personally identifiable information obtained in any manner other than as provided in this chapter shall not be received in evidence in a civil action.

8. A consumer who prevails or substantially prevails in an action brought under this section is entitled to the greater of five hundred dollars or actual damages. Costs, disbursements, and reasonable attorney fees may be awarded to a party awarded damages for a violation of this section. The damages available under this section are exempted from any mandatory arbitration clauses that may exist in the contract between the internet service provider and the consumer. In an action under this section, it is a defense that the defendant has established and implemented reasonable practices and procedures to prevent violations of this section.

9. This section does not limit any greater protection of the privacy of information under other law, except that:

(a) nothing in this chapter limits the authority under other state or federal law of law enforcement or prosecuting authorities to obtain information; and

(b) if federal law is enacted that regulates the release of personally identifiable information by internet service providers but does not preempt state law on the subject, state law prevails.

10. This section shall apply to internet service providers in the provision of services to consumers in this state.

§ 2. This act shall take effect on the ninetieth day after it shall have become a law.