NY S09599

Establishes privacy standards for electronic health products and services by requiring affirmative express consent from users before any data processing, geofencing, or data brokering can occur, with separate consent required for data brokering activities.

Mandates covered organizations disclose all data collected, third parties with whom data will be shared, collection purposes, and allow users to withdraw consent at any time.

Requires deletion of personal health information immediately upon user request, consent withdrawal, or account deactivation, and limits data collection and sharing to what is strictly necessary for requested services or security/fraud prevention.

Prohibits digital advertisers from using geofencing to deliver targeted advertisements to users at health care facilities.

Creates private right of action allowing individuals to sue for violations, recover actual damages, and receive statutory damages of $500 per violation with attorney's fees awarded to prevailing plaintiffs; exempts actions compliant with federal HIPAA regulations.