Requires express and affirmative consent prior to collection, storage or transmittal of any personal information obtained from the installation or use of a smart home connected system by certain persons.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A711
SPONSOR: Rosenthal L
 
TITLE OF BILL:
An act to amend the general business law, in relation to collection,
storage or transmission of personal information collected from smart
home systems
 
PURPOSE:
This bill relates to collection, storage or transmission of personal
information collected from smart home systems.
 
SUMMARY OF SPECIFIC PROVISIONS:
Section one amends the general business law by adding a new section
390-d.
Section two establishes the effective date.
 
JUSTIFICATION:
Technological advances have revolutionized traditional household appli-
ances and operating systems. Smart devices, like smart fridges that
monitor their own inventory and thermostats that constantly self-regu-
late, rely on artificial intelligence (AI) technology to gather data to
integrate seamlessly into the user's life. The products rely on user
surveillance to function optimally, but users are often not aware that
the data collected can be stored and even sold to third parties.
While New Yorkers race forward to embrace new technologies that will no
doubt reshape our daily lives, we must also be hyper vigilant of the
dangers these devices pose. Without the consent of the consumer, many of
these "smart" technologies are constantly collecting data on the behav-
ior and patterns of the household they occupy. Unwittingly, consumers
are being asked to exchange access to their private lives for new
conveniences.
This legislation aims to establish a regulatory framework for the
collection, storage and transmission of personal information collected
on such smart devices. This legislation prohibits any business that
manufactures or sells a smart home device or system in New York State
from storing or transmitting to a third-party, any personal information
obtained from the installation or use of a smart home device or system,
without the express and affirmative consent of the consumer. Further,
this legislation prohibits any landlord or employer who has installed
such a device or system from storing or transmitting any personal data
without the tenant or employees express and affirmative consent. This
bill will help ensure that while New Yorkers continue to embrace new
technologies their privacy is safeguarded.
 
LEGISLATIVE HISTORY:
2021-22: A.733 - Referred to Consumer Affairs and Protection
2019-20: A.7268 - Referred to Consumer Affairs and Protection
 
FISCAL IMPLICATIONS:
Undetermined.
 
EFFECTIVE DATE:
This act shall take effect immediately.
STATE OF NEW YORK
________________________________________________________________________
711
2023-2024 Regular Sessions
IN ASSEMBLY
January 11, 2023
___________
Introduced by M. of A. L. ROSENTHAL -- read once and referred to the
Committee on Consumer Affairs and Protection
AN ACT to amend the general business law, in relation to collection,
storage or transmission of personal information collected from smart
home systems
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new section
2 390-e to read as follows:
3 § 390-e. Smart home systems. 1. For the purposes of this section the
4 following terms shall have the following meanings:
5 (a) "Smart home system" means any device, or other physical object
6 that is capable of connecting to the internet, directly or indirectly,
7 and that is assigned an internet protocol address or bluetooth address.
8 (b) "End user" means a person that ultimately uses a smart home
9 connected system regardless of whether such person installed such
10 system.
11 (c) "Personal information" includes, but is not limited to, the
12 following:
13 (i) identity information including, but not limited to, real name,
14 alias, nickname, and user name;
15 (ii) address information, including, but not limited to, postal
16 address or e-mail;
17 (iii) telephone number;
18 (iv) account name;
19 (v) social security number or other government-issued identification
20 number, including, but not limited to, social security number, driver's
21 license number, identification card number, and passport number;
22 (vi) birthdate or age;
23 (vii) physical characteristic information, including, but not limited
24 to, height and weight;
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD00703-01-3
A. 711 2
1 (viii) sexual information, including, but not limited to, sexual
2 orientation, sex, gender status, gender identity, and gender expression;
3 (ix) race or ethnicity;
4 (x) religious affiliation or activity;
5 (xi) political affiliation or activity;
6 (xii) professional or employment-related information;
7 (xiii) educational information;
8 (xiv) medical information, including, but not limited to, medical
9 conditions or drugs, therapies, mental health, or medical products or
10 equipment used;
11 (xv) financial information, including, but not limited to, credit,
12 debit, or account numbers, account balances, payment history, or infor-
13 mation related to assets, liabilities, or general creditworthiness;
14 (xvi) commercial information, including, but not limited to, records
15 of property, products or services provided, obtained, or considered, or
16 other purchasing or consumer histories or tendencies;
17 (xvii) location information;
18 (xviii) internet or mobile activity information, including, but not
19 limited to, internet protocol addresses or information concerning the
20 access or use of any internet or mobile-based site or service;
21 (xix) content, including text, photographs, audio or video recordings,
22 or other material generated by or provided by an end user; and
23 (xx) any of the above categories of information as they pertain to any
24 children of an end user.
25 2. (a) No business which manufactures or sells a smart home connected
26 system shall collect, store or transmit any personal information
27 obtained from the installation or use of a smart home connected system
28 to a third-party without the express and affirmative consent of the end
29 user of such system.
30 (b) No landlord who has installed a smart home connected system on or
31 in rental property shall collect, store or transmit any personal infor-
32 mation obtained from the installation or use of such smart home
33 connected system without the express and affirmative consent of the
34 tenant of such rental property.
35 (c) No employer who has installed a smart home connected system shall
36 collect, store or transmit any personal information of any employee
37 obtained from the installation or use of such smart home connected
38 system without the express and affirmative consent of such employee.
39 § 2. This act shall take effect immediately.