STATE OF NEW YORK
________________________________________________________________________
2115
2003-2004 Regular Sessions
IN SENATE
February 20, 2003
___________
Introduced by Sens. MORAHAN, DeFRANCISCO, McGEE -- read twice and
ordered printed, and when printed to be committed to the Committee on
Codes
AN ACT to amend the civil rights law, the general business law, the
public health law, the civil practice law and rules, and the public
service law, in relation to the protection and preservation of the
right of personal privacy and to repeal article 32 of the general
business law relating to the video consumer privacy act
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. Short title. This act shall be known and may be cited as
2 the "Personal Privacy Act of 2004".
3 § 2. Legislative findings and intent. The legislature finds and
4 declares that the development and preservation of the right of privacy
5 has been unduly interfered with for commercial and economic purposes
6 through the advancement and uninhibited use of telecommunications and
7 computer-based information sharing technologies. It further finds and
8 declares that the law of privacy and the sanctity of the individual have
9 been unduly constrained and otherwise restricted by judicial decisions
10 further limiting the right of privacy to enumerated statutory
11 provisions, and that the people of this state have therefore been
12 deprived of and otherwise denied the protection offered by a law of
13 privacy. The legislature therefore declares that an absolute right of
14 privacy is recognized in this state, and that each individual shall have
15 a cause of action for invasions of privacy.
16 The legislature further finds and declares that the rules of
17 construction requiring statutes in derogation of the common law to be
18 strictly construed shall have no application to this act, and that the
19 right of privacy recognized by this act shall be broadly construed to
20 strengthen the development of the law of privacy in a manner consistent
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD05547-02-3
S. 2115 2
1 with the freedoms and responsibilities enumerated in the state and
2 federal constitutions.
3 § 3. Article 5 of the civil rights law is amended by adding a new
4 section 49 to read as follows:
5 § 49. Right to privacy. 1. For purposes of this section: (a) "person"
6 means a natural person; (b) a "public figure" means any person who,
7 through his or her profession, achievements, or style of life, has been
8 made or otherwise become the object of public interest and scrutiny.
9 2. All persons have a right to privacy, which includes but is not
10 limited to the following rights:
11 (a) Security from intrusion upon solitude or isolation. Each person
12 has the right to be secure from unreasonable intrusion upon his or her
13 seclusion or solitude.
14 A person aggrieved by a violation of the provisions of this paragraph
15 may maintain an action to obtain redress pursuant to the provisions of
16 paragraph (d) of this subdivision for any unreasonable intrusion or
17 violation of his or her right of seclusion or solitude. In any such
18 action, the plaintiff must plead and prove the occurrence of an invasion
19 or intrusion into aspects of his or her life either: (i) that he or she
20 reasonably wishes to maintain in privacy and keep secure from the scru-
21 tiny of any observer, or (ii) which invasion or intrusion was or is
22 highly offensive or objectionable to a reasonable person of ordinary
23 sensibilities. The publication, broadcast, transmission, or dissem-
24 ination by any means, whether commercial or personal, is a required
25 element of a cause of action for intrusion on seclusion or solitude. In
26 any such action, it is not necessary for a plaintiff to plead or prove
27 that any person who made an intrusive disclosure benefited from such
28 disclosure.
29 (b) Security from unreasonable publicity given to private life. Each
30 person has the right to be secure from unreasonable publicity being
31 given to that person's private life.
32 A person aggrieved by a violation of the provisions of this paragraph
33 may maintain an action to obtain redress pursuant to the provisions of
34 paragraph (d) of this subdivision for any unreasonable publicity given
35 to that person's private life. In any such action, the plaintiff must
36 plead and prove that: (i) there has been a public disclosure of a
37 private fact, (ii) the fact that has been made public is one that would
38 be highly embarrassing to a reasonable person of ordinary sensibilities,
39 and (iii) the fact disclosed is not of legitimate concern to the public.
40 For purposes of this subdivision, a person deemed by a court of compe-
41 tent jurisdiction to be a public figure does not have a diminished
42 privacy interest. In any such action, it is not necessary for a plain-
43 tiff to plead or prove that any person who made a public disclosure
44 benefited from such disclosure.
45 (c) Security from publicity placing person in a false light. Each
46 person has the right to be secure from publicity that places that person
47 in a false light before the public. A person aggrieved by a violation of
48 the provisions of this paragraph may maintain an action to obtain
49 redress pursuant to the provisions of paragraph (d) of this subdivision
50 for any unreasonable publicity given to that person's private life. In
51 any such action, the plaintiff must plead and prove that: (i) there has
52 been a public disclosure attributing to such person any characteristics,
53 conduct, or beliefs that are false or misleading and have the capacity
54 to place such person in a false light, (ii) any of the false character-
55 istics, conduct, or beliefs which have been publicly disclosed would be
56 highly offensive or objectionable to a reasonable person of ordinary
S. 2115 3
1 sensibilities, and (iii) the discloser of the false characteristics,
2 conduct, or beliefs which placed the plaintiff in a false light had
3 knowledge of, or acted in reckless disregard as to, the falsity of the
4 matters disclosed. In any such action, it is not necessary for a plain-
5 tiff to plead or prove that any person who made a disclosure of such
6 false characteristics, conduct, or beliefs benefited from such disclo-
7 sure.
8 (d) Any person whose privacy has been invaded in any of the manners
9 provided for in this subdivision may make an application and bring an
10 action in a court of competent jurisdiction to obtain: (i) An injunction
11 to enjoin and restrain such invasion of privacy, and, if it appears to
12 the court that the privacy of such person has been invaded, an injunc-
13 tion shall be issued by the court enjoining and restraining such inva-
14 sion; (ii) Actual damages sustained as a result of such invasion of
15 privacy and such exemplary damages and other remedies as the court deems
16 appropriate; and (iii) Such costs and fees as may have been necessary to
17 bring such action and reasonable attorneys' fees.
18 (e) In any action for invasion of privacy in which publication, broad-
19 cast, or any other electronic transmission is an element of the cause of
20 action, the defenses of consent, newsworthiness, and qualified or abso-
21 lute privilege shall be available to ensure that the freedoms guaranteed
22 by the United States and New York state constitutions shall not be
23 infringed.
24 (f) Such causes of action provided for by this section shall be in
25 addition to any other cause of action provided under section fifty,
26 fifty-a, fifty-b, fifty-c, fifty-d, or fifty-one of this article.
27 § 4. Section 50 of the civil rights law is amended to read as follows:
28 § 50. Right of privacy; nonconsensual use of name or likeness. A
29 person, firm [or], partnership, corporation, association, limited
30 liability company, or other entity that uses for advertising purposes,
31 or for the purposes of trade, the name, portrait [or], picture, voice,
32 actual performance, identity, nickname, or objects of any living person
33 without having first obtained the written consent of such person, or if
34 a minor of his or her parent or guardian, is guilty of a misdemeanor.
35 § 5. Section 51 of the civil rights law, as amended by chapter 674 of
36 the laws of 1995, is amended to read as follows:
37 § 51. Action for injunction and [for] damages; nonconsensual use of
38 name or likeness. Any person whose name, portrait, picture [or], voice,
39 actual performance, identity, nickname, or objects is used within this
40 state for advertising purposes or for the purposes of trade without the
41 written consent first obtained as [above] provided in section fifty of
42 this article may maintain an equitable action in the supreme court of
43 this state against the person, firm [or], partnership, corporation,
44 association, limited liability company, or other entity so using his or
45 her name, portrait, picture [or], voice, actual performance, identity,
46 nickname, or objects, to prevent and restrain the use thereof and obtain
47 such costs and fees as may have been necessary to bring such action; and
48 may also sue and obtain costs and reasonable legal fees and recover
49 damages for any injuries sustained by reason of such use and if the
50 defendant shall have knowingly used such person's name, portrait,
51 picture [or], voice, actual performance, identity, nickname, or objects
52 in such manner as is forbidden or declared to be unlawful by section
53 fifty of this article, the jury, in its discretion, may award exemplary
54 damages. But nothing contained in this article shall be so construed as
55 to prevent any person, firm [or], partnership, corporation, association,
56 limited liability company, or other entity from selling or otherwise
S. 2115 4
1 transferring any material containing such name, portrait, picture [or],
2 voice, actual performance, identity, nickname, or objects in whatever
3 medium to any user of such name, portrait, picture [or], voice, actual
4 performance, identity, nickname, or objects, or to any third party for
5 sale or transfer directly or indirectly to such a user, for use in a
6 manner lawful under this article; nothing contained in this article
7 shall be so construed as to prevent any person, firm [or], partnership,
8 corporation, association, limited liability company, or other entity,
9 practicing the profession of photography, from exhibiting in or about
10 his or her or its establishment specimens of the work of such establish-
11 ment, unless the same is continued by such person, firm [or], partner-
12 ship, corporation, association, limited liability company, or other
13 entity after written notice objecting thereto has been given by the
14 person portrayed; and nothing contained in this article shall be so
15 construed as to prevent any person, firm [or], partnership, corporation,
16 association, limited liability company, or other entity from using the
17 name, portrait, picture [or], voice, actual performance, identity, nick-
18 name, or objects of any manufacturer or dealer in connection with the
19 goods, wares and merchandise manufactured, produced or dealt in by him
20 or her which he or she has sold or disposed of with such name, portrait,
21 picture [or], voice, actual performance, identity, nickname, or objects
22 used in connection therewith; or from using the name, portrait, picture
23 [or], voice, actual performance, identity, nickname, or objects of any
24 author, composer or artist in connection with his or her literary,
25 musical or artistic productions which he or she has sold or disposed of
26 with such name, portrait, picture [or], voice, actual performance, iden-
27 tity, nickname, or objects used in connection therewith. Nothing
28 contained in this section shall be construed to prohibit the copyright
29 owner of a sound or video recording from disposing of, dealing in,
30 licensing or selling that sound or video recording to any party, if the
31 right to dispose of, deal in, license or sell such sound or video
32 recording has been conferred by contract or other written document by
33 such living person or the holder of such right. Nothing contained in the
34 foregoing sentence shall be deemed to abrogate or otherwise limit any
35 rights or remedies otherwise conferred by federal law or state law.
36 § 6. Article 5 of the civil rights law is amended by adding two new
37 sections 52-a and 52-b to read as follows:
38 § 52-a. Recording and reproducing visual images and conversations.
39 Except as provided for in articles seven hundred and seven hundred five
40 of the criminal procedure law, or for the protection of personal proper-
41 ty within a residence, the protection of property within the premises of
42 a business or organization, the protection of commercial or residential
43 real estate, or for the authorized reporting of public events by employ-
44 ees of news gathering and reporting organizations, or by private inves-
45 tigators registered with or licensed by the secretary of state, and
46 after having provided written notification and obtaining a permit or
47 other written authorization for the use of any device that is designed
48 to record or reproduce any visual image or conversation within the mean-
49 ing of this section and as may be provided for by law or regulation by
50 any state, county, or municipal authority, or for purposes of traffic
51 control by any duly designated agency of government, a person is guilty
52 of unlawfully recording a visual image or conversation when, with
53 intent, he or she chemically, mechanically, or electronically records or
54 otherwise reproduces any visual image or conversation without the know-
55 ledge or expressed consent of any person whose image or conversation he
56 or she is recording or reproducing.
S. 2115 5
1 § 52-b. Privacy of official records. 1. No public entity, nor any
2 officer or employee thereof, shall disclose any information derived from
3 highway, bridge, tunnel, and other thoroughfare toll records, and commu-
4 ter railroad and transit facility records, including E-Z Pass and all
5 other pass card system records; provided, however, that the provisions
6 of this subdivision shall not prohibit a public entity, in its
7 discretion from entering into agreements with any other public entities
8 for the provision of such information when necessary to further the
9 public entity's official functions.
10 2. Notwithstanding any other provision of law, an agency of government
11 in receipt of a request for a record which contains any personal infor-
12 mation shall reject such a request if the agency determines that the
13 record sought would, if disclosed, be used for any commercial purpose or
14 any other purpose unrelated to any of the purposes for which the agency
15 maintains such records.
16 3. The provisions of this section shall not apply to a police agency,
17 a district attorney or his or her assistants, the attorney general or
18 his or her deputies or assistants, or a grand jury in connection with
19 their law enforcement functions.
20 4. For purposes of this section, "public entity" means any state or
21 local department, agency, board, bureau, division, commission, public
22 authority, public benefit corporation, office, or any other entity
23 performing a governmental or proprietary function for the state or any
24 of its political subdivisions.
25 § 7. Article 32 of the general business law, as added by chapter 457
26 of the laws of 1993, is REPEALED and a new article 32-A is added to read
27 as follows:
28 ARTICLE 32-A
29 WRONGFUL DISCLOSURE OF PROTECTED PERSONAL INFORMATION
30 Section 676. Definitions.
31 677. Wrongful disclosure of protected personal information.
32 678. Civil liability.
33 § 676. Definitions. 1. "Commercial entity" means any person, firm,
34 partnership, corporation, association, limited liability company, or
35 other entity:
36 (a) who for commercial, financial, or professional gain, monetary
37 fees, dues, or on a cooperative, nonprofit, or pro-bono basis, engages
38 in the practice of collecting personal protected information;
39 (b) who obtains protected personal information pursuant to this chap-
40 ter; or
41 (c) who is any employee, agent, or contractor of a person or entity
42 covered under paragraph (a) or (b) of this subdivision.
43 2. "Disclose" means to release, publish, share, transfer, transmit,
44 disseminate, show, or otherwise divulge protected personal information
45 to any person other than the person who is the subject of such informa-
46 tion. Use of protected personal information within the entity in accord-
47 ance with the provisions of this article shall not constitute disclo-
48 sure.
49 3. "Protected personal information" means individually identifiable
50 information about an individual, including:
51 (a) first, middle, and last names,
52 (b) home or any other physical or legal address or domicile, including
53 street name and name of a city, town, or village,
54 (c) electronic mail address,
55 (d) telephone number,
S. 2115 6
1 (e) social security number, and
2 (f) purchases and purchasing habits or activities.
3 4. The term "consumer" means any renter, purchaser, or subscriber of
4 goods or services from a commercial entity.
5 5. The term "ordinary course of business" means debt collection activ-
6 ities, order fulfillment, request processing, and the transfer of owner-
7 ship.
8 § 677. Wrongful disclosure of protected personal information. 1. A
9 commercial entity which discloses to any person or other commercial
10 entity, protected personal information relating to any customer of such
11 provider shall be liable to the aggrieved person for the relief provided
12 in section six hundred seventy-eight of this article.
13 2. A commercial entity shall disclose protected personal information
14 relating to any consumer:
15 (a) to a grand jury pursuant to a grand jury subpoena;
16 (b) pursuant to a court order, in a civil proceeding upon the showing
17 of compelling need for the information that cannot be accommodated by
18 any other means, or in a criminal proceeding upon a showing of legiti-
19 mate need for the information that cannot be accommodated by any other
20 means, if:
21 (i) the consumer is given reasonable notice, by the person seeking the
22 disclosure, of the court proceeding relevant to the issuance of the
23 court order;
24 (ii) the consumer is afforded the opportunity to appear and contest
25 the claim of the person seeking the disclosure; and
26 (iii) the court imposes appropriate safeguards against unauthorized
27 disclosure;
28 (c) to a law enforcement agency pursuant to a warrant lawfully
29 obtained under the laws of this state or the United States; or
30 (d) to a court pursuant to a civil action to enforce collection or
31 payment past due or to demonstrate the existence of a business relation-
32 ship. Notwithstanding the provisions of this paragraph, the court shall
33 impose appropriate safeguards against unauthorized disclosure of
34 protected personal information.
35 3. A commercial entity may disclose protected personal information
36 concerning any consumer:
37 (a) to the consumer;
38 (b) to any person with the informed written consent of the consumer;
39 or
40 (c) to any person directly involved in the commercial transaction with
41 the consumer where the disclosure is incidental to the ordinary course
42 of business.
43 4. Protected personal information obtained in any manner other than as
44 provided in this section shall not be received in evidence in any trial,
45 hearing, arbitration, or any other proceeding in or before any court,
46 grand jury, department, officer, agency, regulatory body, legislative
47 committee, or other authority of the state or any political subdivision
48 thereof.
49 § 678. Civil liability. 1. Whenever the court shall determine that a
50 violation of section six hundred seventy-seven of this article has
51 occurred, if such violation constitutes the first such offense by such
52 person, firm, partnership, corporation, association, limited liability
53 company, or other entity, the court shall impose a civil penalty not to
54 exceed five hundred dollars for each instance where it has been deter-
55 mined that a consumer's privacy has been violated. A second offense and
56 any subsequent offense shall be punishable by a civil penalty of one
S. 2115 7
1 thousand dollars for each instance where it has been determined that a
2 consumer's privacy has been violated.
3 2. Whenever the attorney general determines that any violation of
4 section six hundred seventy-seven of this article has occurred he may
5 bring an action consistent with the provisions of subdivision (b) of
6 section three hundred forty-nine of this chapter. In any such action the
7 court shall award costs and reasonable attorneys' fees to the state of
8 New York where the attorney general prevails.
9 3. The provisions of this article may be enforced concurrently by the
10 director of a municipal consumer affairs office or by the county, town,
11 or village attorney, city corporation counsel, or other lawful designee
12 of a municipality. The court shall award costs and reasonable attorneys'
13 fees to the municipality where the chief legal officer or his or her
14 designee prevails. All moneys collected thereunder shall be retained by
15 the municipality.
16 4. Any person whose right of privacy has been interfered with because
17 of a violation of section six hundred seventy-seven of this article may
18 bring an action in his or her own name to enjoin any individual, firm,
19 partnership, corporation, limited liability company, or other entity
20 from violating this article and to recover such actual and exemplary
21 damages, in addition to such costs and reasonable attorneys' fees, as
22 the court may determine reasonable.
23 § 8. The general business law is amended by adding two new sections
24 394-f and 394-g to read as follows:
25 § 394-f. Unsolicited advertisements. 1. For purposes of this section,
26 the following terms have the following meanings:
27 (a) "Personal information" means any data contained in a record that
28 allows for the identification of a person including, but not limited to,
29 a name in conjunction with a residence address, electronic mail address,
30 telephone number, social security number, date of birth, physical
31 description, profession, medical history, income, or credit rating.
32 (b) "Unsolicited advertisement" means any written solicitation for the
33 purchase, lease, rent, contract, or investment in property, goods, or
34 services, including the offering of a prize or award in exchange for
35 attendance or purchase at any location for purposes of a solicitation,
36 or contribution to any natural person without that natural person's
37 expressed consent or authorization.
38 (c) "Unsolicited electronic advertisement" means the initiation or any
39 other transmission of any telephone call, electronic mail, telefax
40 communication, internet transmission or any other form of electronic
41 communication soliciting the purchase, lease, rent, contract, or invest-
42 ment in property, goods, or services, including the offer of a prize or
43 award in exchange for attendance or purchase at any location for
44 purposes of a solicitation, or contribution to any natural person with-
45 out that natural person's expressed consent or authorization.
46 (d) "Consumer" means a natural person who is solicited to purchase,
47 lease, rent, contract, or invest in property, goods, or services includ-
48 ing receiving a prize or award in exchange for a purchase or attendance.
49 (e) "Established business relationship" means a prior or existing
50 relationship formed by a voluntary communication between a consumer and
51 a person, firm, partnership, corporation, association, limited liability
52 company, or other entity on the basis of an application, purchase, or
53 transaction by the consumer regarding property, goods, or services
54 offered by such person, firm, partnership, corporation, association,
55 limited liability company, or other entity within the past year, which
56 relationship has not been terminated by the consumer or the person,
S. 2115 8
1 firm, partnership, corporation, association, limited liability company,
2 or other entity.
3 2. Whenever a person, firm, partnership, corporation, association,
4 limited liability company, or other entity purchases or acquires through
5 trade a listing of consumers utilized in any direct, unsolicited adver-
6 tisement, such person, firm, partnership, corporation, association,
7 limited liability company, or other entity shall provide clear and
8 conspicuous written notice to the consumer within the advertisement or
9 affixed thereto of the consumer's right, hereby granted, of deleting his
10 or her name and address from such mailing list and of his or her right
11 not to receive any further unsolicited advertisements. Such written
12 disclosure shall also indicate that such consumer may at any time delete
13 his or her name from such mailing list. Such written disclosure shall
14 provide a reasonable and simple method by which the consumer can exer-
15 cise such preference.
16 3. (a) Whenever a person, firm, partnership, corporation, association,
17 limited liability company, or other entity purchases or acquires through
18 trade a listing of consumers utilized in any unsolicited telephone
19 advertisement, such person, firm, partnership, corporation, association,
20 limited liability company, or other entity shall disclose to such
21 consumer that he or she has the right, hereby granted, of deleting his
22 or her name, address, and telephone number from such telephone list and
23 of his or her right not to receive any further unsolicited telephone
24 advertisement.
25 (b) Such disclosure shall be made at the beginning of the telephone
26 call and shall be made in a clear and conspicuous manner and shall
27 inform the consumer that he or she can remove his or her name, telephone
28 number, and address from the list at any time and shall inform the
29 consumer of the reasonable and simple means including, but not limited
30 to, verbally advising the caller by which the consumer can exercise such
31 preference.
32 4. Such person, firm, partnership, corporation, association, limited
33 liability company, or other entity referred to in subdivisions two and
34 three of this section shall maintain an exclusion list and shall not
35 send any unsolicited advertisement or make any unsolicited telephone
36 advertisement to any consumer on such list. Such person, firm, partner-
37 ship, corporation, association, limited liability company, or other
38 entity is prohibited from using such list for any purpose other than
39 compliance with the requirements of this section, and such person, firm,
40 partnership, corporation, association, limited liability company, or
41 other entity shall not, sell, rent, exchange, or otherwise make avail-
42 able such exclusion list to any third party.
43 5. No person, firm, partnership, corporation, association, limited
44 liability company, or other entity shall be deemed to have violated the
45 provisions of this section if such person, firm, partnership, corpo-
46 ration, association, limited liability company, or other entity shows,
47 by a preponderance of the evidence, that the violation was not inten-
48 tional and resulted from a bona fide error made notwithstanding the
49 maintenance of procedures reasonably adopted to avoid any such error.
50 6. Disclosure shall not be required in such instances where a person,
51 firm, partnership, corporation, association, limited liability company,
52 or other entity has established a business relationship with a consumer
53 through the sale of goods, services, securities, or real property.
54 7. Whenever the court determines that a violation of subdivision two
55 or three of this section has occurred, the court shall impose a civil
56 penalty not to exceed two hundred fifty dollars for each instance where
S. 2115 9
1 it has been determined that a consumer's privacy has been violated.
2 Whenever the court determines that a violation of subdivision four of
3 this section has occurred, if such violation constitutes the first such
4 offense by such person, firm, partnership, corporation, association,
5 limited liability company, or other entity, the court shall impose a
6 civil penalty not to exceed five hundred dollars for each instance where
7 it has been determined that a consumer's privacy has been violated. A
8 second offense and any subsequent offense shall be punishable by a civil
9 penalty of one thousand dollars for each instance where it has been
10 determined that a consumer's privacy has been violated.
11 8. (a) Whenever the attorney general determines that any violation of
12 subdivision two, three, or four of this section has occurred, he or she
13 may bring an action consistent with the provisions of subdivision (b) of
14 section three hundred forty-nine of this chapter. In any such action,
15 the court shall award costs and reasonable attorneys' fees to the state
16 of New York where the attorney general prevails.
17 (b) The provisions of this section may be enforced concurrently by the
18 director of a municipal consumer affairs office or by the county, town,
19 or village attorney, city corporation counsel, or other lawful designee
20 of a municipality. The court shall award costs and reasonable attor-
21 neys' fees to such municipality where the chief legal officer or his or
22 her designee prevails. All moneys collected thereunder shall be retained
23 by the municipality.
24 (c) Any person whose right of privacy has been interfered with because
25 of a violation of this section may bring an action in his or her own
26 name to enjoin any individual, firm, partnership, corporation, limited
27 liability company, or other entity from violating subdivision two,
28 three, or four of this section and to recover such real and exemplary
29 damages, in addition to such costs and reasonable attorneys' fees, as
30 the court may determine reasonable.
31 § 394-g. Sale, rental, or exchange of personal identification informa-
32 tion. 1. For purposes of this section the term:
33 (a) "Commercial purposes" means the solicitation for the purchase,
34 lease, contract, or investment in property, goods, or services, includ-
35 ing the offering of a prize in exchange for a purchase or for attendance
36 at any location for the purposes of a solicitation, the solicitation for
37 a contribution, or the business of compiling personal identification
38 information for sale, lease, or rent.
39 (b) "Personal identification information" means any information
40 including, but not limited to, a natural person's name, address, tele-
41 phone or fax number, electronic mail address, occupation, age, gender,
42 credit history and rating, purchasing history, and services contracted.
43 (c) "Consumer" means a natural person about whom personal identifica-
44 tion information has been collected.
45 2. Every person, firm, partnership, corporation, association, limited
46 liability company, or other entity who sells, rents, exchanges, or
47 releases personal identification information to any other person, part-
48 nership, corporation, association, limited liability company, or other
49 entity for their commercial purposes shall:
50 (a) upon initial contact with a consumer, provide clear and conspicu-
51 ous written notification, and at least annually thereafter shall provide
52 written notification, of such practice to each consumer of their prac-
53 tice of selling, renting, exchanging, or releasing personal identifica-
54 tion information;
S. 2115 10
1 (b) clearly inform each consumer of the option of prohibiting the
2 sale, rental, exchange, or release of their personal identification
3 information for such commercial purpose;
4 (c) provide written notification to each consumer at least fifteen
5 days prior to the commencement of any sale, rental, exchange, or release
6 of any personal identification information to any other person, firm,
7 partnership, corporation, association, limited liability company, or
8 other entity for commercial purposes.
9 3. Such notifications as may be required by subdivision two of this
10 section may be inserted in a billing statement or other mailing,
11 provided that the notification is made in a clear and conspicuous
12 manner. Such notification shall provide a reasonable and simple method
13 whereby a consumer may indicate his or her preference of permitting or
14 prohibiting the sale, rental, exchange, or release of personal informa-
15 tion to another person, firm, partnership, corporation, association,
16 limited liability company, or other entity for commercial purposes.
17 4. Every person, firm, partnership, corporation, association, limited
18 liability company, or other entity engaging in the practices described
19 in paragraph (a) of subdivision two of this section shall maintain a
20 list of those consumers who have exercised their option of being
21 excluded from any sale, lease, exchange, or release of their personal
22 identification information.
23 5. No person, firm, partnership, corporation, association, limited
24 liability company, or other entity shall be deemed to have violated the
25 provisions of this section if such person, partnership, corporation,
26 association, limited liability company, or other entity shows by a
27 preponderance of evidence that the violation was not intentional and
28 resulted from a bona fide error made notwithstanding the maintenance of
29 procedures reasonably adopted to avoid such error.
30 6. The provisions of this section prohibiting the release of informa-
31 tion shall not apply to the reporting of necessary information to
32 consumer reporting agencies, in compliance with the provisions of the
33 federal fair credit reporting act (15 U.S.C. section 1681 et seq.) and
34 article twenty-five of this chapter, known as the "fair credit reporting
35 act", and any regulations promulgated thereunder.
36 7. Whenever the court determines that a violation of subdivision two
37 or three of this section has occurred, the court shall impose a civil
38 penalty not to exceed two hundred fifty dollars for each instance where
39 it has been determined that a consumer's privacy has been violated.
40 Whenever the court determines that a violation of subdivision four of
41 this section has occurred, if such violation constitutes the first such
42 offense by such person, firm, partnership, corporation, association,
43 limited liability company, or other entity, the court shall impose a
44 civil penalty not to exceed five hundred dollars for each instance where
45 it has been determined that a consumer's privacy has been violated. A
46 second offense and any subsequent offense shall be punishable by a civil
47 penalty of one thousand dollars for each instance where it has been
48 determined that a consumer's privacy has been violated.
49 8. (a) Whenever the attorney general determines that any violation of
50 subdivision two, three, or four of this section has occurred, he or she
51 may bring an action consistent with the provisions of subdivision (b) of
52 section three hundred forty-nine of this chapter. In any such action,
53 the court shall award costs and reasonable attorneys' fees to the state
54 of New York where the attorney general prevails.
55 (b) The provisions of this section may be enforced concurrently by the
56 director of a municipal consumer affairs office or by the county, town,
1 or village attorney, city corporation counsel, or other lawful designee
2 of a municipality. The court shall award costs and reasonable attor-
3 neys' fees to such municipality where the chief legal officer or his or
4 her designee prevails. All moneys collected thereunder shall be retained
5 by the municipality.
6 (c) Any person whose right of privacy has been interfered with because
7 of a violation of this section may bring an action in his or her own
8 name to enjoin any individual, firm, partnership, corporation, limited
9 liability company, or other entity from violating subdivision two,
10 three, or four of this section and to recover such actual and exemplary
11 damages, in addition to such costs and reasonable attorneys' fees, as
12 the court may determine reasonable.
13 § 9. Section 380-l of the general business law, as amended by chapter
14 619 of the laws of 2002, is amended to read as follows:
15 § 380-l. Civil liability for [willful] noncompliance. Any person,
16 firm, partnership, corporation, [or] association, limited liability
17 company, or other entity whose [knowing and willful] violation of
18 section three hundred eighty-s of this article resulted in the trans-
19 mission or provision to a consumer reporting agency of information that
20 would otherwise not have been transmitted or provided, and any consumer
21 reporting agency or user of information who or which [willfully and
22 knowingly] fails to comply with any requirement imposed under this arti-
23 cle with respect to any consumer is liable to that consumer in an amount
24 equal to the sum of:
25 (a) Any actual damages sustained by the consumer as a result of such
26 failure or as a result of a violation of section three hundred eighty-s
27 of this article;
28 (b) Such amount of punitive damages as the court may allow; and
29 (c) In the case of any successful action to enforce any liability
30 under this section, the costs of the action together with reasonable
31 attorney's fees as determined by the court.
32 § 10. Section 380-t of the general business law, as relettered by
33 chapter 619 of the laws of 2002, is relettered section 380-u and a new
34 section 380-t is added to read as follows:
35 § 380-t. Enforcement. 1. Upon any violation of this article, an appli-
36 cation may be made by the attorney general in the name of the people of
37 the state to a court having jurisdiction. If it shall appear to the
38 satisfaction of the court that the respondent has violated any provision
39 of this article, an injunction may be issued, enjoining and restraining
40 any further violation, without requiring proof that any person has, in
41 fact, been injured or damaged thereby. In any such proceeding, the court
42 may make allowances to the attorney general as provided in paragraph six
43 of subdivision (a) of section eight thousand three hundred three of the
44 civil practice law and rules, and direct restitution. Whenever the court
45 determines that a violation of this section has occurred, the court may
46 impose a civil penalty of not more than one thousand dollars per
47 violation.
48 2. The provisions of this article may be enforced concurrently by the
49 director of a municipal consumer affairs office or by the county, town,
50 or village attorney, city corporation counsel, or other lawful designee
51 of a municipality. The court shall award costs and reasonable attorneys'
52 fees to such municipality where the chief legal officer or his or her
53 designee prevails. All moneys collected thereunder shall be retained by
54 the municipality.
55 3. Any person aggrieved by a violation of this article may bring an
56 action in his or her own name to enjoin any individual, firm, partner-
1 ship, corporation, association, limited liability company, or other
2 entity from engaging in any further violation of this article and may
3 request such real and exemplary damages in addition to such costs and
4 reasonable attorneys' fees as the court may determine.
5 § 11. The public health law is amended by adding a new article 10 to
6 read as follows:
7 ARTICLE 10
8 HEALTH INFORMATION PRIVACY
9 Section 1000. Definitions.
10 1001. Application.
11 1002. Duty to maintain the confidentiality of health informa-
12 tion.
13 1003. Disclosure.
14 1004. Notice upon disclosure.
15 1005. Record of disclosures.
16 1006. Disclosure without informed consent.
17 1007. Informed consent.
18 1008. Disclosure for criminal or civil litigation.
19 1009. Criminal penalties.
20 1010. Civil remedy.
21 1011. Immunity.
22 1012. Severability.
23 § 1000. Definitions. As used in this article:
24 1. "Disclose", "disclosed" and "disclosure" means the release, trans-
25 fer, dissemination, or provision of access to or other communication of
26 all or any portion of health information by any means to any other
27 person, firm, partnership, corporation, association, limited liability
28 company, or other entity.
29 2. "Health information" means any information which identifies or can
30 be readily associated with the identity of a person and relates to the
31 person's genetic structure, past, present, or future physical or mental
32 health status, condition, treatment, service, products purchased or
33 provision of care.
34 3. "Informed consent" means a written and signed authorization for
35 disclosure of health information by the person to whom such information
36 relates. Every such informed consent shall be dated and state the person
37 or persons to whom disclosure is authorized.
38 4. "Legitimate public health purpose" means those population-based
39 activities or individual efforts primarily aimed at the prevention of
40 injury, disease, or premature mortality, or promotion of health in the
41 community, including (a) assessing the health needs and status of the
42 community through public health surveillance and epidemiological
43 research, (b) developing public health policy, (c) responding to public
44 health needs and emergencies, and (d) such other public health related
45 activities or efforts specifically authorized by federal or state law.
46 5. "Non-identifiable information" means any health related information
47 which does not identify nor can readily be associated with any specific
48 person through other information, including names, social security
49 numbers, addresses, employers, medical providers, insurance providers,
50 unique identifiers, or other facts, without the use of encryption, a
51 code, a key, or any other technological tool.
52 6. "Public health" means population-based activities or individual
53 efforts primarily aimed at the prevention of injury, disease or prema-
54 ture mortality, or the promotion of health.
1 7. "Public health agency" means any organization, operated or funded
2 in whole or in part by the federal government, the state or any local
3 government, which collects, maintains, uses, or stores health informa-
4 tion for public health purposes. Such organizations shall include, but
5 not be limited to, public health offices established by federal, state,
6 or local law, testing laboratories, testing facilities, treatment clin-
7 ics, research facilities, and information storage facilities.
8 8. "Public health information" means any health information that is
9 collected, maintained, used, disclosed, or stored by any public health
10 agency, including information regarding whether the agency possesses
11 such information.
12 9. "Public health official" means any officer, employee, contractor,
13 intern, or volunteer of a public health agency with authorization from
14 the agency or pursuant to law to collect, maintain, use, disclose, or
15 store public health information.
16 10. "Public information" means information which is available to the
17 general public for inspection and review pursuant to article six of the
18 public officers law.
19 11. "Use and used" means to employ or utilize all or any part of
20 health information by any means.
21 § 1001. Application. The provisions of this article apply to all
22 disclosures of health information which are otherwise subject to the
23 provisions of this chapter or to which any other provision of law
24 applies.
25 § 1002. Duty to maintain the confidentiality of health information. 1.
26 Health information shall be collected, maintained, used, and stored in a
27 manner which ensures the confidentiality and integrity of such informa-
28 tion.
29 2. Health information shall not be deemed to be public information and
30 shall not be disclosed, except as authorized by this article.
31 3. No provision of this article shall be deemed to limit the disclo-
32 sure of health information by the person to whom such information
33 relates.
34 § 1003. Disclosure. Health information disclosed without informed
35 consent shall, whenever practicable, be disclosed in a non-identifiable
36 form. All disclosures of health information made in a non-identifiable
37 form shall be limited to the minimum amount which the person making the
38 disclosure reasonably believes is necessary to accomplish the purpose of
39 the disclosure.
40 § 1004. Notice upon disclosure. 1. Every disclosure of health informa-
41 tion made pursuant to this article shall include a statement of policy
42 on the disclosure of health information of the entity disclosing such
43 information. Such statement of policy shall include the following or
44 substantially similar language in a clear, conspicuous, and distinctive
45 manner:
46 "Health information may contain information about a person or persons
47 which is highly sensitive and entitled to confidentiality and privacy
48 protection under federal and state laws. Various provisions of the laws
49 of this state may prohibit further disclosure of health information in
50 an identifiable form without the written and signed informed consent of
51 the person or persons to whom such information relates. Unauthorized
52 disclosure could result in the imposition of criminal and civil liabil-
53 ity, including imprisonment, fines, and monetary damages."
54 2. Upon the premises of any entity where health information is
55 disclosed or made accessible, there shall be conspicuously posted a
1 notice, in letters at least three inches in height, which shall include
2 the following or substantially similar language:
3 "Health information may contain information about a person or persons
4 which is highly sensitive and entitled to confidentiality and privacy
5 under federal and state laws. An 'unauthorized disclosure' is disclo-
6 sure of such information outside these premises in an identifiable form
7 without the written and signed informed consent of the person or persons
8 to whom the information relates. Unauthorized disclosure could result
9 in the imposition of criminal and civil liability, including imprison-
10 ment, fines, and monetary damages."
11 § 1005. Record of disclosures. Every entity possessing health informa-
12 tion shall, upon disclosure thereof, establish and maintain a record of
13 each disclosure. Such record shall include, but shall not be limited to:
14 1. the name, address, title, and institutional affiliation of any
15 person to whom health information is disclosed;
16 2. the date and purpose of the disclosure;
17 3. a brief description of the information disclosed; and
18 4. the legal authority for the disclosure.
19 § 1006. Disclosure without informed consent. No information shall be
20 disclosed without the written and signed informed consent of the person
21 to whom the information relates, unless such disclosure is made:
22 1. directly to the person to whom the health information relates;
23 2. to or between public health officials for the purpose of facilitat-
24 ing or accomplishing a legitimate public health objective consistent
25 with their legislative mandate, including:
26 (a) testing, screening, reporting, monitoring, or surveillance of
27 infectious or contagious diseases or other reportable and non-reportable
28 conditions or behavioral risk factors;
29 (b) investigations or interventions; and
30 (c) public health emergencies as determined by law;
31 3. in a non-identifiable manner for statistical purposes;
32 4. for the purpose of public health, epidemiological, medical, or
33 health services research, if:
34 (a) such information is non-identifiable; or
35 (b) such disclosures are made pursuant to compelling need for iden-
36 tifiable information and assurances of protections through the execution
37 of a confidentiality agreement, after review by an institutional review
38 board or committee. Every such agreement shall require any person
39 receiving such information to adhere to protections for the privacy and
40 security of the information equivalent to or greater than the
41 protections required by this article;
42 5. pursuant to any other provision of law; or
43 6. to a health care provider, to the extent necessary, in a medical
44 emergency, to protect the health of the person to whom the information
45 relates.
46 § 1007. Informed consent. 1. Except as otherwise authorized by this
47 article, health information shall not be disclosed without informed
48 consent.
49 2. Informed consent may be revoked in writing at any time. Such revo-
50 cation shall not take effect until the person in receipt of the informed
51 consent has been provided notice of the revocation thereof.
52 3. Every informed consent which does not include a date of expiration
53 shall be deemed to expire one hundred eighty days after the execution
54 thereof.
1 4. No person deemed by law to be incompetent may provide informed
2 consent; provided, however, that such person's parent, guardian, or
3 lawful representative may grant such consent on such person's behalf.
4 § 1008. Disclosure for criminal or civil litigation. No health infor-
5 mation shall be disclosed or compelled to be disclosed pursuant to any
6 criminal, civil, or administrative proceeding, except as follows:
7 1. A court of competent jurisdiction may order the disclosure of such
8 information upon a motion showing:
9 (a) a compelling need for the disclosure for the adjudication of a
10 cause of action, or
11 (b) that there may exist a clear and imminent danger to the health of
12 a person as the result of contact with the person to whom such informa-
13 tion relates, or
14 (c) there exists a clear and imminent danger to the public health and
15 welfare, or
16 (d) the disclosure is otherwise authorized pursuant to this article.
17 2. Upon issuance of an order pursuant to subdivision one of this
18 section, the court shall also order that all health information
19 disclosed pursuant to such order be sealed and be made available only to
20 the extent necessary for the conduct of the criminal or civil
21 proceedings, or as otherwise authorized by law.
22 3. (a) Every person about whom health information is sought pursuant
23 to this section and every person who possesses health information that
24 is sought pursuant to this section shall be notified of the motion for
25 disclosure of such information. Every such person shall have a right to
26 be heard by the court prior to the issuance of any order for the disclo-
27 sure of health information.
28 (b) An order for the disclosure of health information may be issued
29 without such notice and opportunity to be heard when the motion for
30 disclosure is submitted by a public health agency or public health offi-
31 cer and states the need for immediate action to avoid a clear and immi-
32 nent danger to the public health. In assessing whether there exists a
33 clear and immediate danger, the court shall weigh the need for disclo-
34 sure against:
35 (i) the private interests of the person to whom the health information
36 relates, and
37 (ii) any legitimate public health purpose which may be impaired by
38 such disclosure. The court shall thereafter issue a written finding of
39 facts statement.
40 4. Every order directing the disclosure of health information shall:
41 (a) limit such disclosure to that information which is necessary for
42 the proceeding;
43 (b) limit such disclosure to only those persons who have a need for
44 the health information in the conduct of the proceedings and prohibit
45 disclosure to any other person;
46 (c) include any other restrictions which the court deems necessary to
47 prevent any unauthorized disclosure; and
48 (d) conform to the provisions of this article.
49 § 1009. Criminal penalties. Any person who intentionally or knowingly
50 violates the provisions of this article or otherwise disseminates health
51 information that relates to any person without that person's informed
52 and expressed written consent is guilty of a misdemeanor which shall be
53 punishable by a fine of not more than five thousand dollars, or a term
54 of imprisonment not to exceed one year, or by both such fine and impri-
55 sonment.
1 § 1010. Civil remedy. 1. The attorney general or any person aggrieved
2 by a violation of this article may bring an action to enjoin such
3 violation of this article as may have occurred and obtain compensatory
4 damages, punitive damages, court costs, and reasonable attorneys' fees
5 upon prevailing.
6 2. A court shall award such additional relief and damages if it finds
7 that the defendant acted with malice.
8 3. (a) The provisions of this article may be enforced concurrently by
9 a county attorney, town attorney, city corporation counsel, or any other
10 lawful designee of a municipality. The court shall award costs and
11 reasonable attorneys' fees to such municipality where the chief legal
12 officer or his or her designee prevails. All moneys collected thereunder
13 shall be retained by such municipality.
14 (b) For the purposes of this section, the term "municipality" means
15 any county, city, town, or village.
16 § 1011. Immunity. No person who is the parent or legal guardian of a
17 minor or incompetent shall be subject to the provisions of this article
18 as a result of the disclosure of health information relating to such
19 minor or incompetent.
20 § 1012. Severability. If any section of this article or part thereof
21 is adjudged by a court of competent jurisdiction to be invalid, such
22 judgment shall not affect, impair, or invalidate the remainder of this
23 article or any other section or part thereof.
24 § 12. Section 215 of the civil practice law and rules is amended by
25 adding a new subdivision 9 to read as follows:
26 9. An action to recover damages for a violation of health information
27 privacy under section one thousand ten of the public health law.
28 § 13. The public service law is amended by adding a new article 5-A to
29 read as follows:
30 ARTICLE 5-A
31 TELECOMMUNICATIONS PRIVACY LAW
32 Section 104. Short title.
33 104-a. Definitions.
34 104-b. Collection, use, or disclosure of information.
35 104-c. Subscriber notice of carrier information practices.
36 104-d. Third parties.
37 104-e. Subscriber's right to inspect and correct information.
38 104-f. Monitoring or intercepting upstream communications chan-
39 nels.
40 104-g. Security measures.
41 104-h. Exception to written authorization requirement.
42 104-i. Examination or disclosure of aggregate data.
43 104-j. Enforcement.
44 104-k. Separability clause.
45 § 104. Short title. This article shall be known and may be cited as
46 the "telecommunications privacy law".
47 § 104-a. Definitions. As used in this article:
48 1. "Telecommunications" means the transmission between or among points
49 specified by the user, of information of the user's choosing, without
50 change in the form or content of the information as sent and received,
51 by means of electromagnetic transmission, with or without benefit of any
52 closed transmission medium, including all instrumentalities, facilities,
53 apparatus, and services (including the collection, storage, forwarding,
54 switching, and delivery of such information) essential to such trans-
55 mission.
1 2. "Telecommunications carrier" means any provider of telecommuni-
2 cation services.
3 3. "Subscriber" means any person who receives any form of telecommuni-
4 cations service and any other authorized user of a person's subscriber
5 terminal.
6 4. "Personally identifiable information" means any information that
7 identifies any person as a subscriber to, or user of, a telecommuni-
8 cations carrier, or that otherwise provides information about that indi-
9 vidual or his or her use of any service provided by a telecommunications
10 carrier, except listing information published in "white pages" directo-
11 ries.
12 5. "Ordinary course of business" means the provision of:
13 (a) the telecommunications service from which personally identifiable
14 information is derived, or
15 (b) services necessary to, or used in, the provision of such telecom-
16 munications service, including the publishing of directories.
17 6. "Upstream communications channel" means a signaling path provided
18 by a telecommunications carrier for the transmission of signals over a
19 telecommunications system from subscriber terminals.
20 7. "Intercept" means to acquire, at any time from initiation to
21 completion of a signal transmission over a telecommunications system,
22 the content of the information contained in that signal.
23 8. "Third party" means a person other than the subscriber or a tele-
24 communications carrier or any affiliate or agent thereof; but, such term
25 does not include an interconnecting carrier or an organization whose
26 objective is the detection, elimination, or reduction of toll fraud,
27 which has a demonstrable and reasonable requirement for personally iden-
28 tifiable information.
29 9. "Generally available database" means a single collection of
30 personally identifiable information generally used by a telecommuni-
31 cations carrier in the ordinary course of business. The personally iden-
32 tifiable information contained in such database may include such infor-
33 mation as subscriber name and address, amount due, equipment, billing
34 records, contracts with the subscriber, deposit information, payment
35 information, and billing adjustments.
36 § 104-b. Collection, use, or disclosure of information. A telecommuni-
37 cations carrier may collect, receive, store, aggregate, use, rent, sell,
38 release, or disclose personally identifiable information relating to any
39 subscriber, subscriber household, or user of a subscriber terminal only:
40 1. to the extent necessary to provide the carrier's telecommunications
41 services in the normal course of business;
42 2. with the subscriber's consent described in section one hundred
43 four-c of this article;
44 3. to detect the unauthorized receipt of telecommunications services,
45 including cooperative efforts among carriers to detect, eliminate, or
46 reduce toll fraud;
47 4. pursuant to a court order or subpoena;
48 5. as specifically permitted by the federal communications commission
49 or the public service commission; or
50 6. otherwise pursuant to law.
51 § 104-c. Subscriber notice of carrier information practices. 1. A
52 telecommunications carrier must notify a subscriber of the general
53 circumstances under which personally identifiable information may be
54 collected, used, or disclosed.
55 2. In the case of a subscriber's contract entered into on or before
56 the effective date of this article, the notice must be provided within
1 one hundred twenty days of the effective date of this article. In the
2 case of a subscriber's contract entered into after the effective date of
3 this article, the notice shall be provided at the time the contract is
4 entered into. After the initial notice, notice must be provided at
5 least annually.
6 3. Notice must be provided in writing, in plain English, and in a
7 clear and conspicuous manner.
8 4. The telecommunications carrier shall not use personally identifi-
9 able information in a manner other than that described in the notice
10 without further written notice to the subscriber and, where required by
11 this article, the consent of the subscriber.
12 5. A subscriber may withdraw his or her consent at any time. This
13 withdrawal shall take effect not more than thirty days after the
14 subscriber notifies the telecommunications carrier that consent has been
15 withdrawn.
16 6. A telecommunications carrier shall not refuse to provide any tele-
17 communications service to any person on account of that person's refus-
18 ing to grant consent to collect, use, or disclose personally identifi-
19 able information.
20 7. A telecommunications carrier must obtain a subscriber's affirmative
21 informed consent before the carrier may rent, release, or disclose the
22 subscriber's personally identifiable information to a third party,
23 except as authorized in section one hundred four-d of this article. Such
24 affirmative informed consent may be obtained only if the telecommuni-
25 cations carrier has notified the subscriber in a clear and conspicuous
26 written form of:
27 (a) the kind of personally identifiable information that the carrier
28 will collect and the intended use of that information;
29 (b) the nature, frequency, and purpose of any disclosure of that
30 information; and
31 (c) the persons to whom disclosure may be made.
32 § 104-d. Third parties. 1. The use of personally identifiable informa-
33 tion by those receiving the information from a telecommunications carri-
34 er pursuant to the provisions of this article is limited to the
35 expressed purposes for which the disclosure is made.
36 2. Concurrent with, or prior to, the provision of personally identifi-
37 able information being provided to others pursuant to the provisions of
38 this article, if personally identifiable information is provided on a
39 continuing basis, written notice shall be provided to the subscriber at
40 the time of, or prior to, the first release or transfer of such
41 personally identifiable material and annually thereafter.
42 3. A third party which has received personally identifiable informa-
43 tion pursuant to this article shall not retain that information if no
44 longer needed for the purposes for which it was acquired, nor shall the
45 party rent, sell, release, or otherwise disclose that information to any
46 person, unless the third party does so in accordance with the provisions
47 of this article.
48 4. Every third party receiving personally identifiable information
49 pursuant to this section shall certify annually to the information
50 provider in writing that it is complying with the provisions of this
51 article.
52 § 104-e. Subscriber's right to inspect and correct information. 1. A
53 telecommunications carrier shall disclose to a subscriber all personally
54 identifiable information which the carrier possesses pertaining to that
55 subscriber, stored on its generally applicable database, upon written
1 request of the subscriber. Such disclosure shall be made within thirty
2 days from the receipt of the subscriber's request.
3 2. A subscriber may request to examine a copy of the information
4 described in this section upon written notice. The information provided
5 to the subscriber shall be in a legible format, which is capable of
6 being understood by a reasonable person. The subscriber shall bear
7 reasonable copying and mailing costs occasioned by the examination.
8 3. A telecommunications carrier shall correct the information upon a
9 reasonable showing by the subscriber that personally identifiable infor-
10 mation contained therein is inaccurate. If the telecommunications carri-
11 er and subscriber cannot resolve a dispute about the accuracy of any
12 information concerning the subscriber, the subscriber may append to the
13 carrier's record of information a statement setting forth the nature of
14 the dispute. Such statement shall be retained in the carrier's records
15 for as long as the disputed information is retained. Within forty-five
16 days of receiving this notification from the subscriber, the telecommu-
17 nications carrier shall transmit a corrected copy of the information, or
18 the subscriber's appended statement, to any party which was given the
19 erroneous information. Copies of all such correspondence shall be sent
20 to the subscriber.
21 § 104-f. Monitoring or intercepting upstream communications channels.
22 1. Except as otherwise provided in this article, information derived
23 from any signal of an upstream communications channel transmitted from a
24 subscriber terminal for the purpose of monitoring individual household
25 or communicating patterns may not be disclosed, except with the written
26 authorization of the subscriber. Such authorizing document must explain
27 in clear and plain English that information concerning the subscriber's
28 viewing patterns or practices may be disclosed. The provision of tele-
29 phony services shall be exempt from the requirements of this subdivi-
30 sion.
31 2. Except as otherwise provided by law, no person shall intercept a
32 signal of an upstream communications channel transmitted from a
33 subscriber terminal, except the subscriber and the intended receiver of
34 the signal.
35 § 104-g. Security measures. A telecommunications carrier shall main-
36 tain such safeguards as are necessary to ensure the physical and elec-
37 tronic security and confidentiality of any personally identifiable
38 information concerning subscribers.
39 § 104-h. Exception to written authorization requirement. Written
40 authorization is not required for a telecommunications carrier to
41 conduct system-wide or individually addressed monitoring for the purpose
42 of verifying system integrity, controlling return transmission paths, or
43 for any purposes for which personally identifiable information may be
44 lawfully acquired pursuant to this article.
45 § 104-i. Examination or disclosure of aggregate data. This article
46 does not prohibit the examination of aggregate data by, or the disclo-
47 sure of such data to, any third party; provided that the data contains
48 no personally identifiable information concerning any subscriber, his or
49 her household, or any user of his or her terminal.
50 § 104-j. Enforcement. 1. Any person found to have violated this arti-
51 cle shall be liable to the aggrieved subscriber for all actual damages
52 sustained by such subscriber as a direct result of the violation and
53 such exemplary damages as the court may determine; provided that any
54 subscriber who prevails or substantially prevails in any action brought
55 under this section shall receive not less than five hundred dollars in
1 damages regardless of the amount of actual damage proved, plus costs,
2 disbursements, and reasonable attorneys' fees.
3 2. Whenever there shall be a violation of this article, an application
4 may be made by the attorney general in the name of the people of the
5 state of New York to a court or justice having jurisdiction by a special
6 proceeding to issue an injunction, and upon notice to the defendant of
7 not less than three days, to enjoin and restrain the continuation of
8 such violation; and if it shall appear to the satisfaction of the court
9 or justice that the defendant has, in fact, violated this article, an
10 injunction may be issued by such court or justice, enjoining and
11 restraining any further violation, without requiring proof that any
12 person has, in fact, been injured or damaged thereby. In any such
13 proceeding, the court may make allowances to the attorney general as
14 provided in paragraph six of subdivision (a) of section eighty-three
15 hundred three of the civil practice law and rules and direct restitu-
16 tion. Whenever the court shall determine that a grossly negligent
17 violation of this article has occurred, the court may impose a civil
18 penalty of not more than one thousand dollars for each violation. In
19 connection with any such proposed application, the attorney general is
20 authorized to take proof and make a determination of the relevant facts
21 and to issue subpoenas in accordance with the civil practice law and
22 rules.
23 3. (a) The provisions of this article may be enforced concurrently by
24 the county attorney, town attorney, city corporation counsel, or any
25 other lawful designee of a municipality. The court shall award costs
26 and reasonable attorneys' fees to such municipality where the chief
27 legal officer or his or her designee prevails. All moneys collected
28 thereunder shall be retained by such municipality.
29 (b) For the purposes of this section, the term "municipality" means
30 any county, city, town, or village.
31 4. The remedies provided by this article shall be in addition to any
32 other lawful remedy available to a subscriber.
33 5. No action may be brought under the provisions of this section
34 unless such action is commenced within two years of the date of the act
35 complained of or of the date of discovery of such act.
36 § 104-k. Separability clause. If any clause, paragraph, section, or
37 part of this article shall be adjudged by any court of competent juris-
38 diction to be invalid or unconstitutional, such judgment shall not
39 affect, impair, or invalidate the remainder thereof, but shall be
40 confined in its operation to the clause, sentence, paragraph, section,
41 or part thereof directly involved in the controversy in which such judg-
42 ment shall have been rendered.
43 § 14. This act shall take effect January 1, 2004, except that any
44 rules and regulations necessary for the timely implementation of this
45 act on its effective date are authorized and directed to be made and
46 completed on or before such date.