A1971

ASSEMBLY, No. 1971

STATE OF NEW JERSEY

220th LEGISLATURE

PRE-FILED FOR INTRODUCTION IN THE 2022 SESSION

Sponsored by:

Assemblyman RAJ MUKHERJI

District 33 (Hudson)

Assemblyman DANIEL R. BENSON

District 14 (Mercer and Middlesex)

Assemblyman PAUL D. MORIARTY

District 4 (Camden and Gloucester)

Co-Sponsored by:

Assemblywoman McKnight, Assemblymen DeAngelo and Verrelli

SYNOPSIS

Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

CURRENT VERSION OF TEXT

Introduced Pending Technical Review by Legislative Counsel.


An Act concerning commercial Internet websites, consumers, and personally identifiable information and supplementing Title 56 of the Revised Statutes.

Be It Enacted by the Senate and General Assembly of the State of New Jersey:

1. As used in P.L. , c. (C. ) (pending before the Legislature as this bill):

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.

"Commercial Internet website" means a website operated for business purposes, including, but not limited to, the sale of goods and services, which collects and maintains personally identifiable information from a consumer.

"Consumer" means an identified person who is a resident of this State acting only in an individual or household context. "Consumer" shall not include a person acting in a commercial or employment context.

"De-identified data" means: data that cannot be linked to a consumer without additional information that is kept separately; or data that has been modified to a degree that the risk of re-identification, consistent with guidance from the Federal Trade Commission and the National Institute of Standards and Technology, is small, as determined by the Director of the Division of Consumer Affairs in the Department of Law and Public Safety pursuant to section 8 of P.L. , c. (C. ) (pending before the Legislature as this bill), that is subject to a public commitment by the operator not to attempt to re-identify the data, and to which one or more enforceable controls to prevent re-identification has been applied, which may include legal, administrative, technical, or contractual controls.

"Designated request address" means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L. , c. (C. ) (pending before the Legislature as this bill).

"Disclose" means to release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to a third party a consumer's personally identifiable information. "Disclose" shall not include:

the disclosure of a consumer's personally identifiable information by an operator to a third party under a written contract authorizing the third party to use the personally identifiable information to perform services on behalf of the operator, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if the contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service on behalf of the operator and from disclosing personally identifiable information to additional third parties unless expressly authorized by the consumer;

the disclosure of personally identifiable information by an operator to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order;

the disclosure of personally identifiable information by an operator to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues, to protect the operator's rights or property, or to protect a consumer or the public from illegal activities as required by law; or

the disclosure of personally identifiable information by an operator to a third party in connection with the proposed or actual sale or merger of the operator, or sale of all or part of its assets, to a third party.

"Online service" means an information service provided over the Internet that collects and maintains personally identifiable information from a consumer.

"Operator" means a person or entity that operates a commercial Internet website or an online service. "Operator" shall not include any third party that operates, hosts, or manages, but does not own, a commercial Internet website or online service on the operator's behalf, or processes information on behalf of the operator.

"Personally identifiable information" means any information that is linked or reasonably linkable to an identified or identifiable person. "Personally identifiable information" shall not include de-identified data or publicly available information.

"Publicly available information" means information that is lawfully made available from federal, State, or local government records, or widely-distributed media.

"Sale" means the exchange of personally identifiable information for monetary consideration by the operator to a third party for purposes of licensing or selling personally identifiable information at the third party's discretion to additional third parties. "Sale" shall not include the following:

the disclosure of personally identifiable information to a service provider that processes that information on behalf of the operator;

the disclosure of personally identifiable information to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer's reasonable expectations considering the context in which the consumer provided the personally identifiable information to the operator;

the disclosure or transfer of personally identifiable information to an affiliate of the operator; or

the disclosure or transfer of personally identifiable information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the operator's assets.

"Service provider" means a person, private entity, public entity, agency, or other entity that processes personally identifiable information on behalf of the operator and who shall provide sufficient guarantees to the operator to implement appropriate technical and organizational measures in a manner that processing shall ensure the protection of the consumer's personally identifiable information.

"Third party" means a person, private entity, public entity, agency, or entity other than the consumer, operator, or affiliate or service provider of the operator.

"Verified request" means the