File #: Int 1101-2018    Version: * Name: Protecting cable provider customers’ personally identifiable information.
Type: Introduction Status: Filed (End of Session)
Committee: Committee on Technology
On agenda: 9/12/2018
Enactment date: Law number:
Title: A Local Law to amend the administrative code of the city of New York, in relation to protecting cable provider customers' personally identifiable information.
Sponsors: Peter A. Koo, Barry S. Grodenchik, Rafael Salamanca, Jr., Ben Kallos, Carlina Rivera, Helen K. Rosenthal, Paul A. Vallone, Alan N. Maisel, Antonio Reynoso, Public Advocate Jumaane Williams, (by request of the Mayor)
Council Member Sponsors: 10
Summary: This bill would require cable providers in NYC to obtain consent before they can collect and use Personally Identifiable Information (PII) from customers. The bill would also prohibit cable providers from refusing to provide service to customers who do not consent to the collection of PII.
Attachments: 1. Summary of Int. No. 1101, 2. Int. No. 1101, 3. September 12, 2018 - Stated Meeting Agenda with Links to Files, 4. Hearing Transcript - Stated Meeting 9/12/18, 5. Minutes of the Stated Meeting - September 12, 2018

Int. No. 1101

By Council Members Koo, Grodenchik, Salamanca, Kallos, Rivera, Rosenthal, Vallone, Maisel, Reynoso and the Public Advocate (Mr. Williams) (by request of the Mayor)

A Local Law to amend the administrative code of the city of New York, in relation to protecting cable provider customers’ personally identifiable information.

Be it enacted by the Council as follows:

Section 1. Title 23 of the administrative code of the city of New York is amended by adding a new chapter 13 to read as follows:

CHAPTER 13

COMMUNICATIONS PRIVACY

§ 23-1301 Definitions. As used in this chapter, the following terms have the following meanings:

Affiliate. The term “affiliate” means any person or entity that is owned or controlled by, or under common ownership or control with the provider, or is a contractor of a provider and provides any cable service or other service.

Cable service. The term “cable service” means the one-way transmission to customers of video programming or other programming service, and customer interaction, if any, which is required for the selection or use of such video programming or other programming service.

Cable system. The term “cable system” has the meaning ascribed in subsection (7) of section 522 of title 47 of the United States code.

Customer. The term “customer” means a person in the city who subscribes to a cable service or other service of a provider.

Information necessary to render service. The term “information necessary to render service” means personally identifiable information that is used to detect the unauthorized reception of cable communications, or is necessary to render a cable service or other service provided by the provider to the customer.

Other service. The term “other service” means any wire or radio communications services provided to a customer over a cable system or an open video system that are not cable services.

Personally Identifiable Information. The term “personally identifiable information” means information that is linked or reasonably linkable to an individual or device. Information is linked or reasonably linkable to an individual or device if it can reasonably be used on its own, in context, or in combination to identify an individual or device, or to logically associate with other information about a specific individual or device. “Personally identifiable information” does not include aggregate data if: (i) the process of aggregation results in none of the information being reasonably linkable to an individual or device; (ii) the provider publicly commits that it will maintain and use the aggregate data without linking it, or seeking to link it, to an individual or device, and that it will not attempt to restore such aggregated data to a state in which it would be reasonably linkable to an individual or device; and (iii) the provider contractually prohibits any entity to which it discloses or permits access to such aggregate data from attempting to use the data to link it to an individual or device or to restore such aggregated data to a state in which it would be reasonably linkable to an individual or device.

Provider. The term “provider” means any person or group of persons who: (i) provides cable service or other service within the city over a cable system, or directly or through one or more affiliates owns a significant interest in such cable system; or (ii) otherwise controls or is responsible for, through any arrangement, the management and operation of a cable system or an open video system in the city.

Use necessary to render service. The term “use necessary to render service” means a use of personally identifiable information that is necessary to render a cable service or other service provided by the provider to the customer.

§ 23-1302 Collection and use of personally identifiable information.

a. A provider shall not use a cable system to collect, record, monitor, or observe personally identifiable information without the prior affirmative written or electronic notice and consent of a customer unless, and only to the extent that, such information is information necessary to render service. Such notice must include the types of information to be collected or used, and the purpose for the collection or use of each type of information.

b. A provider shall take such actions as are necessary to prevent any affiliate from using the cable system or other facilities of the provider in any manner, including, but not limited to, sending data or other signals through such facilities, to the extent such use will permit an affiliate unauthorized access to personally identifiable information on the computer or other equipment of a customer, regardless of whether such computer or other equipment is owned or leased by the customer or provided by a provider, or on the cable system or any other facilities of the provider that are used in the provision of cable service. This subdivision does not prohibit an affiliate from obtaining access to personally identifiable information to the extent otherwise permitted by this section.

c. A provider shall take such actions as are reasonably necessary to prevent a person or entity, other than its affiliates, from using the cable system or other facilities of the provider in any manner, including, but not limited to, sending data or other signals through such cable system or other facilities, which would permit such person or entity unauthorized access to personally identifiable information on the computer or other equipment of a customer, regardless of whether such equipment is owned or leased by the customer or provided by a provider, or on the cable system or any other facilities of the provider that are used in the provision of cable service.

d. This section does not prevent a provider from complying with any lawful court order.

§ 23-1303 Disclosure of personally identifiable information.

a. A provider shall not disclose personally identifiable information without the prior affirmative written or electronic consent of a customer, except for a use necessary to render service, or as permitted under applicable law. If a customer exercises the right to prohibit disclosure of that customer’s personally identifiable information, such prohibition shall be permanent, unless the customer subsequently notifies the provider of the customer’s intent to permit a disclosure.

b. A minimum of 30 days before making any disclosure of personally identifiable information of any customer pursuant to the affirmative written or electronic consent of such customer as provided in this section, the provider shall notify in writing the department and such customer of the specific information that will be disclosed, to whom it will be disclosed, the purpose of the disclosure, and notice of the customer’s right to prohibit the disclosure of such information for any use that is not a use necessary to render service. The notice to customers may not be included with or made a part of the customer’s monthly bill for cable service or other service, but must be conspicuously marked as a privacy disclosure and be made by separate mailed notice, or by emailed notice if the customer has previously consented to receiving such notice via email. Each time that such notice is given to a customer, the provider also shall provide the customer with an opportunity to prohibit the disclosure of information in the future. Such opportunity shall be given in one or more of the following forms:

1. A toll-free number that the customer may call;

2. A website option; or

3. Such other equivalent methods as may be approved by the department.

c. Additionally, within 45 days after each disclosure of personally identifiable information of any customer as provided in this section, the provider shall notify in writing the department and such customer of the specific information that has been disclosed, to whom it has been disclosed, the purpose for the disclosure, and notice of the customer’s right to prohibit the future disclosure of such information for any use that is not a use necessary to render service. The notice to customers may not be included with or made a part of a customer’s monthly bill for cable service or other service, but must be conspicuously marked as a privacy disclosure and must be made by separate mailed notice, or by emailed notice if the customer has previously consented to receiving such notice via email. Each time that this notice is given to a customer, the provider shall also provide the customer with an opportunity to prohibit the disclosure of information in the future. Such opportunity shall be given in one of the following forms:

1. A toll-free number that the customer may call;

2. A website option; or

3. Such other equivalent methods as may be approved by the department.

d. A provider may disclose personally identifiable information pursuant to a subpoena, lawful court order, or other provision of law authorizing or requiring such disclosure. To the extent permitted by such subpoena, order or applicable provision of law, a provider must notify a customer of any such disclosure contemporaneous with compliance with the subpoena, order or provision of law and must include the specific information disclosed, to whom it was disclosed, and, if known, the purpose of the disclosure and the name of the proceeding related to the disclosure. In no event shall this subdivision be construed as authorizing any disclosure, or requiring or authorizing any notice, which is prohibited by applicable law.

§ 23-1304 Prohibition of punitive action against customers. A provider shall not add a supplemental charge or penalize a customer either financially or in quality or speed of delivery of service for choosing not to consent to the collection, recording, monitoring, observation, or disclosure of personally identifiable information, nor may it refuse to provide service because a customer refuses to consent to the collection, recording, monitoring, observation, or disclosure of personally identifiable information.

§ 23-1305 Access to personally identifiable information. Any personally identifiable information gathered and maintained by a provider shall be made available for examination by the customer to whom such personally identifying information pertains within 10 days of receiving a request by such customer to examine such information. Such information must be made available on a website that allows customers to easily view the information pertaining to them and submit corrections, and at the local offices of the provider or other convenient place within the city selected by the provider. Upon a reasonable showing by the customer that the information is inaccurate, a provider shall promptly correct or remove such information.

§ 23-1306 Privacy statements.

a. A provider shall annually provide a separate, written privacy statement to each customer consistent with applicable law, including paragraph (1) of subsection (a) of section 551 of title 47 of the United States code, and shall provide each customer with a copy of such statement at the time the provider enters into an agreement with the customer to provide cable service or other service, as well as 30 days prior to the effective date of any changes made by the provider to such statement. Such statements shall be sent by separate mailed notice, or by emailed notice if the customer has previously consented to receiving such statements by email. A provider shall further make such statements readily available on the provider’s website. Privacy statements shall be in a clear and conspicuous format and in twelve point font or larger and shall contain a heading, in bold capital letters in no less than 14-point font, that reads “NOTICE OF CHANGE.” Privacy statements shall include options for viewing the statements in languages other than English and in a manner that is accessible to persons with disabilities. The department shall promulgate rules mandating the specific language and accessibility requirements for privacy statements.

b. Privacy statements must include a detailed description of the provider’s practices regarding the recording, monitoring, observation, collection and disclosure of personally identifiable information and how customers can exercise their rights to prohibit disclosures of their personally identifiable information. The department shall promulgate rules mandating the specific information that providers must include in their privacy statements.

§ 23-1307 Personally identifiable information reporting requirements.

a. A provider shall provide a report to the department every six months, on March 1 and September 1, which includes the following information:

1. The type of personally identifiable information that was actually collected, recorded, monitored, observed or disclosed during the reporting period, including:

(a) For each type of personally identifiable information collected, recorded, monitored, observed or disclosed, a statement sufficient to demonstrate that the personally identifiable information collected, recorded, monitored, observed or disclosed was: (i) collected, recorded, monitored, or observed with affirmative consent and only to the extent such information was information necessary to render service; or (ii) disclosed with the prior affirmative written or electronic consent of a customer, or for a use necessary to render service, or as permitted or required under applicable law;

(b) The categories of all entities to which such personally identifiable information was disclosed, including, but not limited to, cable installation and maintenance contractors, direct mail vendors, telemarketing companies, print and mail houses, promotional service companies, billing vendors, and account collection companies; and

(c) For each type of personally identifiable information collected, recorded, monitored, observed or disclosed, the purpose of each collection, recording, monitoring, observation or disclosure.

2. A description of the measures that have been taken, and will be taken, to prevent the unauthorized access to personally identifiable information by a person other than the customer to whom such personally identifying information pertains or the provider, including, among other things, a description of the technology that is or will be applied by the provider to prevent unauthorized access to personally identifiable information by any means; and

3. Any additional information required by rules promulgated by the department.

b. Annually, and whenever it is changed, a provider shall provide the department with a copy of the privacy statement provided to customers pursuant to section 23-1306 of this chapter, including the website address where the provider’s privacy statement can be accessed online.

c. A provider shall provide to the department the names of the entities described in subparagraph (b) of paragraph (1) of subdivision (a) of section 23-1307 of this chapter to which personally identifiable information was disclosed, within 30 days of receiving a request for such names from the department. This subdivision does not require the provider to provide the name of any court or governmental entity to which such disclosure was made if such disclosure would be inconsistent with applicable law. This section does not prevent a provider from complying with any lawful court order.

§ 23-1308 Destruction of personally identifiable information. A provider shall destroy, within 90 days, any personally identifiable information if the personally identifiable information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such personally identifiable information, pursuant to a court order, or pursuant to other applicable law.

§ 23-1309 Private right of action.

a. Any customer may bring an action in any court of competent jurisdiction for a violation of any of the provisions of this chapter. If a court of competent jurisdiction finds that a provider has violated a provision of this chapter, the court may award: (i) actual damages, computed at a rate of $100 a day, or $1,000, whichever amount is higher; (ii) punitive damages; and (iii) reasonable attorney’s fees and costs incurred in maintaining such civil action.

b. The private right of action provided by this section shall not supplant any other legal remedy available to any customer within the city.

§ 23-1310 Enforcement.

a. A provider that willfully and knowingly violates any provision of this chapter or any rule promulgated pursuant to this chapter shall be liable for a civil penalty not exceeding $10,000.

1. For violations of subdivision (a) of section 23-1302 or sections 23-1303, 23-1305 or 23-1308 of this chapter, a civil penalty shall be assessed for each affected customer, with a maximum penalty amount of $1,000,000 for any single violation.

2. For violations of subdivision (a) of section 23-1302 that continue for a period of days, a provider shall be liable for penalties up to $10,000 per day, with a maximum penalty amount of $1,000,000 for any single violation.

3. For violations of section 23-1307, a provider shall be liable for penalties up to $10,000 per day for each day the provider has failed to report the required information by the applicable deadline, with a maximum penalty amount of $250,000 for any single violation.

§ 23-1311 Rulemaking. The department shall promulgate such rules as are necessary to ensure the implementation of this chapter.

§ 2. This local law takes effect 90 days after it becomes law, provided that the department shall take such action as may be necessary to implement this local law, including the promulgation of rules, prior to such effective date.