New York City Council     Members

This bill requires entities licensed by the Taxi and Limousine Commission to protect passenger information—including names, addresses, credit card information, and any GPS data collected a passenger traveling in a TLC-licensed vehicle—and to only use that information for purposes the passenger has authorized. Those who misuse personal informational information would be subject to a penalty of $1,000 per violation.

  • Enacted

History

City Council
Recved from Mayor by Council
Mayor
Signed Into Law by Mayor
Mayor
Hearing Held by Mayor
City Council
Sent to Mayor by Council
City Council
Pass
Approved by Council
Committee on Transportation
Hearing Held by Committee
Committee on Transportation
Amendment Proposed by Comm
Committee on Transportation
Amended by Committee
Committee on Transportation
Pass
Approved by Committee
Committee on Transportation
Hearing Held by Committee
Committee on Transportation
Laid Over by Committee
City Council
Referred to Comm by Council
City Council
Introduced by Council

Int. No. 658-A

 

By Council Members Garodnick, Rodriguez, Chin, Constantinides, Rose, Espinal, Williams, Cabrera, Mendez, Rosenthal, Menchaca and Kallos

 

A Local Law to amend the administrative code of the city of New York, in relation to requiring information security and use of personal information policies for services licensed by taxi and limousine commission

 

Be it enacted by the Council as follows:

 

Section 1. Section 19-502 of the administrative code of the city of New York is amended by adding new subdivisions aa, bb, and cc to read as follows:

aa. “Breach of the security of the system” has the same meaning as in paragraph c of subdivision 1 of section 899-aa of the general business law.

bb. “Personal information” has the same meaning as in paragraph a of subdivision 1 of section 899-aa of the general business law and includes such information pertaining to passengers and drivers.

cc. “Passenger geolocation information” means information concerning the location of a wireless communication device that, in whole or in part, is generated by or derived from the operation of such device and that could be used to determine or infer information regarding the present, prospective, or historical location of an individual.

§ 2. Chapter 5 of title 19 of the administrative code of the city of New York is amended by adding a new section 19-546 to read as follows:

§ 19-546 Information security and use of personal information. a. All entities licensed by the commission, or authorized by the commission to provide services regulated by the commission, that collect or maintain passenger personal information or passenger geolocation information shall file with the commission an information security and use of personal information policy. Any policy filed pursuant to this section must include, at a minimum, the following provisions:

(i) a statement of internal access policies relating to passenger and driver personal information for employees, contractors, and third party access, if applicable;

(ii) a statement that, except to the extent necessary to provide credit, debit, and prepaid card services and services for any application that provides for electronic payment, personal information will only be collected and used with such passenger’s affirmative express consent and that such personal information will not be used, shared, or disclosed, except for lawful purposes;

(iii) procedures for notifying the commission and affected parties of any breach of the security of the system, pursuant to section 899-aa of the general business law;

(iv) a statement that any credit, debit, or prepaid card information collected by the entity or a credit, debit, or prepaid card services provider is processed by the entity or such provider in compliance with applicable payment card industry standards;

(v) a statement of the entity’s policies regarding the use of passenger geolocation information, which must include, at a minimum, a prohibition on the use, monitoring, or disclosure of trip information, including the date, time, pick-up location, drop-off location, and real-time vehicle location and any retained vehicle location records, without such passenger's affirmative express consent; and

(vi) and other provisions related to the protection of passenger or driver information that the commission may require by rule.

b. Any entity that files an information security and use of personal information policy pursuant to subdivision a of this section shall comply with the terms of such policy.

c. Any entity that has been found to have violated subdivisions a or b of this section shall be subject to a civil penalty of $1,000 for each offense.

§ 3. This local law shall take effect 120 days after its enactment into law, except that the Taxi and Limousine Commission shall take all necessary action, including the promulgation of rules, prior to such effective date.

 

KET 3/30/16 8:14PM

LS 3441/2014