WHAT THIS BILL REGULATES · 8 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
(1)–(14) § 501. Definitions. As used in this article, the following terms shall have the following meanings: 1. "Civil rights, civil liberties, and privacyCivil rights, civil liberties, and privacy"Civil rights, civil liberties, and privacy" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance.State Tech. Law § 501(1)" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance. 2. "Equal opportunityEqual opportunity"Equal opportunity" means equal access to education, housing, credit, employment, and other programs.State Tech. Law § 501(2)" means equal access to education, housing, credit, employment, and other programs. 3. "Access to critical resources or servicesAccess to critical resources or services"Access to critical resources or services" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits.State Tech. Law § 501(3)" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits. 4. "Algorithmic discriminationAlgorithmic discrimination"Algorithmic discrimination" means circumstances where an automated system contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law.State Tech. Law § 501(4)" means circumstances where an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law. 5. "Automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5)" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7). Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructurePassive computing infrastructure"Passive computing infrastructure" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity.State Tech. Law § 501(6). 6. "Passive computing infrastructurePassive computing infrastructure"Passive computing infrastructure" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity.State Tech. Law § 501(6)" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity. 7. "CommunitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7)" means neighborhoods, social networkSocial network"Social network" means any connection of persons which exists online or offline.State Tech. Law § 501(8) connections, familiesFamilies"Families" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being.State Tech. Law § 501(9), people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7). 8. "Social networkSocial network"Social network" means any connection of persons which exists online or offline.State Tech. Law § 501(8)" means any connection of persons which exists online or offline. 9. "FamiliesFamilies"Families" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being.State Tech. Law § 501(9)" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being. 10. "EquityEquity"Equity" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality.State Tech. Law § 501(10)" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communitiesUnderserved communities"Underserved communities" means communities that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.State Tech. Law § 501(14) that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. 11. "Sensitive dataSensitive data"Sensitive data" means any data and metadata: (a) that pertains to a New York resident in a sensitive domain; (b) that are generated by technologies in a sensitive domain; (c) that can be used to infer data from a sensitive domain; (d) about a New York resident, such as disability-related data, genomic data, biometric data, behavioral data, geolocation data, data related to the criminal justice system, relationship history, or legal status such as custody and divorce information, and home, work, or school environmental data; (e) that has the reasonable potential to be used in ways that are likely to expose New York residents to meaningful harm, such as a loss of privacy or financial harm due to identity theft; or (f) that is generated by a person under the age of eighteen.State Tech. Law § 501(11)" means any data and metadata: (a) that pertains to a New York resident in a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 501(12); (b) that are generated by technologies in a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 501(12); (c) that can be used to infer data from a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 501(12); (d) about a New York resident, such as disability-related data, genomic data, biometric data, behavioral data, geolocation data, data related to the criminal justice system, relationship history, or legal status such as custody and divorce information, and home, work, or school environmental data; (e) that has the reasonable potential to be used in ways that are likely to expose New York residents to meaningful harm, such as a loss of privacy or financial harm due to identity theft; or (f) that is generated by a person under the age of eighteen. 12. "Sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 501(12)" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights. 13. "Surveillance technologySurveillance technology"Surveillance technology" means products or services marketed for or that can be lawfully used to detect, monitor, intercept, collect, exploit, preserve, protect, transmit, or retain data, identifying information, or communications concerning New York residents or groups.State Tech. Law § 501(13)" means products or services marketed for or that can be lawfully used to detect, monitor, intercept, collect, exploit, preserve, protect, transmit, or retain data, identifying information, or communications concerning New York residents or groups. 14. "Underserved communitiesUnderserved communities"Underserved communities" means communities that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.State Tech. Law § 501(14)" means communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7) that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.
Section 501 establishes fourteen definitions for the new Article V. The definition of automated system is remarkably broad — it covers any system, software, or process using computation that affects New York residents, with only passive computing infrastructure excluded. Unlike most state AI bills, this section does not define a specific covered entity type (such as 'developer,' 'deployer,' or 'operator'); the application section (§ 502) instead applies obligations to 'persons developing automated systems.' The algorithmic discrimination definition tracks New York Human Rights Law protected classes and adds a catch-all for any classification protected by law.
§ 502. Application. The rights contained within this article shall be construed as applying to New York residents against persons developing automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) that have the potential to meaningfully impact New York residents': 1. civil rights, civil liberties, and privacyCivil rights, civil liberties, and privacy"Civil rights, civil liberties, and privacy" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance.State Tech. Law § 501(1); 2. equal opportunities; or 3. access to critical resources or servicesAccess to critical resources or services"Access to critical resources or services" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits.State Tech. Law § 501(3).
Section 502 defines the scope of the bill's application. The rights apply to New York residents against persons developing automated systems that have the potential to meaningfully impact residents' civil rights, equal opportunities, or access to critical resources. The bill does not formally define 'persons developing automated systems' as a term of art, but this phrase functions as the bill's covered entity concept. The scope is extremely broad — any automated system with the potential to meaningfully impact the enumerated interests triggers coverage.
§ 503. Construction. The rights contained within this article shall be construed as harmonious and mutually supportive.
Section 503 is a construction clause directing that the rights in the article be read as harmonious and mutually supportive. It creates no independent compliance obligation.
(1) 1 New York residents have the right to be protected from unsafe or ineffective automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5). These systems must be developed in collaboration with diverse communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7), stakeholders, and domain experts to identify and address any potential concerns, risks, or impacts.
(2) 2 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall undergo pre-deployment testing, risk identification and mitigation, and shall also be subjected to ongoing monitoring that demonstrates they are safe and effective based on their intended use, mitigation of unsafe outcomes including those beyond the intended use, and adherence to domain-specific standards.
(3) 3 If an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) fails to meet the requirements of this section, it shall not be deployed or, if already in use, shall be removed. No automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall be designed with the intent or a reasonably foreseeable possibility of endangering the safety of any New York resident or New York communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7).
(4) 4 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall be designed to proactively protect New York residents from harm stemming from unintended, yet foreseeable, uses or impacts.
(5) 5 New York residents are entitled to protection from inappropriate or irrelevant data use in the design, development, and deployment of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5), and from the compounded harm of its reuse.
(6) 6 Independent evaluation and reporting that confirms that the system is safe and effective, including reporting of steps taken to mitigate potential harms, shall be performed and the results made public whenever possible.
Section 504 establishes the right to be protected from unsafe or ineffective automated systems. It imposes a layered safety framework: community-collaborative development (subd. 1), pre-deployment testing with ongoing monitoring (subd. 2), a deployment-bar and removal obligation for non-compliant systems plus a prohibition on systems designed to endanger safety (subd. 3), proactive protection against foreseeable misuse (subd. 4), protection from inappropriate data use (subd. 5), and independent evaluation with public reporting (subd. 6). The obligations are drafted broadly and aspirationally, with limited specificity regarding testing methodologies or reporting standards.
(1) 7 No New York resident shall face discrimination by algorithms, and all automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall be used and designed in an equitable manner.
(2)–(3) 8 2. The designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall take proactive and continuous measures to protect New York residents and communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7) from algorithmic discriminationAlgorithmic discrimination"Algorithmic discrimination" means circumstances where an automated system contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law.State Tech. Law § 501(4), ensuring the use and design of these systems in an equitable manner. 3. The protective measures required by this section shall include proactive equityEquity"Equity" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality.State Tech. Law § 501(10) assessments as part of the system design, use of representative data, protection against proxies for demographic features, and assurance of accessibility for New York residents with disabilities in design and development.
(4) 9 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall undergo pre-deployment and ongoing disparity testing and mitigation, under clear organizational oversight.
(5)–(6) 10 5. Independent evaluations and plain language reporting in the form of an algorithmic impact assessment, including disparity testing results and mitigation information, shall be conducted for all automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5). 6. New York residents shall have the right to view such evaluations and reports.
Section 505 establishes a prohibition on algorithmic discrimination and requires proactive, continuous protective measures by designers, developers, and deployers. The required measures include equity assessments, representative data use, proxy-variable protections, and accessibility for persons with disabilities (subd. 3). Pre-deployment and ongoing disparity testing is mandated under organizational oversight (subd. 4). Independent evaluations in the form of algorithmic impact assessments, including disparity testing results and mitigation, must be conducted and made available to residents (subds. 5–6). The section is notable for explicitly applying obligations to all three actor types — designers, developers, and deployers — rather than just one.
(1)–(2) 11 1. New York residents shall be protected from abusive data practices via built-in protections and shall maintain agency over the use of their personal data. 2. Privacy violations shall be mitigated through design choices that include privacy protections by default, ensuring that data collection conforms to reasonable expectations and that only strictly necessary data for the specific context is collected.
(3) 12 Designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) must seek and respect the decisions of New York residents regarding the collection, use, access, transfer, and deletion of their data in all appropriate ways and to the fullest extent possible. Where not possible, alternative privacy by design safeguards must be implemented.
(4) 13 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall not employ user experience or design decisions that obscure user choice or burden users with default settings that are privacy-invasive.
(5)–(6) 14 5. Consent shall be used to justify the collection of data only in instances where it can be appropriately and meaningfully given. Any consent requests shall be brief, understandable in plain language, and provide New York residents with agency over data collection and its specific context of use. 6. Any existing practice of complex notice-and-choice for broad data use shall be transformed, emphasizing clarity and user comprehension.
(7) 15 Enhanced protections and restrictions shall be established for data and inferences related to sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 501(12). In sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 501(12), individual data and related inferences may only be used for necessary functions, safeguarded by ethical review and use prohibitions.
(8)–(9) 16 8. New York residents and New York communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 501(7) shall be free from unchecked surveillance; surveillance technologies shall be subject to heightened oversight, including at least pre-deployment assessment of their potential harms and scope limits to protect privacy and civil liberties. 9. Continuous surveillance and monitoring shall not be used in education, work, housing, or any other contexts where the use of such surveillance technologies is likely to limit rights, opportunities, or access.
(10) 17 Whenever possible, New York residents shall have access to reporting that confirms respect for their data decisions and provides an assessment of the potential impact of surveillance technologies on their rights, opportunities, or access.
Section 506 establishes a comprehensive set of data privacy rights and restrictions for automated systems. It covers privacy-by-default design (subd. 2), user agency over data collection, use, access, transfer, and deletion (subd. 3), a prohibition on privacy-invasive default settings and dark patterns (subd. 4), meaningful consent requirements (subd. 5), transformation of complex notice-and-choice practices (subd. 6), enhanced protections for sensitive-domain data (subd. 7), restrictions on surveillance technologies (subds. 8–9), and user access to reporting on data practices and surveillance impact (subd. 10). The scope is extremely broad — obligations apply to all automated systems, not just high-risk ones.
(1) 18 New York residents shall be informed when an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) is in use and New York residents shall be informed how and why the system contributes to outcomes that impact them.
(2) 19 Designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall provide accessible plain language documentation, including clear descriptions of the overall system functioning, the role of automation, notice of system use, identification of the individual or organization responsible for the system, and clear, timely, and accessible explanations of outcomes.
(3) 19 The provided notice shall be kept up-to-date, and New York residents impacted by the system shall be notified of any significant changes to use cases or key functionalities.
(4)–(5) 20 4. New York residents shall have the right to understand how and why an outcome impacting them was determined by an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5), even when the automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) is not the sole determinant of the outcome. 5. Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) shall provide explanations that are technically valid, meaningful to the individual and any other persons who need to understand the system and proportionate to the level of risk based on the context.
(6) 21 Summary reporting, including plain language information about these automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) and assessments of the clarity and quality of notice and explanations, shall be made public whenever possible.
Section 507 establishes rights to notice and explanation when automated systems are in use. It requires accessible plain language documentation covering system functioning, the role of automation, notice of system use, identification of the responsible party, and explanations of outcomes (subd. 2). Notice must be kept up to date, with notification of significant changes (subd. 3). Residents have a right to understand how and why an automated system determined an outcome impacting them, even when the system is not the sole determinant (subd. 4). Explanations must be technically valid, meaningful to the individual, and proportionate to risk (subd. 5). Summary reporting on system functioning and notice quality must be made public whenever possible (subd. 6).
(1) 22 New York residents shall have the right to opt out of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5), where appropriate, in favor of a human alternative. The appropriateness of such an option shall be determined based on reasonable expectations in a given context, with a focus on ensuring broad accessibility and protecting the public from particularly harmful impacts. In some instances, a human or other alternative may be mandated by law.
(2)–(3) 23 2. New York residents shall have access to a timely human consideration and remedy through a fallback and escalation process if an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) fails, produces an error, or if they wish to appeal or contest its impacts on them. 3. The human consideration and fallback process shall be accessible, equitable, effective, maintained, accompanied by appropriate operator training, and should not impose an unreasonable burden on the public.
(4) 24 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) intended for use within sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 501(12), including but not limited to criminal justice, employment, education, and health, shall additionally be tailored to their purpose, provide meaningful access for oversight, include training for New York residents interacting with the system, and incorporate human consideration for adverse or high-risk decisions.
(5) 25 Summary reporting, which includes a description of such human governance processes and an assessment of their timeliness, accessibility, outcomes, and effectiveness, shall be made publicly available whenever possible.
Section 508 establishes rights to opt out of automated systems in favor of human alternatives (subd. 1), access to timely human consideration and remedy through fallback and escalation processes (subd. 2), and requirements for the human fallback process to be accessible, equitable, effective, maintained, and accompanied by operator training (subd. 3). Sensitive-domain systems face additional requirements: tailoring to purpose, meaningful oversight access, user training, and human consideration for adverse or high-risk decisions (subd. 4). Summary reporting on human governance processes must be made public whenever possible (subd. 5). The opt-out right is qualified by 'where appropriate,' introducing significant discretion.
(1)–(3) 1. Where an operator of an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) violates or causes a violation of any of the rights stated within this article, such operator shall be liable to the people of this state for a penalty not less than three times such damages caused. 2. The penalty provided for in subdivision one of this section may be recovered by an action brought by the attorney general in any court of competent jurisdiction. 3. Nothing set forth in this article shall be construed as creating, establishing, or authorizing a private cause of action by an aggrieved person against an operator of an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 501(5) who has violated, or is alleged to have violated, any provision of this article.
Section 509 establishes the enforcement mechanism. An operator who violates any right in the article is liable for a penalty of not less than three times the damages caused, recoverable only by the attorney general. The section expressly disclaims any private cause of action. The treble-damages penalty floor requires proof of actual damages, as there is no fixed statutory minimum or maximum.