The bill establishes stringent requirements for controllers and processors of personal data, mandating that they de-identify such data before sale and explicitly prohibiting any attempts to re-identify it. It introduces the definition of "re-identify," which refers to the process of linking de-identified data back to an identified or identifiable individual. The bill emphasizes the responsibilities of these entities to maintain data anonymity and publicly commit to not re-identifying the data. It also states that any waiver of these provisions will be void and unenforceable, and enforcement will be under the exclusive authority of the Office of the Attorney General, with no private right of action for violations.

Furthermore, the bill empowers the Director of the Division of Consumer Affairs to establish standards for the de-identification process and allows for specific exceptions to these requirements if they are deemed beneficial to the public, such as for medical studies or addressing environmental hazards. The act is set to take effect 365 days after its enactment, although the Director may take necessary administrative actions in advance to facilitate its implementation.

Statutes affected:
Introduced: 56:8-166.4, 56:8-166.9, 56:8-166.13, 56:8-166.16, 56:8-166.17, 56:8-166.18, 56:8-166.19