ASSEMBLY, Nos. 2340 and 2489
STATE OF NEW JERSEY
ADOPTED MARCH 5, 2020
Assemblyman PAUL D. MORIARTY
District 4 (Camden and Gloucester)
Assemblywoman ANNETTE QUIJANO
District 20 (Union)
Assemblywoman VALERIE VAINIERI HUTTLE
District 37 (Bergen)
Assemblyman Webber, Assemblywoman Timberlake, Assemblyman Benson, Assemblywoman Dunn, Assemblymen Mejia, Conaway, Freiman and Assemblywoman Downey
Prohibits commercial mobile service providers from disclosing customer’s geolocation data to third parties.
CURRENT VERSION OF TEXT
Substitute as adopted by the Assembly Consumer Affairs Committee.
An Act concerning commercial mobile service providers and geolocation data and supplementing Title 56 of the Revised Statutes.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. As used in P.L. , c. (C. ) (pending before the Legislature as this bill):
“Aggregate customer information” means information that relates to a group or category of customers, from which individual customer identities have been removed, that is not linked or reasonably linkable to any customer or household, including through use of a device. “Aggregate customer information” shall not mean one or more individual customer records that have been deidentified.
"Commercial mobile service" means a type of mobile telecommunications service as defined in subsection (d) of section 332 of the Communications Act of 1934 (47 U.S.C. s.332(d)).
“Commercial mobile service provider” or “provider” means an individual, proprietorship, partnership, corporation, association, or other legal entity that provides commercial mobile service on a mobile device.
“Customer” means an individual within this State who provides, either knowingly or unknowingly, geolocation data to a commercial mobile service provider in the course of using the provider’s service on a mobile device.
“Deidentified information” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular customer, provided that a provider that uses deidentified information has:
implemented technical safeguards that prohibit reidentification of the customer to whom the information pertains;
implemented business processes that specifically prohibit reidentification of the information;
implemented business processes to prevent inadvertent release of deidentified information; and
makes no attempt to reidentify the information.
“Device” means any physical object that is capable of connecting to the Internet, either directly or indirectly, or to another device.
“Disclose” means to release, transfer, share, disseminate, make available, sell, or otherwise communicate by any means to a third party a customer’s geolocation data.
“Geolocation data” means a customer’s physical location information collected by a satellite-based navigation system on a mobile device that is accessible to a commercial mobile service provider but shall not include deidentified or aggregate customer information.
“Mobile device” means wireless telecommunications device that is capable of collecting a customer’s geolocation data.
“Third party” means an individual, proprietorship, partnership, corporation, association, or other legal entity that may knowingly or willfully disclose a customer’s geolocation data.
2. a. A commercial mobile service provider that provides commercial mobile service to a customer shall not disclose the customer’s geolocation data to a third party, unless the customer has given consent for the third party to access the customer’s geolocation data.
b. A third party that accesses a customer’s geolocation data pursuant to subsection a. of this section shall not sell the geolocation data in any case, and shall disclose the geolocation data otherwise only as necessary to effectuate the purpose for which consent was given.
3. The provisions of section 2 of P.L. , c. (C. ) (pending before the Legislature as this bill) shall not apply to:
a. information provided to a law enforcement agency in response to a legal process;
b. information provided to an emergency service organization responding to a 9-1-1 communication or any other communication reporting an imminent threat to life or property;
c. information required to be provided by federal, State, or local law; or
d. a customer providing the customer’s own location data to a commercial mobile service provider or mobile application developer to be disclosed for an authorized use.
4. It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a commercial mobile service provider or a third party to disclose a customer’s geolocation data in violation of section 2 of P.L. , c. (C. ) (pending before the Legislature as this bill).
5. The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L. , c. (C. ) (pending before the Legislature as this bill).
6. This act shall take effect on the first day of the third month next following the date of enactment.