WHAT THIS BILL REGULATES · 8 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
As used in this article, the following terms shall have the following meanings: 1. "Civil rights, civil liberties, and privacyCivil rights, civil liberties, and privacy"Civil rights, civil liberties, and privacy" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance.State Tech. Law § 401(1)" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance. 2. "Equal opportunityEqual opportunity"Equal opportunity" means equal access to education, housing, credit, employment, and other programs.State Tech. Law § 401(2)" means equal access to education, housing, credit, employment, and other programs. 3. "Access to critical resources or servicesAccess to critical resources or services"Access to critical resources or services" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits.State Tech. Law § 401(3)" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits. 4. "Algorithmic discriminationAlgorithmic discrimination"Algorithmic discrimination" means circumstances where an automated system contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law.State Tech. Law § 401(4)" means circumstances where an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law. 5. "Automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5)" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7). Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructurePassive computing infrastructure"Passive computing infrastructure" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity.State Tech. Law § 401(6). 6. "Passive computing infrastructurePassive computing infrastructure"Passive computing infrastructure" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity.State Tech. Law § 401(6)" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity. 7. "CommunitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7)" means neighborhoods, social networkSocial network"Social network" means any connection of persons which exists online or offline.State Tech. Law § 401(8) connections, familiesFamilies"Families" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being.State Tech. Law § 401(9), people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7). 8. "Social networkSocial network"Social network" means any connection of persons which exists online or offline.State Tech. Law § 401(8)" means any connection of persons which exists online or offline. 9. "FamiliesFamilies"Families" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being.State Tech. Law § 401(9)" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being. 10. "EquityEquity"Equity" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality.State Tech. Law § 401(10)" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communitiesUnderserved communities"Underserved communities" means communities that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.State Tech. Law § 401(14) that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. 11. "Sensitive dataSensitive data"Sensitive data" means any data and metadata: (a) that pertains to a New York resident in a sensitive domain; (b) that are generated by technologies in a sensitive domain; (c) that can be used to infer data from a sensitive domain; (d) about a New York resident, such as disability-related data, genomic data, biometric data, behavioral data, geolocation data, data related to the criminal justice system, relationship history, or legal status such as custody and divorce information, and home, work, or school environmental data; (e) that has the reasonable potential to be used in ways that are likely to expose New York residents to meaningful harm, such as a loss of privacy or financial harm due to identity theft; or (f) that is generated by a person under the age of eighteen.State Tech. Law § 401(11)" means any data and metadata: (a) that pertains to a New York resident in a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12); (b) that are generated by technologies in a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12); (c) that can be used to infer data from a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12); (d) about a New York resident, such as disability-related data, genomic data, biometric data, behavioral data, geolocation data, data related to the criminal justice system, relationship history, or legal status such as custody and divorce information, and home, work, or school environmental data; (e) that has the reasonable potential to be used in ways that are likely to expose New York residents to meaningful harm, such as a loss of privacy or financial harm due to identity theft; or (f) that is generated by a person under the age of eighteen. 12. "Sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12)" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights. 13. "Surveillance technologySurveillance technology"Surveillance technology" means products or services marketed for or that can be lawfully used to detect, monitor, intercept, collect, exploit, preserve, protect, transmit, or retain data, identifying information, or communications concerning New York residents or groups.State Tech. Law § 401(13)" means products or services marketed for or that can be lawfully used to detect, monitor, intercept, collect, exploit, preserve, protect, transmit, or retain data, identifying information, or communications concerning New York residents or groups. 14. "Underserved communitiesUnderserved communities"Underserved communities" means communities that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.State Tech. Law § 401(14)" means communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7) that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.
Section 401 establishes fourteen defined terms that govern the scope and interpretation of the bill. The most consequential definition is automated system, which is extraordinarily broad — covering any system, software, or process that uses computation to determine outcomes, make or aid decisions, inform policy, collect data, or otherwise interact with New York residents. The only carve-out is for passive computing infrastructure such as web hosting, networking, and data storage. The definition of algorithmic discrimination tracks New York's extensive list of protected characteristics, including domestic violence victim status, predisposing genetic characteristics, and prior arrest or conviction record.
The rights contained within this article shall be construed as applying to New York residents against persons developing automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) that have the potential to meaningfully impact New York residents': 1. civil rights, civil liberties, and privacyCivil rights, civil liberties, and privacy"Civil rights, civil liberties, and privacy" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance.State Tech. Law § 401(1); 2. equal opportunities; or 3. access to critical resources or servicesAccess to critical resources or services"Access to critical resources or services" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits.State Tech. Law § 401(3).
Section 402 defines the scope of the entire article: it applies to New York residents against persons developing automated systems that have the potential to meaningfully impact residents' civil rights, civil liberties, and privacy; equal opportunities; or access to critical resources or services. Notably, the statute does not formally define the term operator or any other covered-entity term in the definitions section, though § 409 uses the word 'operator' to identify the party subject to penalties. The application section itself refers to 'persons developing automated systems,' which is broader than the penalty section's use of 'operator.'
The rights contained within this article shall be construed as harmonious and mutually supportive.
Section 403 is a construction clause directing that all rights in the article be construed as harmonious and mutually supportive. It creates no independent compliance obligation.
(1) 1 New York residents have the right to be protected from unsafe or ineffective automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5). These systems must be developed in collaboration with diverse communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7), stakeholders, and domain experts to identify and address any potential concerns, risks, or impacts.
(2) 2 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall undergo pre-deployment testing, risk identification and mitigation, and shall also be subjected to ongoing monitoring that demonstrates they are safe and effective based on their intended use, mitigation of unsafe outcomes including those beyond the intended use, and adherence to domain-specific standards.
(3) 3 If an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) fails to meet the requirements of this section, it shall not be deployed or, if already in use, shall be removed. No automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall be designed with the intent or a reasonably foreseeable possibility of endangering the safety of any New York resident or New York communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7).
(4) 2 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall be designed to proactively protect New York residents from harm stemming from unintended, yet foreseeable, uses or impacts.
(5) 4 New York residents are entitled to protection from inappropriate or irrelevant data use in the design, development, and deployment of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5), and from the compounded harm of its reuse.
(6) 5 Independent evaluation and reporting that confirms that the system is safe and effective, including reporting of steps taken to mitigate potential harms, shall be performed and the results made public whenever possible.
Section 404 imposes safety and effectiveness requirements on automated systems that meaningfully impact New York residents. It requires pre-deployment testing, risk identification and mitigation, and ongoing monitoring. Systems that fail to meet these requirements must not be deployed or must be removed. An independent evaluation and public reporting obligation applies 'whenever possible.' The section also imposes a design-level obligation: no system may be designed with the intent or reasonably foreseeable possibility of endangering residents, and systems must proactively protect against foreseeable unintended uses. The broad framing — covering any automated system with meaningful impact — combined with the aspirational qualifiers ('whenever possible') makes operational compliance challenging to scope.
(1) 6 No New York resident shall face discrimination by algorithms, and all automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall be used and designed in an equitable manner.
(2)–(3) 7 The designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall take proactive and continuous measures to protect New York residents and communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7) from algorithmic discriminationAlgorithmic discrimination"Algorithmic discrimination" means circumstances where an automated system contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law.State Tech. Law § 401(4), ensuring the use and design of these systems in an equitable manner. The protective measures required by this section shall include proactive equityEquity"Equity" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality.State Tech. Law § 401(10) assessments as part of the system design, use of representative data, protection against proxies for demographic features, and assurance of accessibility for New York residents with disabilities in design and development.
(4) 8 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall undergo pre-deployment and ongoing disparity testing and mitigation, under clear organizational oversight.
(5)–(6) 9 Independent evaluations and plain language reporting in the form of an algorithmic impact assessment, including disparity testing results and mitigation information, shall be conducted for all automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5). New York residents shall have the right to view such evaluations and reports.
Section 405 establishes a prohibition on algorithmic discrimination and requires proactive and continuous measures to ensure equitable use and design of automated systems. The required protective measures include proactive equity assessments, use of representative data, protection against proxies for demographic features, and accessibility for persons with disabilities. Pre-deployment and ongoing disparity testing with clear organizational oversight is mandated. Independent evaluations in the form of algorithmic impact assessments — including disparity testing results and mitigation information — must be conducted for all automated systems, and New York residents must have the right to view them. The section imposes obligations on designers, developers, and deployers collectively.
(1)–(2) 10 New York residents shall be protected from abusive data practices via built-in protections and shall maintain agency over the use of their personal data. Privacy violations shall be mitigated through design choices that include privacy protections by default, ensuring that data collection conforms to reasonable expectations and that only strictly necessary data for the specific context is collected.
(3) 11 Designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) must seek and respect the decisions of New York residents regarding the collection, use, access, transfer, and deletion of their data in all appropriate ways and to the fullest extent possible. Where not possible, alternative privacy by design safeguards must be implemented.
(4) 12 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall not employ user experience or design decisions that obscure user choice or burden users with default settings that are privacy-invasive.
(5)–(6) 13 Consent shall be used to justify the collection of data only in instances where it can be appropriately and meaningfully given. Any consent requests shall be brief, understandable in plain language, and provide New York residents with agency over data collection and its specific context of use. Any existing practice of complex notice-and-choice for broad data use shall be transformed, emphasizing clarity and user comprehension.
(7) 14 Enhanced protections and restrictions shall be established for data and inferences related to sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12). In sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12), individual data and related inferences may only be used for necessary functions, safeguarded by ethical review and use prohibitions.
(8)–(9) 15 New York residents and New York communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7) shall be free from unchecked surveillance; surveillance technologies shall be subject to heightened oversight, including at least pre-deployment assessment of their potential harms and scope limits to protect privacy and civil liberties. Continuous surveillance and monitoring shall not be used in education, work, housing, or any other contexts where the use of such surveillance technologies is likely to limit rights, opportunities, or access.
(10) 16 Whenever possible, New York residents shall have access to reporting that confirms respect for their data decisions and provides an assessment of the potential impact of surveillance technologies on their rights, opportunities, or access.
Section 406 is the bill's data-privacy section, imposing a sweeping set of data governance obligations on designers, developers, and deployers of automated systems. It requires privacy-by-design and data minimization, respect for resident data decisions regarding collection, use, access, transfer, and deletion, prohibition on dark patterns that obscure privacy choices, meaningful consent practices, enhanced restrictions for sensitive-domain data and inferences, heightened oversight of surveillance technologies including pre-deployment harm assessment and scope limits, a prohibition on continuous surveillance in education, work, and housing contexts, and a public reporting obligation regarding data practices and surveillance impact assessments. Many provisions use aspirational qualifiers ('whenever possible,' 'to the fullest extent possible') that temper their enforceability.
(1) 17 New York residents shall be informed when an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) is in use and New York residents shall be informed how and why the system contributes to outcomes that impact them.
(2) 18 Designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall provide accessible plain language documentation, including clear descriptions of the overall system functioning, the role of automation, notice of system use, identification of the individual or organization responsible for the system, and clear, timely, and accessible explanations of outcomes.
(3) 18 The provided notice shall be kept up-to-date, and New York residents impacted by the system shall be notified of any significant changes to use cases or key functionalities.
(4)–(5) 19 New York residents shall have the right to understand how and why an outcome impacting them was determined by an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5), even when the automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) is not the sole determinant of the outcome. Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall provide explanations that are technically valid, meaningful to the individual and any other persons who need to understand the system and proportionate to the level of risk based on the context.
(6) 20 Summary reporting, including plain language information about these automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) and assessments of the clarity and quality of notice and explanations, shall be made public whenever possible.
Section 407 establishes a comprehensive notice-and-explanation framework for automated systems. It requires that New York residents be informed when an automated system is in use and receive explanations of how and why the system contributes to outcomes impacting them. Designers, developers, and deployers must provide accessible plain-language documentation covering system functioning, the role of automation, notice of system use, the responsible individual or organization, and clear explanations of outcomes. Notice must be kept current and residents must be notified of significant changes. Residents have a right to understand outcome determinations even when the system is not the sole determinant. Explanations must be technically valid, meaningful to the individual, and proportionate to risk level. Summary reporting must be made public 'whenever possible.'
(1) 21 New York residents shall have the right to opt out of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5), where appropriate, in favor of a human alternative. The appropriateness of such an option shall be determined based on reasonable expectations in a given context, with a focus on ensuring broad accessibility and protecting the public from particularly harmful impacts. In some instances, a human or other alternative may be mandated by law.
(2)–(3) 22 New York residents shall have access to a timely human consideration and remedy through a fallback and escalation process if an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) fails, produces an error, or if they wish to appeal or contest its impacts on them. The human consideration and fallback process shall be accessible, equitable, effective, maintained, accompanied by appropriate operator training, and should not impose an unreasonable burden on the public.
(4) 23 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) intended for use within sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12), including but not limited to criminal justice, employment, education, and health, shall additionally be tailored to their purpose, provide meaningful access for oversight, include training for New York residents interacting with the system, and incorporate human consideration for adverse or high-risk decisions.
(5) 24 Summary reporting, which includes a description of such human governance processes and an assessment of their timeliness, accessibility, outcomes, and effectiveness, shall be made publicly available whenever possible.
Section 408 establishes rights to opt out of automated systems in favor of human alternatives, to access a timely human consideration and remedy process when a system fails or produces errors, and to contest automated outcomes. The human fallback process must be accessible, equitable, effective, maintained, and accompanied by operator training. In sensitive domains — including criminal justice, employment, education, and health — additional tailoring is required, including meaningful access for oversight, user training, and human consideration for adverse or high-risk decisions. Summary reporting on governance processes and their timeliness, accessibility, outcomes, and effectiveness must be publicly available 'whenever possible.'
(1)–(3) Where an operator of an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) violates or causes a violation of any of the rights stated within this article, such operator shall be liable to the people of this state for a penalty not less than three times such damages caused. The penalty provided for in subdivision one of this section may be recovered by an action brought by the attorney general in any court of competent jurisdiction. Nothing set forth in this article shall be construed as creating, establishing, or authorizing a private cause of action by an aggrieved person against an operator of an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) who has violated, or is alleged to have violated, any provision of this article.
Section 409 establishes the enforcement framework: an operator of an automated system that violates any right in the article is liable for a penalty of not less than three times the damages caused. The penalty is recoverable only by the Attorney General; the statute explicitly bars private causes of action. The treble-damages floor is notable, but the absence of statutory minimum dollar amounts and the requirement to prove actual damages may limit practical enforcement. The term 'operator' is used here as the liable party but is not defined in § 401.