Bill > A2584

Introduced Session

This bill requires an online service operator (operator) to notify consumers of the collection and disclosure of "personally identifiable information," as that term is defined in the bill, to third parties. An operator that collects the personally identifiable information of a consumer through an online service is to provide on its online service notification to a consumer that includes, but is not limited to: 1) the categories of the personally identifiable information that the operator collects through the online service about a consumer who uses or visits the online service; 2) all third parties to which the operator may disclose a consumer's personally identifiable information; 3) whether a third party may collect personally identifiable information about a consumer's online activities over time and across different online services when the consumer uses the online service of the operator; 4) a description of the process for an individual consumer who uses or visits the online service to review and request changes to any of the consumer's personally identifiable information that is collected by the online service of the operator; 5) the process by which the operator notifies consumers who use or visit the online service of material changes to the notification required to be made available pursuant to the bill, along with the effective date of the notice; and 6) information concerning one or more designated request addresses of the operator. This bill requires that an operator that discloses a consumer's personally identifiable information to a third party make the following information available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address: the category or categories of a consumer's personally identifiable information that were disclosed; and the category or categories of the third parties that received the consumer's personally identifiable information. An operator that receives a request from a consumer is to provide a response to the consumer within 60 days of its verification of the request and is to provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months. The bill provides that an operator that collects the personally identifiable information of a consumer through its online service and sells the personally identifiable information of the consumer is to clearly and conspicuously post a link on its online service, or in another prominently accessible location the online service maintains for consumer privacy settings, to an Internet webpage maintained by the operator which enables a consumer, by verified request, to opt in to the sale of the consumer's personally identifiable information. The method by which a consumer may opt in is required to be in a form and manner determined by the operator, provided that a consumer is not to be required to establish an account with the operator in order to opt into the sale of a consumer's personally identifiable information. An operator is prohibited from discriminating against a consumer if the consumer chooses to opt out of the sale of the consumer's personally identifiable information. The provisions of the bill are not to prohibit the operator from offering consumer discounts, loyalty programs, or other incentives for the sale of the consumer's personally identifiable information, or to provide different services to consumers that are reasonably related to the value of the relevant data, provided the operator has clearly and conspicuously disclosed to the consumer that the offered incentives require consenting to the sale or processing of personally identifiable information that the consumer otherwise has a right to opt out of. The provisions of the bill are not to apply to certain types of information and institutions listed in the bill. Nothing in the bill is to require an operator to re-identify de-identified data or to collect, retain, use, link, or combine personally identifiable information concerning a consumer that it otherwise would not. Additionally, nothing in this bill is to be construed as the basis for, or subject to, a private right of action. The Attorney General is to have sole authority to enforce a violation of the bill.

AI Summary

Committee Categories

Jessica Ramirez (D)*,  Wayne DeAngelo (D),  Anthony Verrelli (D),  Benjie Wimberly (D), 

Withdrawn Because Approved P.L.2023, c.266. (on 01/09/2024)

Official Document