This bill amends current legislation to mandate that controllers or processors de-identify personal data before selling it and prohibits the re-identification of such data. It introduces the definition of "re-identify," which pertains to linking de-identified data back to an identifiable individual. The bill outlines the responsibilities of both controllers and processors to ensure compliance, including taking reasonable measures to maintain data anonymity and publicly committing to refrain from re-identification attempts. It also establishes that any waivers or agreements that do not align with these provisions will be deemed void and unenforceable.

Additionally, the bill empowers the Director of the Division of Consumer Affairs to create regulations that set standards for de-identification, with potential exceptions for public benefit purposes, such as medical studies or environmental hazard prevention. Enforcement of these provisions will be under the authority of the Office of the Attorney General, and it is explicitly stated that there is no private right of action for violations of this law. The act is scheduled to take effect 365 days after its enactment, although preliminary administrative actions may be taken by the Director to facilitate implementation.

Statutes affected:
Introduced: 56:8-166.4, 56:8-166.9, 56:8-166.13, 56:8-166.16, 56:8-166.17, 56:8-166.18, 56:8-166.19