§ 899-ff. Privacy protection by default.
1. Except as provided for in subdivision six of this section and section eight hundred ninety-nine-jj of this article, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent:
  (a) the covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or
  (b) the covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in subdivision two of this section, or informed consent has been obtained as set forth in subdivision three of this section.

2. For the purposes of paragraph (b) of subdivision one of this section, the processing of personal data of a covered user is permissible where it is strictly necessary for the following permissible purposes:
  (a) providing or maintaining a specific product or service requested by the covered user;
  (b) conducting the operator's internal business operations. For purposes of this paragraph, such internal business operations shall not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, online application, mobile application, or connected device when it is not in use;
  (c) identifying and repairing technical errors that impair existing or intended functionality;
  (d) protecting against malicious, fraudulent, or illegal activity;
  (e) investigating, establishing, exercising, preparing for, or defending legal claims;
  (f) complying with federal, state, or local laws, rules, or regulations;
  (g) complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  (h) detecting, responding to, or preventing security incidents or threats; or
  (i) protecting the vital interests of a natural person.

3. (a) For the purposes of paragraph (b) of subdivision one of this section, to process personal data of a covered user where such processing is not strictly necessary under subdivision two of this section, informed consent must be obtained from the covered user either through a device communication or signal pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article or through a request. Requests for such informed consent shall:
    (i) be made separately from any other transaction or part of a transaction;
    (ii) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing;
    (iii) clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and
    (iv) clearly present an option to refuse to provide consent as the most prominent option.
  (b) Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide.
  (c) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.
  (d) If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.

4. Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under subdivision three of this section.

5. Except as provided for in section eight hundred ninety-nine-jj of this article, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user.

6. Within thirty days of determining or being informed that a user is a covered user, an operator shall:
  (a) dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in subdivision two of this section, or informed consent is obtained as set forth in subdivision three of this section; and
  (b) notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user.

7. Except as provided for in section eight hundred ninety-nine-jj of this article, prior to disclosing personal data to a third-party operator, or permitting a third-party operator to collect personal data from the operator's website, online service, online application, mobile application, connected device, or portion thereof, the operator shall disclose to the third-party operator:
  (a) when their website, online service, online application, mobile application, connected device, or portion thereof, is primarily directed to minors; or
  (b) when the personal data concerns a covered user.