Individuals have rights to know, correct, and in some jurisdictions opt out of automated processing of their personal data for consequential decisions. Organizations face restrictions on using sensitive personal attributes in AI decision-making and must minimize data collection to what is necessary for the stated purpose. AI-generated inferences and derived attributes are themselves subject to these controls.
(f) Each covered entity shall collect and store only information that does not conflict with a trusted party's best interests, which must be: (1) Sufficient to fulfill a legitimate purpose of the covered entity; (2) Relevant to the legitimate purpose of the covered entity; and (3) The minimum amount of information needed for the legitimate purpose of the covered entity.
A chatbot provider may not: 1. Process personal data to inform a chatbot output unless processing personal data is necessary to fulfill an express request that is made by a user and the user provides affirmative consent.
A chatbot provider may not: 2. Process a user's chat log: (a) To determine whether to display an advertisement for a product or service to a user. (b) To determine a product or service or category of a product or service to advertise to a user. (c) To customize an advertisement for presentation to a user.
A chatbot provider may not: 3. Process a user's chat log and personal data: (a) If the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent. (b) For training purposes if the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent.
A chatbot provider may not: 3. Process a user's chat log and personal data: (c) for training purposes if the user is an adult, unless the chatbot provider first obtains affirmative consent.
A chatbot provider may not: 3. Process a user's chat log and personal data: (d) To engage in profiling beyond what is necessary to fulfill an express request. 4. Profile a user based on any classification or designation of the user's personality or behavioral characteristic beyond what is necessary to fulfill an express request made by the user.
A user has a right to access the user's own chat logs at any time. A chatbot provider shall provide a user's own chat log on request by the user and shall provide the chat log in a downloadable and easy to read format. A chatbot provider may not discriminate or retaliate against a user pursuant to subsection A paragraph 7 of this section that requests the user's chat.
(b) An employer shall not use an ADS to collect worker data for a purpose that is not disclosed pursuant to the notice requirements in Chapter 2 (commencing with Section 1522).
(e) A worker shall have the right to request, and an employer shall provide, a copy of the most recent 12 months of the worker's own data primarily used by an ADS to make a discipline, termination, or deactivation decision. A worker is limited to one request every 12 months for a copy of their own data used by an ADS to make a discipline, termination, or deactivation decision. (f) For purposes of safeguarding the privacy rights of consumers, workers, and individuals, when an employer is required to provide worker data pursuant to this part, that worker data shall be provided in a manner that anonymizes the customer's, other worker's, or individual's personal information.
(5) Use or rely upon individualized worker data as inputs or outputs to inform compensation unless the employer can clearly demonstrate that any differences in compensation for substantially similar or comparable work assignments are based upon cost differentials in performing the task involved, or that the data was directly related to the tasks that the worker was hired to perform.
(e) A worker shall have the right to request, and an employer shall provide, a copy of the most recent 12 months of the worker's own data primarily used by an ADS to make a disciplinary, termination, or deactivation decision. A worker is limited to one request every 12 months for a copy of their own data used by an ADS to make a disciplinary, termination, or deactivation decision. (f) For purposes of safeguarding the privacy rights of consumers, workers, and individuals, when an employer is required to provide worker data pursuant to this part, that worker data shall be provided in a manner that anonymizes the customer's, other worker's, or individual's personal information.
On and after January 1, 2027, if an operator knows or has reasonable certainty that a user of a conversational artificial intelligence service is a minor, the operator shall: (f) (I) Offer tools for the minor user to manage the minor user's privacy and account settings, including the ability to control whether the conversational artificial intelligence service retains substantive information from each interaction with the conversational artificial intelligence service for the purpose of personalizing the content of future interactions and whether the minor user's personal data is used for the purposes of training the conversational artificial intelligence service; (II) For a minor user who is under thirteen years old, offer tools for a parent or guardian of the minor user to manage the minor user's privacy and account settings; and (III) For a minor user who is thirteen years old or older, offer tools for a parent or guardian of the minor user to manage the minor user's privacy and account settings as appropriate, based on relevant risks.
(1) (a) WHEN A CONSUMER EXPERIENCES AN ADVERSE OUTCOME RESULTING FROM A CONSEQUENTIAL DECISION IN WHICH A COVERED ADMT MATERIALLY INFLUENCES THE CONSEQUENTIAL DECISION, THE CONSUMER MAY REQUEST AND THE DEPLOYER SHALL PROVIDE IN RESPONSE TO THE REQUEST: (I) INSTRUCTIONS FOR REQUESTING PERSONAL DATA AND CORRECTING FACTUALLY INCORRECT OR MATERIALLY INACCURATE PERSONAL DATA USED IN A CONSEQUENTIAL DECISION THAT USED A COVERED ADMT CONSISTENT WITH SECTION 6-1-1306; ... (b) FOR THE PURPOSES OF THIS SUBSECTION (1), THE EXCEPTIONS TO THE DEFINITION OF "CONSUMER" IN SECTION 6-1-1303 (6)(b) AND THE EXCEPTIONS IN SECTION 6-1-1304 (2)(k), (2)(n), AND (2)(o) DO NOT APPLY TO THE RIGHT TO REQUEST CORRECTION OF FACTUALLY INCORRECT OR MATERIALLY INACCURATE PERSONAL DATA PURSUANT TO THIS SUBSECTION (1). (c) SUBSECTION (1)(a) OF THIS SECTION DOES NOT REQUIRE CORRECTION OF OPINIONS, PREDICTIONS, SCORES, OR PROTECTED EVALUATIONS.
(a) Right to opt out. (I) A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of: (A) Targeted advertising; (B) The sale of personal data; or (C) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. (II) A consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for one or more of the purposes specified in subsection (1)(a)(I) of this section, including through a technology indicating the consumer's intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. (III) A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(I) of this section. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under this part 13, and in a clear, conspicuous, and readily accessible location outside the privacy notice. 
(IV) (A) A controller that processes personal data for purposes of targeted advertising or the sale of personal data may allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. This subsection (1)(a)(IV)(A) is repealed, effective July 1, 2024. (B) Effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. (C) Notwithstanding a consumer's decision to exercise the right to opt out of the processing of personal data through a universal opt-out mechanism pursuant to subsection (1)(a)(IV)(B) of this section, a controller may enable the consumer to consent, through a web page, application, or a similar method, to the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data, and the consent takes precedence over any choice reflected through the universal opt-out mechanism. 
Before obtaining a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer with a clear and conspicuous notice informing the consumer about the choices available under this section, describing the categories of personal data to be processed and the purposes for which they will be processed, and explaining how and where the consumer may withdraw consent. The web page, application, or other means by which a controller obtains a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.
(b) Right of access. A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data. (c) Right to correction. A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data. (d) Right to deletion. A consumer has the right to delete personal data concerning the consumer. (e) Right to data portability. When exercising the right to access personal data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in this subsection (1)(e) requires a controller to provide the data to the consumer in a manner that would disclose the controller's trade secrets.
(3) Duty of data minimization. A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed. (4) Duty to avoid secondary use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer's consent.
(7) Duty regarding sensitive data. A controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.
Except as provided in subsection (b) of section 2 of this act, prior to collecting any personal data of an applicant for employment or employee in the state for processing in an automated employment-related decision process, a deployer shall provide to such applicant or employee a written notice disclosing: (1) The purpose of such data collection; (2) The categories of personal data that will be collected for processing in such automated employment-related decision process; (3) The retention period for any personal data collected; (4) The categories of persons who will have access to such personal data; and (5) Information concerning the right, under subparagraph (C) of subdivision (5) of subsection (a) of section 42-518 of the general statutes, to opt out of the processing of personal data for the purposes set forth in said subparagraph.
3. If not disclosed on the employer or employment agency's website, information about the type of data collected for the automated employment decision tool, the source of such data and the employer or employment agency's data retention policy shall be available upon written request by a candidate or employee. Such information shall be provided within 30 days of the written request. Information pursuant to this section shall not be disclosed where such disclosure would violate local, state, or federal law, or interfere with a law enforcement investigation.
(1) An artificial intelligence technology company may not sell or disclose personal information of users unless the information is deidentified data. This subsection does not prohibit the sale or disclosure of information specifically authorized by federal law. (2) An artificial intelligence technology company in possession of deidentified data shall do all of the following: (a) Take reasonable measures to ensure that the data cannot be associated with a user. (b) Maintain and use the data in deidentified form. An artificial intelligence technology company may not attempt to reidentify the data, except that the artificial intelligence technology company may attempt to reidentify the data solely for the purpose of determining whether its deidentification processes satisfy the requirements of this section. (c) Contractually obligate a recipient of the deidentified data to comply with this section. (d) Implement business processes to prevent the inadvertent release of deidentified data.
(a) A parent of a minor student must be provided the opportunity to opt out of the student's use of an artificial intelligence instructional tool. (b) The opt-out process must align with the educational entity's existing policies for parental notice, consent, objection, or opt out for instructional materials, digital tools, or online accounts, as applicable. (c) If a parent opts out of a student's use of an artificial intelligence instructional tool and the student is enrolled in a public school, the school district or public school must provide an alternative instructional activity that allows the student to meet a comparative educational requirement without penalty.
(6) An operator shall protect the confidentiality of age information provided by a user for age verification in accordance with s. 501.1738.
(4) Allows the patient to opt out of the processing of the patient's individually identifiable health information or other personal data for purposes of profiling in furtherance of decisions that have legal or similarly significant effects concerning the patient.
A deployer of a chatbot shall do all of the following: ... 2. Limit the collection and storage of user information collected by the chatbot to what is necessary to fulfill the deployer's purpose for making the chatbot publicly available.
b. Limit the collection and storage of user information collected by the public-facing chatbot to what is necessary to fulfill the deployer's purpose for making the public-facing chatbot publicly available.
A deployer of a chatbot shall do all of the following: 2. Limit the collection and storage of user information collected by the chatbot to what is necessary to fulfill the deployer's purpose for making the chatbot publicly available.
An employee has the right to request a copy of the most recent twelve months of the employee's own data primarily used by an automated decision system to make a discipline, termination, or deactivation decision. An employer shall provide a copy upon request. An employee is limited to one such request every twelve months.
For purposes of safeguarding the privacy rights of consumers, employees, and individuals, when an employer is required to provide employee data pursuant to this chapter, the employer shall provide the data in a manner that anonymizes the personal information of any customer, employee, or other individual.
1. a. A private entity in possession of biometric data shall develop a written policy to establish a schedule for how long the private entity will retain biometric data before the private entity destroys the biometric data. b. A written policy shall be available to the public. c. A private entity shall not retain biometric data for more than three years after the subject of the biometric data last interacts with the private entity or until the purposes for which the biometric data was collected have been accomplished, whichever is longer.
2. A private entity shall not collect, capture, purchase, or otherwise obtain an individual's biometric data unless, prior to receiving the biometric data, the private entity does all of the following: a. Informs the subject of the biometric data, or the subject's legal representative, in writing, that the private entity intends to collect the subject's biometric data. b. Informs the subject of the biometric data, or the subject's legal representative, in writing, of the purposes and length of time for which the private entity intends to retain the biometric data.
3. A private entity shall not sell, lease, trade, or otherwise profit from an individual's biometric data.
(2)(a) A person may not capture a biometric identifier of an individual for a commercial purpose unless the person: (i) Informs the individual before capturing the biometric identifier; and (ii) Receives the individual's consent to capture the biometric identifier. (b) For the purposes of this subsection, an individual has not been informed of and has not provided consent for the capture or storage of a biometric identifier for a commercial purpose based solely on the existence of an image or other media containing one (1) or more biometric identifiers of the individual on the internet or other publicly available source unless the image or other media was made publicly available by the individual to whom the biometric identifiers relate.
(d) Shall provide a method for an individual to revoke consent to the storage and transmission of a biometric identifier at any time and shall immediately destroy the biometric identifier upon receiving a revocation of consent unless maintaining the biometric identifier is required by another law.
(f) If an automated decision-making system is collecting employee data, employees and their exclusive bargaining representatives have a right to view the data collected by the automated decision-making system.
(b) A large online platform shall not: (2) retain any personal provenance data from content shared on the large online platform.
(a) It is the policy of this State that a student and the student's parent have the right to: (1) opt out of school-issued personal electronic devices, electronic textbooks, electronic required reading, or electronic or online assignments; (3) opt out of predictive analytics systems without academic penalty. (b) If a student or a student's parent exercises the right outlined in subsection (a), the school shall provide the student with a comparable analog version of what the educational technology provides. As used in this subsection, "comparable analog version" includes, but is not limited to, providing the assignment on physical paper, a physical copy of the required reading, or the option of a physical paper textbook.
(3) Sell or rent a student's information or data, including covered information or any other person's information collected by the operator for K through 12 school purposes. This subdivision (3) does not apply to the purchase, merger, or other type of acquisition of an operator by another entity if the operator or successor entity complies with this Act regarding previously acquired student information. (3.5) Permit artificial intelligence to train on covered information unless for K through 12 school purposes or in furtherance of improving operability and functionality of the operator's service.
(4) Except as otherwise provided in Section 20 of this Act, disclose covered information, unless the disclosure is made for the following purposes: (A) In furtherance of the K through 12 school purposes of the site, service, application, or model if the recipient of the covered information disclosed under this clause (A) does not further disclose the information, unless done to allow or improve operability and functionality of the operator's site, service, or application. Improving operability does not include disclosing covered information to any third party to train artificial intelligence that is not for K through 12 school purposes.
An operator's artificial intelligence model shall not train on a student's covered information and retain the training data indefinitely, unless it first: (A) informs the student or his or her parent in writing that the operator's artificial intelligence model will retain training data indefinitely; and (B) receives a written consent from the student or his or her parent.
(2) Use information, including persistent unique identifiers, created or gathered by the operator's site, service, application, or model to amass a profile about a student, except in furtherance of K through 12 school purposes. "Amass a profile" does not include the collection and retention of account information that remains under the control of the student, the student's parent, or the school.
Sec. 13. An employer that manages a covered individual through an automated decision system shall allow the covered individual to: (1) opt out of the management through the automated decision system; and (2) be managed through a human manager who is able to make employment related decisions with respect to the covered individual.
(d) A covered entity shall protect the confidentiality of age information provided by a user for age verification by limiting the collection, processing, use and storage of such information to what is strictly necessary to verify a user's age, obtain verifiable parental consent or maintain compliance records.
(3) The Commonwealth Office of Technology shall prioritize personal privacy and the protection of the data of individuals and businesses as the state develops, implements, employs, and procures artificial intelligence systems, generative artificial intelligence systems, and high-risk artificial intelligence systems by ensuring all departments, agencies, and administrative bodies: (a) Allow only the use of necessary data in artificial intelligence systems; (b) Do not allow unrestricted access to personal data controlled by the Commonwealth; and (c) Secure all data and implement a timeframe for data retention.
B. An employer shall not use an ADS to collect worker data for a purpose that is not disclosed pursuant to the notice requirements as provided in R.S. 23:972.
(4)(a) An employer shall allow a worker to access worker data collected, used by, or produced by an ADS and correct errors in any input or output data used by or produced by the ADS or used as corroborating evidence by a human reviewer. (b) An affected worker shall be allowed to choose an authorized representative to request access to the worker's data on his behalf.
F. A worker has the right to request, and an employer shall provide, a copy of the most recent twelve months of the worker's own data primarily used by an ADS to make a discipline, termination, or deactivation decision. A worker shall be limited to one request every twelve months for a copy of his own data used by an ADS to make a discipline, termination, or deactivation decision. G. For purposes of safeguarding the privacy rights of consumers, workers, and individuals, when an employer is required to provide worker data pursuant to this Part, the worker data shall be provided in a manner that provides anonymity regarding the customer's, other worker's, or individual's personal information.
D.(1) An operator of a mental health chatbot may not sell to or share with any third party any individually identifiable health information of a user or the user's input. This Subsection shall not apply to individually identifiable health information that is requested by a healthcare provider with the consent of the user, provided to a health plan of a user upon request of the user, or shared to ensure the effective functionality of the mental health chatbot with another party with which the operator has a contract related to such functionality. (2) When sharing information pursuant to this Subsection, the operator and the other entity shall comply with all applicable privacy and security provisions of 45 CFR Part 160 and 45 CFR Part 164, Subparts A and E, as if the operator were a covered entity and the other entity were a business associate, as such terms are defined in 45 CFR 160.103.
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user;
(a) A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
(c) A covered entity shall not: (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
(e) A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
(a) It shall be unlawful for an employer to use an electronic monitoring tool to collect employee information unless: (i) the electronic monitoring tool is primarily used to accomplish any of the following purposes: (A) allowing a worker to accomplish or facilitating the accomplishment of an essential job function; (B) ensuring the quality of goods and services; (C) conducting periodic assessment of worker performance; (D) ensuring or facilitating compliance with employment, labor, or other relevant laws; (E) protecting the health, safety, or security of workers, or the security of the employer's facilities or computer networks; or (F) administering wages and benefits. The department of labor standards may establish additional exceptions under clause (i) through notice and comment rulemaking in compliance with chapter 30A. (ii) the specific type and activated capabilities of an electronic monitoring tool must be narrowly tailored to accomplish the employer's intended, legitimate purpose specified under (i). (iii) the electronic monitoring tool may only be used to accomplish the employer's intended, legitimate purpose specified in (i), and must be customized and implemented in a manner ensuring that the execution of its duties undertaken in the manner least invasive to employees of the employer while accomplishing the employer's legitimate purposes as defined by (i); (iv) the specific form of electronic monitoring is limited to the smallest number of workers, collects the least amount of data and is collected no more frequently than is necessary to accomplish the purpose, and the data collected is deleted once the purpose has been achieved.
(v) the employer must ensure that any employee data that is collected utilizing an electronic monitoring tool that is not necessary to accomplish the employer's intended, legitimate purpose is not disclosed to the employer and is promptly disposed of by the vendor; (vi) the employer must ensure that employee data is not collected when the employee is off-duty; and (vii) the employer must ensure that any employee data collected utilizing an electronic monitoring tool that is necessary to accomplish the employer's intended, legitimate purpose, is stored consistent with the commonwealth's data- and cyber- privacy laws, promptly disposed of as soon as the data is no longer needed, and is not utilized by the employer, the vendor or any other third party for any reason except as provided in section 2(c) and section 3(c) of this chapter.
(b) Any employer that uses an electronic monitoring tool shall give prior written notice and must obtain written consent from all candidates and employees subject to electronic monitoring and must also post said notice in a conspicuous place which is readily available for viewing by candidates and employees, pursuant to sections 19B, 52C, and 190(i) of chapter 149 and section 99 of chapter 272. Such notice shall include, at a minimum, the following: (i) a description of the purpose for which the electronic monitoring tool will be used, as specified in subparagraph (i) of paragraph (a) of this subdivision; (ii) a description of the specific employee data to be collected, stored, secured, and disposed of (and the schedule therefore), and the activities, locations, communications, and job roles that will be electronically monitored by the tool; (iii) a description of the dates, times, and frequency that electronic monitoring will occur; (iv) whether and how any employee data collected by the electronic monitoring tool will be used as an input in an automated employment decision tool; (v) whether and how any employee data collected by the electronic monitoring tool will alone or in conjunction with an automated employment decision tool be used to make an employment decision by the employer or employment agency; (vi) whether and how any employee data collected by the electronic monitoring tool may be stored and utilized in discipline, in internal policy compliance, in administrative agency adjudications, and in litigation (whether or not it involves the employee as a party); (vii) whether any employee data collected by the electronic monitoring tool will be used to assess employees' productivity performance or to set productivity standards, and if so, how; (viii) a description of where any employee data collected by the electronic monitoring tool will be stored and the length of time it will be retained; (ix) an explanation for how the specific electronic monitoring practice is the least invasive means available to accomplish the monitoring purpose; (x) a statement that an employee is entitled to notice and maintains the right to refuse the sale, transfer, or disclosure of the employee's employee data subject to the provisions of section 2(f); and (xi) a clear and reasonably understandable description of how an employee can exercise the rights described in this chapter.
(e) An employer shall not use employee data collected via an electronic monitoring tool for purposes other than those specified in the notice provided pursuant to paragraph (c) of subdivision one of this section. (f) An employer shall not sell, transfer, or disclose employee data collected via an electronic monitoring tool to any other entity unless it is required to do so under federal law or the laws of the commonwealth, or necessary to do so to comply with an impact assessment of an automated employment decision tool pursuant to section one thousand twelve of this article.
(d) If an initial or subsequent impact assessment requires the collection of employee data to assess a tool's disparate impact on employees, such data shall be collected, processed, stored, retained, and disposed of in such a manner as to protect the privacy of employees, and shall comply with any data retention and security requirements specified by the commissioner. Employee data provided to auditors for the purpose of an impact assessment shall not be shared with the employer, nor shall it be shared with any person, business entity, or other organization unless strictly necessary for the completion of the impact assessment.
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
(a) Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives written consent executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative. Written consent may be obtained by electronic means.
(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the person from whom biometric information is to be collected or was collected, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 1 year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid order, warrant, or subpoena issued by a court of competent jurisdiction or a local or federal governmental agency, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative provides written consent to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(10) patient data is not used beyond its intended and stated purpose, consistent with the federal Health Insurance Portability and Accountability Act of 1996, as applicable;
(F) (1) A CONTROLLER SHALL LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE TO SATISFY THE REQUIREMENTS OF THIS SUBTITLE.
Data under this paragraph may not be used beyond its intended and stated purpose. Data under this paragraph must be protected from risk that may directly or indirectly cause harm to the enrollee.
5. Disclosure of records and communications. All records kept by a licensed professional and all communications between an individual seeking therapy or psychotherapy services and a licensed professional or between a client and a licensed professional are confidential and may not be disclosed except as required under law.
2. User information collection and storage. A deployer shall collect and store only information that does not conflict with a user's safety and well-being. A deployer may not collect and store information except to fulfill a legitimate purpose of the deployer. A deployer may collect and store information that is adequate to fulfill a legitimate purpose of the deployer, but only to the extent that the information: A. Is relevant to that legitimate purpose; and B. Is the minimum amount of information necessary to fulfill that legitimate purpose.
Sec. 5. (1) Except as provided in this act, an employer shall not use an electronic monitoring tool or automated decisions tool to collect a covered individual's data. (2) An employer may use an electronic monitoring tool for only the following purposes: (a) To allow an employee to accomplish or facilitate an essential job function. (b) To monitor production processes or quality. (c) To periodically assess an employee's performance. (d) To ensure or facilitate compliance with state or federal labor or employment law. (e) To protect the health, safety, or security of covered individuals. (f) To administer wages and benefits, if it can be determined that the electronic monitoring system uses only data regarding the city where the covered individual works and the costs of living in that area. (g) To accomplish any other purpose that enables business operations as determined by the department.
(3) An employer that uses an electronic monitoring tool or automated decisions tool must do all of the following: (a) Provide written notice that the employer is using an electronic monitoring tool or automated decisions tool to all covered individuals who are subject to the tool. (b) Obtain written consent from each covered individual to electronically monitor or use an automated decisions tool on the covered individual in accordance with this act. (c) Ensure that data collected through the electronic monitoring tool or automated decisions tool is accurate and up to date. (d) Allow a covered individual to correct inaccurate data about that covered individual.
(e) Use the tool in a narrowly tailored manner to accomplish a purpose described in subsection (2) or section 4(2). (f) Use the tool through the least invasive means possible for the covered individual whom the tool monitors. (g) Ensure the tool applies to the smallest number of covered individuals, collects the least amount of data, and is used no more frequently than necessary to accomplish a purpose described in subsection (2) or section 4(2). (h) Ensure that the tool does not collect any data of an employee when the employee is off duty.
(4) An employer that uses an electronic monitoring tool for a purpose described in subsection (2) or an automated decisions tool for a purpose described in section 4(2) shall not do any of the following: (a) Collect any of the following data of a covered individual: (i) Health, medical, lifestyle, and wellness information, including, but not limited to, the covered individual's medical history, physical or mental condition, diet or physical activity patterns, heart rate, medical treatment or diagnosis by a health care professional, health insurance policy number, subscriber identification number, or other unique identifier used to identify the covered individual. (ii) A qualified characteristic. (iii) Information related to workplace activities, including, but not limited, all of the following: (A) Human resources information, including contents of a covered individual's personnel file or performance evaluations. (B) Work process information, such as productivity and efficiency information. (C) Information that captures workplace communications and interactions, including emails, texts, internal message boards, and customer interaction and ratings. (D) Device usage, including calls placed or geolocation information. (E) Audio-video information and other information collected from sensors, including movement tracking, thermal sensors, voiceprints, or facial, emotion, and gait recognition. (F) Inputs of or outputs generated by an automated decisions tool that are linked to a covered individual. (G) Online information, including a covered individual's internet protocol address, private social media activity, or other digital sources or unique identifiers associated with a covered individual. (b) Identify, punish, or obtain data about a covered individual who engages in an activity that is protected under state or federal labor or employment law. 
(c) Monitor bathrooms or other similar private areas, including, but not limited to, locker rooms, changing areas, breakrooms, smoking areas, employee cafeterias, lounges, areas designated to express breast milk, or areas designated for prayer or other religious activity. The prohibition under this subdivision includes data collection on the frequency of use of those private areas and conducting audio or visual monitoring of a workplace in an employee's residence, an employee's personal vehicle, or property owned or leased by an employee.
A person is prohibited from collecting biometric data from an individual unless the person receives the individual's consent to collect the biometric data before the collection occurs.
A person who obtains biometric data: (1) must not sell, lease, or otherwise disclose the biometric data to another person unless: (i) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death; (ii) the disclosure completes a financial transaction that the individual requested or authorized; (iii) the disclosure is required or permitted by a federal or state law; or (iv) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant;
(2) must store, transmit, and protect from disclosure the biometric data using reasonable care and in a manner that is at least as or more protective than the manner in which the person stores, transmits, and protects other confidential information the person possesses;
(3) must delete and destroy the biometric data within a reasonable time, but no later than one year from the date the purpose for collecting the data expires, unless the data is maintained pursuant to a federal or state law that requires a longer retention period, in which case the biometric data must be destroyed within a reasonable time frame but no later than one year from the date that the state or federal law retention period expires. If an employer collects an employee's biometric data for security purposes, the purpose for collecting the data expires upon termination of the employment relationship.
Subd. 2. Record requests. (a) A worker has the right to request a copy of: (1) any of the worker's data collected, used, or produced by an automated decision system; (2) any input or output data used or produced by the automated decision system; and (3) corroborating evidence used by a human reviewer. (b) The employer must provide copies of the data requested within seven days of receiving a worker's request. Subd. 3. Record corrections. (a) A worker has the right to request corrections to: (1) any worker data collected, used, or produced by an automated decision system; (2) any input or output data used or produced by the automated decision system; and (3) any corroborating evidence used by a human reviewer. (b) An employer that receives a request to correct any of the information listed in paragraph (a) must investigate and determine whether the disputed data is inaccurate. (c) If an employer determines that the disputed data is inaccurate, the employer must: (1) promptly correct the disputed data and inform the worker of the employer's decision and action; (2) review and adjust any employment-related decisions that were partially or solely based on the inaccurate data and inform the worker of the adjustment; and (3) inform any third parties with which the employer shared the inaccurate data, or from which the employer received the inaccurate data, of the error and direct those third parties to correct the data. (d) If an employer, upon investigation, determines that the disputed data is accurate, the employer must inform the worker of: (1) the decision not to amend the disputed data; (2) the steps taken to verify the accuracy of the data; and (3) the evidence supporting the decision not to amend the disputed data.
(b) An employer must not use an automated decision system that uses individualized worker data as inputs or outputs to set compensation, unless the employer can demonstrate that: (1) the input data is directly related to the ability of the worker to complete the task, such as education, training, experience, or seniority; (2) the inputs used are clearly communicated to the worker such that the worker knows their compensation is a function of the identified attributes; and (3) the employer uses the automated decision system either: (i) not more than once per six-month period per worker; or (ii) only in conjunction with a meaningful change in work duties, such as hiring or promotion.
2. No private entity shall collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information unless it first: (1) Informs the person or customer, or the person's or customer's legally authorized representative, in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the person or customer, or the person's or customer's legally authorized representative, of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the person or customer, or the person's or customer's legally authorized representative.
(2) No private entity in possession of a biometric identifier or biometric information shall sell, lease, or trade a person's or a customer's biometric identifier or biometric information.
4. No private entity in possession of a biometric identifier or biometric information shall disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) The person or customer, or the person's or customer's legally authorized representative, provides written release to the disclosure or redisclosure; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the person or customer, or the person's or customer's legally authorized representative; (3) The disclosure or redisclosure is required by state law, federal law, or municipal ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(e) A covered entity shall: a. Establish, implement, and maintain reasonable data security to: (i) Limit collection of personal data to that which is minimally necessary to verify a user's age or maintain compliance with this section; and (ii) Protect such age verification data against unauthorized access; b. Protect such age verification data against unauthorized access; c. Protect the integrity and confidentiality of such data by only transmitting such data using industry-standard encryption protocols; d. Retain such data for no longer than is reasonably necessary to verify a user's age or maintain compliance with this section; and e. Not share with, transfer to, or sell to any other entity such data.
(3) Obtain explicit user consent for data collection and use. (4) Provide users with access to their personal data. (5) Provide users with the ability to delete their data upon request.
(5) Duty of loyalty in collection. — A covered platform shall collect and store only that information that does not conflict with a trusting party's best interests. Such information must be (i) adequate, in the sense that it is sufficient to fulfill a legitimate purpose of the platform; (ii) relevant, in the sense that the information has a relevant link to that legitimate purpose, and (iii) necessary, in the sense that it is the minimum amount of information which is needed for that legitimate purpose.
(7) Duty of loyalty in gatekeeping. — A covered platform shall be a loyal gatekeeper of personal information from a trusted party, including avoiding conflicts to the best interests of trusting parties when allowing government or other third-party access to trusting parties and their data.
(a) A covered platform must do each of the following: (1) Ensure that all user-related data disclosed collected through conversations between users and chatbots or through third-party cookies, undergoes a process of de-identification prior to storage and analysis; (2) Take reasonable care to prohibit the incorporation or inclusion of any sensitive personal information derived from a user during the use of a chatbot into an aggregate dataset used to train any chatbot or generative artificial intelligence system. (3) Store all chatbot conversations which does not include sensitive personal information for at least sixty (60) days. (b) Each covered platform that meets the standard set forth in subsection (a) of this section shall utilize self-destructing messages with a predetermined destruction period of thirty (30) days after the data has been acquired. (c) The requirements of subsection (b) of this section shall apply to all chatbots which are employed in: healthcare, financial services, the legal field, government services, mental health support, and education. In general, this applies to any domain, beyond those specifically listed, where chatbots are employed primarily for the processing or storage of sensitive personal information. (d) All covered platforms shall utilize transport encryption for all messages between a user and a chatbot.
A licensee shall do all of the following: (3) Obtain explicit user consent for data collection and use. (4) Provide users with access to their personal data. (5) Provide users with the ability to delete their data upon request.
Duty of loyalty in collection. – A covered platform shall collect and store only that information that does not conflict with a trusting party's best interests. Such information must be (i) adequate, in the sense that it is sufficient to fulfill a legitimate purpose of the platform, (ii) relevant, in the sense that the information has a relevant link to that legitimate purpose, and (iii) necessary, in the sense that it is the minimum amount of information which is needed for that legitimate purpose.
Duty of loyalty in gatekeeping. – A covered platform shall be a loyal gatekeeper of personal information from a trusted party, including avoiding conflicts to the best interests of trusting parties when allowing government or other third-party access to trusting parties and their data.
A covered platform must do all of the following: (1) Ensure that all user-related data disclosed collected through conversations between users and chatbots or through third-party cookies undergoes a process of de-identification prior to storage and analysis. (2) Take reasonable care to prohibit the incorporation or inclusion of any sensitive personal information derived from a user during the use of a chatbot into an aggregate dataset used to train any chatbot or generative artificial intelligence system. (3) Store all chatbot conversations which does not include sensitive personal information for at least 60 days.
(b) Each covered platform that meets the standard set forth in subsection (a) of this section shall utilize self-destructing messages with a predetermined destruction period of 30 days after the data has been acquired. (c) The requirements of subsection (b) of this section shall apply to all chatbots which are employed in healthcare, financial services, the legal field, government services, mental health support, and education. In general, this applies to any domain, beyond those specifically listed, where chatbots are employed primarily for the processing or storage of sensitive personal information.
Sec. 4. (1) A person may provide written consent to any potential controller of such person's agricultural data that authorizes: (a) The potential controller to process such person's agricultural data; or (b) A third party to process such person's agricultural data on behalf of the potential controller. (2) A person that has provided written consent under this section may rescind such consent by providing a written notice of such rescission to the controller of the agricultural data. Sec. 5. (1) A controller shall not: (a) Require any person to submit to any processing of such person's agricultural data without the written consent of such person;
A controller shall not: (b) Provide any difference in any service, good, benefit, or reward provided to any person who does not consent to the collection or possession of agricultural data;
A controller shall not: (c) Sell, provide, or use the agricultural data of any person without such person's authorization.
A controller shall delete the agricultural data relating to a person that has provided a written notice rescinding the authorization pursuant to section 4 of this act within thirty days after receiving such written notice.
A processor shall not process, sell to any person, provide to any person, or use the agricultural data of a person without such person providing written consent that authorizes such processing to the controller of the agricultural data under section 4 of this act.
(iii) If applicable, provide information to the consumer regarding the consumer's right to opt out of the processing of personal data concerning the consumer for any purpose of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer under subdivision (2)(e)(iii) of section 87-1107.
a. A business entity shall not sell, lease, trade, share, or otherwise profit from information obtained through the business entity's use of a biometric surveillance system on a consumer. b. A violation of this section shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.).
No employer or public entity, vendor, or contractor acting on behalf of the employer or public entity shall: k. Transfer or otherwise disclose biometric, health, or wellness data or information, however obtained, to any third party or government entity unless required to do so under State or federal law; use biometric, health, or wellness data or information in making an employment-related decision or decision regarding public benefits or services; or retain biometric, health, or wellness data or information of an applicant for employment who has not been hired or a former employee after employment ends, or after the service beneficiary no longer receives services or benefits;
a. (1) An employer, public entity, vendor, or contractor shall ensure that no data or information about an employee or applicant, or service beneficiary, or applicant for employment collected by an EMT or other surveillance, and no output of an AEDS, or data or information used to produce that output, is sold, licensed, transferred, disclosed, or shared to or with any third party by the employer, public entity, or vendor, without the uncoerced written consent of the employee, service beneficiary, or applicant for employment, except that the data or information may be provided to the applicant, service beneficiary, employee, or an authorized representative, or to a law enforcement authority or a court when required by law. All information about an applicant for employment or public benefits or services, including any applicant video, shall be destroyed at the request of the applicant. A vendor shall return to the employer or public entity and delete all employee, applicant, and service beneficiary information once the contract between the vendor and the employer or public entity is terminated. (2) An employer, public entity, or vendor acting on behalf of an employer shall ensure that all information and data and information about an employee or service beneficiary, held by the employer, public entity, or vendor is accurate and up to date. An employer or public entity shall notify an employee or service beneficiary of any significant change in the data or information held by the employer or public entity or vendor. 
The notification shall inform the employee or service beneficiary of the change and the right of the employee, service beneficiary, or a designated representative, to access to any data or information about the employee or service beneficiary held by the employer, public entity, or vendor and make a written request to correct inaccurate information or remove information being retained or used in a manner that violates the provisions of this act, and, in addition, the employee or service beneficiary, even if not notified of any change, shall, at least one time per year, have the right to have access to the data and information and seek any needed corrections or removals. If the employer or public entity does not change or remove the information as requested, the employer or public entity shall provide a written explanation of the reason for that decision, and retain copies of the request and the written explanation, to be available for consideration in any appeal of an adverse decision made pursuant to section 8 of this act.
a. It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a business entity to use any biometric surveillance system on a consumer at the physical premises of the business entity, except as provided in subsection c. of this section. b. A business entity may use a biometric surveillance system on a consumer at the physical premises of the business entity, if: (1) the business entity provides clear and conspicuous notice to the consumer regarding its use of a biometric surveillance system; and (2) the biometric surveillance system is used for a lawful purpose. The business entity may satisfy the notice requirement of paragraph (1) of this section by posting a sign in a conspicuous location at the perimeter of any area where a biometric surveillance system is being used.
a. A business entity shall not sell, lease, trade, share, or otherwise profit from information obtained through the business entity's use of a biometric surveillance system on a consumer. b. A violation of this section shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.).
An employer shall not share an applicant's video except with a service provider whose expertise or technology is necessary to evaluate the applicant's fitness for a position.
Upon request from the applicant, an employer, within 30 days after receipt of the request, shall delete an applicant's interviews and instruct any other persons who received copies of the applicant's video interviews to also delete the videos, including all electronically generated backup copies. Any other person or service provider shall comply with the employer's instructions.
(iii) Information about the type of data collected for such automated employment decision tool, the source of such data, and the employer or employment agency's data retention policy.
(b) The notice required by paragraph (a) of this subdivision shall be made no less than ten business days before the use of such automated employment decision tool and shall allow such candidate to request an alternative selection process or accommodation.
1. New York residents shall be protected from abusive data practices via built-in protections and shall maintain agency over the use of their personal data. 2. Privacy violations shall be mitigated through design choices that include privacy protections by default, ensuring that data collection conforms to reasonable expectations and that only strictly necessary data for the specific context is collected.
3. Designers, developers, and deployers of automated systems must seek and respect the decisions of New York residents regarding the collection, use, access, transfer, and deletion of their data in all appropriate ways and to the fullest extent possible. Where not possible, alternative privacy by design safeguards must be implemented. 4. Automated systems shall not employ user experience or design decisions that obscure user choice or burden users with default settings that are privacy-invasive. 5. Consent shall be used to justify the collection of data only in instances where it can be appropriately and meaningfully given. Any consent requests shall be brief, understandable in plain language, and provide New York residents with agency over data collection and its specific context of use. 6. Any existing practice of complex notice-and-choice for broad data use shall be transformed, emphasizing clarity and user comprehension.
7. Enhanced protections and restrictions shall be established for data and inferences related to sensitive domains. In sensitive domains, individual data and related inferences may only be used for necessary functions, safeguarded by ethical review and use prohibitions.
10. Whenever possible, New York residents shall have access to reporting that confirms respect for their data decisions and provides an assessment of the potential impact of surveillance technologies on their rights, opportunities, or access.
1. Licensees shall be permitted to share information and source code with any third party, provided however, that where information is biometric information such party shall be jointly liable for any harm or violations under this article with the licensee. The secretary may, in their discretion, prohibit any person from accessing the information or source code of a licensee provided however that the secretary shall provide a written justification for such a prohibition. 2. For purposes of this section, "biometric information" shall include a person's: (a) faceprint; (b) voiceprint; (c) fingerprint; (d) gaitprint; (e) irisprint; (f) psychological profile; or (g) any other data related to a person's body or mind that can be used to identify a person. 3. This section shall only apply to the sharing of information received or generated by the licensee or source code created by the licensee and shall not apply to a third party integrating their systems with the licensee.
2. No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (a) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (b) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (c) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
News media employers shall not directly or through a third party authorize the training of a generative artificial intelligence system on the work product of a news media worker without notice, consent and an opportunity to bargain over appropriate remuneration. A news media employer shall not penalize a news media worker for declining to consent to allow their work product to be used to train a generative artificial intelligence system.
(a) It shall be an unlawful discriminatory practice for an employer to use artificial intelligence for recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, or the terms, privileges, or conditions of employment that has the effect of subjecting employees to discrimination on the basis of age, race, creed, color, national origin, citizenship or immigration status, sexual orientation, gender identity or expression, military status, sex, disability, predisposing genetic characteristics, familial status, marital status, or status as a victim of domestic violence or to use zip codes as a proxy for such protected classes.
B. Deployers shall collect and store only that information that does not conflict with a trusting party's best interests. Such information must be: 1. Adequate, in the sense that it is sufficient to fulfill a legitimate purpose of the deployer; 2. Relevant, in the sense that the information has a relevant link to that legitimate purpose; and 3. Necessary, in the sense that it is the minimum amount of information which is needed for that legitimate purpose.
(6) Patient data must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and 42 U.S.C. Ch. 7 Subch. XI Part C (relating to administrative simplification), as applicable.
(8) The data of the covered person must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with Commonwealth law and 42 U.S.C. Ch. 7, Subch. XI Part C (relating to administrative simplification), as applicable.
(8) The data of the covered person or enrollees must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936), as applicable.
(a) Prohibition.--Except as provided under subsections (b) and (c), a supplier may not sell to or share with a third party the following: (1) Individually identifiable health information of a consumer. (2) Consumer input. (b) Applicability.--The prohibition under subsection (a) shall not apply if: (1) Either: (i) A health care provider requests access to the individually identifiable health information of the consumer and the consumer consents to the access in accordance with subsection (d). (ii) The consumer requests that a health plan be provided access to the individually identifiable health information of the consumer and the consumer consents to the access in accordance with subsection (d). (2) The individually identifiable health information is shared in accordance with subsection (c). (c) Sharing information.-- (1) A supplier may share a consumer's individually identifiable health information if: (i) the sharing of the information is necessary to ensure the effective functionality of the chatbot with a third party with which the supplier has a contract related to the functionality; and (ii) the consumer consents to the sharing of the information in accordance with subsection (d). (2) When sharing information in accordance with this subsection, the supplier and the third party shall comply with all applicable privacy and security provisions of 45 CFR Pts. 160 (relating to general administrative requirements) and 164 (relating to security and privacy), as if the supplier were a covered entity and the third party were a business associate. (d) Consent.-- (1) A consumer may consent to access to individually identifiable health information of the consumer by a health care provider or health plan in accordance with this section. (2) To be effective, the consent under this subsection must: (i) Be in writing. 
(ii) Acknowledge that the consumer understands and agrees to the access of the individually identifiable health information of the consumer by a health care provider or health plan. (3) The consent under this subsection may involve the consumer initialing or signing the acknowledgment described in paragraph (2)(ii), checking a box, providing an electronic signature or hitting a button.
(6) Patient data must not be used beyond the intended and stated purpose of the artificial-intelligence-based algorithms, consistent with the laws of this Commonwealth and 42 U.S.C. Ch. 7 Subch. XI Part C (relating to administrative simplification), as applicable.
(8) The data of the covered person must not be used beyond the intended and stated purpose of the artificial-intelligence-based algorithms, consistent with Commonwealth law and 42 U.S.C. Ch. 7, Subch. XI Part C (relating to administrative simplification), as applicable.
(8) The data of the covered person or enrollees must not be used beyond the intended and stated purpose of the artificial-intelligence-based algorithms, consistent with the laws of this Commonwealth and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936), as applicable.
All records kept by a licensed professional and all communications between an individual seeking therapy or psychotherapy services and a licensed professional shall be confidential and shall not be disclosed except as provided pursuant to the provisions of § 40.1-5-26.
(a) It shall be unlawful for an employer to use an electronic monitoring tool to collect employee information unless: (1) The electronic monitoring tool is primarily used to accomplish any of the following legitimate purposes: (i) Allowing a worker to accomplish or facilitating the accomplishment of an essential job function; (ii) Ensuring the quality of goods and services; (iii) Conducting periodic assessment of worker performance; (iv) Ensuring or facilitating compliance with employment, labor, or other relevant laws; (v) Protecting the health, safety, or security of workers, or the security of the employer's facilities or computer networks; or (vi) Administering wages and benefits. (2) The department of labor and training standards may establish additional exceptions under this subsection, pursuant to chapter 35 of title 42 ("administrative procedures act.") (b)(1) The specific type and activated capabilities of an electronic monitoring tool shall be narrowly tailored to accomplish the employer's intended, legitimate purpose specified under subsection (a)(1) of this section; (2) The electronic monitoring tool shall only be used to accomplish the employer's intended, legitimate purpose specified in subsection (a)(1) of this section, and shall be customized and implemented in a manner ensuring that the execution of its duties are undertaken in the manner least invasive to employees of the employer, while still accomplishing the employer's legitimate purposes as defined by subsection (a)(1) of this section; (3) The specific form of electronic monitoring is limited to the smallest number of workers, collection of the least amount of data which shall be collected no more frequently than is necessary to accomplish the purpose, and the data collected, shall be deleted once the purpose has been achieved; (4) The employer shall ensure that any employee data that is collected utilizing an electronic monitoring tool that is not necessary to accomplish the employer's intended, legitimate purpose shall not be disclosed to the employer and shall be promptly disposed of by the vendor; (5) The employer shall ensure that employee data is not collected when the employee is off-duty; and (6) The employer shall ensure that any employee data collected utilizing an electronic monitoring tool that is necessary to accomplish the employer's intended, legitimate purpose, is stored consistent with the state's data and cyber privacy laws, promptly disposed of as soon as the data is no longer needed, and is not utilized by the employer, the vendor or any other third party for any reason except, as provided in subsection (c) of this section. (c) Any employer that uses an electronic monitoring tool shall give prior written notice and shall obtain written acknowledgment from all candidates and employees subject to electronic monitoring and shall also post said notice in a conspicuous place which is readily available for viewing by candidates for employment and employees.
Such notice shall include, at a minimum, the following: (1) A description of the purpose for which the electronic monitoring tool will be used, as specified in subsection (a)(1) of this section; (2) A description of the specific employee data to be collected, stored, secured, and disposed of (and the schedule therefor), and the activities, locations, communications, and job roles that will be electronically monitored by the tool; (3) A description of the dates, times, and frequency that electronic monitoring will occur; (4) Whether and how any employee data collected by the electronic monitoring tool will be used as an input in an automated decision system; (5) Whether and how any employee data collected by the electronic monitoring tool will alone or in conjunction with an automated decision system be used to make an employment decision by the employer or employment agency; (6) Whether and how any employee data collected by the electronic monitoring tool may be stored and utilized in discipline, in internal policy compliance, in administrative agency adjudications, in litigation (whether or not it involves the employee or not as a party); (7) Whether any employee data collected by the electronic monitoring tool will be used to assess employees' productivity performance or to set productivity standards, and if so, how; (8) A description of where any employee data collected by the electronic monitoring tool will be stored and the length of time it will be retained; (9) An explanation for how the specific electronic monitoring practice is the least invasive means available to accomplish the monitoring purpose; (10) That an employee is entitled to notice and maintains the right to refuse the sale, transfer, or disclosure of their employee data, subject to the provisions of subsection (g) of this section; and (11) A clear and reasonably understandable description of how an employee can exercise the rights described in this chapter.
(f) An employer shall not use employee data collected via an electronic monitoring tool for purposes other than those specified in the notice provided pursuant to subsection (c) of this section. (g) An employer shall not sell, transfer, or disclose employee data collected via an electronic monitoring tool to any other entity unless it is required to do so under federal law or the laws of the state, or necessary to do so to comply with an impact assessment of an automated decision system used pursuant to this section.
(A) A chatbot provider may not: (1) process personal data to inform a chatbot output unless processing personal data is necessary to fulfill an express request that is made by a user and the user provides affirmative consent;
(A) A chatbot provider may not: (2) process a user's chat log: (a) to determine whether to display an advertisement for a product or service to a user; (b) to determine a product or service or category of a product or service to advertise to a user; or (c) to customize an advertisement for presentation to a user;
(A) A chatbot provider may not: (3) process a user's chat log and personal data: (a) if the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent; (b) for training purposes if the chatbot provider knows or reasonably should have known that based on knowledge of objective circumstances the user is a minor and the user's parent or legal guardian did not provide affirmative consent; (c) for training purposes if the user is an adult, unless the chatbot provider first obtains affirmative consent; or (d) to engage in profiling beyond what is necessary to fulfill an express request;
(A) A chatbot provider may not: (4) profile a user based on any classification or designation of the user's personality or behavioral characteristic beyond what is necessary to fulfill an express request made by the user;
(A) A chatbot provider may not: (5) sell a user's chat logs; (6) retain a user's chat log for more than ten years, unless retention is necessary to comply with this chapter or otherwise required by law;
(A) A chatbot provider may not: (7) discriminate or retaliate against a user, including: (a) denying products or services to the user; (b) charging different prices or rates for products or services to the user; or (c) providing lower quality products or services to the user for refusing to consent to the use of chat logs or personal data for training purposes.
(B) A user has a right to access the user's own chat logs at any time. A chatbot provider shall provide a user's own chat log on request by the user and shall provide the chat log in a downloadable and easy to read format. A chatbot provider may not discriminate or retaliate against a user that requests the user's chat.
(E) A chatbot provider shall take the necessary physical, administrative, and technical measures to prevent deidentified data from being reidentified and to process, retain, and transfer deidentified data without any reasonable means of reidentification.
All records kept by a licensed professional and all communications between an individual seeking therapy or psychotherapy services and a licensed professional shall be confidential and shall not be disclosed except as required pursuant to Section 44-22-100.
(A) A chatbot provider may not: (3) process a user's chat log and personal data: (c) for training purposes if the user is an adult, unless the chatbot provider first obtains affirmative consent; or (d) to engage in profiling beyond what is necessary to fulfill an express request;
A covered entity may not collect, store, or share any information regarding an individual's credit score or voter registration status in the individual's electronic health record.
The Director shall require any state agency that uses an automated decision system as a substantial factor in any employment decision to: 3. Provide to all individuals the right to opt out of the use of the automated decision system for employment decisions and a process by which individuals with disabilities may seek accommodations for the automated decision system;
Any department, office, board, commission, agency, or instrumentality of local government that uses an automated decision system as a substantial factor in any employment decision shall: 3. Provide to all individuals the right to opt out of the use of the automated decision system for employment decisions and a process by which individuals with disabilities may seek accommodations for the automated decision system;
An operator shall not train the underlying model of a companion chatbot with the inputs of a minor unless the minor's parent or guardian has affirmatively provided written consent to the operator to use the minor's personal information for that specific purpose.
A deployer shall collect and store only such information as does not conflict with a user's best interests. Such information shall be (i) adequate, in the sense that it is sufficient to fulfill a legitimate purpose of the deployer; (ii) relevant, in the sense that the information has a relevant link to such legitimate purpose; and (iii) necessary, in the sense that it is the minimum amount of information that is needed for such legitimate purpose.
(b) Employee monitoring restricted. An employer shall not engage in electronic monitoring of an employee unless all of the following requirements are met: (1) the employer's purpose in utilizing the electronic monitoring is to: (A) assist or allow the employee to accomplish an essential job function; (B) monitor production processes or quality; (C) ensure compliance with applicable employment or labor laws; (D) protect the health, safety, or security of the employee, clients, or the public; (E) secure the employer's physical or digital property; (F) conduct periodic assessment of employee performance; or (G) track time worked or production output for purposes of determining the employee's compensation; (2) the specific form of electronic monitoring is necessary to accomplish the purpose identified pursuant to subdivision (1) of this subsection and is used exclusively to accomplish that purpose; (3) the specific form of electronic monitoring is the least invasive means, with respect to the employee, of accomplishing the purpose identified pursuant to subdivision (1) of this subsection; (4) the specific form of electronic monitoring is used with the smallest number of employees, collects the smallest amount of data necessary to accomplish the purpose identified pursuant to subdivision (1) of this subsection, and is collected not more frequently than necessary to accomplish that purpose; and (5) the employer ensures that only authorized persons have access to any data produced through the electronic monitoring and that the data is only used for the purpose and duration that the employee has been notified of pursuant to subsection (c) of this section.
(c) Required notice for employee monitoring. (1) At least 15 calendar days prior to commencing any form of electronic monitoring, an employer shall provide notice of the electronic monitoring to each employee who will be subject to it. The notice shall, at a minimum, include the following information: (A) the specific form of electronic monitoring; (B) a description of the intended purpose of the electronic monitoring and why the electronic monitoring is necessary to accomplish that purpose; (C) a description of how any data generated by the electronic monitoring will be used, including whether and how the data generated by the electronic monitoring will be used to inform employment-related decisions; (D) a description of the technologies that will be used to conduct the electronic monitoring; (E) a description of the specific activities, locations, communications, and job roles that will be electronically monitored; (F) the name of any person conducting electronic monitoring on the employer's behalf and any associated contract language related to the monitoring; (G) the name of any person, apart from the employer, who will have access to any data generated by the electronic monitoring and the reason why the person will have access to the data; (H) the positions within the employer that will have access to any data generated by the electronic monitoring; (I) when, where, and how frequently monitoring will occur; (J) the period of time for which any data generated by the electronic monitoring will be retained by the employer or another person and when that data will be destroyed; (K) notice of how an employee may access the data generated by the electronic monitoring and the process to correct any errors in the data; (L) a cover sheet that concisely summarizes the details contained in the notice; (M) notice of an employee's rights pursuant to this section and the judicial and administrative remedies available for redressing the wrongful use of electronic monitoring; and (N) instructions on how an employee can file a complaint against an employer for violations of this section. (2) If an employer uses electronic monitoring to track employee productivity or performance, the employer shall include the following information in the notice required by subdivision (1) of this subsection: (A) the performance or productivity standards by which employees will be assessed and how employees will be measured against those standards; (B) how performance or productivity data will be monitored and collected, including the identity of the employees subject to such monitoring and when, where, and how the monitoring and data collection will occur; and (C) any adverse consequences for failing to meet a performance or productivity standard and whether there is any bonus or incentive program associated with meeting or exceeding each standard. (3)(A) Notice of electronic monitoring provided pursuant to this section shall be written in plain, clear, and concise language and provided to each employee in the employee's primary language. (B) An employer shall provide a new, updated notice to employees if it makes any significant changes to the manner of electronic monitoring or to the way that the employer utilizes the electronic monitoring or any data generated by it.
(3) An employer shall not use any automated decision system outputs regarding an employee's physical or mental health in relation to an employment-related decision.
(j) Employee right to access and correct data. (1) Within seven days of receiving a request, an employer shall provide an employee with access to any data that relates to the employee that was produced or utilized by electronic monitoring or an automated decision system used by the employer. (2) Within seven days of receiving a request to correct potential errors identified by an employee, an employer shall: (A) correct the erroneous information or data and provide the employee with a notice that complies with subdivision (c)(3)(A) of this section, explaining the steps taken by the employer; or (B) provide the employee with a notice explaining that the employer has not corrected the information or data and describing the steps the employer has taken to verify the accuracy of the disputed information or data.
(5)(A) An employer that utilizes electronic monitoring shall annually provide each of its employees with a list of all electronic monitoring systems currently in use by the employer in relation to that employee. The list shall be provided in the primary language of the employee. (B) As used in this subdivision (5), "currently in use" means that the employer: (i) is currently using the system in relation to the employee; (ii) used the electronic monitoring system in relation to the employee within the past 90 days; or (iii) intends to use the electronic monitoring system in relation to the employee within the next 30 days.
(1) process personal data other than input data to inform chatbot outputs unless the processing of personal data is necessary to fulfill an express request made by a user and that user has provided affirmative consent;
(2) process a user's chat log to: (A) determine whether to display an advertisement for a product or service to the user; (B) determine a product, service, or category of product or service to advertise to the user; or (C) customize an advertisement or how an advertisement is presented to the user;
(3) process a user's chat log or personal data: (C) of a user over 18 years of age for training purposes, unless the chatbot provider first obtains affirmative consent; or (D) to engage in profiling beyond what is necessary to fulfill an express request from the user;
(3) process a user's chat log or personal data: (A) if the chatbot provider knows or should have known, based on knowledge fairly implied on the basis of objective circumstances, that the user is under 18 years of age without the affirmative consent of that user's parent or legal guardian; (B) for training purposes, if the chatbot provider knows or should have known, based on knowledge fairly implied on the basis of objective circumstances, that a user is under 18 years of age;
(4) use any classification or designation of a user's personality or behavioral characteristics created through profiling beyond what is necessary to fulfill an express request made by the user;
(b) Right to access. A user has the right to access, in a portable and readily usable format and at any time, any of the user's own chat logs that a chatbot provider has retained. (1) Chat logs must be made available to users in a downloadable and human- and machine-readable format. (2) A chatbot provider shall not discriminate or retaliate against any user, including by denying products or services, charging different prices or rates for products or services, or providing lower-quality products or services to the user, for accessing their own chat logs.
(a) Prohibition. Subject to the limited exceptions provided in this section, no person shall: (1) collect or record an individual's neural data gathered from a brain-computer interface; or (2) share with a third party an individual's neural data gathered from a brain-computer interface. (b) Consent to collect. A person shall not collect or record an individual's neural data gathered from a brain-computer interface unless the person: (1) provides the individual with a written notice explaining how the person will use the individual's neural data; and (2) thereafter receives written informed consent from the individual to collect or record the individual's neural data.
(c) Consent to share. A person shall not share with a third party an individual's neural data gathered from a brain-computer interface unless the person: (1) provides the individual with a written request for the individual's neural data to be shared with a third party and for what purposes, including the name and address of the third party; and (2) thereafter receives written informed consent from the individual to share the individual's neural data with the third party.
(d) Revocation of consent. (1) An individual who has provided written informed consent allowing a person to collect, record, or share the individual's neural data pursuant to this section has the right to revoke consent at any time thereafter by providing written notice to the person initially receiving the consent. This revocation of consent notice shall be as easy or easier for the individual to provide as compared to the requirements for initially providing consent. (2) A person who receives written notice from an individual revoking consent pursuant to subdivision (1) of this subsection shall: (A) destroy all records of the individual's neural data not later than 10 days after receiving the notice; and (B) in the case of the revocation of consent to share an individual's neural data, immediately: (i) cease sharing an individual's neural data with all third parties upon receipt of the notice; and (ii) inform all third parties with whom the person has shared the individual's neural data that the individual has revoked consent.
(a)(1) Except as provided in subdivision (2) of this subsection, a supplier of a mental health chatbot shall not sell to or share with any third party any: (A) individually identifiable health information of a Vermont user; or (B) user input of a Vermont user. (2) The prohibition set forth in subdivision (1) of this subsection shall not apply to individually identifiable health information that is: (A) requested by a health care provider with the consent of the Vermont user; (B) provided to a health plan of a Vermont user upon request of the Vermont user; or (C) shared in compliance with subsection (b) of this section. (b)(1) A supplier may share individually identifiable health information necessary to ensure the effective functionality of the mental health chatbot with another person with whom the supplier has a contract related to such functionality. (2) When sharing information pursuant to subdivision (1) of this subsection, the supplier and the other person shall comply with all applicable privacy and security provisions of 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E, as if the supplier were a covered entity and the other person were a business associate, as those terms are defined in 45 C.F.R. § 160.103.
To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, an entity shall: (1) Provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making available to a consumer: (A) A high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data; and (B) A prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data; (2) Obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic data that: (A) Clearly describes the entity's use of the genetic data that the entity collects through the entity's genetic testing product or service; (B) Specifies the categories of individuals within the entity that have access to test results; and (C) Specifies how the entity may share the genetic data;
(4) If the entity engages in any of the following, obtain a consumer's: (A) Separate express consent for: (i) The transfer or disclosure of the consumer's genetic data or biological sample to any third party other than the entity's processors, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed with the consumer's express consent; (ii) The use of genetic data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or (iii) The entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer; (B) Informed express consent for transfer or disclosure of the consumer's genetic data to third party persons for: (i) Research purposes; or (ii) Research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and (C) Express consent for: (i) Marketing to a consumer based on the consumer's genetic data; (ii) Marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or (iii) Sale or other valuable consideration of the consumer's genetic data.
(6) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and (A) Provide a process for a consumer to: (i) Access the consumer's genetic data; (ii) Delete the consumer's genetic data; (iii) Revoke any consent provided by the consumer; and (iv) Request and obtain the destruction of the consumer's biological sample.
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.