N.Y. General Business Law Section 899-FF
Privacy protection by default


1.

Except as provided for in subdivision six of this section and section eight hundred ninety-nine-jj of this article, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator’s website, online service, online application, mobile application, or connected device unless and to the extent:

(a)

the covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or

(b)

the covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in subdivision two of this section, or informed consent has been obtained as set forth in subdivision three of this section.

2.

For the purposes of paragraph (b) of subdivision one of this section, the processing of personal data of a covered user is permissible where it is strictly necessary for the following permissible purposes:

(a)

providing or maintaining a specific product or service requested by the covered user;

(b)

conducting the operator’s internal business operations. For purposes of this paragraph, such internal business operations shall not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, online application, mobile application, or connected device when it is not in use;

(c)

identifying and repairing technical errors that impair existing or intended functionality;

(d)

protecting against malicious, fraudulent, or illegal activity;

(e)

investigating, establishing, exercising, preparing for, or defending legal claims;

(f)

complying with federal, state, or local laws, rules, or regulations;

(g)

complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

(h)

detecting, responding to, or preventing security incidents or threats; or

(i)

protecting the vital interests of a natural person.

3.

(a) For the purposes of paragraph (b) of subdivision one of this section, to process personal data of a covered user where such processing is not strictly necessary under subdivision two of this section, informed consent must be obtained from the covered user either through a device communication or signal pursuant to the provisions of subdivision two of § 899-II (Respecting user-provided age flags)section eight hundred ninety-nine-ii of this article or through a request. Requests for such informed consent shall:

(i)

be made separately from any other transaction or part of a transaction;

(ii)

be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user’s decision-making regarding authorization for the processing;

(iii)

clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and

(iv)

clearly present an option to refuse to provide consent as the most prominent option.

(b)

Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide.

(c)

If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user’s discretion to provide informed consent.

(d)

If a covered user’s device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of subdivision two of § 899-II (Respecting user-provided age flags)section eight hundred ninety-nine-ii of this article, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user’s discretion to provide informed consent.

4.

Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under subdivision three of this section.

5.

Except as provided for in § 899-JJ (Protections for third-party operators)section eight hundred ninety-nine-jj of this article, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user.

6.

Within thirty days of determining or being informed that a user is a covered user, an operator shall:

(a)

dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in subdivision two of this section, or informed consent is obtained as set forth in subdivision three of this section; and

(b)

notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user.

7.

Except as provided for in § 899-JJ (Protections for third-party operators)section eight hundred ninety-nine-jj of this article, prior to disclosing personal data to a third-party operator, or permitting a third-party operator to collect personal data from the operator’s website, online service, online application, mobile application, connected device, or portion thereof, the operator shall disclose to the third-party operator:

(a)

when their website, online service, online application, mobile application, connected device, or portion thereof, is primarily directed to minors; or

(b)

when the personal data concerns a covered user. * NB Effective June 20, 2025

Source: Section 899-FF — Privacy protection by default, https://www.­nysenate.­gov/legislation/laws/GBS/899-FF (updated Jun. 28, 2024; accessed Jul. 6, 2024).

Accessed:
Jul. 6, 2024

Last modified:
Jun. 28, 2024

§ 899-FF’s source at nysenate​.gov

Link Style