This bill establishes comprehensive data privacy protection requirements for consumer health data in New Jersey, specifically targeting health care providers and patients. It defines key terms such as "regulated entity," which refers to any legal entity conducting business in the state that determines the purpose and means of collecting, processing, sharing, or selling consumer health data. Regulated entities are mandated to maintain a consumer health data privacy policy, restrict access to such data, and implement robust data security practices. They must also obtain explicit consumer consent before collecting or sharing health data and comply with consumer requests to confirm, withdraw consent, or delete their data within specified timeframes.

Furthermore, the bill prohibits the sale of consumer health data without valid consumer authorization and outlines the necessary components of such authorization. It also forbids the use of geofences around health care entities for tracking or collecting consumer health data. Violations of the bill's provisions are classified as unlawful practices, and certain entities and types of information are exempt from its requirements. While the bill emphasizes consumer autonomy and informed consent, it allows regulated entities and processors to collect and use consumer health data to address security incidents or illegal activities, provided they can demonstrate that such processing qualifies for the exemption.