RETRIEVE BILL
STATE OF NEW YORK
________________________________________________________________________
2505
2003-2004 Regular Sessions
IN ASSEMBLY
January 29, 2003
___________
Introduced by M. of A. KAUFMAN -- read once and referred to the Commit-
tee on Governmental Operations
AN ACT to amend the civil rights law, the general business law, the
public health law, the civil practice law and rules, and the public
service law, in relation to the protection and preservation of the
right of personal privacy and to repeal article 32 of the general
business law relating to the video consumer privacy act
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "Personal Privacy Act of 2004".
3 § 2. Legislative findings and intent. The legislature finds and
4 declares that the development and preservation of the right of privacy
5 has been unduly interfered with for commercial and economic purposes
6 through the advancement and uninhibited use of telecommunications and
7 computer-based information sharing technologies. It further finds and
8 declares that the law of privacy and the sanctity of the individual have
9 been unduly constrained and otherwise restricted by judicial decisions
10 further limiting the right of privacy to enumerated statutory
11 provisions, and that the people of this state have therefore been
12 deprived of and otherwise denied the protection offered by a law of
13 privacy. The legislature therefore declares that an absolute right of
14 privacy is recognized in this state, and that each individual shall have
15 a cause of action for invasions of privacy.
16 The legislature further finds and declares that the rules of
17 construction requiring statutes in derogation of the common law to be
18 strictly construed shall have no application to this act, and that the
19 right of privacy recognized by this act shall be broadly construed to
20 strengthen the development of the law of privacy in a manner consistent
21 with the freedoms and responsibilities enumerated in the state and
22 federal constitutions.
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD05547-02-3
A. 2505 2
1 § 3. Article 5 of the civil rights law is amended by adding a new
2 section 49 to read as follows:
3 § 49. Right to privacy. 1. For purposes of this section: (a) "person"
4 means a natural person; (b) a "public figure" means any person who,
5 through his or her profession, achievements, or style of life, has been
6 made or otherwise become the object of public interest and scrutiny.
7 2. All persons have a right to privacy, which includes but is not
8 limited to the following rights:
9 (a) Security from intrusion upon solitude or isolation. Each person
10 has the right to be secure from unreasonable intrusion upon his or her
11 seclusion or solitude.
12 A person aggrieved by a violation of the provisions of this paragraph
13 may maintain an action to obtain redress pursuant to the provisions of
14 paragraph (d) of this subdivision for any unreasonable intrusion or
15 violation of his or her right of seclusion or solitude. In any such
16 action, the plaintiff must plead and prove the occurrence of an invasion
17 or intrusion into aspects of his or her life either: (i) that he or she
18 reasonably wishes to maintain in privacy and keep secure from the scru-
19 tiny of any observer, or (ii) which invasion or intrusion was or is
20 highly offensive or objectionable to a reasonable person of ordinary
21 sensibilities. The publication, broadcast, transmission, or dissem-
22 ination by any means, whether commercial or personal, is a required
23 element of a cause of action for intrusion on seclusion or solitude. In
24 any such action, it is not necessary for a plaintiff to plead or prove
25 that any person who made an intrusive disclosure benefited from such
26 disclosure.
27 (b) Security from unreasonable publicity given to private life. Each
28 person has the right to be secure from unreasonable publicity being
29 given to that person's private life.
30 A person aggrieved by a violation of the provisions of this paragraph
31 may maintain an action to obtain redress pursuant to the provisions of
32 paragraph (d) of this subdivision for any unreasonable publicity given
33 to that person's private life. In any such action, the plaintiff must
34 plead and prove that: (i) there has been a public disclosure of a
35 private fact, (ii) the fact that has been made public is one that would
36 be highly embarrassing to a reasonable person of ordinary sensibilities,
37 and (iii) the fact disclosed is not of legitimate concern to the public.
38 For purposes of this subdivision, a person deemed by a court of compe-
39 tent jurisdiction to be a public figure does not have a diminished
40 privacy interest. In any such action, it is not necessary for a plain-
41 tiff to plead or prove that any person who made a public disclosure
42 benefited from such disclosure.
43 (c) Security from publicity placing person in a false light. Each
44 person has the right to be secure from publicity that places that person
45 in a false light before the public. A person aggrieved by a violation of
46 the provisions of this paragraph may maintain an action to obtain
47 redress pursuant to the provisions of paragraph (d) of this subdivision
48 for any unreasonable publicity given to that person's private life. In
49 any such action, the plaintiff must plead and prove that: (i) there has
50 been a public disclosure attributing to such person any characteristics,
51 conduct, or beliefs that are false or misleading and have the capacity
52 to place such person in a false light, (ii) any of the false character-
53 istics, conduct, or beliefs which have been publicly disclosed would be
54 highly offensive or objectionable to a reasonable person of ordinary
55 sensibilities, and (iii) the discloser of the false characteristics,
56 conduct, or beliefs which placed the plaintiff in a false light had
A. 2505 3
1 knowledge of, or acted in reckless disregard as to, the falsity of the
2 matters disclosed. In any such action, it is not necessary for a plain-
3 tiff to plead or prove that any person who made a disclosure of such
4 false characteristics, conduct, or beliefs benefited from such disclo-
5 sure.
6 (d) Any person whose privacy has been invaded in any of the manners
7 provided for in this subdivision may make an application and bring an
8 action in a court of competent jurisdiction to obtain: (i) An injunction
9 to enjoin and restrain such invasion of privacy, and, if it appears to
10 the court that the privacy of such person has been invaded, an injunc-
11 tion shall be issued by the court enjoining and restraining such inva-
12 sion; (ii) Actual damages sustained as a result of such invasion of
13 privacy and such exemplary damages and other remedies as the court deems
14 appropriate; and (iii) Such costs and fees as may have been necessary to
15 bring such action and reasonable attorneys' fees.
16 (e) In any action for invasion of privacy in which publication, broad-
17 cast, or any other electronic transmission is an element of the cause of
18 action, the defenses of consent, newsworthiness, and qualified or abso-
19 lute privilege shall be available to ensure that the freedoms guaranteed
20 by the United States and New York state constitutions shall not be
21 infringed.
22 (f) Such causes of action provided for by this section shall be in
23 addition to any other cause of action provided under section fifty,
24 fifty-a, fifty-b, fifty-c, fifty-d, or fifty-one of this article.
25 § 4. Section 50 of the civil rights law is amended to read as follows:
26 § 50. Right of privacy; nonconsensual use of name or likeness. A
27 person, firm [or], partnership, corporation, association, limited
28 liability company, or other entity that uses for advertising purposes,
29 or for the purposes of trade, the name, portrait [or], picture, voice,
30 actual performance, identity, nickname, or objects of any living person
31 without having first obtained the written consent of such person, or if
32 a minor of his or her parent or guardian, is guilty of a misdemeanor.
33 § 5. Section 51 of the civil rights law, as amended by chapter 674 of
34 the laws of 1995, is amended to read as follows:
35 § 51. Action for injunction and [for] damages; nonconsensual use of
36 name or likeness. Any person whose name, portrait, picture [or], voice,
37 actual performance, identity, nickname, or objects is used within this
38 state for advertising purposes or for the purposes of trade without the
39 written consent first obtained as [above] provided in section fifty of
40 this article may maintain an equitable action in the supreme court of
41 this state against the person, firm [or], partnership, corporation,
42 association, limited liability company, or other entity so using his or
43 her name, portrait, picture [or], voice, actual performance, identity,
44 nickname, or objects, to prevent and restrain the use thereof and obtain
45 such costs and fees as may have been necessary to bring such action; and
46 may also sue and obtain costs and reasonable legal fees and recover
47 damages for any injuries sustained by reason of such use and if the
48 defendant shall have knowingly used such person's name, portrait,
49 picture [or], voice, actual performance, identity, nickname, or objects
50 in such manner as is forbidden or declared to be unlawful by section
51 fifty of this article, the jury, in its discretion, may award exemplary
52 damages. But nothing contained in this article shall be so construed as
53 to prevent any person, firm [or], partnership, corporation, association,
54 limited liability company, or other entity from selling or otherwise
55 transferring any material containing such name, portrait, picture [or],
56 voice, actual performance, identity, nickname, or objects in whatever
A. 2505 4
1 medium to any user of such name, portrait, picture [or], voice, actual
2 performance, identity, nickname, or objects, or to any third party for
3 sale or transfer directly or indirectly to such a user, for use in a
4 manner lawful under this article; nothing contained in this article
5 shall be so construed as to prevent any person, firm [or], partnership,
6 corporation, association, limited liability company, or other entity,
7 practicing the profession of photography, from exhibiting in or about
8 his or her or its establishment specimens of the work of such establish-
9 ment, unless the same is continued by such person, firm [or], partner-
10 ship, corporation, association, limited liability company, or other
11 entity after written notice objecting thereto has been given by the
12 person portrayed; and nothing contained in this article shall be so
13 construed as to prevent any person, firm [or], partnership, corporation,
14 association, limited liability company, or other entity from using the
15 name, portrait, picture [or], voice, actual performance, identity, nick-
16 name, or objects of any manufacturer or dealer in connection with the
17 goods, wares and merchandise manufactured, produced or dealt in by him
18 or her which he or she has sold or disposed of with such name, portrait,
19 picture [or], voice, actual performance, identity, nickname, or objects
20 used in connection therewith; or from using the name, portrait, picture
21 [or], voice, actual performance, identity, nickname, or objects of any
22 author, composer or artist in connection with his or her literary,
23 musical or artistic productions which he or she has sold or disposed of
24 with such name, portrait, picture [or], voice, actual performance, iden-
25 tity, nickname, or objects used in connection therewith. Nothing
26 contained in this section shall be construed to prohibit the copyright
27 owner of a sound or video recording from disposing of, dealing in,
28 licensing or selling that sound or video recording to any party, if the
29 right to dispose of, deal in, license or sell such sound or video
30 recording has been conferred by contract or other written document by
31 such living person or the holder of such right. Nothing contained in the
32 foregoing sentence shall be deemed to abrogate or otherwise limit any
33 rights or remedies otherwise conferred by federal law or state law.
34 § 6. Article 5 of the civil rights law is amended by adding two new
35 sections 52-a and 52-b to read as follows:
36 § 52-a. Recording and reproducing visual images and conversations.
37 Except as provided for in articles seven hundred and seven hundred five
38 of the criminal procedure law, or for the protection of personal proper-
39 ty within a residence, the protection of property within the premises of
40 a business or organization, the protection of commercial or residential
41 real estate, or for the authorized reporting of public events by employ-
42 ees of news gathering and reporting organizations, or by private inves-
43 tigators registered with or licensed by the secretary of state, and
44 after having provided written notification and obtaining a permit or
45 other written authorization for the use of any device that is designed
46 to record or reproduce any visual image or conversation within the mean-
47 ing of this section and as may be provided for by law or regulation by
48 any state, county, or municipal authority, or for purposes of traffic
49 control by any duly designated agency of government, a person is guilty
50 of unlawfully recording a visual image or conversation when, with
51 intent, he or she chemically, mechanically, or electronically records or
52 otherwise reproduces any visual image or conversation without the know-
53 ledge or expressed consent of any person whose image or conversation he
54 or she is recording or reproducing.
55 § 52-b. Privacy of official records. 1. No public entity, nor any
56 officer or employee thereof, shall disclose any information derived from
A. 2505 5
1 highway, bridge, tunnel, and other thoroughfare toll records, and commu-
2 ter railroad and transit facility records, including E-Z Pass and all
3 other pass card system records; provided, however, that the provisions
4 of this subdivision shall not prohibit a public entity, in its
5 discretion from entering into agreements with any other public entities
6 for the provision of such information when necessary to further the
7 public entity's official functions.
8 2. Notwithstanding any other provision of law, an agency of government
9 in receipt of a request for a record which contains any personal infor-
10 mation shall reject such a request if the agency determines that the
11 record sought would, if disclosed, be used for any commercial purpose or
12 any other purpose unrelated to any of the purposes for which the agency
13 maintains such records.
14 3. The provisions of this section shall not apply to a police agency,
15 a district attorney or his or her assistants, the attorney general or
16 his or her deputies or assistants, or a grand jury in connection with
17 their law enforcement functions.
18 4. For purposes of this section, "public entity" means any state or
19 local department, agency, board, bureau, division, commission, public
20 authority, public benefit corporation, office, or any other entity
21 performing a governmental or proprietary function for the state or any
22 of its political subdivisions.
23 § 7. Article 32 of the general business law, as added by chapter 457
24 of the laws of 1993, is REPEALED and a new article 32-A is added to read
25 as follows:
26 ARTICLE 32-A
27 WRONGFUL DISCLOSURE OF PROTECTED PERSONAL INFORMATION
28 Section 676. Definitions.
29 677. Wrongful disclosure of protected personal information.
30 678. Civil liability.
31 § 676. Definitions. 1. "Commercial entity" means any person, firm,
32 partnership, corporation, association, limited liability company, or
33 other entity:
34 (a) who for commercial, financial, or professional gain, monetary
35 fees, dues, or on a cooperative, nonprofit, or pro-bono basis, engages
36 in the practice of collecting personal protected information;
37 (b) who obtains protected personal information pursuant to this chap-
38 ter; or
39 (c) who is any employee, agent, or contractor of a person or entity
40 covered under paragraph (a) or (b) of this subdivision.
41 2. "Disclose" means to release, publish, share, transfer, transmit,
42 disseminate, show, or otherwise divulge protected personal information
43 to any person other than the person who is the subject of such informa-
44 tion. Use of protected personal information within the entity in accord-
45 ance with the provisions of this article shall not constitute disclo-
46 sure.
47 3. "Protected personal information" means individually identifiable
48 information about an individual, including:
49 (a) first, middle, and last names,
50 (b) home or any other physical or legal address or domicile, including
51 street name and name of a city, town, or village,
52 (c) electronic mail address,
53 (d) telephone number,
54 (e) social security number, and
55 (f) purchases and purchasing habits or activities.
A. 2505 6
1 4. The term "consumer" means any renter, purchaser, or subscriber of
2 goods or services from a commercial entity.
3 5. The term "ordinary course of business" means debt collection activ-
4 ities, order fulfillment, request processing, and the transfer of owner-
5 ship.
6 § 677. Wrongful disclosure of protected personal information. 1. A
7 commercial entity which discloses to any person or other commercial
8 entity, protected personal information relating to any customer of such
9 provider shall be liable to the aggrieved person for the relief provided
10 in section six hundred seventy-eight of this article.
11 2. A commercial entity shall disclose protected personal information
12 relating to any consumer:
13 (a) to a grand jury pursuant to a grand jury subpoena;
14 (b) pursuant to a court order, in a civil proceeding upon the showing
15 of compelling need for the information that cannot be accommodated by
16 any other means, or in a criminal proceeding upon a showing of legiti-
17 mate need for the information that cannot be accommodated by any other
18 means, if:
19 (i) the consumer is given reasonable notice, by the person seeking the
20 disclosure, of the court proceeding relevant to the issuance of the
21 court order;
22 (ii) the consumer is afforded the opportunity to appear and contest
23 the claim of the person seeking the disclosure; and
24 (iii) the court imposes appropriate safeguards against unauthorized
25 disclosure;
26 (c) to a law enforcement agency pursuant to a warrant lawfully
27 obtained under the laws of this state or the United States; or
28 (d) to a court pursuant to a civil action to enforce collection or
29 payment past due or to demonstrate the existence of a business relation-
30 ship. Notwithstanding the provisions of this paragraph, the court shall
31 impose appropriate safeguards against unauthorized disclosure of
32 protected personal information.
33 3. A commercial entity may disclose protected personal information
34 concerning any consumer:
35 (a) to the consumer;
36 (b) to any person with the informed written consent of the consumer;
37 or
38 (c) to any person directly involved in the commercial transaction with
39 the consumer where the disclosure is incidental to the ordinary course
40 of business.
41 4. Protected personal information obtained in any manner other than as
42 provided in this section shall not be received in evidence in any trial,
43 hearing, arbitration, or any other proceeding in or before any court,
44 grand jury, department, officer, agency, regulatory body, legislative
45 committee, or other authority of the state or any political subdivision
46 thereof.
47 § 678. Civil liability. 1. Whenever the court shall determine that a
48 violation of section six hundred seventy-seven of this article has
49 occurred, if such violation constitutes the first such offense by such
50 person, firm, partnership, corporation, association, limited liability
51 company, or other entity, the court shall impose a civil penalty not to
52 exceed five hundred dollars for each instance where it has been deter-
53 mined that a consumer's privacy has been violated. A second offense and
54 any subsequent offense shall be punishable by a civil penalty of one
55 thousand dollars for each instance where it has been determined that a
56 consumer's privacy has been violated.
A. 2505 7
1 2. Whenever the attorney general determines that any violation of
2 section six hundred seventy-seven of this article has occurred he may
3 bring an action consistent with the provisions of subdivision (b) of
4 section three hundred forty-nine of this chapter. In any such action the
5 court shall award costs and reasonable attorneys' fees to the state of
6 New York where the attorney general prevails.
7 3. The provisions of this article may be enforced concurrently by the
8 director of a municipal consumer affairs office or by the county, town,
9 or village attorney, city corporation counsel, or other lawful designee
10 of a municipality. The court shall award costs and reasonable attorneys'
11 fees to the municipality where the chief legal officer or his or her
12 designee prevails. All moneys collected thereunder shall be retained by
13 the municipality.
14 4. Any person whose right of privacy has been interfered with because
15 of a violation of section six hundred seventy-seven of this article may
16 bring an action in his or her own name to enjoin any individual, firm,
17 partnership, corporation, limited liability company, or other entity
18 from violating this article and to recover such actual and exemplary
19 damages, in addition to such costs and reasonable attorneys' fees, as
20 the court may determine reasonable.
21 § 8. The general business law is amended by adding two new sections
22 394-f and 394-g to read as follows:
23 § 394-f. Unsolicited advertisements. 1. For purposes of this section,
24 the following terms have the following meanings:
25 (a) "Personal information" means any data contained in a record that
26 allows for the identification of a person including, but not limited to,
27 a name in conjunction with a residence address, electronic mail address,
28 telephone number, social security number, date of birth, physical
29 description, profession, medical history, income, or credit rating.
30 (b) "Unsolicited advertisement" means any written solicitation for the
31 purchase, lease, rent, contract, or investment in property, goods, or
32 services, including the offering of a prize or award in exchange for
33 attendance or purchase at any location for purposes of a solicitation,
34 or contribution to any natural person without that natural person's
35 expressed consent or authorization.
36 (c) "Unsolicited electronic advertisement" means the initiation or any
37 other transmission of any telephone call, electronic mail, telefax
38 communication, internet transmission or any other form of electronic
39 communication soliciting the purchase, lease, rent, contract, or invest-
40 ment in property, goods, or services, including the offer of a prize or
41 award in exchange for attendance or purchase at any location for
42 purposes of a solicitation, or contribution to any natural person with-
43 out that natural person's expressed consent or authorization.
44 (d) "Consumer" means a natural person who is solicited to purchase,
45 lease, rent, contract, or invest in property, goods, or services includ-
46 ing receiving a prize or award in exchange for a purchase or attendance.
47 (e) "Established business relationship" means a prior or existing
48 relationship formed by a voluntary communication between a consumer and
49 a person, firm, partnership, corporation, association, limited liability
50 company, or other entity on the basis of an application, purchase, or
51 transaction by the consumer regarding property, goods, or services
52 offered by such person, firm, partnership, corporation, association,
53 limited liability company, or other entity within the past year, which
54 relationship has not been terminated by the consumer or the person,
55 firm, partnership, corporation, association, limited liability company,
56 or other entity.
A. 2505 8
1 2. Whenever a person, firm, partnership, corporation, association,
2 limited liability company, or other entity purchases or acquires through
3 trade a listing of consumers utilized in any direct, unsolicited adver-
4 tisement, such person, firm, partnership, corporation, association,
5 limited liability company, or other entity shall provide clear and
6 conspicuous written notice to the consumer within the advertisement or
7 affixed thereto of the consumer's right, hereby granted, of deleting his
8 or her name and address from such mailing list and of his or her right
9 not to receive any further unsolicited advertisements. Such written
10 disclosure shall also indicate that such consumer may at any time delete
11 his or her name from such mailing list. Such written disclosure shall
12 provide a reasonable and simple method by which the consumer can exer-
13 cise such preference.
14 3. (a) Whenever a person, firm, partnership, corporation, association,
15 limited liability company, or other entity purchases or acquires through
16 trade a listing of consumers utilized in any unsolicited telephone
17 advertisement, such person, firm, partnership, corporation, association,
18 limited liability company, or other entity shall disclose to such
19 consumer that he or she has the right, hereby granted, of deleting his
20 or her name, address, and telephone number from such telephone list and
21 of his or her right not to receive any further unsolicited telephone
22 advertisement.
23 (b) Such disclosure shall be made at the beginning of the telephone
24 call and shall be made in a clear and conspicuous manner and shall
25 inform the consumer that he or she can remove his or her name, telephone
26 number, and address from the list at any time and shall inform the
27 consumer of the reasonable and simple means including, but not limited
28 to, verbally advising the caller by which the consumer can exercise such
29 preference.
30 4. Such person, firm, partnership, corporation, association, limited
31 liability company, or other entity referred to in subdivisions two and
32 three of this section shall maintain an exclusion list and shall not
33 send any unsolicited advertisement or make any unsolicited telephone
34 advertisement to any consumer on such list. Such person, firm, partner-
35 ship, corporation, association, limited liability company, or other
36 entity is prohibited from using such list for any purpose other than
37 compliance with the requirements of this section, and such person, firm,
38 partnership, corporation, association, limited liability company, or
39 other entity shall not, sell, rent, exchange, or otherwise make avail-
40 able such exclusion list to any third party.
41 5. No person, firm, partnership, corporation, association, limited
42 liability company, or other entity shall be deemed to have violated the
43 provisions of this section if such person, firm, partnership, corpo-
44 ration, association, limited liability company, or other entity shows,
45 by a preponderance of the evidence, that the violation was not inten-
46 tional and resulted from a bona fide error made notwithstanding the
47 maintenance of procedures reasonably adopted to avoid any such error.
48 6. Disclosure shall not be required in such instances where a person,
49 firm, partnership, corporation, association, limited liability company,
50 or other entity has established a business relationship with a consumer
51 through the sale of goods, services, securities, or real property.
52 7. Whenever the court determines that a violation of subdivision two
53 or three of this section has occurred, the court shall impose a civil
54 penalty not to exceed two hundred fifty dollars for each instance where
55 it has been determined that a consumer's privacy has been violated.
56 Whenever the court determines that a violation of subdivision four of
A. 2505 9
1 this section has occurred, if such violation constitutes the first such
2 offense by such person, firm, partnership, corporation, association,
3 limited liability company, or other entity, the court shall impose a
4 civil penalty not to exceed five hundred dollars for each instance where
5 it has been determined that a consumer's privacy has been violated. A
6 second offense and any subsequent offense shall be punishable by a civil
7 penalty of one thousand dollars for each instance where it has been
8 determined that a consumer's privacy has been violated.
9 8. (a) Whenever the attorney general determines that any violation of
10 subdivision two, three, or four of this section has occurred, he or she
11 may bring an action consistent with the provisions of subdivision (b) of
12 section three hundred forty-nine of this chapter. In any such action,
13 the court shall award costs and reasonable attorneys' fees to the state
14 of New York where the attorney general prevails.
15 (b) The provisions of this section may be enforced concurrently by the
16 director of a municipal consumer affairs office or by the county, town,
17 or village attorney, city corporation counsel, or other lawful designee
18 of a municipality. The court shall award costs and reasonable attor-
19 neys' fees to such municipality where the chief legal officer or his or
20 her designee prevails. All moneys collected thereunder shall be retained
21 by the municipality.
22 (c) Any person whose right of privacy has been interfered with because
23 of a violation of this section may bring an action in his or her own
24 name to enjoin any individual, firm, partnership, corporation, limited
25 liability company, or other entity from violating subdivision two,
26 three, or four of this section and to recover such real and exemplary
27 damages, in addition to such costs and reasonable attorneys' fees, as
28 the court may determine reasonable.
29 § 394-g. Sale, rental, or exchange of personal identification informa-
30 tion. 1. For purposes of this section the term:
31 (a) "Commercial purposes" means the solicitation for the purchase,
32 lease, contract, or investment in property, goods, or services, includ-
33 ing the offering of a prize in exchange for a purchase or for attendance
34 at any location for the purposes of a solicitation, the solicitation for
35 a contribution, or the business of compiling personal identification
36 information for sale, lease, or rent.
37 (b) "Personal identification information" means any information
38 including, but not limited to, a natural person's name, address, tele-
39 phone or fax number, electronic mail address, occupation, age, gender,
40 credit history and rating, purchasing history, and services contracted.
41 (c) "Consumer" means a natural person about whom personal identifica-
42 tion information has been collected.
43 2. Every person, firm, partnership, corporation, association, limited
44 liability company, or other entity who sells, rents, exchanges, or
45 releases personal identification information to any other person, part-
46 nership, corporation, association, limited liability company, or other
47 entity for their commercial purposes shall:
48 (a) upon initial contact with a consumer, provide clear and conspicu-
49 ous written notification, and at least annually thereafter shall provide
50 written notification, of such practice to each consumer of their prac-
51 tice of selling, renting, exchanging, or releasing personal identifica-
52 tion information;
53 (b) clearly inform each consumer of the option of prohibiting the
54 sale, rental, exchange, or release of their personal identification
55 information for such commercial purpose;
A. 2505 10
1 (c) provide written notification to each consumer at least fifteen
2 days prior to the commencement of any sale, rental, exchange, or release
3 of any personal identification information to any other person, firm,
4 partnership, corporation, association, limited liability company, or
5 other entity for commercial purposes.
6 3. Such notifications as may be required by subdivision two of this
7 section may be inserted in a billing statement or other mailing,
8 provided that the notification is made in a clear and conspicuous
9 manner. Such notification shall provide a reasonable and simple method
10 whereby a consumer may indicate his or her preference of permitting or
11 prohibiting the sale, rental, exchange, or release of personal informa-
12 tion to another person, firm, partnership, corporation, association,
13 limited liability company, or other entity for commercial purposes.
14 4. Every person, firm, partnership, corporation, association, limited
15 liability company, or other entity engaging in the practices described
16 in paragraph (a) of subdivision two of this section shall maintain a
17 list of those consumers who have exercised their option of being
18 excluded from any sale, lease, exchange, or release of their personal
19 identification information.
20 5. No person, firm, partnership, corporation, association, limited
21 liability company, or other entity shall be deemed to have violated the
22 provisions of this section if such person, partnership, corporation,
23 association, limited liability company, or other entity shows by a
24 preponderance of evidence that the violation was not intentional and
25 resulted from a bona fide error made notwithstanding the maintenance of
26 procedures reasonably adopted to avoid such error.
27 6. The provisions of this section prohibiting the release of informa-
28 tion shall not apply to the reporting of necessary information to
29 consumer reporting agencies, in compliance with the provisions of the
30 federal fair credit reporting act (15 U.S.C. section 1681 et seq.) and
31 article twenty-five of this chapter, known as the "fair credit reporting
32 act", and any regulations promulgated thereunder.
33 7. Whenever the court determines that a violation of subdivision two
34 or three of this section has occurred, the court shall impose a civil
35 penalty not to exceed two hundred fifty dollars for each instance where
36 it has been determined that a consumer's privacy has been violated.
37 Whenever the court determines that a violation of subdivision four of
38 this section has occurred, if such violation constitutes the first such
39 offense by such person, firm, partnership, corporation, association,
40 limited liability company, or other entity, the court shall impose a
41 civil penalty not to exceed five hundred dollars for each instance where
42 it has been determined that a consumer's privacy has been violated. A
43 second offense and any subsequent offense shall be punishable by a civil
44 penalty of one thousand dollars for each instance where it has been
45 determined that a consumer's privacy has been violated.
46 8. (a) Whenever the attorney general determines that any violation of
47 subdivision two, three, or four of this section has occurred, he or she
48 may bring an action consistent with the provisions of subdivision (b) of
49 section three hundred forty-nine of this chapter. In any such action,
50 the court shall award costs and reasonable attorneys' fees to the state
51 of New York where the attorney general prevails.
52 (b) The provisions of this section may be enforced concurrently by the
53 director of a municipal consumer affairs office or by the county, town,
54 or village attorney, city corporation counsel, or other lawful designee
55 of a municipality. The court shall award costs and reasonable attor-
56 neys' fees to such municipality where the chief legal officer or his or
A. 2505 11
1 her designee prevails. All moneys collected thereunder shall be retained
2 by the municipality.
3 (c) Any person whose right of privacy has been interfered with because
4 of a violation of this section may bring an action in his or her own
5 name to enjoin any individual, firm, partnership, corporation, limited
6 liability company, or other entity from violating subdivision two,
7 three, or four of this section and to recover such actual and exemplary
8 damages, in addition to such costs and reasonable attorneys' fees, as
9 the court may determine reasonable.
10 § 9. Section 380-l of the general business law, as amended by chapter
11 619 of the laws of 2002, is amended to read as follows:
12 § 380-l. Civil liability for [willful] noncompliance. Any person,
13 firm, partnership, corporation, [or] association, limited liability
14 company, or other entity whose [knowing and willful] violation of
15 section three hundred eighty-s of this article resulted in the trans-
16 mission or provision to a consumer reporting agency of information that
17 would otherwise not have been transmitted or provided, and any consumer
18 reporting agency or user of information who or which [willfully and
19 knowingly] fails to comply with any requirement imposed under this arti-
20 cle with respect to any consumer is liable to that consumer in an amount
21 equal to the sum of:
22 (a) Any actual damages sustained by the consumer as a result of such
23 failure or as a result of a violation of section three hundred eighty-s
24 of this article;
25 (b) Such amount of punitive damages as the court may allow; and
26 (c) In the case of any successful action to enforce any liability
27 under this section, the costs of the action together with reasonable
28 attorney's fees as determined by the court.
29 § 10. Section 380-t of the general business law, as relettered by
30 chapter 619 of the laws of 2002, is relettered section 380-u and a new
31 section 380-t is added to read as follows:
32 § 380-t. Enforcement. 1. Upon any violation of this article, an appli-
33 cation may be made by the attorney general in the name of the people of
34 the state to a court having jurisdiction. If it shall appear to the
35 satisfaction of the court that the respondent has violated any provision
36 of this article, an injunction may be issued, enjoining and restraining
37 any further violation, without requiring proof that any person has, in
38 fact, been injured or damaged thereby. In any such proceeding, the court
39 may make allowances to the attorney general as provided in paragraph six
40 of subdivision (a) of section eight thousand three hundred three of the
41 civil practice law and rules, and direct restitution. Whenever the court
42 determines that a violation of this section has occurred, the court may
43 impose a civil penalty of not more than one thousand dollars per
44 violation.
45 2. The provisions of this article may be enforced concurrently by the
46 director of a municipal consumer affairs office or by the county, town,
47 or village attorney, city corporation counsel, or other lawful designee
48 of a municipality. The court shall award costs and reasonable attorneys'
49 fees to such municipality where the chief legal officer or his or her
50 designee prevails. All moneys collected thereunder shall be retained by
51 the municipality.
52 3. Any person aggrieved by a violation of this article may bring an
53 action in his or her own name to enjoin any individual, firm, partner-
54 ship, corporation, association, limited liability company, or other
55 entity from engaging in any further violation of this article and may
A. 2505 12
1 request such real and exemplary damages in addition to such costs and
2 reasonable attorneys' fees as the court may determine.
3 § 11. The public health law is amended by adding a new article 10 to
4 read as follows:
5 ARTICLE 10
6 HEALTH INFORMATION PRIVACY
7 Section 1000. Definitions.
8 1001. Application.
9 1002. Duty to maintain the confidentiality of health informa-
10 tion.
11 1003. Disclosure.
12 1004. Notice upon disclosure.
13 1005. Record of disclosures.
14 1006. Disclosure without informed consent.
15 1007. Informed consent.
16 1008. Disclosure for criminal or civil litigation.
17 1009. Criminal penalties.
18 1010. Civil remedy.
19 1011. Immunity.
20 1012. Severability.
21 § 1000. Definitions. As used in this article:
22 1. "Disclose", "disclosed" and "disclosure" means the release, trans-
23 fer, dissemination, or provision of access to or other communication of
24 all or any portion of health information by any means to any other
25 person, firm, partnership, corporation, association, limited liability
26 company, or other entity.
27 2. "Health information" means any information which identifies or can
28 be readily associated with the identity of a person and relates to the
29 person's genetic structure, past, present, or future physical or mental
30 health status, condition, treatment, service, products purchased or
31 provision of care.
32 3. "Informed consent" means a written and signed authorization for
33 disclosure of health information by the person to whom such information
34 relates. Every such informed consent shall be dated and state the person
35 or persons to whom disclosure is authorized.
36 4. "Legitimate public health purpose" means those population-based
37 activities or individual efforts primarily aimed at the prevention of
38 injury, disease, or premature mortality, or promotion of health in the
39 community, including (a) assessing the health needs and status of the
40 community through public health surveillance and epidemiological
41 research, (b) developing public health policy, (c) responding to public
42 health needs and emergencies, and (d) such other public health related
43 activities or efforts specifically authorized by federal or state law.
44 5. "Non-identifiable information" means any health related information
45 which does not identify nor can readily be associated with any specific
46 person through other information, including names, social security
47 numbers, addresses, employers, medical providers, insurance providers,
48 unique identifiers, or other facts, without the use of encryption, a
49 code, a key, or any other technological tool.
50 6. "Public health" means population-based activities or individual
51 efforts primarily aimed at the prevention of injury, disease or prema-
52 ture mortality, or the promotion of health.
53 7. "Public health agency" means any organization, operated or funded
54 in whole or in part by the federal government, the state or any local
55 government, which collects, maintains, uses, or stores health informa-
A. 2505 13
1 tion for public health purposes. Such organizations shall include, but
2 not be limited to, public health offices established by federal, state,
3 or local law, testing laboratories, testing facilities, treatment clin-
4 ics, research facilities, and information storage facilities.
5 8. "Public health information" means any health information that is
6 collected, maintained, used, disclosed, or stored by any public health
7 agency, including information regarding whether the agency possesses
8 such information.
9 9. "Public health official" means any officer, employee, contractor,
10 intern, or volunteer of a public health agency with authorization from
11 the agency or pursuant to law to collect, maintain, use, disclose, or
12 store public health information.
13 10. "Public information" means information which is available to the
14 general public for inspection and review pursuant to article six of the
15 public officers law.
16 11. "Use and used" means to employ or utilize all or any part of
17 health information by any means.
18 § 1001. Application. The provisions of this article apply to all
19 disclosures of health information which are otherwise subject to the
20 provisions of this chapter or to which any other provision of law
21 applies.
22 § 1002. Duty to maintain the confidentiality of health information. 1.
23 Health information shall be collected, maintained, used, and stored in a
24 manner which ensures the confidentiality and integrity of such informa-
25 tion.
26 2. Health information shall not be deemed to be public information and
27 shall not be disclosed, except as authorized by this article.
28 3. No provision of this article shall be deemed to limit the disclo-
29 sure of health information by the person to whom such information
30 relates.
31 § 1003. Disclosure. Health information disclosed without informed
32 consent shall, whenever practicable, be disclosed in a non-identifiable
33 form. All disclosures of health information made in a non-identifiable
34 form shall be limited to the minimum amount which the person making the
35 disclosure reasonably believes is necessary to accomplish the purpose of
36 the disclosure.
37 § 1004. Notice upon disclosure. 1. Every disclosure of health informa-
38 tion made pursuant to this article shall include a statement of policy
39 on the disclosure of health information of the entity disclosing such
40 information. Such statement of policy shall include the following or
41 substantially similar language in a clear, conspicuous, and distinctive
42 manner:
43 "Health information may contain information about a person or persons
44 which is highly sensitive and entitled to confidentiality and privacy
45 protection under federal and state laws. Various provisions of the laws
46 of this state may prohibit further disclosure of health information in
47 an identifiable form without the written and signed informed consent of
48 the person or persons to whom such information relates. Unauthorized
49 disclosure could result in the imposition of criminal and civil liabil-
50 ity, including imprisonment, fines, and monetary damages."
51 2. Upon the premises of any entity where health information is
52 disclosed or made accessible, there shall be conspicuously posted a
53 notice, in letters at least three inches in height, which shall include
54 the following or substantially similar language:
55 "Health information may contain information about a person or persons
56 which is highly sensitive and entitled to confidentiality and privacy
A. 2505 14
1 under federal and state laws. An 'unauthorized disclosure' is disclo-
2 sure of such information outside these premises in an identifiable form
3 without the written and signed informed consent of the person or persons
4 to whom the information relates. Unauthorized disclosure could result
5 in the imposition of criminal and civil liability, including imprison-
6 ment, fines, and monetary damages."
7 § 1005. Record of disclosures. Every entity possessing health informa-
8 tion shall, upon disclosure thereof, establish and maintain a record of
9 each disclosure. Such record shall include, but shall not be limited to:
10 1. the name, address, title, and institutional affiliation of any
11 person to whom health information is disclosed;
12 2. the date and purpose of the disclosure;
13 3. a brief description of the information disclosed; and
14 4. the legal authority for the disclosure.
15 § 1006. Disclosure without informed consent. No information shall be
16 disclosed without the written and signed informed consent of the person
17 to whom the information relates, unless such disclosure is made:
18 1. directly to the person to whom the health information relates;
19 2. to or between public health officials for the purpose of facilitat-
20 ing or accomplishing a legitimate public health objective consistent
21 with their legislative mandate, including:
22 (a) testing, screening, reporting, monitoring, or surveillance of
23 infectious or contagious diseases or other reportable and non-reportable
24 conditions or behavioral risk factors;
25 (b) investigations or interventions; and
26 (c) public health emergencies as determined by law;
27 3. in a non-identifiable manner for statistical purposes;
28 4. for the purpose of public health, epidemiological, medical, or
29 health services research, if:
30 (a) such information is non-identifiable; or
31 (b) such disclosures are made pursuant to compelling need for iden-
32 tifiable information and assurances of protections through the execution
33 of a confidentiality agreement, after review by an institutional review
34 board or committee. Every such agreement shall require any person
35 receiving such information to adhere to protections for the privacy and
36 security of the information equivalent to or greater than the
37 protections required by this article;
38 5. pursuant to any other provision of law; or
39 6. to a health care provider, to the extent necessary, in a medical
40 emergency, to protect the health of the person to whom the information
41 relates.
42 § 1007. Informed consent. 1. Except as otherwise authorized by this
43 article, health information shall not be disclosed without informed
44 consent.
45 2. Informed consent may be revoked in writing at any time. Such revo-
46 cation shall not take effect until the person in receipt of the informed
47 consent has been provided notice of the revocation thereof.
48 3. Every informed consent which does not include a date of expiration
49 shall be deemed to expire one hundred eighty days after the execution
50 thereof.
51 4. No person deemed by law to be incompetent may provide informed
52 consent; provided, however, that such person's parent, guardian, or
53 lawful representative may grant such consent on such person's behalf.
54 § 1008. Disclosure for criminal or civil litigation. No health infor-
55 mation shall be disclosed or compelled to be disclosed pursuant to any
56 criminal, civil, or administrative proceeding, except as follows:
A. 2505 15
1 1. A court of competent jurisdiction may order the disclosure of such
2 information upon a motion showing:
3 (a) a compelling need for the disclosure for the adjudication of a
4 cause of action, or
5 (b) that there may exist a clear and imminent danger to the health of
6 a person as the result of contact with the person to whom such informa-
7 tion relates, or
8 (c) there exists a clear and imminent danger to the public health and
9 welfare, or
10 (d) the disclosure is otherwise authorized pursuant to this article.
11 2. Upon issuance of an order pursuant to subdivision one of this
12 section, the court shall also order that all health information
13 disclosed pursuant to such order be sealed and be made available only to
14 the extent necessary for the conduct of the criminal or civil
15 proceedings, or as otherwise authorized by law.
16 3. (a) Every person about whom health information is sought pursuant
17 to this section and every person who possesses health information that
18 is sought pursuant to this section shall be notified of the motion for
19 disclosure of such information. Every such person shall have a right to
20 be heard by the court prior to the issuance of any order for the disclo-
21 sure of health information.
22 (b) An order for the disclosure of health information may be issued
23 without such notice and opportunity to be heard when the motion for
24 disclosure is submitted by a public health agency or public health offi-
25 cer and states the need for immediate action to avoid a clear and immi-
26 nent danger to the public health. In assessing whether there exists a
27 clear and immediate danger, the court shall weigh the need for disclo-
28 sure against:
29 (i) the private interests of the person to whom the health information
30 relates, and
31 (ii) any legitimate public health purpose which may be impaired by
32 such disclosure. The court shall thereafter issue a written finding of
33 facts statement.
34 4. Every order directing the disclosure of health information shall:
35 (a) limit such disclosure to that information which is necessary for
36 the proceeding;
37 (b) limit such disclosure to only those persons who have a need for
38 the health information in the conduct of the proceedings and prohibit
39 disclosure to any other person;
40 (c) include any other restrictions which the court deems necessary to
41 prevent any unauthorized disclosure; and
42 (d) conform to the provisions of this article.
43 § 1009. Criminal penalties. Any person who intentionally or knowingly
44 violates the provisions of this article or otherwise disseminates health
45 information that relates to any person without that person's informed
46 and expressed written consent is guilty of a misdemeanor which shall be
47 punishable by a fine of not more than five thousand dollars, or a term
48 of imprisonment not to exceed one year, or by both such fine and impri-
49 sonment.
50 § 1010. Civil remedy. 1. The attorney general or any person aggrieved
51 by a violation of this article may bring an action to enjoin such
52 violation of this article as may have occurred and obtain compensatory
53 damages, punitive damages, court costs, and reasonable attorneys' fees
54 upon prevailing.
55 2. A court shall award such additional relief and damages if it finds
56 that the defendant acted with malice.
A. 2505 16
1 3. (a) The provisions of this article may be enforced concurrently by
2 a county attorney, town attorney, city corporation counsel, or any other
3 lawful designee of a municipality. The court shall award costs and
4 reasonable attorneys' fees to such municipality where the chief legal
5 officer or his or her designee prevails. All moneys collected thereunder
6 shall be retained by such municipality.
7 (b) For the purposes of this section, the term "municipality" means
8 any county, city, town, or village.
9 § 1011. Immunity. No person who is the parent or legal guardian of a
10 minor or incompetent shall be subject to the provisions of this article
11 as a result of the disclosure of health information relating to such
12 minor or incompetent.
13 § 1012. Severability. If any section of this article or part thereof
14 is adjudged by a court of competent jurisdiction to be invalid, such
15 judgment shall not affect, impair, or invalidate the remainder of this
16 article or any other section or part thereof.
17 § 12. Section 215 of the civil practice law and rules is amended by
18 adding a new subdivision 9 to read as follows:
19 9. An action to recover damages for a violation of health information
20 privacy under section one thousand ten of the public health law.
21 § 13. The public service law is amended by adding a new article 5-A to
22 read as follows:
23 ARTICLE 5-A
24 TELECOMMUNICATIONS PRIVACY LAW
25 Section 104. Short title.
26 104-a. Definitions.
27 104-b. Collection, use, or disclosure of information.
28 104-c. Subscriber notice of carrier information practices.
29 104-d. Third parties.
30 104-e. Subscriber's right to inspect and correct information.
31 104-f. Monitoring or intercepting upstream communications chan-
32 nels.
33 104-g. Security measures.
34 104-h. Exception to written authorization requirement.
35 104-i. Examination or disclosure of aggregate data.
36 104-j. Enforcement.
37 104-k. Separability clause.
38 § 104. Short title. This article shall be known and may be cited as
39 the "telecommunications privacy law".
40 § 104-a. Definitions. As used in this article:
41 1. "Telecommunications" means the transmission between or among points
42 specified by the user, of information of the user's choosing, without
43 change in the form or content of the information as sent and received,
44 by means of electromagnetic transmission, with or without benefit of any
45 closed transmission medium, including all instrumentalities, facilities,
46 apparatus, and services (including the collection, storage, forwarding,
47 switching, and delivery of such information) essential to such trans-
48 mission.
49 2. "Telecommunications carrier" means any provider of telecommuni-
50 cation services.
51 3. "Subscriber" means any person who receives any form of telecommuni-
52 cations service and any other authorized user of a person's subscriber
53 terminal.
54 4. "Personally identifiable information" means any information that
55 identifies any person as a subscriber to, or user of, a telecommuni-
A. 2505 17
1 cations carrier, or that otherwise provides information about that indi-
2 vidual or his or her use of any service provided by a telecommunications
3 carrier, except listing information published in "white pages" directo-
4 ries.
5 5. "Ordinary course of business" means the provision of:
6 (a) the telecommunications service from which personally identifiable
7 information is derived, or
8 (b) services necessary to, or used in, the provision of such telecom-
9 munications service, including the publishing of directories.
10 6. "Upstream communications channel" means a signaling path provided
11 by a telecommunications carrier for the transmission of signals over a
12 telecommunications system from subscriber terminals.
13 7. "Intercept" means to acquire, at any time from initiation to
14 completion of a signal transmission over a telecommunications system,
15 the content of the information contained in that signal.
16 8. "Third party" means a person other than the subscriber or a tele-
17 communications carrier or any affiliate or agent thereof; but, such term
18 does not include an interconnecting carrier or an organization whose
19 objective is the detection, elimination, or reduction of toll fraud,
20 which has a demonstrable and reasonable requirement for personally iden-
21 tifiable information.
22 9. "Generally available database" means a single collection of
23 personally identifiable information generally used by a telecommuni-
24 cations carrier in the ordinary course of business. The personally iden-
25 tifiable information contained in such database may include such infor-
26 mation as subscriber name and address, amount due, equipment, billing
27 records, contracts with the subscriber, deposit information, payment
28 information, and billing adjustments.
29 § 104-b. Collection, use, or disclosure of information. A telecommuni-
30 cations carrier may collect, receive, store, aggregate, use, rent, sell,
31 release, or disclose personally identifiable information relating to any
32 subscriber, subscriber household, or user of a subscriber terminal only:
33 1. to the extent necessary to provide the carrier's telecommunications
34 services in the normal course of business;
35 2. with the subscriber's consent described in section one hundred
36 four-c of this article;
37 3. to detect the unauthorized receipt of telecommunications services,
38 including cooperative efforts among carriers to detect, eliminate, or
39 reduce toll fraud;
40 4. pursuant to a court order or subpoena;
41 5. as specifically permitted by the federal communications commission
42 or the public service commission; or
43 6. otherwise pursuant to law.
44 § 104-c. Subscriber notice of carrier information practices. 1. A
45 telecommunications carrier must notify a subscriber of the general
46 circumstances under which personally identifiable information may be
47 collected, used, or disclosed.
48 2. In the case of a subscriber's contract entered into on or before
49 the effective date of this article, the notice must be provided within
50 one hundred twenty days of the effective date of this article. In the
51 case of a subscriber's contract entered into after the effective date of
52 this article, the notice shall be provided at the time the contract is
53 entered into. After the initial notice, notice must be provided at
54 least annually.
55 3. Notice must be provided in writing, in plain English, and in a
56 clear and conspicuous manner.
A. 2505 18
1 4. The telecommunications carrier shall not use personally identifi-
2 able information in a manner other than that described in the notice
3 without further written notice to the subscriber and, where required by
4 this article, the consent of the subscriber.
5 5. A subscriber may withdraw his or her consent at any time. This
6 withdrawal shall take effect not more than thirty days after the
7 subscriber notifies the telecommunications carrier that consent has been
8 withdrawn.
9 6. A telecommunications carrier shall not refuse to provide any tele-
10 communications service to any person on account of that person's refus-
11 ing to grant consent to collect, use, or disclose personally identifi-
12 able information.
13 7. A telecommunications carrier must obtain a subscriber's affirmative
14 informed consent before the carrier may rent, release, or disclose the
15 subscriber's personally identifiable information to a third party,
16 except as authorized in section one hundred four-d of this article. Such
17 affirmative informed consent may be obtained only if the telecommuni-
18 cations carrier has notified the subscriber in a clear and conspicuous
19 written form of:
20 (a) the kind of personally identifiable information that the carrier
21 will collect and the intended use of that information;
22 (b) the nature, frequency, and purpose of any disclosure of that
23 information; and
24 (c) the persons to whom disclosure may be made.
25 § 104-d. Third parties. 1. The use of personally identifiable informa-
26 tion by those receiving the information from a telecommunications carri-
27 er pursuant to the provisions of this article is limited to the
28 expressed purposes for which the disclosure is made.
29 2. Concurrent with, or prior to, the provision of personally identifi-
30 able information being provided to others pursuant to the provisions of
31 this article, if personally identifiable information is provided on a
32 continuing basis, written notice shall be provided to the subscriber at
33 the time of, or prior to, the first release or transfer of such
34 personally identifiable material and annually thereafter.
35 3. A third party which has received personally identifiable informa-
36 tion pursuant to this article shall not retain that information if no
37 longer needed for the purposes for which it was acquired, nor shall the
38 party rent, sell, release, or otherwise disclose that information to any
39 person, unless the third party does so in accordance with the provisions
40 of this article.
41 4. Every third party receiving personally identifiable information
42 pursuant to this section shall certify annually to the information
43 provider in writing that it is complying with the provisions of this
44 article.
45 § 104-e. Subscriber's right to inspect and correct information. 1. A
46 telecommunications carrier shall disclose to a subscriber all personally
47 identifiable information which the carrier possesses pertaining to that
48 subscriber, stored on its generally applicable database, upon written
49 request of the subscriber. Such disclosure shall be made within thirty
50 days from the receipt of the subscriber's request.
51 2. A subscriber may request to examine a copy of the information
52 described in this section upon written notice. The information provided
53 to the subscriber shall be in a legible format, which is capable of
54 being understood by a reasonable person. The subscriber shall bear
55 reasonable copying and mailing costs occasioned by the examination.
A. 2505 19
1 3. A telecommunications carrier shall correct the information upon a
2 reasonable showing by the subscriber that personally identifiable infor-
3 mation contained therein is inaccurate. If the telecommunications carri-
4 er and subscriber cannot resolve a dispute about the accuracy of any
5 information concerning the subscriber, the subscriber may append to the
6 carrier's record of information a statement setting forth the nature of
7 the dispute. Such statement shall be retained in the carrier's records
8 for as long as the disputed information is retained. Within forty-five
9 days of receiving this notification from the subscriber, the telecommu-
10 nications carrier shall transmit a corrected copy of the information, or
11 the subscriber's appended statement, to any party which was given the
12 erroneous information. Copies of all such correspondence shall be sent
13 to the subscriber.
14 § 104-f. Monitoring or intercepting upstream communications channels.
15 1. Except as otherwise provided in this article, information derived
16 from any signal of an upstream communications channel transmitted from a
17 subscriber terminal for the purpose of monitoring individual household
18 or communicating patterns may not be disclosed, except with the written
19 authorization of the subscriber. Such authorizing document must explain
20 in clear and plain English that information concerning the subscriber's
21 viewing patterns or practices may be disclosed. The provision of tele-
22 phony services shall be exempt from the requirements of this subdivi-
23 sion.
24 2. Except as otherwise provided by law, no person shall intercept a
25 signal of an upstream communications channel transmitted from a
26 subscriber terminal, except the subscriber and the intended receiver of
27 the signal.
28 § 104-g. Security measures. A telecommunications carrier shall main-
29 tain such safeguards as are necessary to ensure the physical and elec-
30 tronic security and confidentiality of any personally identifiable
31 information concerning subscribers.
32 § 104-h. Exception to written authorization requirement. Written
33 authorization is not required for a telecommunications carrier to
34 conduct system-wide or individually addressed monitoring for the purpose
35 of verifying system integrity, controlling return transmission paths, or
36 for any purposes for which personally identifiable information may be
37 lawfully acquired pursuant to this article.
38 § 104-i. Examination or disclosure of aggregate data. This article
39 does not prohibit the examination of aggregate data by, or the disclo-
40 sure of such data to, any third party; provided that the data contains
41 no personally identifiable information concerning any subscriber, his or
42 her household, or any user of his or her terminal.
43 § 104-j. Enforcement. 1. Any person found to have violated this arti-
44 cle shall be liable to the aggrieved subscriber for all actual damages
45 sustained by such subscriber as a direct result of the violation and
46 such exemplary damages as the court may determine; provided that any
47 subscriber who prevails or substantially prevails in any action brought
48 under this section shall receive not less than five hundred dollars in
49 damages regardless of the amount of actual damage proved, plus costs,
50 disbursements, and reasonable attorneys' fees.
51 2. Whenever there shall be a violation of this article, an application
52 may be made by the attorney general in the name of the people of the
53 state of New York to a court or justice having jurisdiction by a special
54 proceeding to issue an injunction, and upon notice to the defendant of
55 not less than three days, to enjoin and restrain the continuation of
56 such violation; and if it shall appear to the satisfaction of the court
A. 2505 20
1 or justice that the defendant has, in fact, violated this article, an
2 injunction may be issued by such court or justice, enjoining and
3 restraining any further violation, without requiring proof that any
4 person has, in fact, been injured or damaged thereby. In any such
5 proceeding, the court may make allowances to the attorney general as
6 provided in paragraph six of subdivision (a) of section eighty-three
7 hundred three of the civil practice law and rules and direct restitu-
8 tion. Whenever the court shall determine that a grossly negligent
9 violation of this article has occurred, the court may impose a civil
10 penalty of not more than one thousand dollars for each violation. In
11 connection with any such proposed application, the attorney general is
12 authorized to take proof and make a determination of the relevant facts
13 and to issue subpoenas in accordance with the civil practice law and
14 rules.
15 3. (a) The provisions of this article may be enforced concurrently by
16 the county attorney, town attorney, city corporation counsel, or any
17 other lawful designee of a municipality. The court shall award costs
18 and reasonable attorneys' fees to such municipality where the chief
19 legal officer or his or her designee prevails. All moneys collected
20 thereunder shall be retained by such municipality.
21 (b) For the purposes of this section, the term "municipality" means
22 any county, city, town, or village.
23 4. The remedies provided by this article shall be in addition to any
24 other lawful remedy available to a subscriber.
25 5. No action may be brought under the provisions of this section
26 unless such action is commenced within two years of the date of the act
27 complained of or of the date of discovery of such act.
28 § 104-k. Separability clause. If any clause, paragraph, section, or
29 part of this article shall be adjudged by any court of competent juris-
30 diction to be invalid or unconstitutional, such judgment shall not
31 affect, impair, or invalidate the remainder thereof, but shall be
32 confined in its operation to the clause, sentence, paragraph, section,
33 or part thereof directly involved in the controversy in which such judg-
34 ment shall have been rendered.
35 § 14. This act shall take effect January 1, 2004, except that any
36 rules and regulations necessary for the timely implementation of this
37 act on its effective date are authorized and directed to be made and
38 completed on or before such date.