•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 
  •  
  •  LFIN 
  •  
  •  Chamber Video/Transcript 

A02141 Summary:

BILL NOA02141
 
SAME ASSAME AS S00929
 
SPONSORRosenthal
 
COSPNSRReyes, Dinowitz, Simon, Cunningham, Tapia, Shimsky, Epstein, Bichotte Hermelyn, Burdick, Braunstein, Lucas, Seawright, Stirpe, Glick, Kim, Dilan, Taylor, Septimo, Gonzalez-Rojas, Levenberg, Mitaynes, Ramos, Otis, Weprin, Kelles, Lee, O'Pharrow, Pheffer Amato
 
MLTSPNSR
 
Add Art 42 §§1120 - 1128, Gen Bus L
 
Provides for the protection of health information; establishes requirements for communications to individuals about their health information; requires either written consent or a designated necessary purpose for the processing of an individual's health information.
Go to top    

A02141 Actions:

BILL NOA02141
 
01/15/2025referred to science and technology
01/22/2025reported referred to codes
01/22/2025reported referred to rules
01/22/2025reported
01/22/2025rules report cal.60
01/22/2025ordered to third reading rules cal.60
01/22/2025substituted by s929
 S00929 AMEND= KRUEGER
 01/08/2025REFERRED TO INTERNET AND TECHNOLOGY
 01/21/2025COMMITTEE DISCHARGED AND COMMITTED TO RULES
 01/21/2025ORDERED TO THIRD READING CAL.101
 01/21/2025PASSED SENATE
 01/21/2025DELIVERED TO ASSEMBLY
 01/21/2025referred to science and technology
 01/22/2025substituted for a2141
 01/22/2025ordered to third reading rules cal.60
 01/22/2025passed assembly
 01/22/2025returned to senate
Go to top

A02141 Memo:

NEW YORK STATE ASSEMBLY
MEMORANDUM IN SUPPORT OF LEGISLATION
submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A2141
 
SPONSOR: Rosenthal
  TITLE OF BILL: An act to amend the general business law, in relation to providing for the protection of health information   PURPOSE OR GENERAL IDEA OF BILL: This bill would govern companies that collect and sell healthcare infor- mation and provides additional rights and protections to users related to the sale and of their private health information.   SUMMARY OF SPECIFIC PROVISIONS: Section one amends the general business law by adding a new article 42. Section two provides a severability clause. Section three establishes the effective date.   JUSTIFICATION: Most residents of the State are under the impression that HIPAA protects them and their health data from being accessed by third parties and sold by and to other organizations. Residents are generally unaware that their technology is constantly tracking their movements, and geolocation data is being sold to companies for the purposes of targeted advertise- ments or tracking. Most users also do not have an understanding of how much information is being collected, stored, and sold for the benefit of third parties. For example, a mobile app to track menstruation cycles was recently caught selling users' data to antiabortion advocacy organ- izations. This bill creates a legal framework for residents to reclaim and retain control of their healthcare information. Electronic apps or websites, that are designed to provide a diagnosis or retain health information will be required to receive affirmative consent by the user to retain such information and would provide users the ability to rescind such consent. The bill also provides a legal remedy for those whose data was improperly collected or used.   PRIOR LEGISLATIVE HISTORY: 2022-23: A.4983-D - Advanced to Third Reading; S.158-E - Advanced to Third Reading   FISCAL IMPLICATIONS: None to the State.
Go to top

A02141 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          2141
 
                               2025-2026 Regular Sessions
 
                   IN ASSEMBLY
 
                                    January 15, 2025
                                       ___________
 
        Introduced  by  M.  of A. ROSENTHAL, REYES, DINOWITZ, SIMON, CUNNINGHAM,
          TAPIA,  SHIMSKY,  EPSTEIN,  BICHOTTE HERMELYN,  BURDICK,   BRAUNSTEIN,
          LUCAS,  SEAWRIGHT,  STIRPE, GLICK, KIM, DILAN, TAYLOR, SEPTIMO, GONZA-
          LEZ-ROJAS, LEVENBERG, MITAYNES, RAMOS, OTIS -- read once and  referred
          to the Committee on Science and Technology

        AN  ACT  to amend the general business law, in relation to providing for
          the protection of health information
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section 1. The general business law is amended by adding a new article
     2  42-A to read as follows:
     3                                ARTICLE 42-A
     4                   NEW YORK HEALTH INFORMATION PRIVACY ACT
     5  Section 1120. Definitions.
     6          1121. Requirements for communications to individuals.
     7          1122. Lawfulness of processing regulated health information.
     8          1123. Individual rights.
     9          1124. Security.
    10          1125. Service providers.
    11          1126. Exemptions.
    12          1127. Enforcement.
    13          1128. Contracts and waivers void and unenforceable.
    14    §  1120.  Definitions.  As  used  in this article, the following terms
    15  shall have the following meanings:
    16    1. "Deidentified information" means information that cannot reasonably
    17  be used to infer information about, or otherwise be linked to a  partic-
    18  ular individual, household, or device, provided that the regulated enti-
    19  ty or service provider that processes the information:
    20    (a)  Implements  reasonable  technical  safeguards  to ensure that the
    21  information cannot be  associated  with  an  individual,  household,  or
    22  device;
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD01741-01-5

        A. 2141                             2
 
     1    (b)  Publicly  commits to process the information only as deidentified
     2  information and not attempt to reidentify the information,  except  that
     3  the  regulated  entity or service provider may attempt to reidentify the
     4  information solely for the purpose of determining  whether  its  deiden-
     5  tification processes satisfy the requirements of this section; and
     6    (c) Contractually obligates any recipient of the deidentified informa-
     7  tion to comply with all requirements of this section.
     8    2.  "Regulated  health  information"  means  any  information  that is
     9  reasonably linkable to an individual, or a device, and is  collected  or
    10  processed  in  connection with the physical or mental health of an indi-
    11  vidual. Location or payment information that relates to an  individual's
    12  physical  or  mental  health  or any inference drawn or derived about an
    13  individual's physical or mental health that is reasonably linkable to an
    14  individual, or a device, shall be considered, without limitation,  regu-
    15  lated  health  information.    Regulated  health  information  shall not
    16  include deidentified information.
    17    3. "Process" or "processing" means an operation or set  of  operations
    18  performed  on regulated health information, including but not limited to
    19  the collection, use,  access,  sharing,  sale,  monetization,  analysis,
    20  retention,  creation,  generation,  derivation, recording, organization,
    21  structuring, storage,  disclosure,  transmission,  disposal,  licensing,
    22  destruction,  deletion,  modification,  or deidentification of regulated
    23  health information.
    24    4. "Regulated entity" means any entity that (a) controls the  process-
    25  ing  of  regulated health information of an individual who is a New York
    26  resident, (b) controls the processing of regulated health information of
    27  an individual who is physically present in New York while that  individ-
    28  ual is in New York, or (c) is located in New York and controls the proc-
    29  essing of regulated health information. A regulated entity may also be a
    30  service  provider  depending  upon the context in which regulated health
    31  information is processed.
    32    5. "Sell" means to share regulated health information for monetary  or
    33  other  valuable  consideration.  Selling does not include the sharing of
    34  regulated health information for monetary or  other  valuable  consider-
    35  ation  to  a  third party as an asset that is part of a merger, acquisi-
    36  tion, bankruptcy, or other transaction in which the third party  assumes
    37  control of all or part of the regulated entity's assets.
    38    6.  "Service provider" means any person or entity that processes regu-
    39  lated health information on behalf of  a  regulated  entity.  A  service
    40  provider  may  also  be a regulated entity depending upon the context in
    41  which regulated health information is processed.
    42    7. "Third party" means a person or entity other than  the  individual,
    43  regulated  entity,  or  service  provider  involved  in a transaction or
    44  occurrence that involves regulated health information. A third party may
    45  also be a regulated  entity  or  service  provider  depending  upon  the
    46  context in which regulated health information is processed.
    47    §  1121.  Requirements for communications to individuals. All notices,
    48  disclosures, forms, and other  communications  to  individuals  provided
    49  pursuant to this article shall comply with the following:
    50    1.  In  general,  all  communications shall use plain, straightforward
    51  language, avoiding technical or  legal  jargon,  and  must  be  provided
    52  through  an  interface  the individual regularly uses in connection with
    53  the regulated entity's product or service.
    54    2. All communications shall be reasonably  accessible  to  individuals
    55  with disabilities, including by:
    56    (a) utilizing digital accessibility tools;

        A. 2141                             3
 
     1    (b)  for  notices, complying with generally recognized industry stand-
     2  ards, including, but not limited to, current standards set by  standards
     3  setting bodies such as the World Web Consortium, or other similar stand-
     4  ards setting bodies as determined by the attorney general; and
     5    (c) for other communications, providing information about how an indi-
     6  vidual  with a disability may access the communication in an alternative
     7  format.
     8    3. All communications shall be available in the languages in which the
     9  regulated entity provides information via its website and services.  Any
    10  direct  communication to an individual shall be provided in the language
    11  in which the individual ordinarily interacts with the  regulated  entity
    12  or its service provider.
    13    4. A regulated entity shall make any notice for processing pursuant to
    14  a permissible purpose, pursuant to subparagraph (ii) of paragraph (b) of
    15  subdivision one of section eleven hundred twenty-two of this article, or
    16  form  for processing pursuant to authorization, pursuant to subparagraph
    17  (i) of paragraph (b) of subdivision one of section eleven hundred  twen-
    18  ty-two of this article, publicly available on its website. If an author-
    19  ization form is customized for each individual, the regulated entity may
    20  instead publicly post a sample authorization form on its website.
    21    §  1122. Lawfulness of processing regulated health information.  1. In
    22  general, it shall be unlawful for a regulated entity to:
    23    (a) sell an individual's  regulated  health  information  to  a  third
    24  party; or
    25    (b)  otherwise  process  an  individual's regulated health information
    26  unless:
    27    (i) The individual has provided valid authorization for such  process-
    28  ing as set forth in paragraph (b) of subdivision two of this section; or
    29    (ii)  Processing  of  an  individual's regulated health information is
    30  strictly necessary for the purpose of:
    31    (A) providing or maintaining a specific product or  service  requested
    32  by such individual;
    33    (B)  conducting  the  regulated entity's internal business operations,
    34  which exclude any activities related to marketing, advertising, research
    35  and development, or providing products or services to third parties;
    36    (C) protecting against malicious, fraudulent, or illegal activity;
    37    (D) detecting, responding to,  or  preventing  security  incidents  or
    38  threats;
    39    (E) protecting the vital interests of an individual;
    40    (F) investigating, establishing, exercising, preparing for, or defend-
    41  ing legal claims; or
    42    (G) complying with the regulated entity's legal obligations.
    43    2.  Unless  processing of an individual's regulated health information
    44  is strictly necessary pursuant to subparagraph (ii) of paragraph (b)  of
    45  subdivision one of this section, a regulated entity that processes regu-
    46  lated  health information pursuant to valid authorization as required by
    47  subparagraph (i) of paragraph (b) of subdivision  one  of  this  section
    48  shall comply with the following:
    49    (a)  A  request for authorization to process an individual's regulated
    50  health information shall:
    51    (i) be made separately from any other transaction or part of a  trans-
    52  action;
    53    (ii) be made at least twenty-four hours after an individual creates an
    54  account or first uses the requested product or service;

        A. 2141                             4
 
     1    (iii)  be made in the absence of any mechanism that has the purpose or
     2  substantial effect of obscuring, subverting, or  impairing  an  individ-
     3  ual's decision-making regarding authorization for processing;
     4    (iv) if requesting authorization for multiple categories of processing
     5  activities,  allow  the  individual to provide or withhold authorization
     6  separately for each category of processing activity; and
     7    (v) not include any request for authorization for a processing  activ-
     8  ity for which an individual has withheld or revoked authorization within
     9  the past calendar year.
    10    (b) A valid authorization shall include:
    11    (i) the types of regulated health information to be processed;
    12    (ii) the nature of the processing activity;
    13    (iii) the specific purposes for such processing;
    14    (iv)  the  names  where  readily  available,  or categories of service
    15  providers and third parties to which the regulated entity  may  disclose
    16  the  individual's regulated health information and the purposes for such
    17  disclosure, including the circumstances under which the regulated entity
    18  may disclose regulated health information to law enforcement;
    19    (v) any monetary or other valuable consideration the regulated  entity
    20  may  receive  in  connection  with processing the individual's regulated
    21  health information, where applicable;
    22    (vi) that failing to provide authorization will not affect  the  indi-
    23  vidual's   experience  of  using  the  regulated  entity's  products  or
    24  services;
    25    (vii) the expiration date of the authorization, which may be up to one
    26  year from the date authorization was provided;
    27    (viii) the mechanism by which the individual may revoke  authorization
    28  prior to expiration;
    29    (ix)  the  mechanism by which the individual may request access to and
    30  deletion of their regulated health information;
    31    (x) any other information material to an individual's  decision-making
    32  regarding authorization for processing; and
    33    (xi)  the signature, which may be electronic, of the individual who is
    34  the subject of the regulated health information, or a parent or guardian
    35  authorized by law to take actions of legal consequence on behalf of  the
    36  individual  who  is the subject of the regulated health information, and
    37  the date.
    38    (c) (i) A regulated entity that receives authorization for  processing
    39  shall  provide  an  effective,  efficient,  and easy-to-use mechanism by
    40  which an individual may revoke authorization  at  any  time  through  an
    41  interface the individual regularly uses in connection with the regulated
    42  entity's product or service.
    43    (ii)  Upon  an individual's revocation of authorization, the regulated
    44  entity shall immediately  cease  all  processing  activities  for  which
    45  authorization was revoked, except to the extent necessary to comply with
    46  the regulated entity's legal obligations.
    47    (iii)  For  individuals  who have an online account with the regulated
    48  entity, the regulated entity must provide, in a conspicuous  and  easily
    49  accessible  place  within the account settings, a list of all processing
    50  activities for which the individual has provided authorization and,  for
    51  each  processing  activity, allow the individual to revoke authorization
    52  in the same place with one motion or action.
    53    (d) Upon obtaining valid authorization from an individual,  the  regu-
    54  lated  entity shall provide that individual a copy of the authorization.
    55  The authorization shall be provided in a manner that is capable of being
    56  retained by the individual.

        A. 2141                             5
 
     1    (e) The regulated entity shall limit its processing to what was clear-
     2  ly disclosed to an individual pursuant to paragraph (b) of this subdivi-
     3  sion when the regulated entity received authorization from the  individ-
     4  ual.
     5    (f)  If  the regulated entity seeks to materially alter its processing
     6  activities  for  regulated  health  information  collected  pursuant  to
     7  authorization, the regulated entity shall obtain a new authorization for
     8  the new or altered processing activity.
     9    (g) Providing a product or service requested by an individual must not
    10  be made contingent on providing authorization. The regulated entity must
    11  not  discriminate  against  an individual for withholding authorization,
    12  such as by charging different prices or rates for products or  services,
    13  including  through  the  use  of  discounts  or other benefits, imposing
    14  penalties, or providing a different level  or  quality  of  services  or
    15  goods to the individual.
    16    3.  A  regulated  entity  that  processes regulated health information
    17  pursuant to a permissible purpose pursuant to subparagraph (ii) of para-
    18  graph (b) of subdivision one of  this  section  shall  comply  with  the
    19  following:
    20    (a) A regulated entity shall provide clear and conspicuous notice that
    21  describes:
    22    (i) the types of regulated health information to be processed;
    23    (ii) the nature of the processing activity;
    24    (iii) the specific purposes for such processing;
    25    (iv)  the  names  where  readily  available,  or categories of service
    26  providers and third parties to which the regulated entity  may  disclose
    27  the  individual's regulated health information and the purposes for such
    28  disclosure, including the circumstances under which the regulated entity
    29  may disclose regulated health information to law enforcement; and
    30    (v) the mechanism by which the individual may request  access  to  and
    31  deletion of their regulated health information.
    32    (b)  If  the  regulated entity materially alters its processing activ-
    33  ities for regulated health information collected pursuant to a permissi-
    34  ble purpose, the regulated entity must provide a clear  and  conspicuous
    35  notice  in  plain  language,  separate  from  a privacy policy, terms of
    36  service, or similar document, that describes any material changes to the
    37  processing activities and provide the individual with an opportunity  to
    38  request deletion of their regulated health information.
    39    § 1123. Individual rights. 1. (a) A regulated entity shall make avail-
    40  able  an  effective,  efficient,  and  easy-to-use  mechanism through an
    41  interface the individual regularly uses in connection with the regulated
    42  entity's product or service by which an individual may request access to
    43  their regulated health information.
    44    (b) Within thirty days of receiving an access request,  the  regulated
    45  entity  shall  make available a copy of all regulated health information
    46  about the individual that the regulated entity maintains or that service
    47  providers maintain on behalf of the regulated entity.
    48    2. (a) A regulated entity shall make  available  an  effective,  effi-
    49  cient,  and  easy-to-use  mechanism  through an interface the individual
    50  regularly uses in connection with  the  regulated  entity's  product  or
    51  service  by  which an individual may request the deletion of their regu-
    52  lated health information.
    53    (b) An individual's request to delete or cancel their  online  account
    54  shall  be  treated  as  a  request  to delete the individual's regulated
    55  health information.

        A. 2141                             6
 
     1    (c) Within thirty days of receiving a deletion request, the  regulated
     2  entity shall:
     3    (i)  Delete all regulated health information associated with the indi-
     4  vidual in the regulated entity's possession or control,  except  to  the
     5  extent  necessary  to  comply  with  the  regulated entity's legal obli-
     6  gations; and
     7    (ii) Unless it proves impossible or involves  disproportionate  effort
     8  that  is documented in writing by the regulated entity, communicate such
     9  request to each service provider or third party that processed the indi-
    10  vidual's regulated health information in connection with  a  transaction
    11  involving  the  regulated entity occurring within one year preceding the
    12  individual's request.
    13    (d) Any service provider or third party that  receives  notice  of  an
    14  individual's  deletion request shall within thirty days delete all regu-
    15  lated  health  information  associated  with  the  individual   in   its
    16  possession or control, except to the extent necessary to comply with its
    17  legal obligations.
    18    3. Any right set forth in this section may be exercised at any time by
    19  the individual who is the subject of the regulated health information or
    20  an agent authorized by such individual.
    21    §  1124.  Security.  1.  In general, a regulated entity shall develop,
    22  implement, and maintain reasonable administrative, technical, and  phys-
    23  ical  safeguards to protect the security, confidentiality, and integrity
    24  of regulated health information.
    25    2. A regulated entity must securely dispose of an  individual's  regu-
    26  lated  health  information  pursuant  to  a publicly available retention
    27  schedule within a reasonable time, and in  no  event  later  than  sixty
    28  days,  after  it  is no longer necessary to maintain for the permissible
    29  purpose or purposes identified in the notice or for which the individual
    30  provided valid authorization.
    31    § 1125. Service providers. 1. In general, any processing of  regulated
    32  health information by a service provider on behalf of a regulated entity
    33  shall  be governed by a written, binding agreement. Such agreement shall
    34  clearly set forth instructions for processing regulated health  informa-
    35  tion,  the nature and purpose of processing, the duration of processing,
    36  and the rights and obligations of both parties.
    37    2. An agreement pursuant to subdivision  one  of  this  section  shall
    38  require that the service provider:
    39    (a) ensure that each person processing regulated health information is
    40  subject to a duty of confidentiality with respect to such information;
    41    (b)  protect  regulated health information in a manner consistent with
    42  the requirements of this article;
    43    (c) process regulated health information only when and to  the  extent
    44  necessary to comply with its obligations to the regulated entity;
    45    (d)  not  combine  the  regulated health information which the service
    46  provider receives from or on behalf of the  regulated  entity  with  any
    47  other  personal  information which the service provider receives from or
    48  on behalf of another party or collects from its  own  relationship  with
    49  individuals;
    50    (e)  comply with any exercises of an individual's rights under section
    51  eleven hundred twenty-three of this article  upon  the  request  of  the
    52  regulated  entity  and  notify any service providers or third parties to
    53  which it disclosed regulated health information of the request;
    54    (f) delete or return all regulated health information to the regulated
    55  entity at the end of the provision of services, unless retention of  the
    56  regulated health information is required by law;

        A. 2141                             7
 
     1    (g)  upon  the reasonable request of the regulated entity, make avail-
     2  able to the regulated entity all data in  its  possession  necessary  to
     3  demonstrate  the  service  provider's compliance with the obligations in
     4  this section;
     5    (h) allow, and cooperate with, reasonable assessments by the regulated
     6  entity  or  the  regulated  entity's designated assessor for purposes of
     7  evaluating compliance with the obligations of this  article.    Alterna-
     8  tively, the service provider may arrange for a qualified and independent
     9  assessor to conduct an assessment of the service provider's policies and
    10  technical  and  organizational  measures  in  support of the obligations
    11  under this article using an appropriate and accepted control standard or
    12  framework and assessment procedure for  such  assessments.  The  service
    13  provider  shall  provide  a  report  of such assessment to the regulated
    14  entity upon request;
    15    (i) notify the regulated entity a reasonable time  in  advance  before
    16  disclosing  or  transferring regulated health information to any further
    17  service providers, which may be in the form of a regularly updated  list
    18  of  further  service providers that may access regulated health informa-
    19  tion; and
    20    (j) engage any further service provider pursuant to a written, binding
    21  agreement that includes the contractual requirements  provided  in  this
    22  section,  containing  at  minimum  the same obligations that the service
    23  provider has entered into with regard to regulated health information.
    24    § 1126. Exemptions. Nothing in this article shall apply to:
    25    1. information processed by local, state, and federal governments, and
    26  municipal corporations;
    27    2. protected health information that is collected by a covered  entity
    28  or  business  associate  governed  by  the privacy, security, and breach
    29  notification rules issued by the United States Department of Health  and
    30  Human  Services,  Parts  160  and 164 of Title 45 of the Code of Federal
    31  Regulations, established pursuant to the  Health  Insurance  Portability
    32  and  Accountability  Act  of  1996  (Public  Law 104-191) and the Health
    33  Information Technology for Economic and Clinical Health Act (Public  Law
    34  111-5);
    35    3.  any  covered  entity governed by the privacy, security, and breach
    36  notification rules issued by the United States Department of Health  and
    37  Human  Services,  Parts  160  and 164 of Title 45 of the Code of Federal
    38  Regulations, established pursuant to the  Health  Insurance  Portability
    39  and  Accountability  Act of 1996 (Public Law 104-191), to the extent the
    40  covered entity maintains patient  information  in  the  same  manner  as
    41  protected  health  information  as  described in subdivision two of this
    42  section; and
    43    4. information collected as part of a clinical trial  subject  to  the
    44  Federal  Policy  for the Protection of Human Subjects, also known as the
    45  Common Rule, pursuant to good clinical practice guidelines issued by the
    46  International Council for Harmonisation or  pursuant  to  human  subject
    47  protection  requirements  of  the  United  States Food and Drug Adminis-
    48  tration.
    49    § 1127. Enforcement. 1. Whenever it appears to the  attorney  general,
    50  either  upon  complaint or otherwise, that any person or persons, within
    51  or outside the state, has engaged in or is about to engage in any of the
    52  acts or practices stated to be unlawful under this article, the attorney
    53  general may bring an action or special proceeding in  the  name  and  on
    54  behalf of the people of the state of New York to enjoin any violation of
    55  this  article,  to obtain restitution of any moneys or property obtained
    56  directly or indirectly by any such violation, to obtain disgorgement  of

        A. 2141                             8
 
     1  any  profits  obtained  directly or indirectly by any such violation, to
     2  obtain civil penalties of not more than  fifteen  thousand  dollars  per
     3  violation  or twenty percent of revenue obtained from New York consumers
     4  within  the  past  fiscal  year, whichever is greater, and to obtain any
     5  such other and further relief as the court may  deem  proper,  including
     6  preliminary relief.
     7    2.  The  remedies provided by this section shall be in addition to any
     8  other lawful remedy available.
     9    3. Any action or special proceeding brought by  the  attorney  general
    10  pursuant  to this section must be commenced within six years of the date
    11  on which the attorney general became aware of the violation.
    12    4. In connection with any proposed action or special proceeding  under
    13  this  section, the attorney general is authorized to take proof and make
    14  a determination of the relevant facts, and to issue subpoenas in accord-
    15  ance with the civil practice law and rules.  The  attorney  general  may
    16  also  require  such other data and information as they may deem relevant
    17  and may require written responses to questions under oath. Such power of
    18  subpoena and examination shall not abate or terminate by reason  of  any
    19  action  or special proceeding brought by the attorney general under this
    20  article.
    21    5. This section shall apply to all acts declared  to  be  unlawful  in
    22  this article, whether or not subject to any other law of this state, and
    23  shall  not  supersede, amend or repeal any other law of this state under
    24  which the attorney general is authorized to take any action  or  conduct
    25  any inquiry.
    26    6.  The  attorney general may promulgate such rules and regulations as
    27  are necessary to effectuate and enforce the provisions of this section.
    28    § 1128. Contracts and waivers void and unenforceable.  1. Any contrac-
    29  tual provision inconsistent with this article shall be  void  and  unen-
    30  forceable.
    31    2.  Any  waiver  by  any  individual of the provisions of this article
    32  shall be void and unenforceable.
    33    § 2. Severability. If any clause,  sentence,  paragraph,  subdivision,
    34  section  or part of this act shall be adjudged by any court of competent
    35  jurisdiction to be invalid, such judgment shall not affect,  impair,  or
    36  invalidate the remainder thereof, but shall be confined in its operation
    37  to the clause, sentence, paragraph, subdivision, section or part thereof
    38  directly  involved  in the controversy in which such judgment shall have
    39  been rendered. It is hereby declared to be the intent of the legislature
    40  that this act would have been enacted even if  such  invalid  provisions
    41  had not been included herein.
    42    §  3. This act shall take effect one year after it shall have become a
    43  law. Effective immediately, the addition, amendment and/or repeal of any
    44  rule or regulation necessary for the implementation of this act  on  its
    45  effective date are authorized to be made and completed on or before such
    46  effective date.
Go to top