STATE OF NEW YORK

7236

2017-2018 Regular Sessions

IN ASSEMBLY

April 12, 2017

Introduced by M. of A. ZEBROWSKI, SKOUFIS, BUCHWALD, JAFFEE, MONTESANO -- Multi-Sponsored by -- M. of A. CROUCH, SIMON -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law, in relation to requiring internet service providers to provide customers with a copy of their privacy policy and to obtain written and explicit permission from a customer prior to sharing, using, selling or providing to a third party any sensitive information of such customer

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The general business law is amended by adding a new section 390-bb to read as follows:

§ 390-bb. Internet service providers; customer data privacy.

1. For the purposes of this section the following terms shall have the following meanings:

(a) "Internet service provider" means any person, business, or organization who is qualified to conduct business in the state that provides individuals, corporations, or other entities with access to the internet as part of a service.

(b) "Customer" means any person, corporation or entity which pays a fee to an internet service provider for access to the internet as part of a service.

(c) "Sensitive information" means any information that which can identify the customer or any other information that is specifically attributable to such customer including, but not limited to, financial or medical data, biographical information, communication content, browsing or web history, or internet usage.

(d) "Non-sensitive information" means information collected on users that is not specific to an individual customer including, but not limited to, aggregated use, subscription data or other macro level information.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD10887-01-7

2. Each internet service provider shall provide customers with a copy, either in writing or in electronic form, of their privacy policy that shall include its data collection and use practices, third party relationships, purpose of the data collection and process for customers to exercise control over their information as provided in this section. The privacy policy shall be provided to customers upon entering into a contract with the internet service provider and subsequently upon any significant changes made to such policy.

3. An internet service provider shall obtain written and explicit permission from a customer prior to sharing, using, selling or providing to a third party any sensitive information of such customer. The internet service provider shall provide to the customer a clear and conspicuous description of the intended use of their information, including, but not limited to, type of information that may be disclosed, purpose of such disclosure, and all third party entities that may be receiving or using the information.

4. A customer shall have the option to remove their consent for the use or disclosure of non-sensitive information. The internet service provider shall develop a process for a customer to easily remove their consent for the use of any non-sensitive information. The process shall include a detailed description of the intended use of their information, including, but not limited to, type of information that may be disclosed, purpose of such disclosure, and all third party entities that may be receiving or using the information.

5. An internet service provider shall not, as a condition of the service, require consent from a customer for use of their sensitive or non-sensitive information.

6. An internet service provider may use sensitive or non-sensitive information without consent from the customer if such information is necessary in providing the service to the customer, including, but not limited to, billing, installation, and support.

7. Whenever there shall be a violation of this section, an application may be made by the attorney general in the name of the people of the state of New York to a court or justice having jurisdiction by a special proceeding to issue an injunction, and upon notice to the defendant of not less than five days, to enjoin and restrain the continuance of such violation; and if it shall appear to the satisfaction of the court or justice that the defendant has, in fact, violated this section, an injunction may be issued by such court or justice, enjoining and restraining any further violation, without requiring proof that any person has, in fact, been injured or damaged thereby. In any such proceeding, the court may make allowances to the attorney general as provided in paragraph six of subdivision (a) of section eighty-three hundred three of the civil practice law and rules, and direct restitution. Whenever the court shall determine that a violation of this section has occurred, the court may impose a civil penalty of not more than five hundred dollars for a single violation and not more than fifty thousand dollars for multiple violations resulting from a single act or incident. In connection with any such proposed application, the attorney general is authorized to take proof and make a determination of the relevant facts and issue subpoenas in accordance with the civil practice law and rules.

§ 2. This act shall take effect on the sixtieth day after it shall have become a law.