This bill establishes new requirements for controllers and processors of personal data, requiring them to de-identify such data before any sale occurs and explicitly prohibiting the re-identification of de-identified data. It introduces the definition of "re-identify," which refers to the process of linking de-identified data back to an identified or identifiable individual. The bill emphasizes the responsibilities of these entities to ensure compliance, including taking reasonable measures to maintain data anonymity and publicly committing to not attempt re-identification.
Furthermore, the bill amends existing law to ensure that any waivers or agreements that do not comply with the new de-identification requirements are void and unenforceable. It designates the Office of the Attorney General as the enforcement authority for these provisions, while also clarifying that no private right of action is available for violations. The Director of the Division of Consumer Affairs is tasked with creating regulations for the de-identification process, with potential exceptions for specific purposes such as medical studies or environmental hazard prevention. The act is set to take effect 365 days after enactment, although preliminary administrative actions may be taken in advance.
Statutes affected: Introduced: 56:8-166.4, 56:8-166.9, 56:8-166.13, 56:8-166.16, 56:8-166.17, 56:8-166.18, 56:8-166.19