This bill amends existing legislation to mandate that controllers or processors de-identify personal data before its sale and prohibits the re-identification of such data. It introduces the definition of "re-identify," which refers to the process of linking de-identified data back to an identified or identifiable individual. The bill emphasizes the responsibilities of these entities to ensure compliance, including taking reasonable measures to maintain data anonymity and publicly committing to refrain from re-identification. Furthermore, it clarifies that any waiver of these requirements will be void and unenforceable, and it designates the Office of the Attorney General as the exclusive authority for enforcing violations, with no private right of action for individuals.

Additionally, the bill empowers the Director of the Division of Consumer Affairs to establish standards for the de-identification process and allows for specific exceptions to the de-identification requirements if they are deemed beneficial to the public, such as for medical studies or addressing environmental hazards. The act is set to take effect 365 days after its enactment, although the Director may take necessary administrative actions prior to that date.

Statutes affected:
Introduced: 56:8-166.4, 56:8-166.9, 56:8-166.13, 56:8-166.16, 56:8-166.17, 56:8-166.18, 56:8-166.19