Acceptable Use Policy (New York)

ACCEPTABLE USE POLICY — NEW YORK

Effective Date: [__/__/____]
Last Updated: [__/__/____]
Company: [________________________________] ("Provider" or "Company")
Website/Service: [________________________________] (the "Service")

TABLE OF CONTENTS

1. Definitions
2. Scope and Applicability
3. Permitted Use
4. Prohibited Conduct
5. Content Standards
6. AI and Automated Systems Usage Restrictions
7. Data Protection and Privacy Compliance (New York-Specific)
8. Network and System Security
9. Email and Communication Standards
10. Monitoring and Enforcement
11. Violation Consequences
12. Reporting Violations
13. New York-Specific Legal Provisions
14. Amendments and Updates
15. Acknowledgment and Acceptance
    Exhibit A — Prohibited Content Examples
    Exhibit B — Violation Reporting Form

1. DEFINITIONS

1.1 "Authorized User" means any individual or entity granted access to the Service under a valid agreement.

1.2 "Computer" means a device or group of devices which, by manipulation of electronic, magnetic, optical, or electrochemical impulses, pursuant to a computer program, can automatically perform arithmetic, logical, storage, or retrieval operations with or on computer data, as defined in N.Y. Penal Law § 156.00(1).

1.3 "Computer Material" means any computer data or computer program, as defined in N.Y. Penal Law § 156.00(3).

1.4 "Computer Program" means an ordered set of data representing coded instructions or statements that can be executed by a Computer, as defined in N.Y. Penal Law § 156.00(4).

1.5 "Content" means any data, text, images, audio, video, software, code, or other materials uploaded, transmitted, stored, or made available through the Service.

1.6 "Customer" means the entity with a valid agreement for access to the Service.

1.7 "Intimate Image" means a still or video image of a person engaging in sexual conduct or exhibiting a nude body part, taken under circumstances in which a reasonable person would have expected the image to remain private, as referenced in N.Y. Penal Law § 245.15.

1.8 "Malicious Code" means viruses, worms, Trojan horses, ransomware, spyware, rootkits, or any other harmful software.

1.9 "Minor" means any individual under 18 for New York law, or under 13 for COPPA.

1.10 "Private Information" shall have the meaning set forth in N.Y. Gen. Bus. Law § 899-aa(1).

1.11 "Prohibited Content" means Content violating this AUP, applicable law, or third-party rights.

1.12 "Service" means the SaaS platform, applications, APIs, websites, and related services provided by Provider.

1.13 "Spam" means unsolicited commercial electronic communications sent in violation of applicable law.

2. SCOPE AND APPLICABILITY

2.1 Applicability. This AUP applies to all Authorized Users.

2.2 Customer Responsibility. Customer is responsible for compliance by all Authorized Users.

2.3 Age Restrictions. The Service is not intended for individuals under [____] (default: 18) without verifiable parental consent. COPPA compliance required for children under 13.

2.4 New York Nexus. This AUP applies New York-specific requirements to use involving New York residents, content directed to New York users, or activities conducted within New York.

3. PERMITTED USE

3.1 Authorized Purposes. Lawful business purposes within the scope of the applicable agreement.

3.2 Compliance. All use must comply with federal, New York, and local laws.

3.3 Capacity Limits. Use within published limits and fair use parameters.

4. PROHIBITED CONDUCT

4.1 Illegal Activities. Authorized Users shall not:

• (a) Violate any applicable federal, New York, or local law;
• (b) Engage in fraud, identity theft, or social engineering;
• (c) Facilitate financial crimes;
• (d) Infringe intellectual property rights; or
• (e) Violate the CFAA (18 U.S.C. § 1030) or New York Penal Law Article 156.

4.2 New York Penal Law Article 156 — Computer Crimes. The following are prohibited:

• (a) Unauthorized Use of a Computer (§ 156.05): Knowingly using a Computer or computer service without authorization — Class A misdemeanor;
• (b) Computer Trespass (§ 156.10): Knowingly using a Computer without authorization and thereby gaining access to Computer Material — Class E felony (up to 4 years imprisonment); elevated to Class D felony if the computer belongs to a government entity or the person acts with intent to commit a felony;
• (c) Computer Tampering — Fourth Degree (§ 156.20): Intentionally altering or destroying Computer Material or a Computer Program without authorization — Class A misdemeanor;
• (d) Computer Tampering — Third Degree (§ 156.25): Computer tampering that causes aggregate damage exceeding $1,000 — Class E felony;
• (e) Computer Tampering — Second Degree (§ 156.26): Computer tampering that causes aggregate damage exceeding $3,000 and intentionally alters medical records — Class D felony;
• (f) Computer Tampering — First Degree (§ 156.27): Computer tampering that causes aggregate damage exceeding $50,000 — Class C felony (up to 15 years imprisonment); and
• (g) Unlawful Duplication of Computer-Related Material (§ 156.30): Copying Computer Material without authorization when no right to do so exists — Class E felony.

4.3 Security Violations. Authorized Users shall not:

• (a) Gain unauthorized access to any system, network, or data;
• (b) Conduct vulnerability scanning or penetration testing without authorization;
• (c) Launch DoS or DDoS attacks;
• (d) Introduce Malicious Code;
• (e) Intercept or alter communications;
• (f) Bypass security features or access controls; or
• (g) Forge headers or manipulate identifiers.

4.4 Abuse and Misuse. Authorized Users shall not:

• (a) Resell or sublicense the Service;
• (b) Use the Service to develop competing products;
• (c) Publish unauthorized benchmarks;
• (d) Engage in cryptomining;
• (e) Deliberately consume excessive resources; or
• (f) Scrape or data mine outside documented APIs.

4.5 Harassment and Harmful Conduct. Authorized Users shall not:

• (a) Harass, threaten, or intimidate any individual;
• (b) Disseminate hate speech;
• (c) Distribute non-consensual Intimate Images in violation of N.Y. Penal Law § 245.15 — unlawful dissemination or publication of an intimate image is a Class A misdemeanor (up to 1 year imprisonment, $1,000 fine);
• (d) Victims may pursue civil actions under N.Y. Civ. Rights Law § 52-b for actual damages, punitive damages, and attorneys' fees;
• (e) Create or distribute AI-generated non-consensual explicit images in violation of S1042A (signed into law 2023), making it illegal to create and disseminate deepfake intimate images without consent — Class A misdemeanor (up to 1 year imprisonment, $1,000 fine) with a civil right of action;
• (f) Engage in aggravated harassment under N.Y. Penal Law § 240.30, including communicating threats or causing annoyance or alarm through electronic means;
• (g) Engage in cyberbullying, particularly conduct directed at students in violation of the Dignity for All Students Act (N.Y. Educ. Law § 10 et seq.);
• (h) Dox any individual by publishing private information without consent; or
• (i) File false emergency reports.

5. CONTENT STANDARDS

5.1 Prohibited Content. Strictly prohibited:

• (a) Unlawful, fraudulent, or deceptive Content;
• (b) IP-infringing Content;
• (c) CSAM or content exploiting Minors;
• (d) Non-consensual Intimate Images (real or AI-generated/deepfake);
• (e) Terrorist or extremist Content;
• (f) Malicious Code;
• (g) Stolen credentials, Private Information, or financial data;
• (h) Spam and phishing payloads;
• (i) Content violating privacy rights; and
• (j) Content constituting aggravated harassment under New York law.

5.2 DMCA Compliance. Provider maintains a DMCA agent. Contact: [________________________________].

• (a) Takedown: Expeditious removal upon valid notice.
• (b) Counter-Notification: Available under 17 U.S.C. § 512(g).
• (c) Repeat Infringers: Terminated.

5.3 New York Right of Privacy and Publicity. Content shall not use any individual's name, portrait, or picture for trade purposes without written consent in violation of N.Y. Civ. Rights Law §§ 50-51.

6. AI AND AUTOMATED SYSTEMS USAGE RESTRICTIONS

6.1 Prohibited AI Uses. Authorized Users shall not:

• (a) Use Service outputs to train competing models without permission;
• (b) Make fully automated decisions with legal or significant effects without human review;
• (c) Generate deceptive synthetic media or deepfakes;
• (d) Create AI-generated Intimate Images of real individuals without consent;
• (e) Use AI to impersonate individuals;
• (f) Hold out AI outputs as professional advice without disclaimers; or
• (g) Use AI to circumvent content moderation.

6.2 New York-Specific AI Provisions.

• (a) Deepfake Intimate Images (S1042A): AI-generated explicit images of identifiable persons distributed without consent constitute a Class A misdemeanor. Victims may pursue civil actions for damages. Distribution of deepfake pornography became a criminal offense in New York on December 1, 2023.
• (b) TAKE IT DOWN Act (2025, Federal): Prohibits publishing intimate visual depictions or deepfakes of non-consenting adults and minors. Platforms must provide notice and takedown mechanisms.
• (c) Automated Employment Decision Tools (NYC Local Law 144): If Customer uses the Service for automated employment decision tools within New York City, compliance with NYC Local Law 144 (effective July 5, 2023) is required, including bias audits and public summaries.
• (d) AI Transparency: Where AI-generated Content is used in communications directed to New York consumers, disclosure may be required to avoid deceptive practices under GBL § 349.

6.3 Disclosure. AI-generated Content must be labeled where required by law or where non-disclosure would be misleading.

7. DATA PROTECTION AND PRIVACY COMPLIANCE (NEW YORK-SPECIFIC)

7.1 SHIELD Act Compliance (N.Y. Gen. Bus. Law §§ 899-aa, 899-bb). Authorized Users shall:

• (a) Develop, implement, and maintain reasonable safeguards to protect Private Information, including administrative, technical, and physical safeguards as specified in § 899-bb;
• (b) Not engage in activities that would compromise the confidentiality, security, or integrity of Private Information accessible through the Service;
• (c) Promptly notify Provider of any suspected breach of security involving Private Information; and
• (d) Cooperate with breach notification obligations.

7.2 SHIELD Act — Data Security Requirements. The reasonable safeguards required by § 899-bb include:

(a) Administrative Safeguards:

• Designating employee(s) to coordinate the security program;
• Identifying reasonably foreseeable internal and external risks;
• Assessing safeguard sufficiency;
• Employee training;
• Service provider selection and management; and
• Adjusting the program to address business changes.

(b) Technical Safeguards:

• Assessing risks in network and software design;
• Detecting, preventing, and responding to attacks;
• Regularly testing key controls and systems.

(c) Physical Safeguards:

• Assessing risks of information storage and disposal;
• Detecting and preventing intrusions;
• Protecting against unauthorized access during disposal;
• Erasing electronic media so data cannot be reconstructed.

7.3 Breach Notification. In the event of a breach of the security of the system:

• (a) Notification to affected New York residents within 30 days of discovery (as amended December 2024);
• (b) Notification to the New York Attorney General, Division of State Police, and Department of State;
• (c) Civil penalties of up to $20 per instance of failed notification (capped at $250,000);
• (d) Civil penalties of up to $5,000 per violation for failure to maintain reasonable safeguards; and
• (e) The Attorney General may bring an action for injunctive relief and damages.

7.4 COPPA. Verifiable parental consent required for children under 13.

7.5 New York Children's Privacy. The Dignity for All Students Act requires school districts to address cyberbullying. If the Service is used in educational settings, Customer shall implement policies consistent with DASA requirements.

7.6 Biometric Information. New York City's Biometric Identifier Information Law (NYC Admin. Code § 22-1201) restricts commercial use of biometric identifier information. If the Service collects or uses biometric data in New York City, compliance with this local law is required.

8. NETWORK AND SYSTEM SECURITY

8.1 Security Requirements. Authorized Users shall:

• (a) Maintain credential confidentiality and use MFA where available;
• (b) Report compromised credentials immediately;
• (c) Keep client-side software current; and
• (d) Comply with Provider's security policies and API rate limits.

8.2 Vulnerability Testing. Prohibited without written authorization.

8.3 Reverse Engineering. Prohibited except as permitted by applicable law.

8.4 New York Computer Crimes Protections. Provider's systems are protected under N.Y. Penal Law Article 156. Unauthorized access, tampering, or duplication of Computer Material through the Service may result in criminal prosecution.

9. EMAIL AND COMMUNICATION STANDARDS

9.1 Federal CAN-SPAM. Full compliance per 15 U.S.C. § 7701 et seq.

9.2 New York Anti-Spam. New York does not have a comprehensive state anti-spam statute, but unsolicited commercial email that contains deceptive content may violate GBL § 349 (deceptive practices) and GBL § 350 (false advertising). Additionally:

• (a) Deceptive header information in emails directed to New York recipients may constitute fraud;
• (b) Bulk unsolicited messaging may constitute aggravated harassment under N.Y. Penal Law § 240.30 in certain circumstances; and
• (c) All commercial communications must be truthful and not misleading under GBL § 349.

9.3 TCPA Compliance. Prior express written consent for automated calls and texts per 47 U.S.C. § 227. New York's Telephone Consumer Protection Act equivalent provisions apply to calls to New York residents.

9.4 Do Not Call. New York maintains a state Do Not Call registry under N.Y. Gen. Bus. Law § 399-z. Telemarketers using the Service must honor this registry.

9.5 Anti-Spam. No Spam through any format using the Service.

10. MONITORING AND ENFORCEMENT

10.1 Monitoring. Provider may monitor for compliance as permitted by law.

10.2 Investigation. Provider may investigate and cooperate with law enforcement, including the New York Attorney General and NYPD Cybercrime Unit.

10.3 Content Removal. Provider may remove violating Content with or without notice.

10.4 Preservation. Content preserved pursuant to valid legal process.

11. VIOLATION CONSEQUENCES

11.1 Graduated Enforcement.

11.2 Immediate Suspension. Without notice for imminent threats, criminal activity, or CSAM.

11.3 Customer Liability. Fees continue during violation-caused suspension.

11.4 New York Attorney General. Violations involving New York consumers may be referred to the New York Attorney General for enforcement under GBL § 349, the SHIELD Act, or other statutes.

11.5 GBL § 349 Remedies. Persons injured by deceptive practices may bring actions for actual damages or $50 (whichever is greater), treble damages up to $1,000 for knowing/willful violations, and reasonable attorneys' fees.

12. REPORTING VIOLATIONS

12.1 Contact.

• Email: [________________________________]
• Online: [________________________________]
• DMCA Agent: [________________________________]

12.2 Report Contents. Description, evidence, dates, and user information.

12.3 Response. Acknowledgment within [____] Business Days; assessment within [____] Business Days.

12.4 No Retaliation. Good-faith reporters protected.

12.5 Intimate Image Reports. Reports of non-consensual Intimate Images (including deepfakes) shall be prioritized. If involving a Minor, immediately report to NCMEC and law enforcement.

13. NEW YORK-SPECIFIC LEGAL PROVISIONS

13.1 Governing Law. This AUP is governed by the laws of the State of New York.

13.2 GBL § 349 and § 350. This AUP shall be enforced in a manner consistent with New York's prohibition on deceptive acts and practices (§ 349) and false advertising (§ 350). GBL § 349 does not require privity and applies an objective "reasonable consumer" standard.

13.3 Forum Selection. Disputes shall be brought in state or federal courts in [________________________________] County, New York.

13.4 New York Constitution. Monitoring and enforcement shall respect rights under the New York State Constitution, including Article I (Bill of Rights).

13.5 Section 230. Provider may take good-faith actions to restrict objectionable Content consistent with 47 U.S.C. § 230.

13.6 New York City Additional Requirements. If the Service operates within New York City, additional local laws may apply, including:

• (a) NYC Biometric Identifier Information Law (Admin. Code § 22-1201);
• (b) NYC Local Law 144 (Automated Employment Decision Tools); and
• (c) NYC Consumer Protection Law (Admin. Code Title 20, Chapter 2).

14. AMENDMENTS AND UPDATES

14.1 Right to Amend. Provider may modify this AUP at any time.

14.2 Notice. Not less than [____] days' notice for material changes.

14.3 Continued Use. Continued use after effective date constitutes acceptance.

15. ACKNOWLEDGMENT AND ACCEPTANCE

Customer Acknowledgment:

Organization: [________________________________]
Authorized Representative: [________________________________]
Title: [________________________________]
Signature: [________________________________]
Date: [__/__/____]

☐ I confirm that I have read and understood this Acceptable Use Policy.
☐ I agree to communicate this AUP to all Authorized Users.
☐ I accept responsibility for Authorized User compliance.
☐ I acknowledge the New York-specific obligations, including Penal Law Article 156, the SHIELD Act, and GBL § 349.

EXHIBIT A — PROHIBITED CONTENT EXAMPLES (NEW YORK)

EXHIBIT B — VIOLATION REPORTING FORM

Report Date: [__/__/____]

Reporter Information:
☐ Anonymous report

Name: [________________________________]
Email: [________________________________]
Phone: [________________________________]

Violation Type:
☐ N.Y. Penal Law Art. 156 — Computer crimes
☐ Non-consensual intimate images (real or deepfake)
☐ Aggravated harassment
☐ Cyberbullying (DASA)
☐ SHIELD Act / data security violation
☐ GBL § 349 deceptive practices
☐ CSAM or child exploitation
☐ DMCA / IP infringement
☐ Spam or deceptive communications
☐ Biometric data misuse (NYC)
☐ Other: [________________________________]

Description: [________________________________]

Date/Time: [__/__/____] at [____]

Evidence: ☐ Screenshots ☐ Logs ☐ Email headers ☐ Other

Severity: ☐ Low ☐ Medium ☐ High ☐ Critical

Does this involve a minor? ☐ Yes ☐ No ☐ Unknown

☐ I certify this report is made in good faith.

Signature: [________________________________]
Date: [__/__/____]

This Acceptable Use Policy template is provided for informational purposes only and does not constitute legal advice. Have this document reviewed by a qualified New York attorney before use.