BlogLine

New Jersey’s Continued Push to Expand its Data Breach and Privacy Laws

7/1/20

By: Zachary Danner

Following in the steps of California and other states considering consumer privacy legislation, New Jersey’s legislators have recently introduced a number of bills that would establish specific notification requirements for the collection and use of personally identifiable information (“PII”). While current law requires businesses to notify consumers if there is unauthorized access to electronically stored PII, there is no current law in New Jersey that requires businesses to notify consumers when and if their PII is being collected or shared with a third party. There also is not an existing process for a consumer to request information about the collection or sharing of his or her PII or to request that it be destroyed.

However, there are two bills currently being considered by the New Jersey Senate and Assembly that would require specific steps by a business before collecting PII or sharing it with a third party. These bills also establish requirements for how businesses handle the PII they collect from consumers to ensure its security and privacy. The following is a summary of the key provisions of each bill under consideration.

I. Senate Bill S1257

In February 2020, Senate Bill S1257, introduced by Assembly Member Troy Singleton, was referred to the Senate Commerce Committee. In short, if approved and signed, the bill would require commercial internet websites and online services to notify consumers of the collection and disclosure of PII and would allow consumers to opt out of the sale of their PII.

The notification to consumers prior to collection of PII must be clearly and conspicuously posted on the business’s website or online service, or in another prominently accessible location that the business maintains for consumer privacy settings, and include the following information:

  1. The categories of PII collected through the website or online service about a consumer who uses or visits the website or service;
  2. All third parties to which the operator may disclose a consumer’s PII;
  3. Whether a third party may collect PII about a consumer’s online activities over time and across different websites or online services when the consumer uses the operator’s website or online service;
  4. A description of the process for a consumer to review and request changes to any of his or her PII that is collected by the website or online service;
  5. The process by which the operator notifies consumers who use or visit the website or online service of material changes to the notification currently posted on the website; and
  6. One or more designated addresses that a consumer may use to request information under the bill.

As to selling information to third parties, the bill would require a business to provide a link on its website or online service that allows a consumer, by verified request, to opt out of the sale of his or her PII to any third party. A consumer may request from the business information about his or her PII that was disclosed and the names and contact information of the third parties that received his or her PII. Once the request is received, the business must respond to the consumer within 60 days and provide the information for all disclosures of PII that occurred in the prior 12 months. This information is to be provided free of charge.

The bill also creates protections for consumers who opt out of the sale of their PII. It specifically prohibits a business from discriminating against or penalizing a consumer who opts out. However, the business would not be prohibited from offering consumers discounts, loyalty programs, or other incentives for the sale of their PII, or from providing different services to consumers that are reasonably related to the value of the relevant data.

Lastly, the proposed legislation does not include a private right of action for alleged violations. Rather, the Attorney General is to have sole authority to enforce a violation of the statute, if it were to be adopted and put into law in its current form.

II. Assembly Bill A3255

A second, similar but even more consumer-friendly bill was proposed to the General Assembly in February 2020. Assembly Bill A3255, introduced by Assembly Member John J. Burzichelli, was referred to the Assembly’s Science, Innovation, and Technology Committee for consideration.

This bill requires that businesses follow certain requirements concerning the collection of a consumer’s PII. Unlike Senate Bill S1257, Assembly Bill A3255 specifically prohibits a business from collecting a consumer’s PII unless a consumer affirmatively opts in to the collection. At or before the point of collection, a business that collects a consumer’s PII must inform consumers about the categories of PII to be collected and the purposes for which the categories of PII will be used. Further, the business may not collect other categories of PII or use PII collected for other purposes without providing the consumer prior notice. 

If the business wants to sell a consumer’s PII to a third party, the bill requires that it provide each consumer with notice that PII may be sold and that the consumer has the “right not to opt-in” to the sale of his or her PII. Even if a consumer initially agrees to the sale of his or her PII, the consumer can at any time rescind that authorization, and the business must immediately stop selling the consumer’s PII.

A consumer also would have the right to request information about the disclosure of his or her PII. If a business receives a verifiable request from a consumer, it must promptly take steps to disclose and deliver, free of charge, the PII that was disclosed to a third party. The information may be delivered by mail or electronically, and if provided electronically, it must be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide PII to a consumer at any time, but would not be required to provide PII to a consumer more than twice in a 12-month period.

The bill also provides that a consumer has a right to request that a business delete any PII it has collected from the consumer. Like Senate Bill S1257, this statute would also prohibit discrimination against any consumer who chooses to opt out of the sale of his or her PII to third parties.

Any violation of the bill would constitute an unlawful practice and violation of the New Jersey Consumer Fraud Act, which would be punishable by a monetary penalty of up to $10,000 for a first offense and $20,000 for a subsequent offense. However, a grace period would be provided to the business, allowing it 30 days to cure any alleged violation after being notified of the alleged noncompliance before it is assessed a penalty.

III. Takeaways from the proposed legislation

If adopted into law, each of these statutes would change the way businesses in New Jersey operate with regard to the collection and use of consumer information. Clearly, the California Consumer Privacy Act is the model that New Jersey and other states are now looking to follow. As businesses in California already know, complying with these requirements is onerous and can take time. Therefore, businesses should stay informed on the proposed legislation and be aware of New Jersey’s developing efforts to protect PII, as they could have a significant impact on their operations.

Please be sure to visit our firm’s blog for updates and other up-to-date news and analysis of data security and privacy issues. If you have questions or would like more information, please contact Zachary Danner at zdanner@fmglaw.com.