NY S09599: Creates privacy standards for electronic health products and services and permissible data brokering; requires consent to be given for the collection… Verified

The bill amends New York's general business law by introducing Article 42, which sets privacy standards for electronic health products and services. It defines key terms such as 'consent,' 'electronic health product or service,' and 'personal health information.' Section 1101 prohibits covered organizations from engaging in data processing, geofencing, or data brokering without obtaining affirmative express consent from users. The bill mandates that organizations disclose the types of data collected, the purposes for data collection, and third parties involved. Users must be able to withdraw consent, and organizations must cease data processing within fifteen days of consent withdrawal. Section 1101(7) specifically prohibits geofencing for digital advertisements at health care facilities. Section 1102 provides a private right of action for individuals injured by violations, allowing for declaratory relief, injunctions, and damages, including statutory damages of five hundred dollars per violation. Section 1103 clarifies that actions compliant with HIPAA are not prohibited. The bill also requires covered organizations to implement reasonable security procedures and prohibits discrimination against users exercising their rights under the bill.