Sponsored by:
Assemblywoman ANDREA KATZ
District 8 (Atlantic and Burlington)
Assemblywoman MARISA SWEENEY
District 25 (Morris and Passaic)
Assemblywoman LUANNE M. PETERPAUL
District 11 (Monmouth)
Co-Sponsored by:
Assemblyman Karabinchak, Assemblywoman Morales, Assemblymen Kearney and Singh
SYNOPSIS
“New Jersey Kids Code Act”; adopts Age-Appropriate Design Code for New Jersey and requires certain online services to implement certain measures concerning minors’ use of online service.
CURRENT VERSION OF TEXT
As introduced.
An Act concerning online privacy for minors and amending and supplementing P.L.2023, c.266.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. (New section) Sections 1 and 2, and sections 5 through 18, of this act shall be known and may be cited as the “Age-Appropriate Design Code for New Jersey.”
2. (New section) The Legislature finds and declares that:
a. the United States Surgeon General released an advisory on social media and youth mental health in May 2023, which finds:
(1) social media use by young people is nearly universal, with up to 95 percent of American minors between ages 13 through 17 reporting using a social media platform;
(2) childhood and adolescence represent critical stages in brain development that can make young people more vulnerable to harms from social media;
(3) usage of social media can become harmful depending on the amount of time children spend on platforms, the type of content they consume or are otherwise exposed to, and the degree to which it disrupts activities that are essential for health, such as sleep and physical activity;
(4) recent research shows that adolescents who spend more than three hours per day on social media face double the risk of experiencing poor mental health outcomes, such as symptoms of depression and anxiety;
(5) social media may also perpetuate body dissatisfaction, disordered eating behaviors, social comparison, and low self-esteem, especially among adolescent girls; and
(6) extreme, inappropriate, and harmful content continues to be easily and widely accessible by children and adolescents, and in certain cases, childhood deaths have been linked to suicide and self-harm related content and risk-taking challenges on social media platforms;
b. as children spend more of their time interacting with the online world, the impact of the design of online products on their well-being has become a focus of significant concern;
c. there is widespread and bipartisan agreement in the United States that more needs to be done to create a safer online space for children to learn, explore, and play;
d. lawmakers around the United States and in New Jersey have taken steps to enhance privacy protections for children based on the understanding that, in relation to data protection, greater privacy necessarily means greater security and well-being; and
e. children should be afforded protections not only by online products and services specifically directed at them, but by all online products they are likely to access, and thus covered entities should take into account the unique needs of different age ranges;
f. while it is clear that the same data protection regime may not be appropriate for children of all ages, children of all ages should nonetheless be afforded privacy and protection, and online products should adopt data protection regimes appropriate for children of the ages likely to access those products;
g. according to the Pew Research Center, in 2022, 46 percent of American teenagers aged 13 through 17 reported to using the Internet almost constantly; and, additionally, 36 percent of teens reported being concerned about their social media use, while an earlier Pew Research Center study found that 59 percent of teens have been bullied or harassed online;
h. the findings of the Pew Research Center are not surprising, given what is known about the use of personal data online and how personal data can be utilized to inform manipulative practices, to which children are particularly vulnerable;
i. online products that are likely to be accessed by children should offer strong privacy protections by design and by default, as well as prevent the use of children’s personal data for reasons that are likely to be materially detrimental to the physical health, mental health, or well-being of children;
j. ensuring robust privacy, and thus safety, protections for children by design is consistent with federal safety laws and policies applied to children’s products, regulating everything from toys to clothing to furniture and games;
k. the consumer protections that federal safety laws apply to children’s products require these products to comply with certain safety standards by their very design, so that harms to children, and in some cases other consumers, are prevented; and
l. it is the intent of the New Jersey Legislature that P.L. , c. (C. ) (pending before the Legislature as this bill) promote innovation by covered entities whose online products are likely to be accessed by children by ensuring that those online products are designed in a manner that recognizes the distinct needs of children within different age ranges.
3. Section 1 of P.L.2023, c.266 (C.56:8-166.4) is amended to read as follows:
1. As used in P.L.2023, c.266 (C.56:8-166.4 et seq.):
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. For the purposes of this definition, "control" means: the ownership of or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; the control in any manner over the election of a majority of the directors or individuals exercising similar functions; or the power to exercise a controlling influence over the management or policies of a company.
"Biometric data" means data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. "Biometric data" shall not include: a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
"Child" shall have the same meaning as provided in COPPA.
"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action. "Consent" shall not include: acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.
"Consumer" means an identified person who is a resident of this State acting only in an individual or household context. "Consumer" shall not include a person acting in a commercial or employment context.
"Controller" means an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
"COPPA" means the federal Children's Online Privacy Protection Act, 15 U.S.C. s.6501 et seq., and any rules, regulations, guidelines, and exceptions thereto, as may be amended from time to time.
"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is not limited to, any practice the United States Federal Trade Commission refers to as a "dark pattern."
"Decisions that produce legal or similarly significant effects concerning the consumer" means decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods and services.
"De-identified data" means: data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (1) takes reasonable measures to ensure that the data cannot be associated with an individual, (2) publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data, and (3) contractually obligates any recipients of the information to comply with the requirements of this paragraph.
"Designated request address" means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L.2023, c.266 (C.56:8-166.6).
"Personal data" means any information, including derived data and unique identifiers, that is linked or reasonably linkable alone or in combination with other information to an identified or identifiable person, or a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household. Personal data includes, but is not limited to, an individual’s history of interactions with the controller. "Personal data" shall not include de-identified data or publicly available information.
"Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
"Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and also includes the actions of a controller directing a processor to process personal data.
"Processor" means a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.
"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Publicly available information" means information that is lawfully made available from federal, State, or local government records or widely distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.
"Sale" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. "Sale" shall not include:
The disclosure of personal data to a processor that processes the personal data on the controller's behalf;
The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
The disclosure or transfer of personal data to an affiliate of the controller;
The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or
The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
"Sensitive data" means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include [a consumer's] an individual’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to [a consumer's] an individual’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; [or] precise geolocation data; or an individual’s social security, driver license, State identification card, or passport number.
"Targeted advertising" means displaying advertisements to [a consumer] an individual where the advertisement is selected based on personal data obtained or inferred from that [consumer's] individual’s activities over time and across nonaffiliated Internet web sites or online applications to predict such [consumer's] individual’s preferences or interests. "Targeted advertising" shall not include: advertisements based on activities within a controller's own internet websites or online applications; advertisements based on the context of [a consumer's] an individual’s current search query, visit to an internet website or online application; advertisements directed to [a consumer] an individual in response to the [consumer's] individual’s request for information or feedback; or processing personal data solely to measure or report advertising frequency, performance, or reach.
"Third party" means a person, private entity, public entity, agency, or entity other than the consumer, controller, or affiliate or processor of the controller.
"Trade secret" has the same meaning as section 2 of P.L.2011, c.161 (C.56:15-2).
"Verified request" means the process through which a consumer may submit a request to exercise a right or rights established in P.L.2023, c.266 (C.56:8-166.4 et seq.), and by which a controller can reasonably authenticate the request and the consumer making the request using commercially reasonable means.
(cf: P.L.2023, c.266, s.1)
4. Section 9 of P.L.2023, c.266 (C.56:8-166.12) is amended to read as follows:
9. a. A controller shall:
(1) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
(2) except as otherwise provided in P.L.2023, c.266 (C.56:8-166.4 et seq.), not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
(3) take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. The data security practices shall be appropriate to the volume and nature of the personal data at issue;
(4) not process sensitive data concerning a consumer without first obtaining the consumer's consent, or, if the controller is not a covered online service provider as defined in section 5 of P.L. , c. (C. ) (pending before the Legislature as this bill), in the case of the processing of personal data concerning a known child, without processing such data in accordance with COPPA. A controller that is a covered online service provider as defined in section 5 of P.L. , c. (C. ) (pending before the Legislature as this bill) shall not process the data of a known minor as defined in section 5 of P.L. , c. (C. ) (pending before the Legislature as this bill) except as provided for by P.L. , c. (C. ) (pending before the Legislature as this bill);
(5) not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination against consumers;
(6) provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request;
(7) if the controller is not a covered online service provider as defined in section 5 of P.L. , c. (C. ) (pending before the Legislature as this bill), not process the personal data of a consumer for purposes of targeted advertising, the sale of the consumer's personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer's consent, under circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age. A controller that is a covered online service provider as defined in section 5 of P.L. , c. (C. ) (pending before the Legislature as this bill) shall not process the data of a known minor as defined in section 5 of P.L. , c. (C. ) (pending before the Legislature as this bill) except as provided for by P.L. , c. (C. ) (pending before the Legislature as this bill);
(8) specify the express purposes for which personal data are processed; and
(9) not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of P.L.2023, c.266 (C.56:8-166.4 et seq.) that present a heightened risk of harm to a consumer.
b. Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed. A controller shall make the data protection assessment available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request. The division may evaluate the data protection assessment for compliance with the duties contained in this section and with other laws. Data protection assessments shall be confidential and exempt from public inspection under P.L.1963 c.3 (C.47:1A-1 et al.). The disclosure of a data protection assessment pursuant to a request from the division under this section shall not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.
c. For the purposes of this section, "heightened risk" includes:
(1) processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial or physical injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
(2) selling personal data; and
(3) processing sensitive data.
d. A single data protection assessment may address a comparable set of processing operations that include similar activities.
(cf: P.L.2023, c.266, s.9)
5. (New section) As used in P.L. , c. (C. ) (pending before the Legislature as this bill):
“Actual knowledge” includes all information and inferences known to the covered online service provider relating to the age of the individual, including, but not limited to, self-identified age, and any age the covered online service provider has attributed or associated with the individual for any purpose, including marketing, advertising, or product development. If a covered online service provider’s classification of an individual for purposes of marketing or advertising is inconsistent with the individual’s self-identified age, a covered online service provider shall disregard the self-identified age for purposes of P.L. , c. (C. ) (pending before the Legislature as this bill).
“Adult” means an individual who is 18 years of age or older.
“Biometric data” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4).
“Collect” means buying, renting, gathering, obtaining, receiving, or accessing any personal data pertaining to a consumer by any means. “Collect” includes, but is not limited to, receiving information from an individual, either actively or passively, or by observing the individual’s behavior.
“Common branding” means a shared name, service mark, or trademark for which the average consumer would understand that two or more entities are commonly owned.
“Consumer” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4).
“Consumer Price Index” means the most comprehensive index of consumer prices available for this State from the Bureau of Labor Statistics of the United States Department of Labor.
“Controls” or “controlled by” means:
a. ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the legal entity;
b. control in any manner over the election of a majority of the directors of the legal entity, or of individuals exercising similar functions in the legal entity; or
c. power to exercise a controlling influence over the management of the legal entity.
“Covered design feature” means a feature or component of an online service that is designed primarily to encourage or increase the frequency, time spent, or activity of a user on the online service. “Covered design feature” includes, but is not limited to:
a. infinite scroll or a design feature where content automatically and continuously loads at the bottom of a screen, other than what the user explicitly prompted, requested, or searched for;
b. auto-playing video or audio, or a design feature in which a video or audio automatically begins playing when a user navigates to or scrolls through a set of videos without any explicit action on the part of a user indicating the user’s desire to watch that specific video or listen to that audio;
c. quantification of engagement, including, but not limited to, providing a visible count of how many likes, comments, clicks, views, or reactions a user-generated item has received;
d. gamification, or a design feature that emulates gameplay, including, but not limited to, a streak, badge, or reward that motivates or causes more frequent or more extensive use of an online service through incentives or frequency of use;
e. the use of clustering, timing, or volume of notifications or push alerts, irrespective of content;
f. design features in which virtual currencies are used or where digital items are purchased;
g. image-altering filters or a design feature that facilitates a false perception of an image;
h. requiring or repeatedly prompting for account creation in order to access publicly available user-generated content;
i. using ephemerality to prompt the urgent use of an online service;
j. creating barriers to deleting an account or to removing connections to other users of the service; and
k. features that increase usage through the illusion of talking with a human being that seeks to elicit feelings of intimacy from the user.
“Covered minor” means a consumer that a covered online service provider has actual knowledge is a minor.
“Covered online service provider” means:
a. a sole proprietorship, a limited liability company, a corporation, an association, or any other legal entity that:
(1) owns, operates, controls, or provides an online service;
(2) conducts business in this State;
(3) alone, or jointly with its affiliates, subsidiaries, or parent companies, determines the purposes and means of the processing of consumers’ personal data; and
(4) (a) has gross revenue in excess of $25,000,000. Beginning January 1, 2029, and every 2 years thereafter, the Department of the Treasury shall adjust the amount of annual gross revenue to reflect the percentage change in the Consumer Price Index; or
(b) annually processes the personal data of not less than 50,000 consumers or households; or
b. a person that controls or is controlled by a legal entity described in subsection a. of this definition and that shares common branding with the legal entity.
“Covered online service provider” does not include a provider of an online service where the users of the online service who are known to be adults make up more than 98 percent of the online service’s users. “Covered online service providers” are controllers for the purpose of P.L.2023, c.266 (C.56:8-166.4 et seq.).
“Dark pattern” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4).
“Derived data” means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about a covered minor or a covered minor’s device.
“Device” means any electronic equipment capable of collecting, processing, retaining, or transferring personal data.
“Knows to be an adult” means having actual knowledge that a user is an adult.
“Minor” means an individual who is less than 18 years of age.
“Online service” means a service, product, or feature that is accessible to the public via the Internet. “Online service” includes a website or application. “Online service” does not include:
a. a telecommunications service as that term is defined in 47 U.S.C. s.153;
b. a broadband internet access service as that term is defined in 47 C.F.R. s.8.1; or
c. the sale, delivery, or use of a physical device.
“Parent” includes a legal guardian.
“Personal data” means information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household. “Personal data” includes, but is not limited to, a user’s history of interactions with a covered online service provider. “Personal data” does not include publicly available data.
“Precise geolocation data” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4).
“Process” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4).
“Profile” means a form of automated processing of personal data to evaluate, analyze, or predict certain aspects relating to a covered minor, including, but not limited to, a covered minor’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Publicly available information” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4). “Publicly available information” does not include biometric data collected by a covered online service provider about a covered minor without the covered minor’s knowledge.
“Sensitive personal data” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4).
“Targeted advertising” has the same meaning as defined in section 1 of P.L.2023, c.266 (C.56:8-166.4).
6. (New section) A covered online service provider shall configure all default privacy settings provided for a covered minor to the highest level of privacy, including, but not limited to:
a. not displaying the existence of the covered minor’s account to any user the covered online service provider knows to be an adult, unless the covered minor has expressly and unambiguously allowed the adult user to view the covered minor’s account or the covered minor has expressly and unambiguously chosen to make the covered minor’s account’s existence public;
b. not displaying media created or posted by the covered minor to another user the covered online service provider knows to be an adult, unless the covered minor has expressly and unambiguously allowed the adult user to view the covered minor’s media or the covered minor has expressly and unambiguously chosen to make the covered minor’s media publicly available;
c. not permitting direct messaging between the covered minor and another user the covered online service provider knows to be an adult, unless the covered minor has expressly and unambiguously chosen to allow direct messaging with the adult user;
d. not displaying the covered minor’s location to other users, unless the covered minor has expressly and unambiguously chosen to share the covered minor’s location with a specific user;
e. not displaying the users connected to the covered minor on a covered online service provider, unless the covered minor has expressly and unambiguously chosen to share the information with a specific user; and
f. disabling search engine indexing of the covered minor’s account profile, unless the covered minor has expressly and unambiguously chosen to enable search engine indexing of the covered minor’s account profile.
7. (New section) A covered online service provider shall not:
a. provide a covered minor with a single setting that makes all default privacy settings less protective at once;
b. request or prompt a covered minor to make the covered minor’s privacy settings less protective, unless the change is strictly necessary for the covered minor to access a service or feature the covered minor has expressly and unambiguously requested.
8. (New section) A covered online service provider shall:
a. provide a prominent, accessible, and responsive tool to allow a covered minor to request that the covered minor’s account be unpublished or deleted; and
b. honor a request under subsection a. of this section not later than 15 days after a covered online service provider receives the request.
9. (New section) a. A covered online service provider shall only process or retain the minimum amount of a covered minor’s personal data that is necessary to provide the specific elements of an online service with which the covered minor has knowingly engaged.
b. A covered online service provider shall not use personal data for any reason other than the reason for which the personal data was collected.
c. A covered online service provider is not required to collect the personal data of a user to comply with the provisions of P.L. , c. (C. ) (pending before the Legislature as this bill). A covered online service provider that collects personal data of a user for age verification shall not use that personal data for any other purpose and shall delete that personal data not later than 60 days after use for age verification.
10. (New section) A covered online service provider shall provide an obvious sign to a covered minor when precise geolocation information is being collected or used.
11. (New section) A covered online service provider shall not:
a. facilitate targeted advertising to a covered minor;
b. send a notification to a covered minor between 10 p.m. and 6 a.m. and, on a weekday between Labor Day and Memorial Day, between 8 a.m. and 4 p.m.;
c. profile a covered minor unless profiling is necessary to provide an online service requested by the covered minor, and only with respect to the aspects of the online service with which the covered minor is actively and knowingly engaged;
d. facilitate advertisements for prohibited products to covered minors, including, but not limited to, advertisements for narcotic drugs, tobacco products, gambling, and alcohol;
e. use dark patterns; or
f. use the personal data of a covered minor to select, recommend, or prioritize media for the covered minor unless the recommendation, prioritization, or selection of media is based on:
(1) the covered minor’s express and unambiguous request to receive:
(a) media from a specific account, feed, or user, or to receive more or less media from that account, feed, or user;
(b) a specific category of media, such as videos depicting specific types of content, or to view more or less of that category of media; or
(c) more or less media with similar characteristics as the media the covered minor is currently viewing;
(2) user-selected privacy or accessibility settings; or
(3) a search query by the covered minor if the search query is used only to select and prioritize media in response to the search.
12. (New section) A covered online service provider shall establish mechanisms to enable a covered minor or a parent of a covered minor to report any harms experienced by the covered minor on the online service.
13. (New section) a. No later than January 1st of each year, a covered online service provider that processes the personal data of covered minors as part of the covered online service provider’s business shall issue a public report, prominently posted to the covered online service provider’s Internet website, that is prepared by an independent third-party auditor. A report issued pursuant to this subsection shall include, but not be limited to:
(1) a detailed description of the online service as pertaining to minors, including the online service’s covered design features, use of personal data, and business practices;
(2) the purpose of the online service;
(3) the extent to which the online service is likely to be accessed by minors;
(4) whether, how, and for what purpose the covered online service provider processes minors’ personal data and sensitive personal data;
(5) the design safety features for minors, the privacy protections for minors, and the tools for parents that the online service has adopted;
(6) whether and how the online service used covered design features;
(7) the covered online service provider’s process for handling data access, deletion, and correction requests for minors’ data;
(8) age assurance, age verification, or age estimation methods used;
(9) whether and how the covered online service provider utilized algorithms; and
(10) if the covered online service provider uses a covered design feature, the average daily time spent on the online service by covered minors for the 90th, 95th, 99th, and 99.9th percentile of covered minors.
b. A report issued pursuant to subsection a. of this section shall include a comparison of how the information required in paragraphs (2) through (10) of subsection a. of this section differs between:
(1) individuals who are between 10 and 12 years of age;
(2) individuals who are between 13 and 15 years of age;
(3) individuals who are between 16 and 17 years of age; and
(4) individuals who are 18 years of age or older.
c. An independent third-party auditor that prepares a report under subsection a. of this section shall follow inspection and consultation practices designed to ensure that the report is comprehensive and accurate and shall consult with experts on the use of online services by minors in relation to the preparation of the report.
d. A covered online service provider shall provide an independent third-party auditor that prepares a report under subsection a. of this section full and complete cooperation and access to information and operations required to ensure that the report is comprehensive and accurate.
e. All personal data contained in the report required under subsection a. of this section shall be deidentified and aggregated.
14. (New section) A covered online service provider shall designate one or more of the covered online service provider’s officers to be responsible for the covered online service provider’s compliance with P.L. , c. (C. ) (pending before the Legislature as this bill).
15. (New section) a. The Attorney General shall adopt, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), rules and regulations as may be necessary to implement the provisions of P.L. , c. (C. ) (pending before the Legislature as this bill), including rules that prohibit or limit data processing practices or covered design features that facilitate compulsive use by covered minors or impair autonomy, decision making, or choice of covered minors.
b. The Attorney General shall review all rules and regulations adopted under subsection a. of this section no less than once every two years following the effective date of P.L. , c. (C. ) (pending before the Legislature as this bill) and make any updates necessary to reflect new or emerging technologies.
16. (New section) a. A violation of P.L. , c. (C. ) (pending before the Legislature as this bill) or the rules adopted thereunder shall constitute an unfair and deceptive act in violation of P.L.1960, c.39 (C.56:8-1 et seq.).
b. The Attorney General shall have the same authority under P.L. , c. (C. ) (pending before the Legislature as this bill) to conduct civil investigations, bring civil actions, and enter into assurances of discontinuance as provided under P.L.1960, c.39 (C.56:8-1 et seq.).
17. (New section) The provisions of P.L. , c. (C. ) (pending before the Legislature as this bill) do not apply to:
a. a federal, State, tribal, or local government entity in the ordinary course of operations;
b. personal data that is subject to a statute or regulation identified under P.L. , c. (C. ) (pending before the Legislature as this bill) that is controlled by a covered online service provider that is in compliance with the information security requirements and required to comply with:
(1) Title V of the Gramm-Leach-Bliley Act, 15 USC ss.6801 to 6809;
(2) the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5; or
(3) regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191;
c. information including, but not limited to, personal data, that is collected as part of a clinical trial that is subject to the federal policy for the protection of human subjects under 5 C.F.R. Part 46;
d. information that is collected in accordance with the “Good Clinical Practice Guidelines” issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; or
e. information that is collected in accordance with the human subject protection requirements of the United States Food and Drug Administration under 21 C.F.R. Part 50.
18. (New section) a. The provisions of P.L. , c. (C. ) (pending before the Legislature as this bill) do not limit or restrict in any way the application of other laws, statutes, rules, or regulations of this State.
b. In the event of a conflict between P.L. , c. (C. ) (pending before the Legislature as this bill) and one or more other laws of this State, the law that affords the greatest protection from harm to minors controls.
c. If any clause, sentence, paragraph, subparagraph, subsection, section or part of P.L. , c. (C. ) (pending before the Legislature as this bill) shall be adjudged by any court of competent jurisdiction to be invalid, such judgment shall not affect, impair, or invalidate the remainder thereof, but shall be confined in its operation to the clause, sentence, paragraph, subparagraph, subsection, section or part thereof directly involved in the controversy in which such judgment shall have been rendered. It is hereby declared to be the intent of the Legislature that this act would have been enacted even if such invalid provisions had not been included herein.
19. This act shall take effect July 1 of the calendar year next following the date of enactment.
STATEMENT
This bill, which is designated as the “New Jersey Kids Code Act” and to be cited as the “Age-Appropriate Design Code for New Jersey,” requires a covered online service provider, as defined in the bill, to implement certain measures to protect minors’ online privacy. Under the bill, covered online service providers are required to provide a user that the covered online service provider knows to be a minor (covered minor) with default settings for safeguards at the option or level that provides the highest protection available for the safety of the covered minor, and are prohibited from reducing or prompting a covered minor to reduce certain privacy settings. The bill also creates requirements and prohibitions concerning the collection and use of covered minors’ personal data.
Additionally, under the bill, a covered online service provider is required to issue an annual report including: (1) a detailed description of the online service as pertaining to minors, including the online service’s covered design features, use of personal data, and business practices; (2) the purpose of the online service; (3) the extent to which the online service is likely to be accessed by minors; (4) whether, how, and for what purpose the covered online service provider processes minors’ personal data and sensitive personal data; (5) the design safety features for minors, the privacy protections for minors, and the tools for parents that the covered online service has adopted; (6) whether and how the online service used covered design features; (7) the covered online service provider’s process for handling data access, deletion, and correction requests for minors’ data; (8) age assurance, age verification, or age estimation methods used; (9) whether and how the covered online service provider utilized algorithms; and (10) if the covered online service provider uses a covered design feature, the average daily time spent on the online service by covered minors for the 90th, 95th, 99th, and 99.9th percentile of covered minors.
The bill further requires covered online service providers to engage independent third-party auditors for preparing annual reports. Under the bill, a covered online service provider is required to prominently post the annual report on the covered online service provider’s Internet website.
The bill also amends certain provisions of current law concerning data privacy, including amending the definitions of “personal data” and “sensitive data” under N.J.S.A.56:8-166.4.
The bill provides that a violation of the provisions of the bill constitutes an unfair and deceptive act under the New Jersey consumer fraud act.