This bill amends existing legislation to mandate that controllers or processors de-identify personal data before its sale and prohibits any attempts to re-identify that data. It introduces the definition of "re-identify," which refers to the process of linking de-identified data back to an identified or identifiable individual. The bill places a strong emphasis on the responsibilities of these entities to ensure compliance, including taking reasonable measures to maintain data anonymity and publicly committing to refrain from re-identification. Furthermore, any waivers of these requirements or agreements that allow for non-compliance will be deemed void and unenforceable.

The enforcement of this legislation will be under the exclusive authority of the Office of the Attorney General, with no private right of action for violations. The Director of the Division of Consumer Affairs is tasked with establishing rules and regulations for implementing these provisions, including setting standards for de-identification. The bill allows for specific exceptions to the de-identification requirements, particularly for purposes that benefit the public, such as medical studies or environmental hazard prevention. The act is set to take effect 365 days after its enactment, although the Director may initiate necessary administrative actions prior to that date.

Statutes affected:
Introduced: 56:8-166.4, 56:8-166.9, 56:8-166.13, 56:8-166.16, 56:8-166.17, 56:8-166.18, 56:8-166.19