New York 2023-2024 Regular Session

New York Senate Bill S05662 Latest Draft

Bill / Introduced Version Filed 03/13/2023

STATE OF NEW YORK
5662
2023-2024 Regular Sessions
IN SENATE
March 13, 2023

Introduced by Sens. GOUNARDES, HOYLMAN-SIGAL, JACKSON -- read twice and ordered printed, and when printed to be committed to the Committee on Finance

AN ACT to amend the executive law and the tax law, in relation to establishing the data economy labor compensation and accountability act

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. Short title. This act shall be known and may be cited as the "data economy labor compensation and accountability act".

§ 2. Legislative intent. a. The legislature finds that the commercialization of personal consumer data has wrought wholesale and disruptive transformations in our global markets, politics, psychology, socialization, and the basic functioning of society;

b. The legislature further finds that, according to a 2016 Rockefeller Foundation study Data Financing for the Global Good, the "data economy," in which millions of data points are endlessly gathered, organized, and exchanged by a series of vendors for the purpose of deriving value from accumulated information, has produced enough value in industrialized countries to equal 4% of their gross domestic product;

c. The legislature further finds that the consumers whose emails, texts, Internet searches, purchasing history, profile information, swipes, clicks, and more have produced such tremendous amounts of value do not receive the direct dividends of their labor;

d. The legislature further finds that large swaths of our global and national society have yet to benefit from the revolution wrought by such commercialization of their data and technology at large;

e. The legislature further finds that the proliferation of targeted advertising based on the sale, transfer, or licensing of personal consumer data has led to an exploitation of individual users' attention, leading to reduced productivity, mental acuity, and overall emotional and social well-being as well as overcrowding of digital spaces and depletion of the "common good" of limited user attention;

f. The legislature further finds that the collection and storage of vast amounts of personal consumer data carries an inherent risk of security breach if such data is compromised;

g. The legislature hereby declares that a levy on the gross receipts of commercial interests engaged in such commodification will erode the aforementioned negative externalities by incentivizing companies to collect fewer points of personal consumer data, to provide fair market value dividends directly to consumers in exchange for their productive labor, to proactively mitigate the security risks of data breaches, and to more judiciously preserve the commons of digital space and limited user attention;

h. The legislature further declares that a levy on the gross receipts of such commercial interests will redistribute the wealth created by the value of consumers from the shareholders who exploit this free labor back to the people who generate such labor;

i. The legislature further declares that the creation of a "data tax" will put New York on par with other domestic and foreign states such as Maryland, Vermont, and Austria who have similarly recognized the social, economic, and ethical justification for such tax.

§ 3. The executive law is amended by adding a new article 51 to read as follows:

ARTICLE 51
OFFICE OF CONSUMER DATA PROTECTION

Section 1004. Definitions.
1005. Applicability.
1006. Office of consumer data protection.
1007. Annual report.

§ 1004. Definitions. For the purposes of this article, the following terms shall have the following meanings:

1. "Code of conduct" shall mean a set of written policies adopted by a data controller or processor in order to facilitate compliance with the provisions of this article and any regulations promulgated by the office of consumer data protection, taking into account the specific characteristics of the data controller or processor's data operations. All codes of conduct shall be approved by the office of consumer data protection. Either a code of conduct or the data protection certification described in subdivision eight of this section may be used to demonstrate compliance with the provisions of this article and with data protection regulations promulgated by the office of consumer data protection.

2. "Consumer" shall mean a natural person who is a New York resident.

3. "Data breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4. "Data controller" or "controller" shall mean a natural or legal person which, alone or jointly with others, determines the purposes and means of processing of personal data. This includes but is not limited to any business, website, or platform that collects data while selling electronic advertising space on its platform tailored to any one or any aggregation of the items of personal data defined in this section. No data controller is exempt from the requirements of this article if they are processing pseudonymized data, whereby processing means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means. For purposes of this subdivision "pseudonymized" or "pseudonymization" means the processing of personal data in a manner that renders the personal data no longer attributable to a specific data subject without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable data subject. Any entity participating in real time auctions to facilitate the sale of digital advertising space, any entity collecting anonymized or aggregated data for the purpose of advertising, marketing, or transferring data to any party purchasing digital advertising space, and any company collecting the data of data subjects via an internet or phone-based platform, application or website registry that also markets or advertises products to consumers are considered data controllers under this article.

5. "Data operations" shall mean the collection, storage, transfer, sale, or licensing of personal data by a data controller or data processor.

6. "Data processor" or "processor" shall mean a natural or legal person that processes data on behalf of the controller. Provided, however, that when such natural or legal person is both a data controller and data processor, as defined in this section, such person shall be deemed one entity for the purposes of registration as described in paragraph (b) of subdivision two of section one thousand six of this article and taxation as described in section one hundred eighty-five of the tax law.

7. "Data protection audit" shall mean an audit conducted by the office of consumer data protection in order to assess whether a data controller or processor is in compliance with a data controller or processor's code of conduct, regulations promulgated by the office, and/or any relevant federal, state or local law. The office of consumer data protection shall adopt a rating system of "high assurance," "reasonable assurance," "limited assurance," and "very limited assurance" to measure levels of compliance with such code of conduct, laws and regulations.

8. "Data protection certification" shall refer to a certification, created by the office of consumer data protection, which serves to demonstrate compliance with the provisions of this article and with data protection regulations promulgated by such office. Data protection certification shall be voluntary for all data controllers and processors. The office shall create the criteria for such certification. Successful certification may be demonstrated by a certificate, seal, or mark which data controllers and processors may conspicuously display.

9. "Data protection impact assessment" shall mean an internal evaluation which the office of consumer data protection requires data controllers and processors to carry out in order to evaluate the level of risk associated with such controller or processor's data operations. Such assessment shall examine the origin, nature, particularity, and severity of such risk. Where a data protection impact assessment indicates that a controller or processor's data operations involve a high degree of risk, as determined by the office of consumer data protection, which cannot be mitigated by appropriate measures, such controller or processor shall be obligated to receive express approval from the office of consumer data protection prior to commencing or resuming data operations.

10. "Data subject" or "subject" shall mean a natural person for whom a data controller holds personal data, as defined in subdivision thirteen of this section, and who can be identified, directly or indirectly, by reference to such personal data.

11. "Newly established" shall refer to a limited history of data operations as determined by the office of consumer data protection. Such office may consider factors such as date of incorporation or other form of organization, whether in this state or another state, territory, district, province, nation or other jurisdiction, foreign or domestic, amount of capital raised, the entrepreneurial nature of a data controller or processor's business, or any other factor the office deems relevant in determining limited operating history and an initial date of data operations, provided that such office shall promulgate regulations with the guidelines used for determining such date and that such office shall adhere to such guidelines consistently when determining such date for all data controllers and processors required to register under paragraph (b) of subdivision two of section one thousand six of this article.

12. "Office" shall mean the office of consumer data protection established by section one thousand six of this article.

13. "Personal data" shall mean any computerized information about a data subject as set forth in this subdivision that is not made publicly available through federal, state or local government agencies or any publicly available information as it relates to a data subject's business license, status or profession, regardless of whether it is collected for the purpose of selling or transferring it to another entity. Personal data shall mean information that identifies, relates to, describes or is reasonably linked to a particular data subject or household, including but not limited to:

(a) physical address;
(b) legal name;
(c) alias;
(d) unique personal identifier;
(e) online identifier;
(f) internet protocol address;
(g) email address;
(h) account name;
(i) social security number;
(j) driver's license number;
(k) passport number;
(l) place of birth;
(m) mother's maiden name;
(n) date of birth;
(o) phone number;
(p) audio, visual, thermal or olfactory data;
(q) profession or employment related information;
(r) medical history, records of past medical treatment, or any diagnosis of a physical or mental health condition, including diagnosis, treatment or referral for addiction or substance abuse;
(s) educational information that is not already publicly available through a local, state, or federal agency;
(t) real time geolocation data or stored geolocation history;
(u) any unique biometric data, body measurement, technical analysis or measurements collected for the purpose of allowing a data subject to authenticate the subject on a device, internet application, or web-based platform;
(v) names and identifying information of a subject's immediate family;
(w) internet or any other electronic network activity, including browsing history, search history, and information regarding a subject's activity on a website or interaction with an electronic advertisement;
(x) any other information that alone, or combined with any of the information described in this subdivision, could be reasonably used to identify an individual data subject or household; and
(y) any inferences drawn from any of the combined forms of personal data that are used to create a profile of the data subject reflecting the subject's preferences, choices, characteristics, psychological trends, intelligence, aptitude, physical health or behavior.

"Personal data" shall also include any information which creates probabilistic identifiers that can be used to isolate, individualize, or identify a data subject or device to a degree of certainty more probable than not based on any item of personal information defined in this subdivision.

14. "Sale" or "sold" shall mean the disclosure, dissemination, making available, release, transfer, conveyance, license, rental, or other commercialization of data by a data controller to a third party, whether commercialization occurs via access to raw data or via use of platform interface rather than direct access to raw data. This definition shall include dissemination of data, orally, in writing, or by electronic or other means, for monetary or other valuable consideration, or otherwise for a commercial purpose, by a data controller to a third party.

15. "Third party" shall mean a natural or legal person, public authority, agency, or body other than the data subject, data controller, or data processor of the data controller.

§ 1005. Applicability. 1. The provisions of this article shall not apply to a data controller or data processor who, as determined by the office, collects, processes, or sells personal data in a way that is deemed incidental to such controller or processor's ordinary course of business, taking into account the nature, context, scope, and purposes of such data collection, processing, or sale.

2. The office shall further be empowered to exempt from the provisions of this article any data controller or processor who, as determined by such office, derives no economic benefit from such controller or processor's data operations or whose data operations are required in order to comply with a legal obligation or in the exercise of official authority, or for any other purpose, as determined by the office, which serves to further the public interest.

§ 1006. Office of consumer data protection. 1. (a) There is hereby created an office of consumer data protection, to be governed by a seven-member consumer data protection board. The board shall consist of a chairperson nominated by the governor with the advice and consent of the senate, with one vote, and six other voting board members. The governor shall have two additional appointments to the board with the advice and consent of the senate, and the temporary president of the senate and the speaker of the assembly shall have two appointments each. The members of the consumer data protection board shall engage in no occupation incompatible with their duties prescribed in this section, whether gainful or not, and shall take steps they deem necessary and proper to shield all decision making processes of the board from unwarranted and inappropriate communications and attempts to influence.

(b) The members of the consumer data protection board shall be subject to a duty of professional secrecy both during and after their terms on such board, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall apply to reporting by natural persons of infringements of this article.

(c) A member of the consumer data protection board may be dismissed before the expiration of such member's term by such member's appointing authority only in a case of serious misconduct or if such member violates the terms of paragraph (a) or (b) of this subdivision.

(d) The consumer data protection board shall appoint an executive director of the office who shall supervise all day-to-day operations of such office. The executive director may appoint necessary deputies, counsels, assistants, investigators, and other employees in order to effectuate the provisions of this article.

(e) The consumer data protection board shall ensure that the office is provided with the human, technical, and financial resources, premises, and infrastructure necessary for the effective performance of its tasks and exercise of its powers described in subdivision two of this section.

2. The office shall retain the following administrative powers and responsibilities:

(a) The office shall promulgate any and all rules and regulations it deems necessary to properly safeguard personal data, including whether and how data subjects shall consent to the processing of such data, whether and how data subjects are granted access to personal data, whether and how data subjects can request erasure of personal data, whether and how data subjects can object to the processing of their personal data for commercial purposes, any steps that a data controller or processor must take to safeguard personal data, necessary disclosures that a data controller or processor must make to data subjects when there is a potential or likely data breach, or after a data breach has occurred, and any other policies which further the interest of the protection of personal data.

(b) (i) Each data controller and processor in this state shall be required to register with the office, on an annual basis, with a digital application developed and maintained by such office. Such application shall include the name of such data controller or processor, its physical address, any email address or website associated with such data controller or processor, whether such data controller or processor offers an opt-in or opt-out model for its data operations and the specific details of how a data subject can access either of these options, a statement specifying the methods used for data operations, databases maintained, and amount of data collected, processed, or sold of both all data subjects and data subjects who reside in New York, and annual gross receipts of such controller or processor. When disclosing such annual gross receipts, a data controller or processor shall detail (A) the amount of annual gross receipts from all foreign and domestic sources, (B) annual gross receipts from domestic sources only, and (C) annual gross receipts derived from the collection, processing, and/or sale of data subjects who reside in New York.

(ii) Data controllers and processors shall pay an annual registration fee of two hundred fifty dollars, if such controller or processor has gross receipts of eight hundred sixty million dollars or less, or four hundred fifty dollars, if such controller or processor has gross receipts of over eight hundred sixty million dollars.

(iii) Any data controller or processor which fails to annually register as required by this paragraph shall be subject to a fine of between one thousand dollars and twenty thousand dollars per day. Any controller or processor found to have knowingly submitted false or incomplete information upon registration shall be subject to a fine of between ten thousand dollars and one hundred thousand dollars. All such fines shall be levied by the office, provided that the office shall consider factors such as gross income and assets of a data controller or processor and whether such controller or processor has made reasonable efforts to comply with the provisions of this paragraph when determining the amount of such fines to be levied.

(iv) The office shall determine which data controllers and processors have been newly established within the previous three years for the purposes of compliance with the reporting requirements of section one thousand seven of this article and with the tax imposed in section one hundred eighty-five of the tax law.

(c) The office shall promote public awareness and understanding of risks, rules, safeguards and rights in relation to data processing.

(d) The office shall advise on legislative and administrative measures relating to the protection of data subjects' rights and freedoms with regard to processing.

(e) The office shall provide, upon request, information to any data subject concerning the exercise of their rights under this act as created in the regulations described in paragraph (a) of this subdivision.

(f) The office shall advise data controllers and processors of their obligations under this article.

(g) The office shall encourage the formation of codes of conduct by data controllers and processors and provide an opinion and approve such codes of conduct it deems to provide sufficient safeguards.

(h) The office shall establish a data protection certification mechanism, approving all criteria for such certification and data protection seals and marks to indicate such certification. The office shall conduct a periodic review of certifications issued, where applicable, and shall deny or withdraw certifications if such criteria are not met or no longer met by a data controller or processor.

(i) The office shall establish and maintain a list of data controllers and processors who have completed data protection impact assessments and the results of such assessments.

(j) The office shall monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices.

(k) The office shall process complaints lodged by data subjects about a data controller or processor, investigating the subject matter of such complaints and informing the complainant of the progress and outcome of such investigation within a reasonable time period.

(l) The office shall conduct data protection audits of data controllers or processors upon a request from such controller or processor or from a data subject or as the office deems prudent and necessary.

(m) The office shall have the power to order a data controller or processor to provide any information it requires for the performance of the office's tasks described in this subdivision, including access to such controller or processor's premises and data processing equipment and means if needed.

(n) The office shall notify data controllers and processors when they are likely to infringe or have infringed upon a regulation such office has issued or such controller or processor's code of conduct. The office may order that such data controller or processor bring such controller or processor's data operations into compliance in a specified manner and within a specified time period. The office may further order a temporary or definitive ban on data operations or the rectification or erasure of personal data until such compliance is achieved. The office shall keep internal records of infringements by data controllers and processors of any infringements of its regulations or a controller or processor's code of conduct, and of measures taken in resolution.

(o) The office may order the suspension of data flows to a recipient in a third world country or to an international organization.

(p) The office may impose administrative fines for the purposes of encouraging compliance with any infringement of this article or a regulation such office has issued or such controller or processor's code of conduct in addition to the fine described in subparagraph (iii) of paragraph (b) of this subdivision.

(q) The office may issue opinions to the state or other institutions and bodies as well as to the public on any issue related to the protection of personal data, on its own initiative or upon request.

§ 1007. Annual report. The consumer data protection board shall produce and transmit, in conjunction with the office, an annual report to the temporary president of the senate, the speaker of the assembly, the chair of the senate finance committee, and the chair of the assembly ways and means committee, on or before January thirty-first of each year, pertaining to the data controllers and processors who have registered with the office pursuant to paragraph (b) of subdivision two of section one thousand six of this article. Such report shall contain, but not be limited to, the number of data controllers and processors registered, the number of data subjects residing in this state whose data is being collected, processed, or sold, both in the aggregate and per data controller or processor, and an analysis of the receipts generated from such controller or processor's data operations. Such report shall also be posted for public review in a clear and conspicuous manner on the office of consumer data protection's website.

§ 4. The tax law is amended by adding a new section 185 to read as follows:

§ 185. Additional tax on data controllers and data processors. 1. Notwithstanding any other provision of this chapter, or of any other law, for taxable years beginning on or after January first, two thousand twenty-four, an annual tax is hereby imposed upon every data controller or data processor, as defined in section one thousand four of the executive law, which is required to register with the office of consumer data protection pursuant to paragraph (b) of subdivision two of section one thousand six of the executive law. The office of consumer data protection shall share a complete directory of all data controllers and processors registered with such office with the commissioner for the purposes of assessing the tax imposed by this section.

2. (a) The tax shall be equal to two per centum of the estimated annual gross receipts of a data controller or processor derived from the collection, processing, and/or sale of data subjects who reside in New York. The commissioner shall calculate such estimation by multiplying a data controller or processor's annual gross domestic receipts, as reported in subparagraph (i) of paragraph (b) of subdivision two of section one thousand six of the executive law, by a sum that is equal to the quotient of the gross domestic product of New York divided by the gross domestic product of the United States, and then multiplying such sum by one hundred. If a data controller or processor disagrees with the estimation of annual gross receipts described in this paragraph, such controller or processor shall have the opportunity to present to the commissioner an alternative estimation of such controller or processor's annual gross receipts derived from the collection, processing, and/or sale of data subjects who reside in New York based on such controller or processor's internal records. If the commissioner accepts the alternative estimation so presented by such controller or processor, the commissioner shall impose a tax of two per centum of such alternative estimation on such controller or processor. As used in this subdivision, "gross domestic product" shall mean a monetary measure of the market value of all final goods and services produced and sold in a specific time period by a country or countries.

(b) Provided, however, the commissioner shall exempt the first five million dollars of the estimated gross receipts of a data controller or processor, as described in paragraph (a) of this subdivision, from the tax imposed by this section.

3. Data controllers and processors shall be exempt from such tax on gross receipts if the controller or processor has been newly established within the previous three years, as determined by the office of consumer data protection in subparagraph (iv) of paragraph (b) of subdivision two of section one thousand six of the executive law.

4. (a) All gross receipts of subsidiaries formed by a data controller or processor shall be considered assets of the data controller or processor for the purposes of determining the gross receipts exemption described in paragraph (b) of subdivision two of this section. Gross receipts of subsidiaries shall not be used in any way to offset, reduce, or discount the gross receipts of the underlying data controller or processor for the purposes of calculation of such receipts.

(b) Provided, further, an initial date of registration with the office of consumer data protection by the subsidiary of a data controller or processor which is later than such underlying controller or processor's initial date of registration shall not be used to delay such underlying controller or processor's initial date. A data controller or processor and such controller or processor's subsidiary shall count as one entity for the purposes of determining the period of time after which the tax imposed by this section shall apply.

(c) "Subsidiary" as used in this subdivision shall mean a corporation of which over fifty percent of the number of shares of stock entitling the holders thereof to vote for the election of directors or trustees is owned by the data controller or processor which formed such subsidiary.

§ 5. This act shall take effect on the one hundred eightieth day after it shall have become a law. Effective immediately, the addition, amendment and/or repeal of any rule or regulation necessary for the implementation of this act on its effective date are authorized to be made and completed on or before such effective date.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD01552-02-3