This bill establishes strict regulations for the handling of personal data by requiring that controllers or processors de-identify such data before any sale occurs. It explicitly prohibits the re-identification of de-identified data and the provision of means to third parties for re-identification. The bill introduces a new definition for "re-identify," which refers to the process of linking de-identified data back to an identified or identifiable individual. It emphasizes the responsibilities of data controllers and processors to take reasonable measures to prevent re-identification and to publicly commit to maintaining data in a de-identified state.

Furthermore, the bill amends existing laws to declare that any waivers or agreements that do not comply with its provisions will be void and unenforceable. It grants the Director of the Division of Consumer Affairs the authority to create regulations for de-identification standards and allows for limited exceptions for public benefit, particularly in contexts such as medical studies or environmental hazard prevention. The enforcement of these provisions will be managed solely by the Attorney General, with no private right of action permitted for violations. The act is set to take effect 365 days after its enactment, although preliminary administrative actions may be taken by the Director to facilitate implementation.

Statutes affected:
Introduced: 56:8-166.4, 56:8-166.9, 56:8-166.13, 56:8-166.16, 56:8-166.17, 56:8-166.18, 56:8-166.19