§ 899-ff. Privacy protection by default. 1. Except as provided for in\nsubdivision six of this section and section eight hundred ninety-nine-jj\nof this article, an operator shall not process, or allow a processor to\nprocess, the personal data of a covered user collected through the use\nof a website, online service, online application, mobile application, or\nconnected device, or allow a third-party operator to collect the\npersonal data of a covered user collected through the operator's\nwebsite, online service, online application, mobile application, or\nconnected device unless and to the extent:\n (a) the covered user is twelve years of age or younger and processing\nis permitted under 15 U.S.C. § 6502 and its implementing regulations; or\n (b) the covered user is thirteen years of age or older and processing\nis strictly necessary for an activity set forth in subdivision two of\nthis section, or informed consent has been obtained as set forth in\nsubdivision three of this section.\n 2. For the purposes of paragraph (b) of subdivision one of this\nsection, the processing of personal data of a covered user is\npermissible where it is strictly necessary for the following permissible\npurposes:\n (a) providing or maintaining a specific product or service requested\nby the covered user;\n (b) conducting the operator's internal business operations. For\npurposes of this paragraph, such internal business operations shall not\ninclude any activities related to marketing, advertising, research and\ndevelopment, providing products or services to third parties, or\nprompting covered users to use the website, online service, online\napplication, mobile application, or connected device when it is not in\nuse;\n (c) identifying and repairing technical errors that impair existing or\nintended functionality;\n (d) protecting against malicious, fraudulent, or illegal activity;\n (e) investigating, establishing, exercising, preparing for, or\ndefending legal claims;\n (f) complying with federal, state, or local laws, rules, or\nregulations;\n (g) complying with a civil, criminal, or regulatory inquiry,\ninvestigation, subpoena, or summons by federal, state, local, or other\ngovernmental authorities;\n (h) detecting, responding to, or preventing security incidents or\nthreats; or\n (i) protecting the vital interests of a natural person.\n 3. (a) For the purposes of paragraph (b) of subdivision one of this\nsection, to process personal data of a covered user where such\nprocessing is not strictly necessary under subdivision two of this\nsection, informed consent must be obtained from the covered user either\nthrough a device communication or signal pursuant to the provisions of\nsubdivision two of section eight hundred ninety-nine-ii of this article\nor through a request. Requests for such informed consent shall:\n (i) be made separately from any other transaction or part of a\ntransaction;\n (ii) be made in the absence of any mechanism that has the purpose or\nsubstantial effect of obscuring, subverting, or impairing a covered\nuser's decision-making regarding authorization for the processing;\n (iii) clearly and conspicuously state that the processing for which\nthe consent is requested is not strictly necessary, and that the covered\nuser may decline without preventing continued use of the website, online\nservice, online application, mobile application, or connected device;\nand\n (iv) clearly present an option to refuse to provide consent as the\nmost prominent option.\n (b) Such informed consent, once given, shall be freely revocable at\nany time, and shall be at least as easy to revoke as it was to provide.\n (c) If a covered user declines to provide or revokes informed consent\nfor processing, another request may not be made for such processing for\nthe following calendar year, however an operator may make available a\nmechanism that a covered user can use unprompted and at the user's\ndiscretion to provide inform
‹ Prev All New York sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.