STATE OF NEW YORK

5603--A

2017-2018 Regular Sessions

IN SENATE

April 19, 2017

Introduced by Sens. CARLUCCI, ALCANTARA, HAMILTON, KAMINSKY, PERALTA, RANZENHOFER, SAVINO -- read twice and ordered printed, and when printed to be committed to the Committee on Consumer Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee

AN ACT to amend the general business law, in relation to prohibiting the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD10928-06-7

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The general business law is amended by adding a new section 399-k to read as follows:

§ 399-k. Disclosure of personally identifiable information by an internet service provider; prohibited.

1. For the purposes of this section the following terms shall have the following meanings:

  (a) "Consumer" means a person who agrees to pay a fee to an internet service provider for access to the internet for personal, family, or household purposes, and who does not resell access.

  (b) "Internet service provider" (ISP) means a business entity or individual who provides consumers authenticated access to, or presence on, the internet by means of a switched or dedicated telecommunications channel upon which the provider provides transit routing of internet protocol packets for and on behalf of the consumer. Internet service provider does not include the offering, on a common carrier basis, of telecommunications facilities or of telecommunications by means of these facilities.

  (c) "Personally identifiable information" means information that identifies:

    (i) a consumer by physical or electronic address or telephone number;

    (ii) a consumer's internet search history or internet usage history; or

    (iii) any of the contents of a consumer's data-storage devices.

2. Except as provided in subdivisions three and four of this section, an ISP shall not knowingly disclose personally identifiable information resulting from the consumer's use of the telecommunications or ISP without express written approval from the consumer.

  (a) A telecommunications or ISP that has entered into a franchise agreement, right-of-way agreement, or other contract with the state of New York or any political subdivision thereof, or that uses facilities that are subject to such agreements, even if it is not a party to the agreement, shall not collect nor disclose personal information from a consumer resulting from the consumer's use of the telecommunications or ISP without express written approval from the consumer; and

  (b) No such telecommunication or ISP shall refuse to provide its services to a consumer on the grounds that the consumer has not approved the collection or disclosure of the consumer's personal information.

3. An ISP may disclose personally identifiable information concerning a consumer:

  (a) pursuant to a grand jury subpoena;

  (b) to an investigative or law enforcement officer while acting as authorized by law;

  (c) pursuant to a court order in a civil proceeding upon a showing of compelling need for the information that cannot be accommodated by other means;

  (d) to a court in a civil action for conversion commenced by the ISP or in a civil action to enforce collection of unpaid subscription fees or purchase amounts, and then only to the extent necessary to establish the fact of the subscription delinquency or purchase agreement, and with appropriate safeguards against unauthorized disclosure;

  (e) to the consumer who is the subject of the information, upon written or electronic request and upon payment of a fee not to exceed the actual cost of retrieving the information;

  (f) pursuant to subpoena, including an administrative subpoena, issued under authority of a law of this state or another state or the United States;

  (g) another ISP for purposes of reporting or preventing violations of the publish acceptable use policy or consumer service agreement of the ISP; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;

  (h) any person with the authorization of the consumer; or

  (i) as required by this subdivision.

4. (a) The ISP shall obtain the consumer's authorization of the disclosure of personally identifiable information in writing or by electronic means.

  (b) The request for authorization must reasonably describe the types of persons to whom personally identifiable information may be disclosed and the anticipated uses of the information.

  (c) In order for an authorization to be effective, a contract between an ISP and the consumer must state that the authorization will be obtained by an affirmative act of the consumer.

  (d) The provision in the contract must be conspicuous.

  (e) Authorization shall be obtained in a manner consistent with guidelines issued by representatives of the ISP or online industries, or in any other manner reasonably designed to comply with this section.

5. The ISP shall take all reasonable and necessary steps to maintain the security and privacy of a consumer's personally identifiable information.

6. A consumer who prevails or substantially prevails in an action brought under this section is entitled to the greater of five hundred dollars or actual damages. Costs, disbursements, and reasonable attorney fees may be awarded to a party awarded damages for a violation of this section. The damages available under this section are exempted from any mandatory arbitration clauses that may exist in the contract between the ISP and the consumer. In an action under this section, it is a defense that the defendant has established and implemented reasonable practices and procedures to prevent violations of this section.

7. This section does not limit any greater protection of the privacy of information under other law, except that:

  (a) nothing in this section shall be deemed to limit the authority under other state or federal law of law enforcement to obtain information; and

  (b) if federal law is enacted that regulates the release of personally identifiable information by ISPs but does not preempt state law on the subject, state law prevails.

§ 2. This act shall take effect on the ninetieth day after it shall have become a law.