Sponsored by:
Assemblyman HERB CONAWAY, JR.
District 7 (Burlington)
Assemblyman WILLIAM F. MOEN, JR.
District 5 (Camden and Gloucester)
SYNOPSIS
Requires controller or processor to de-identify personal data and prohibits re-identification of de-identified data.
CURRENT VERSION OF TEXT
As introduced.
An Act concerning the regulation of data brokers and amending and supplementing P.L.2023, c.266.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. Section 1 of P.L.2023, c.266 (C.56:8-166.4) is amended to read as follows:
1. As used in P.L.2023, c.266 (C.56:8-166.4 et seq.) and P.L. , c. (C. ) (pending before the Legislature as this bill):
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. For the purposes of this definition, "control" means: the ownership of or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; the control in any manner over the election of a majority of the directors or individuals exercising similar functions; or the power to exercise a controlling influence over the management or policies of a company.
"Biometric data" means data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. "Biometric data" shall not include: a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
"Child" shall have the same meaning as provided in COPPA.
"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action. "Consent shall not include: acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.
"Consumer" means an identified person who is a resident of this State acting only in an individual or household context. "Consumer" shall not include a person acting in a commercial or employment context.
"Controller" means an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
"COPPA" means the federal Children's Online Privacy Protection Act, 15 U.S.C. s.6501 et seq., and any rules, regulations, guidelines, and exceptions thereto, as may be amended from time to time.
"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is not limited to, any practice the United States Federal Trade Commission refers to as a "dark pattern."
"Decisions that produce legal or similarly significant effects concerning the consumer" means decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods and services.
"De-identified data" means: data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (1) takes reasonable measures to ensure that the data cannot be associated with an individual, (2) publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data, and (3) contractually obligates any recipients of the information to comply with the requirements of this paragraph.
"Designated request address" means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L.2023, c.266 (C.56:8-166.6).
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable person. "Personal data" shall not include de-identified data or publicly available information.
"Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
"Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and also includes the actions of a controller directing a processor to process personal data.
"Processor" means a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.
"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Publicly available information" means information that is lawfully made available from federal, State, or local government records or widely distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.
Re-identify means to link de-identified data to an identified or identifiable individual, or a device linked to such an individual.
"Sale" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. "Sale" shall not include:
The disclosure of personal dat