ASSEMBLY SCIENCE, INNOVATION AND TECHNOLOGY COMMITTEE

STATEMENT TO

[Third Reprint]

SENATE, No. 332

with committee amendments

STATE OF NEW JERSEY

DATED: MAY 11, 2023

      The Assembly Science, Innovation and Technology Committee reports favorably and with committee amendments Senate Bill No. 332 (3R).

      As amended and reported, this bill requires an online service operator (operator) to notify consumers of the collection and disclosure of “personally identifiable information,” as that term is defined in the bill, to third parties. An operator that collects the personally identifiable information of a consumer through an online service is to provide on its online service notification to a consumer that includes, but is not limited to:

      1)   the categories of the personally identifiable information that the operator collects through the online service about a consumer who uses or visits the online service;

      2)   all third parties to which the operator may disclose a consumer’s personally identifiable information;

      3)   whether a third party may collect personally identifiable information about a consumer’s online activities over time and across different online services when the consumer uses the online service of the operator;

      4)   a description of the process for an individual consumer who uses or visits the online service to review and request changes to any of the consumer’s personally identifiable information that is collected by the online service of the operator;

      5)   the process by which the operator notifies consumers who use or visit the online service of material changes to the notification required to be made available pursuant to the bill, along with the effective date of the notice; and

      6)   information concerning one or more designated request addresses of the operator.

      This bill requires that an operator that discloses a consumer’s personally identifiable information to a third party make the following information available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address: the category or categories of a consumer’s personally identifiable information that were disclosed; and the category or categories of the third parties that received the consumer’s personally identifiable information. An operator that receives a request from a consumer is to provide a response to the consumer within 60 days of its verification of the request and is to provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

      The bill provides that an operator that collects the personally identifiable information of a consumer through its online service and sells the personally identifiable information of the consumer is to clearly and conspicuously post a link on its online service, or in another prominently accessible location the online service maintains for consumer privacy settings, to an Internet webpage maintained by the operator which enables a consumer, by verified request, to opt into the sale of the consumer’s personally identifiable information. The method by which a consumer may opt in is required to be in a form and manner determined by the operator, provided that a consumer is not to be required to establish an account with the operator in order to opt into the sale of a consumer’s personally identifiable information.

      An operator is prohibited from discriminating against a consumer if the consumer chooses to opt out of the sale of the consumer’s personally identifiable information. The provisions of the bill are not to prohibit the operator from offering consumer discounts, loyalty programs, or other incentives for the sale of the consumer’s personally identifiable information, or to provide different services to consumers that are reasonably related to the value of the relevant data, provided the operator has clearly and conspicuously disclosed to the consumer that the offered incentives require consenting to the sale or processing of personally identifiable information that the consumer otherwise has a right to opt out of.

      The provisions of the bill are not to apply to certain types of information and institutions listed in the bill.

      Nothing in the bill is to require an operator to re-identify de-identified data or to collect, retain, use, link, or combine personally identifiable information concerning a consumer that it otherwise would not.

      Additionally, as amended and reported, nothing in this bill is to be construed as the basis for, or subject to, a private right of action.

      The Attorney General is to have sole authority to enforce a violation of the bill.

      As amended and reported by the committee, this bill is identical to Assembly Bill No. 1971, which was also amended and reported by the committee on this date.

COMMITTEE AMENDMENTS:

      The committee amendments make the following changes to the definition section of this bill: add a definition for “business”; clarify that the definition of “disclose” means the disclosure of information by an operator; remove the definition of “commercial Internet website”; and remove the word “information” from the definition of “online service.”

      The committee amendments remove all references to “commercial Internet website” from the bill.  The committee amendments also apply section 3 of the bill to personally identifiable information collected prior to the effective date of this bill if the controller continues to store such information thereafter.

      The committee amendments remove the language “through the internet” in section 4 of the bill, which broadens the scope of where operators may sell a consumer’s personally identifiable information.  The amendments require an operator that collects personally identifiable information of a consumer through its online service and sells the information to enable a consumer to “opt into” the sale of the consumer’s personally identifiable information, rather than to “opt out of” the sale.  The amendments provide that an operator may offer consumers discounts, loyalty programs, or other incentives for the sale of the consumer’s personally identifiable information so long as the operator clearly and conspicuously discloses to the customer that the incentives require consenting to the sale or processing of personally identifiable information the consumer otherwise may opt out of.

      Additionally, the committee amendments replace the title and synopsis of the bill to reflect the changes made to the bill and make other grammatical changes.