STATE OF NEW YORK

7191

2017-2018 Regular Sessions

IN ASSEMBLY

April 12, 2017

Introduced by M. of A. WALLACE, ZEBROWSKI, ROZIC, JOHNS, STECK, PHEFFER AMATO, MORINELLO, McDONOUGH, OTIS, BRINDISI, GALEF, LOPEZ, SKOUFIS, JAFFEE, BUCHWALD, DICKENS -- Multi-Sponsored by -- M. of A. CROUCH, SIMON -- read once and referred to the Committee on Consumer Affairs and Protection

AN ACT to amend the general business law, in relation to prohibiting the disclosure of personally identifiable information by an internet service provider without the express written approval of the customer

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.

LBD10928-02-7

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. The general business law is amended by adding a new section 399-k to read as follows:

§ 399-k. Disclosure of personally identifiable information by an internet service provider; prohibited.

1. For the purposes of this section the following terms shall have the following meanings:

(a) "Consumer" means a person who agrees to pay a fee to an internet service provider for access to the internet for personal, family, or household purposes, and who does not resell access.

(b) "Internet service provider" means a business or person who provides consumers authenticated access to, or presence on, the internet by means of a switched or dedicated telecommunications channel upon which the provider provides transit routing of internet protocol (IP) packets for and on behalf of the consumer. Internet service provider does not include the offering, on a common carrier basis, of telecommunications facilities or of telecommunications by means of these facilities.

(c) "Ordinary course of business" means debt-collection activities, order fulfillment, request processing, or the transfer of ownership.

(d) "Personally identifiable information" means information that identifies:

(i) a consumer by physical or electronic address or telephone number;

(ii) a consumer as having requested or obtained specific materials or services from an internet service provider;

(iii) internet or online sites visited by a consumer; or

(iv) any of the contents of a consumer's data-storage devices.

2. Except as provided in subdivisions three and four of this section, an internet service provider shall not knowingly disclose personally identifiable information resulting from the customer's use of the telecommunications or internet service provider without express written approval from the customer.

(a) A telecommunications or internet service provider ("ISP") that has entered into a franchise agreement, right-of-way agreement, or other contract with the state of New York or any political subdivision thereof, or that uses facilities that are subject to such agreements, even if it is not a party to the agreement, shall not collect nor disclose personal information from a customer resulting from the customer's use of the telecommunications or internet service provider without express written approval from the customer; and

(b) No such telecommunication or internet service provider shall refuse to provide its services to a customer on the grounds that the customer has not approved the collection or disclosure of the customer's personal information.

3. An internet service provider shall disclose personally identifiable information concerning a consumer:

(a) pursuant to a grand jury subpoena;

(b) to an investigative or law enforcement officer while acting as authorized by law;

(c) pursuant to a court order in a civil proceeding upon a showing of compelling need for the information that cannot be accommodated by other means;

(d) to a court in a civil action for conversion commenced by the internet service provider or in a civil action to enforce collection of unpaid subscription fees or purchase amounts, and then only to the extent necessary to establish the fact of the subscription delinquency or purchase agreement, and with appropriate safeguards against unauthorized disclosure;

(e) to the consumer who is the subject of the information, upon written or electronic request and upon payment of a fee not to exceed the actual cost of retrieving the information;

(f) pursuant to subpoena, including an administrative subpoena, issued under authority of a law of this state or another state or the United States; or

(g) pursuant to a warrant or court order.

4. An internet service provider may disclose personally identifiable information concerning a consumer to:

(a) any person if the disclosure is incident to the ordinary course of business of the internet service provider;

(b) another internet service provider for purposes of reporting or preventing violations of the publish acceptable use policy or customer service agreement of the internet service provider; except that the recipient may further disclose the personally identifiable information only as provided by this chapter;

(c) any person with the authorization of the consumer; or

(d) as required by subdivision three of this section.

5. (a) The internet service provider shall obtain the consumer's authorization of the disclosure of personally identifiable information in writing or by electronic means.

(b) The request for authorization must reasonably describe the types of persons to whom personally identifiable information may be disclosed and the anticipated uses of the information.

(c) In order for an authorization to be effective, a contract between an internet service provider and the consumer must state that the authorization will be obtained by an affirmative act of the consumer.

(d) The provision in the contract must be conspicuous.

(e) Authorization shall be obtained in a manner consistent with self-regulating guidelines issued by representatives of the internet service provider or online industries, or in any other manner reasonably designed to comply with this section.

6. The internet service provider shall take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information.

7. Except for purposes of establishing a violation of this chapter, personally identifiable information obtained in any manner other than as provided in this chapter shall not be received in evidence in a civil action.

8. A consumer who prevails or substantially prevails in an action brought under this section is entitled to the greater of five hundred dollars or actual damages. Costs, disbursements, and reasonable attorney fees may be awarded to a party awarded damages for a violation of this section. The damages available under this section are exempted from any mandatory arbitration clauses that may exist in the contract between the internet service provider and the consumer. In an action under this section, it is a defense that the defendant has established and implemented reasonable practices and procedures to prevent violations of this section.

9. This section does not limit any greater protection of the privacy of information under other law, except that:

(a) nothing in this chapter limits the authority under other state or federal law of law enforcement or prosecuting authorities to obtain information; and

(b) if federal law is enacted that regulates the release of personally identifiable information by internet service providers but does not preempt state law on the subject, state law prevails.

10. This section shall apply to internet service providers in the provision of services to consumers in this state.

§ 2. This act shall take effect on the ninetieth day after it shall have become a law.