WeVote

Bill

Bill

S 9088

Requires the registration of data brokers and establishing a data deletion mechanism for consumers

2025 Regular Session Introduced by Kristen Gonzalez

New York establishes a state-wide, mandatory data broker registry and a consumer data deletion mechanism requiring brokers to disclose practices, register, and delete upon verified

PRINT NUMBER 9088A
0
WeVote Research Nonpartisan
Bill Summary · S 9088

Summary of Bill S 9088-A (2025-2026) – New York

Main purpose and intent

  • Establish a regulatory framework for data brokers in New York, including mandatory registration, ongoing oversight, public disclosure requirements, and a consumer data deletion mechanism.
  • Create a centralized, state-managed system to improve transparency about data broker activities and empower consumers to delete personal information held by data brokers.

Key provisions and changes

  • Article 42-A: Data Brokers

    • Defines critical terms related to data brokers, personal information, sensitive data, deletion requests, and related concepts (e.g., aggregate information, deidentified data, dark patterns, cross-context behavioral advertising, AI-related terms, etc.).
    • Distinguishes data brokers from government entities and certain nonprofit organizations.
  • Section 1151. Registration of data brokers

    • Data brokers must register with the NY Attorney General within 60 days of meeting the definition.
    • Payment of a registration fee (initially set at $100, adjustable by AG rules).
    • Required to provide detailed information about the broker, including:
    • Names and contact information; officer/agent; request handling data (counts, response times, etc.).
    • Whether they deal with minors, infer or collect certain sensitive data (e.g., IDs, biometrics, geolocation, reproductive health data, etc.).
    • Whether they share data with foreign actors, federal government, other states, law enforcement, or AI developers in the past five years.
    • Up to three major types of personal information collected.
    • A link to a page describing consumer privacy rights (delete, correct, access, opt-out, limit sensitive data).
    • Confirmation of absence of dark patterns and regulatory coverage under other laws (FCRA, GLBA, HIPAA-related rules, etc.).
    • AG must create a public web page listing all registered data brokers and deletion mechanism information.
  • Section 1152. Data deletion mechanism

    • AG must establish a state data deletion mechanism within one year.
    • Features:
    • Reasonable security practices to protect deletion requests.
    • A single verifiable consumer request can trigger deletion of all personal information held by data brokers (and associated providers/contractors/subsidiaries).
    • Consumers can exclude specific data brokers from a deletion request.
    • Ability to modify a deletion request after at least 45 days.
    • Ability to submit a single deletion request for all personal information.
    • Various secure submission options and multilingual accessibility (12 languages).
    • Data brokers must verify verifiable requests and not disclose extra data when accessing deletion mechanism.
    • Access via AG website; no fee for deletion requests.
    • Authorized agents may assist deletion requests.
    • Status tracking of deletion requests.
    • Timelines and duties:
    • After six months, brokers must have deletion requests accessible to each broker and respond at least every 45 days.
    • Brokers must process deletion requests within 45 days and direct related service providers/contractors to delete corresponding data.
    • If a deletion request is not verifiable, brokers must treat it as an opt-out of sale/sharing within 45 days.
    • Exemptions for deletion:
    • Data necessary for consumer reporting under FCRA; legal compliance requirements; security/incident response; legal claims; regulatory inquiries, subpoenas, or law enforcement directives (with caveats).
    • If data is deleted, brokers must continue to delete at least every 45 days unless the consumer opts out differently or deletion is not required due to exemptions.
    • Access fee may be charged to data brokers for using the deletion mechanism, but fees must not exceed reasonable costs.
    • Deletion requests are deemed received when made available to the broker via the mechanism.
  • § 1153. Audit

    • Every three years (three years after effective date and every three years thereafter), each data broker must undergo an independent third-party audit.
    • Audit report must be submitted to the AG within five business days of a written request, and reports must be retained for six years.
  • § 1154. Data broker website disclosure requirements

    • Annually, or on a date set by regulation, data brokers must post:
    • Privacy policy and metrics on deletion requests (counts, median/mean response times).
    • A link to where consumers can learn about their rights (delete, access, correct, opt out, limit use of sensitive data).
    • Disclosure of deletion-denial reasons (verifiable issue, lack of authorization, exemptions, etc.) and whether deletion was not required in part or whole.
    • Must provide at least two designated methods for submitting deletion requests (e.g., toll-free phone, email, website form).
  • § 1155. Data brokers; comprehensive information security program

    • Brokers must implement a documented information security program tailored to size, resources, data sensitivity, and risk.
    • Program requirements include governance, risk assessment, procedures to mitigate risks, restricted physical access, regular monitoring, and post-incident reviews.
    • Technical elements include secure authentication, encryption/de-identification of sensitive data, monitoring for unauthorized access, up-to-date firewalls/patches, and current security software.
  • § 1156. Rulemaking

    • AG to adopt rules and regulations necessary to implement the article.
  • § 1157. Enforcement

    • Civil penalties for non-compliance:
    • $500 per day for failing to register or comply with registration requirements.
    • Penalty equal to the applicable registration fee.
    • $500 per day for failing to delete as required.
    • $250 per day for website disclosure non-compliance.
    • Additional expenses as determined by court.
    • AG may seek injunction through a special proceeding.
  • § 1158. Exemptions

    • Several exemptions align with federal privacy regimes (HIPAA/HITECH, HHS health information networks, FCRA, GLBA) and political data under election law.
    • Specifically excludes certain health entities, health information networks, and data regulated by federal privacy laws from the article.
    • Clarifies definitions for business associates, covered entities, and related health information terms.
  • Effective date

    • The act takes effect immediately.

Who is affected

  • Data brokers operating in New York that meet the article’s definition.
  • Businesses that act as data brokers (and their service providers, contractors, and subsidiaries) must register, implement deletion mechanisms, and comply with auditing and disclosure requirements.
  • Consumers in New York who have data broker-held personal information will gain a right-to-delete mechanism and enhanced visibility into data broker practices.
  • Authorized agents and privacy advocates who assist in deletion requests.

Procedural and timeline aspects

  • Registration deadline: within 60 days after meeting data broker criteria.
  • Deletion mechanism: established within one year of the act’s effective date.
  • Audits: first audit required three years after effective date; subsequent audits every three years.
  • Annual disclosures: data brokers must publish privacy policy updates and deletion metrics by a regulated annual date.
  • Deletion requests: brokers must act within 45 days of receipt; aggregated deletion status and tracking requirements apply.

Note: The bill includes extensive definitions and exemptions to align with existing federal frameworks while imposing NY-specific data broker governance, transparency, and consumer rights mechanisms.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.