This bill amends existing legislation to enhance consumer privacy by requiring that controllers or processors de-identify personal data before its sale and explicitly prohibits the re-identification of such de-identified data. It introduces the definition of "re-identify," which refers to the process of linking de-identified data back to an identified or identifiable individual. The bill emphasizes the responsibilities of these entities to maintain data anonymity and publicly commit to using the data solely in a de-identified manner. Furthermore, any waivers or agreements that do not comply with the bill's provisions will be considered void and unenforceable.

The bill also grants the Director of the Division of Consumer Affairs the authority to create regulations for implementing these requirements, including establishing standards for the de-identification process. It allows for exceptions to the de-identification requirements if deemed beneficial to the public, such as for medical studies or addressing environmental hazards. Enforcement of violations will be under the sole authority of the Office of the Attorney General, and the bill clarifies that it does not create a private right of action for individuals. The act is set to take effect 365 days after its enactment, although preliminary administrative actions may be taken by the Director to facilitate implementation.

Statutes affected:
Introduced: 56:8-166.4, 56:8-166.9, 56:8-166.13, 56:8-166.16, 56:8-166.17, 56:8-166.18, 56:8-166.19