WHAT THIS BILL REGULATES · 8 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
As used in this article, the following terms shall have the following meanings: 1. "Civil rights, civil liberties, and privacyCivil rights, civil liberties, and privacy"Civil rights, civil liberties, and privacy" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance.State Tech. Law § 401(1)" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance. 2. "Equal opportunityEqual opportunity"Equal opportunity" means equal access to education, housing, credit, employment, and other programs.State Tech. Law § 401(2)" means equal access to education, housing, credit, employment, and other programs. 3. "Access to critical resources or servicesAccess to critical resources or services"Access to critical resources or services" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits.State Tech. Law § 401(3)" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits. 4. "Algorithmic discriminationAlgorithmic discrimination"Algorithmic discrimination" means circumstances where an automated system contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law.State Tech. Law § 401(4)" means circumstances where an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law. 5. "Automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5)" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7). Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructurePassive computing infrastructure"Passive computing infrastructure" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity.State Tech. Law § 401(6). 6. "Passive computing infrastructurePassive computing infrastructure"Passive computing infrastructure" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity.State Tech. Law § 401(6)" shall include any intermediary technology that does not influence or determine the outcome of decisions, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity. 7. "CommunitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7)" means neighborhoods, social networkSocial network"Social network" means any connection of persons which exists online or offline.State Tech. Law § 401(8) connections, familiesFamilies"Families" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being.State Tech. Law § 401(9), people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7). 8. "Social networkSocial network"Social network" means any connection of persons which exists online or offline.State Tech. Law § 401(8)" means any connection of persons which exists online or offline. 9. "FamiliesFamilies"Families" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being.State Tech. Law § 401(9)" means any relationship, whether by blood, choice, or otherwise, where one or more persons assume a caregiver role, primary or shared, for one or more others, or where individuals mutually support and are committed to each other's well-being. 10. "EquityEquity"Equity" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality.State Tech. Law § 401(10)" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communitiesUnderserved communities"Underserved communities" means communities that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.State Tech. Law § 401(14) that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. 11. "Sensitive dataSensitive data"Sensitive data" means any data and metadata: (a) that pertains to a New York resident in a sensitive domain; (b) that are generated by technologies in a sensitive domain; (c) that can be used to infer data from a sensitive domain; (d) about a New York resident, such as disability-related data, genomic data, biometric data, behavioral data, geolocation data, data related to the criminal justice system, relationship history, or legal status such as custody and divorce information, and home, work, or school environmental data; (e) that has the reasonable potential to be used in ways that are likely to expose New York residents to meaningful harm, such as a loss of privacy or financial harm due to identity theft; or (f) that is generated by a person under the age of eighteen.State Tech. Law § 401(11)" means any data and metadata: (a) that pertains to a New York resident in a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12); (b) that are generated by technologies in a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12); (c) that can be used to infer data from a sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12); (d) about a New York resident, such as disability-related data, genomic data, biometric data, behavioral data, geolocation data, data related to the criminal justice system, relationship history, or legal status such as custody and divorce information, and home, work, or school environmental data; (e) that has the reasonable potential to be used in ways that are likely to expose New York residents to meaningful harm, such as a loss of privacy or financial harm due to identity theft; or (f) that is generated by a person under the age of eighteen. 12. "Sensitive domainSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12)" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights. 13. "Surveillance technologySurveillance technology"Surveillance technology" means products or services marketed for or that can be lawfully used to detect, monitor, intercept, collect, exploit, preserve, protect, transmit, or retain data, identifying information, or communications concerning New York residents or groups.State Tech. Law § 401(13)" means products or services marketed for or that can be lawfully used to detect, monitor, intercept, collect, exploit, preserve, protect, transmit, or retain data, identifying information, or communications concerning New York residents or groups. 14. "Underserved communitiesUnderserved communities"Underserved communities" means communities that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.State Tech. Law § 401(14)" means communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7) that have been systematically denied a full opportunity to participate in aspects of economic, social, and civic life.
Section 401 establishes fourteen defined terms that govern the scope and application of the entire article. The most consequential definition is automated system, which is extraordinarily broad — covering any computation-based system, software, or process that affects New York residents by determining outcomes, making or aiding decisions, informing policy, collecting data, or otherwise interacting with residents or communities. The definition expressly includes systems derived from machine learning, statistics, or AI techniques, and excludes only passive computing infrastructure. Algorithmic discrimination is defined to cover unjustified differential treatment across an extensive list of protected characteristics that mirrors and exceeds typical state civil rights categories.
The rights contained within this article shall be construed as applying to New York residents against persons developing automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) that have the potential to meaningfully impact New York residents': 1. civil rights, civil liberties, and privacyCivil rights, civil liberties, and privacy"Civil rights, civil liberties, and privacy" or "rights, opportunity, and access" means such rights and protections provided for in the United States Constitution, federal law, the laws and constitution of the state of New York, and privacy and other freedoms that exist in both the public and private sector contexts, which shall include, but shall not be limited to: (a) freedom of speech; (b) voting rights; (c) protections from discrimination; (d) protections from excessive or unjust punishment; and (e) protections from unlawful surveillance.State Tech. Law § 401(1); 2. equal opportunities; or 3. access to critical resources or servicesAccess to critical resources or services"Access to critical resources or services" means such resources and services that are fundamental for the well-being, security, and equitable participation of New York residents in society, which shall include, but shall not be limited to: (a) healthcare; (b) financial services; (c) safety; (d) social services; (e) non-deceptive information about goods and services; and (f) government benefits.State Tech. Law § 401(3).
Section 402 defines the article's scope by establishing that the rights apply to New York residents against persons developing automated systems that have the potential to meaningfully impact residents' civil rights, civil liberties, and privacy; equal opportunities; or access to critical resources or services. The bill uses the broad term persons developing automated systems rather than defining specific covered-entity categories such as 'developer,' 'deployer,' or 'operator.' This creates an unusually wide applicability scope — any person involved in developing a system that could meaningfully impact the enumerated interests is potentially subject to the article's obligations.
The rights contained within this article shall be construed as harmonious and mutually supportive.
Section 403 is a brief construction clause directing that the rights within the article be interpreted as harmonious and mutually supportive. This is a standard savings-clause provision that creates no independent compliance obligation.
(1) 1 New York residents have the right to be protected from unsafe or ineffective automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5). These systems must be developed in collaboration with diverse communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7), stakeholders, and domain experts to identify and address any potential concerns, risks, or impacts.
(2)–(3) 2 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall undergo pre-deployment testing, risk identification and mitigation, and shall also be subjected to ongoing monitoring that demonstrates they are safe and effective based on their intended use, mitigation of unsafe outcomes including those beyond the intended use, and adherence to domain-specific standards. If an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) fails to meet the requirements of this section, it shall not be deployed or, if already in use, shall be removed. No automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall be designed with the intent or a reasonably foreseeable possibility of endangering the safety of any New York resident or New York communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7).
(4) 2 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall be designed to proactively protect New York residents from harm stemming from unintended, yet foreseeable, uses or impacts.
(5) 3 New York residents are entitled to protection from inappropriate or irrelevant data use in the design, development, and deployment of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5), and from the compounded harm of its reuse.
(6) 4 Independent evaluation and reporting that confirms that the system is safe and effective, including reporting of steps taken to mitigate potential harms, shall be performed and the results made public whenever possible.
Section 404 establishes a multi-layered safety obligation for automated systems. It requires collaborative development with diverse communities and domain experts, mandatory pre-deployment testing and risk identification, ongoing monitoring post-deployment, and removal of systems that fail safety requirements. Systems may not be designed with the intent or a reasonably foreseeable possibility of endangering residents. The section also requires independent evaluation and public reporting of safety results whenever possible, and mandates that systems proactively protect against foreseeable harms from unintended uses.
Notably, subdivision 5 introduces a data-relevance requirement — protecting residents from inappropriate or irrelevant data use — that straddles safety and data governance. Subdivision 6 requires independent evaluation results to be made public, creating an affirmative transparency obligation tied to safety.
(1)–(2) 5 No New York resident shall face discrimination by algorithms, and all automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall be used and designed in an equitable manner. The designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall take proactive and continuous measures to protect New York residents and communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7) from algorithmic discriminationAlgorithmic discrimination"Algorithmic discrimination" means circumstances where an automated system contributes to an unjustified different treatment or impact which disfavors people based on their age, color, creed, disability, domestic violence victim status, gender identity or expression, familial status, marital status, military status, national origin, predisposing genetic characteristics, pregnancy-related condition, prior arrest or conviction record, race, sex, sexual orientation, or veteran status or any other classification protected by law.State Tech. Law § 401(4), ensuring the use and design of these systems in an equitable manner.
(3)–(4) 6 The protective measures required by this section shall include proactive equityEquity"Equity" means the consistent and systematic fair, just, and impartial treatment of all New York residents. Systemic, fair, and just treatment shall take into account the status of New York residents who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; women, girls, and non-binary people; lesbian, gay, bisexual, transgender, queer, and intersex persons; older adults; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality.State Tech. Law § 401(10) assessments as part of the system design, use of representative data, protection against proxies for demographic features, and assurance of accessibility for New York residents with disabilities in design and development. Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall undergo pre-deployment and ongoing disparity testing and mitigation, under clear organizational oversight.
(5)–(6) 7 Independent evaluations and plain language reporting in the form of an algorithmic impact assessment, including disparity testing results and mitigation information, shall be conducted for all automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5). New York residents shall have the right to view such evaluations and reports.
Section 405 prohibits algorithmic discrimination and imposes affirmative anti-discrimination obligations on designers, developers, and deployers of automated systems. It requires proactive and continuous equity measures, including equity assessments during system design, use of representative data, protection against demographic-proxy variables, and accessibility for persons with disabilities. Systems must undergo pre-deployment and ongoing disparity testing under clear organizational oversight.
Subdivision 5 mandates independent evaluations in the form of algorithmic impact assessments with plain-language reporting, including disparity testing results and mitigation information. Subdivision 6 grants residents the right to view those evaluations and reports, creating an affirmative public-disclosure obligation.
(1)–(2) 8 New York residents shall be protected from abusive data practices via built-in protections and shall maintain agency over the use of their personal data. Privacy violations shall be mitigated through design choices that include privacy protections by default, ensuring that data collection conforms to reasonable expectations and that only strictly necessary data for the specific context is collected.
(3) 9 Designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) must seek and respect the decisions of New York residents regarding the collection, use, access, transfer, and deletion of their data in all appropriate ways and to the fullest extent possible. Where not possible, alternative privacy by design safeguards must be implemented.
(4) 10 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall not employ user experience or design decisions that obscure user choice or burden users with default settings that are privacy-invasive.
(5)–(6) 11 Consent shall be used to justify the collection of data only in instances where it can be appropriately and meaningfully given. Any consent requests shall be brief, understandable in plain language, and provide New York residents with agency over data collection and its specific context of use. Any existing practice of complex notice-and-choice for broad data use shall be transformed, emphasizing clarity and user comprehension.
(7) 12 Enhanced protections and restrictions shall be established for data and inferences related to sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12). In sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12), individual data and related inferences may only be used for necessary functions, safeguarded by ethical review and use prohibitions.
(8)–(9) 13 New York residents and New York communitiesCommunities"Communities" means neighborhoods, social network connections, families, people connected by affinity, identity, or shared traits and formal organizational ties. This includes Tribes, Clans, Bands, Rancherias, Villages, and other Indigenous communities.State Tech. Law § 401(7) shall be free from unchecked surveillance; surveillance technologies shall be subject to heightened oversight, including at least pre-deployment assessment of their potential harms and scope limits to protect privacy and civil liberties. Continuous surveillance and monitoring shall not be used in education, work, housing, or any other contexts where the use of such surveillance technologies is likely to limit rights, opportunities, or access.
(10) 14 Whenever possible, New York residents shall have access to reporting that confirms respect for their data decisions and provides an assessment of the potential impact of surveillance technologies on their rights, opportunities, or access.
Section 406 is the article's most detailed section, establishing ten subdivisions covering data privacy, consent, surveillance restrictions, and sensitive-data protections. It requires privacy-by-default design, meaningful consent practices, data minimization (only strictly necessary data for the specific context), and respect for resident data decisions regarding collection, use, access, transfer, and deletion. Designers, developers, and deployers may not use deceptive interface patterns that obscure user choice or impose privacy-invasive defaults.
Subdivisions 7 through 9 address sensitive domains and surveillance. Sensitive-domain data and related inferences may only be used for necessary functions subject to ethical review and use prohibitions. Surveillance technologies must undergo pre-deployment assessment and be subject to heightened oversight. Continuous surveillance and monitoring are prohibited in education, work, housing, and other contexts where use is likely to limit rights, opportunities, or access. Subdivision 10 requires resident access to reporting on data-decision compliance and surveillance-impact assessments whenever possible.
(1) 15 New York residents shall be informed when an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) is in use and New York residents shall be informed how and why the system contributes to outcomes that impact them.
(2)–(3) 16 Designers, developers, and deployers of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall provide accessible plain language documentation, including clear descriptions of the overall system functioning, the role of automation, notice of system use, identification of the individual or organization responsible for the system, and clear, timely, and accessible explanations of outcomes. The provided notice shall be kept up-to-date, and New York residents impacted by the system shall be notified of any significant changes to use cases or key functionalities.
(4)–(5) 17 New York residents shall have the right to understand how and why an outcome impacting them was determined by an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5), even when the automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) is not the sole determinant of the outcome. Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) shall provide explanations that are technically valid, meaningful to the individual and any other persons who need to understand the system and proportionate to the level of risk based on the context.
(6) 18 Summary reporting, including plain language information about these automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) and assessments of the clarity and quality of notice and explanations, shall be made public whenever possible.
Section 407 establishes notice, explanation, and transparency obligations for automated systems. Residents must be informed when an automated system is in use, must be told how and why the system contributes to outcomes that impact them, and must receive accessible plain-language documentation covering overall system functioning, the role of automation, notice of system use, identification of the responsible individual or organization, and clear explanations of outcomes. Notice must be kept current and residents must be notified of significant changes to use cases or key functionalities.
Subdivision 4 creates an individual explanation right — residents have the right to understand how and why an automated system determined an outcome impacting them, even when the system is not the sole determinant. Subdivision 5 requires that explanations be technically valid, meaningful to the individual, and proportionate to the risk context. Subdivision 6 requires public summary reporting on system assessments and the clarity of notice and explanations whenever possible.
(1) 19 New York residents shall have the right to opt out of automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5), where appropriate, in favor of a human alternative. The appropriateness of such an option shall be determined based on reasonable expectations in a given context, with a focus on ensuring broad accessibility and protecting the public from particularly harmful impacts. In some instances, a human or other alternative may be mandated by law.
(2)–(3) 20 New York residents shall have access to a timely human consideration and remedy through a fallback and escalation process if an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) fails, produces an error, or if they wish to appeal or contest its impacts on them. The human consideration and fallback process shall be accessible, equitable, effective, maintained, accompanied by appropriate operator training, and should not impose an unreasonable burden on the public.
(4) 21 Automated systemsAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) intended for use within sensitive domainsSensitive domain"Sensitive domain" means a particular area, field, or sphere of activity in which activities being conducted can cause material harms, including significant adverse effects on human rights such as autonomy and dignity, as well as civil liberties and civil rights.State Tech. Law § 401(12), including but not limited to criminal justice, employment, education, and health, shall additionally be tailored to their purpose, provide meaningful access for oversight, include training for New York residents interacting with the system, and incorporate human consideration for adverse or high-risk decisions.
(5) 22 Summary reporting, which includes a description of such human governance processes and an assessment of their timeliness, accessibility, outcomes, and effectiveness, shall be made publicly available whenever possible.
Section 408 establishes the right of New York residents to opt out of automated systems in favor of human alternatives where appropriate, and to access a timely human-consideration and remedy process through a fallback and escalation mechanism when systems fail, produce errors, or when residents wish to appeal or contest outcomes. The human fallback process must be accessible, equitable, effective, maintained, accompanied by operator training, and must not impose an unreasonable burden on the public.
Subdivision 4 imposes heightened requirements for automated systems in sensitive domains — including criminal justice, employment, education, and health — requiring systems to be tailored to their purpose, provide meaningful oversight access, include user training, and incorporate human consideration for adverse or high-risk decisions. Subdivision 5 requires public summary reporting on human governance processes including timeliness, accessibility, outcomes, and effectiveness assessments.
(1)–(2) Where an operator of an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) violates or causes a violation of any of the rights stated within this article, such operator shall be liable to the people of this state for a penalty not less than three times such damages caused. The penalty provided for in subdivision one of this section may be recovered by an action brought by the attorney general in any court of competent jurisdiction.
(3) Nothing set forth in this article shall be construed as creating, establishing, or authorizing a private cause of action by an aggrieved person against an operator of an automated systemAutomated system"Automated system" means any system, software, or process that affects New York residents and that uses computation as a whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with New York residents or communities. Automated systems shall include, but not be limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and shall exclude passive computing infrastructure.State Tech. Law § 401(5) who has violated, or is alleged to have violated, any provision of this article.
Section 409 establishes the enforcement mechanism for the article. Operators who violate the article are liable for a penalty of not less than three times the damages caused — a treble-damages floor with no stated ceiling. Only the attorney general may bring an action to recover the penalty; no private right of action is created. The express no-private-cause-of-action provision in subdivision 3 forecloses individual enforcement.