Sponsored by:
Assemblyman HERB CONAWAY, JR.
District 7 (Burlington)
Assemblyman WILLIAM F. MOEN, JR.
District 5 (Camden and Gloucester)
SYNOPSIS
Requires controller or processor to de-identify personal data and prohibits re-identification of de-identified data.
CURRENT VERSION OF TEXT
As introduced.
An Act concerning the regulation of data brokers and amending and supplementing P.L.2023, c.266.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. Section 1 of P.L.2023, c.266 (C.56:8-166.4) is amended to read as follows:
1. As used in P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill):
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. For the purposes of this definition, "control" means: the ownership of or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; the control in any manner over the election of a majority of the directors or individuals exercising similar functions; or the power to exercise a controlling influence over the management or policies of a company.
"Biometric data" means data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. "Biometric data" shall not include: a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
"Child" shall have the same meaning as provided in COPPA.
"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action. "Consent" shall not include: acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.
"Consumer" means an identified person who is a resident of this State acting only in an individual or household context. "Consumer" shall not include a person acting in a commercial or employment context.
"Controller" means an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
"COPPA" means the federal Children's Online Privacy Protection Act, 15 U.S.C. s.6501 et seq., and any rules, regulations, guidelines, and exceptions thereto, as may be amended from time to time.
"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is not limited to, any practice the United States Federal Trade Commission refers to as a "dark pattern."
"Decisions that produce legal or similarly significant effects concerning the consumer" means decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods and services.
"De-identified data" means: data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (1) takes reasonable measures to ensure that the data cannot be associated with an individual, (2) publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data, and (3) contractually obligates any recipients of the information to comply with the requirements of this paragraph.
"Designated request address" means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L.2023, c.266 (C.56:8-166.6).
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable person. "Personal data" shall not include de-identified data or publicly available information.
"Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
"Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and also includes the actions of a controller directing a processor to process personal data.
"Processor" means a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.
"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Publicly available information" means information that is lawfully made available from federal, State, or local government records or widely distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.
"Re-identify" means to link de-identified data to an identified or identifiable individual, or a device linked to such an individual.
"Sale" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. "Sale" shall not include:
The disclosure of personal data to a processor that processes the personal data on the controller's behalf;
The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
The disclosure or transfer of personal data to an affiliate of the controller;
The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or
The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
"Sensitive data" means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
"Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests. "Targeted advertising" shall not include: advertisements based on activities within a controller's own internet websites or online applications; advertisements based on the context of a consumer's current search query, visit to an internet website or online application; advertisements directed to a consumer in response to the consumer's request for information or feedback; or processing personal data solely to measure or report advertising frequency, performance, or reach.
"Third party" means a person, private entity, public entity, agency, or entity other than the consumer, controller, or affiliate or processor of the controller.
"Trade secret" has the same meaning as section 2 of P.L.2011, c.161 (C.56:15-2).
"Verified request" means the process through which a consumer may submit a request to exercise a right or rights established in P.L.2023, c.266 (C.56:8-166.4 et seq.), and by which a controller can reasonably authenticate the request and the consumer making the request using commercially reasonable means.
(cf: P.L.2023, c.266, s.1)
2. Section 6 of P.L.2023, c.266 (C.56:8-166.9) is amended to read as follows:
6. A waiver of the requirements of, or an agreement that does not comply with, the provisions of P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill) shall be void and unenforceable.
(cf: P.L.2023, c.266, s.6)
3. Section 10 of P.L.2023, c.266 (C.56:8-166.13) is amended to read as follows:
10. Nothing in P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill) shall apply to:
a. protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the "Health Insurance Portability and Accountability Act of 1996," Pub.L.104-191, and the "Health Information Technology for Economic and Clinical Health Act," 42 U.S.C. s.17921 et seq.;
b. a financial institution, data, or an affiliate of a financial institution that is subject to Title V of the federal "Gramm-Leach-Bliley Act," 15 U.S.C. s.6801 et seq., and the rules and implementing regulations promulgated thereunder;
c. the secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii);
d. an insurance institution subject to P.L.1985, c.179 (C.17:23A-1 et seq.);
e. the sale of a consumer's personal data by the New Jersey Motor Vehicle Commission that is permitted by the federal "Drivers' Privacy Protection Act of 1994," 18 U.S.C. s.2721 et seq.;
f. personal data collected, processed, sold, or disclosed by a consumer reporting agency, as defined in 15 U.S.C. s.1681a(f), if the collection, processing, sale, or disclosure of the personal data is limited, governed, and collected, maintained, disclosed, sold, communicated, or used only as authorized by the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681 et seq., and implementing regulations;
g. any State agency as defined in section 2 of P.L.1971, c.182 (C.52:13D-13), any political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision; or
h. personal data that is collected, processed, or disclosed, as part of research conducted in accordance with the Federal Policy for the protection of human subjects pursuant to 45 C.F.R. Part 46 or the protection of human subjects pursuant to 21 C.F.R. Parts 50 and 56.
(cf: P.L.2023, c.266, s.10)
4. Section 13 of P.L.2023, c.266 (C.56:8-166.16) is amended to read as follows:
13. a. Controllers and processors shall meet their respective obligations established under P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill).
b. Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this act. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by:
(1) taking appropriate technical and organizational measures, insofar as possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights under this act;
(2) helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to notification of a breach of the security of the system; and
(3) providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 9 of P.L.2023, c.266 (C.56:8-166.12). The controller and processor are each responsible for only the measures allocated to them.
c. Notwithstanding the instructions of the controller, a processor shall:
(1) ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
(2) engage a subcontractor pursuant to a written contract in accordance with subsection e. of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
d. Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.
e. Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets forth:
(1) the processing instructions to which the processor is bound, including the nature and purpose of the processing;
(2) the type of personal data subject to the processing[,] and the duration of the processing;
(3) the requirements imposed by this subsection and subsections c. and d. of this section; and
(4) the following requirements:
(a) At the discretion of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
(b) (i) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this act; and
(ii) The processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this act using an appropriate and accepted control standard or framework for the assessment as applicable. The processor shall provide a report of the assessment to the controller upon request.
f. In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by P.L.2023, c.266 (C.56:8-166.4 et seq.).
g. Determining whether a person is acting as a controller or processor with respect to a specific processing of data shall be a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, shall be deemed a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data shall remain a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it shall be deemed a controller with respect to the processing.
(cf: P.L.2023, c.266, s.13)
5. Section 14 of P.L.2023, c.266 (C.56:8-166.17) is amended to read as follows:
14. a. It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a controller or processor to violate the provisions of P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill).
b. Until the first day of the 18th month next following the effective date of P.L.2023, c.266 (C.56:8-166.4 et seq.), prior to bringing an enforcement action before an administrative law judge or a court of competent jurisdiction in this State, the Division of Consumer Affairs in the Department of Law and Public Safety shall issue a notice to the controller or processor if a cure is deemed possible. If the [operator] controller or processor fails to cure the alleged violation of P.L.2023, c.266 (C.56:8-166.4 et seq.) within 30 days after receiving notice of alleged noncompliance from the division, such enforcement action may be brought.
(cf: P.L.2023, c.266, s.14)
6. Section 15 of P.L.2023, c.266 (C.56:8-166.18) is amended to read as follows:
15. The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill). The director shall promulgate rules and regulations that provide for standards for the de-identification of personal data pursuant to section 8 of P.L. , c. (C. ) (pending before the Legislature as this bill). The director may include in the rules and regulations one or more limited exceptions to the provisions of subsections a. and b. of section 8 of P.L. , c. (C. ) (pending before the Legislature as this bill), provided that:
a. the director expects any exception to benefit the public; and
b. any exception is limited to the purpose of medical studies or the purpose of preventing or alleviating environmental hazards.
(cf: P.L.2023, c.266, s.15)
7. Section 16 of P.L.2023, c.266 (C.56:8-166.19) is amended to read as follows:
16. The Office of the Attorney General shall have sole and exclusive authority to enforce a violation of P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill). Nothing in P.L.2023, c.266 (C.56:8-166.4 et seq.) or P.L. , c. (C. ) (pending before the Legislature as this bill) shall be construed as providing the basis for, or subject to, a private right of action for violations of P.L.2023, c.266 (C.56:8-166.4 et seq.).
(cf: P.L.2023, c.266, s.16)
8. (New section) a. A controller or processor shall de-identify personal data prior to the sale of the personal data.
b. A controller or processor shall not:
(1) re-identify de-identified data before or after the sale of personal data that has been previously de-identified;
(2) provide a third party the means to re-identify personal data after the sale of de-identified data to the third party; or
(3) engage a third party to re-identify de-identified data before or after the sale of the de-identified data.
c. Notwithstanding the provisions of this section to the contrary, a controller or processor shall not be found to violate this section if an exception, established by the Director of the Division of Consumer Affairs pursuant to section 15 of P.L.2023, c.266 (C.56:8-166.18), applies.
9. This act shall take effect on the 365th day following the date of enactment, except that the Director of the Division of Consumer Affairs may take any anticipatory administrative action in advance as shall be necessary for the implementation of this act.
STATEMENT
This bill amends current law on the sale or processing of personal data to provide that a controller or processor of personal data is required to de-identify personal data before sale. The bill also prohibits a controller or processor from (1) re-identifying de-identified data before or after the sale of personal data that has been previously de-identified; (2) providing a third party the means to re-identify personal data after the sale of de-identified data to the third party; or (3) engaging a third party to re-identify de-identified data before or after the sale of the de-identified data. Pursuant to the bill, “re-identify” means to link de-identified data to an identified or identifiable individual, or a device linked to such an individual.
The bill requires the Director of the Division of Consumer Affairs (director) in the Department of Law and Public Safety to establish standards for the de-identification of personal data. The bill also permits the director to allow exceptions to the requirements of de-identification or prohibitions on re-identification, provided that: (1) the director expects any exception to benefit the public; and (2) any exception is limited to the purpose of medical studies or the purpose of preventing or alleviating environmental hazards.