Bill Text: NJ A2184 | 2024-2025 | Regular Session | Introduced

Bill Title: Requires registration of data brokers and prohibits brokering of certain health records.

Spectrum: Partisan Bill (Democrat 4-0)

Status: (Introduced) 2024-01-09 - Introduced, Referred to Assembly Consumer Affairs Committee [A2184 Detail]

Download: New_Jersey-2024-A2184-Introduced.html

ASSEMBLY, No. 2184

STATE OF NEW JERSEY

221st LEGISLATURE

 

PRE-FILED FOR INTRODUCTION IN THE 2024 SESSION

 

 

Sponsored by:

Assemblyman  WILLIAM F. MOEN, JR.

District 5 (Camden and Gloucester)

Assemblyman  ROBERT J. KARABINCHAK

District 18 (Middlesex)

Assemblywoman  ELLEN J. PARK

District 37 (Bergen)

 

 

 

 

SYNOPSIS

     Requires registration of data brokers and prohibits brokering of certain health records.

 

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel.

  


An Act concerning data brokers and supplementing Title 56 of the Revised Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    As used in P.L.    , c.     (C.        ) (pending before the Legislature as this bill):

     "Behavioral health care" means procedures or services provided to a patient for the treatment of a mental illness, emotional disorder, or substance use disorder.

     "Behavioral health record" means personal identifying information that describes behavioral health care or that otherwise identifies an individual patient as having a behavioral health condition or as receiving care or treatment for a behavioral health condition.

     "Data broker" means a business, or a unit or units of a business, separately or together, that collects and sells or licenses to third parties the personal identifying information of an individual with whom the business does not have a direct relationship.

     "Division" means the Division of Consumer Affairs in the Department of Law and Public Safety.

     "Personal identifying information" means one or more of the following computerized data elements about an individual, if categorized or organized for dissemination to third parties: name; address; date of birth; place of birth; mother's maiden name; unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data; name or address of a member of the individual's immediate family or household; Social Security number or other government-issued identification number; or other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.  "Personal identifying information" shall not include publicly available information to the extent that it is related to an individual's business or profession.

     "Physical health care" means procedures or services provided to a patient in connection with the patient's physical health, including, but not limited to, preventative care, reproductive care, and wellness care, as well as treatment for an illness, disorder, disease, or other acute or chronic physical health condition.

     "Physical health record" means personal identifying information that describes physical health care or that otherwise identifies an individual patient as having a physical health condition or as receiving care or treatment for a physical health condition.

     2.    a. The Division of Consumer Affairs in the Department of Law and Public Safety shall establish and maintain a public registry of data brokers doing business in this State.  Using the information submitted pursuant to subsection c. of this section, the registry shall include, at a minimum, for each data broker doing business in this State: the data broker's name and physical address; a general email address that may be used to request information about the data broker's privacy policies and data collection practices; a general Internet website address for the data broker; an Internet website address specific to the data broker's privacy policies; and any relevant opt-out information.  The division shall review and update the information contained in the registry at least annually.

     b.    Each data broker doing business in New Jersey shall annually register with, and pay a registration fee of $100 to, the division.  Registration fees collected pursuant to this subsection shall be used to establish and maintain the registry required pursuant to this section.

     c.     Each data broker shall submit the following information to the division at the time of registration, which information shall be updated by the data broker at least annually, or at such other frequency as the division may require:

     (1)   the data broker's name and primary physical, email, and Internet addresses;

     (2)   whether the data broker permits individuals to opt out of the data broker's collection practices, including the method for requesting an opt-out, the type of opt-out, whether the opt-out is limited to certain activities or sales, and whether the data broker permits individuals to authorize a third party to opt out on the individual's behalf;

     (3)   a statement specifying the data collection, databases, or sales activities from which an individual may not opt out;

     (4)   whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation of that process;

     (5)   a history of data breaches and other cybersecurity events affecting the data broker and personal identifying information in the data broker's possession, including the number of individuals affected by each such data breach or cybersecurity event;

     (6)   a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal identifying information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the personal identifying information of persons under the age of 18; and

     (7)   any information the division deems appropriate to implement the purposes of P.L.    , c.     (C.        ) (pending before the Legislature as this bill).

     d.    (1) A business that collects and sells or licenses personal identifying information shall not be considered a data broker for the purposes of P.L.    , c.     (C.        ) (pending before the Legislature as this bill) if:

     (a)   the full extent to which the business collects and sells or licenses personal identifying information is incidental to conducting one or more of the following activities:

     (i)    developing or maintaining a third-party e-commerce or application platform;

     (ii)   providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;

     (iii)  providing publicly available information related to an individual's business or profession; or

     (iv)  providing publicly available information via real-time or near real-time alert services for health or safety purposes; or

     (b)   the business is a financial institution or an affiliate of a financial institution that is subject to Title V of the federal "Gramm-Leach-Bliley Act," 15 U.C.S. s.6801 et seq., and the rules and regulations promulgated thereunder.

     (2)   A business that engages in one or more of the activities described in sub-subparagraphs (i) through (iv) of subparagraph (a) of paragraph 1 of this subsection shall be considered a data broker for the purposes of P.L.    , c.     (C.        ) (pending before the Legislature as this bill) if the business collects and sells or licenses personal identifying information in any way that is not incidental to an activity described in sub-subparagraphs (i) through (iv) of subparagraph (a) of paragraph 1 of this subsection, unless the business is exempt under subparagraph (b) of paragraph (1) of this subsection.

 

     3.    In no case shall a data broker sell, offer for sale, license, or otherwise furnish, provide, or transmit to any other individual or entity a physical health record or a behavioral health record.

 

     4.    a. A data broker that fails to register with the division or to submit the annual registration fee as required under subsection b. of section 2 of P.L.    , c.     (C.        ) (pending before the Legislature as this bill) shall be liable to a civil penalty of $50 for each day the data broker fails to register or submit the required fee.

     b.    A data broker that fails to submit the information required under subsection c. of section 2 of P.L.    , c.     (C.        ) (pending before the Legislature as this bill) or to update the information as required under subsection c. of section 2 of P.L.    , c.     (C.        ) (pending before the Legislature as this bill) shall be liable for a civil penalty of $50 for each day the data broker fails to submit or update the information.

     c.     A data broker that sells, offers for sale, licenses, or otherwise furnishes, provides, or transmits to any other individual or entity a physical health record or a behavioral health record in violation of section 3 of P.L.    , c.     (C.        ) (pending before the Legislature as this bill) shall be liable to a civil penalty of $1,000 for each physical or behavioral health record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted.

     d.    A civil penalty assessed pursuant to this section shall be collected and enforced by the division in summary proceedings before a court of competent jurisdiction pursuant to the provisions of the "Penalty Enforcement Law of 1999," P.L.1999, c.274 (C.2A:58-10 et seq.).

 

     5.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall adopt rules and regulations, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), as shall be necessary for the implementation of P.L.    , c.     (C.        ) (pending before the Legislature as this bill).

 

     6.    This act shall take effect immediately, except that subsections a. and b. of section 4 of this act shall remain inoperative for 180 days following the date of enactment.

 

 

STATEMENT

 

      This bill requires data brokers to register with the Division of Consumer Affairs ("the division") in the Department of Law and Public Safety and prohibits the brokering of physical or behavioral health records.

      Data brokers are businesses that collect and sell or license to third parties the personal identifying information of an individual with whom the business does not have a direct relationship.  As used in the bill, "personal identifying information" means one or more computerized data elements about an individual that are categorized or organized for dissemination to third parties and that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.

      Specifically, the bill requires the division to establish and maintain a public registry of data brokers doing business in New Jersey.  Data brokers are required to register with the division, pay an annual registration fee of $100, and provide the division with certain information about the data broker's business as described in the bill.  Collected registration fees will be used to implement the provisions of the bill.

      Under the bill, the information that data brokers are required to submit to the division at the time of registration includes:  (1) the data broker's name and primary physical, email, and Internet addresses; (2) the data broker's policies for opting out of the data broker's collection practices; (3) whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation of that process; (4) a history of data breaches and other cybersecurity events affecting the data broker, including the number of individuals affected by each such data breach or cybersecurity event; (5) a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal identifying information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the personal identifying information of persons under the age of 18; and (6) any other information the division deems appropriate.  Data brokers are required to update this information annually or at such other intervals as the division requires.

      Using the information submitted by data brokers, the division is to include in the registry, at minimum, each data broker's name and physical address, a general email address that may be used to request information about the data broker's privacy policies and data collection practices, a general Internet website address for the data broker, an Internet website address specific to the data broker's privacy policies, and any relevant opt-out information.  The division is required to review and update this information at least annually.

      Data brokers that fail to submit and update information as required under the bill, or that fail to register and pay the registration fee required under the bill, will be liable for a civil penalty of $50 for each day the data broker is not in compliance.

      A business will not be considered a data broker for the purposes of the bill if the collection and sale or licensing of personal identifying information is incidental to one or more of the following activities conducted by the business:  (1) developing or maintaining a third-party e-commerce or application platform; (2) providing 411 directory assistance or directory information services on behalf of or as a function of a telecommunications carrier; (3) providing publicly available information related to an individual's business or profession; or (4) providing publicly available information via real-time or near real-time alert services for health or safety purposes.  A business that engages in these activities will still be considered a data broker for the purposes of the bill if the business collects and sells or licenses personal identifying information in any way that is not incidental to one or more of those activities.

      Additionally, a business will not be considered a data broker for the purposes of the bill if it is a financial institution or an affiliate of a financial institution subject to Title V of the federal "Gramm-Leach-Bliley Act," and the rules or regulations issued under its authority.

      The bill provides that in no case may a data broker sell, offer for sale, license, or otherwise furnish, provide, or transmit to any other individual or entity any physical or behavioral health record pertaining to an individual, including records describing physical or behavioral health care provided to an individual and records that otherwise identify an individual as having a physical or behavioral health condition or as receiving care or treatment for a physical or behavioral health condition.  A data broker that violates this prohibition will be liable to a civil penalty of $1,000 for each physical or behavioral health record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted in violation of this prohibition.

LegiScan Search

View Top 50 Searches

Select area of search.
Find an exact bill number.
Search bill text and data. [help]
Reset

LegiScan Trends

View Top 50 National

IL HB5097 HAIR CARE FOR YOUTH IN CARE
PA HB2238 Providing for consumer protection and prohibiting the use of perfluoroalkyl...
CO HB1227 Annual Rule Review Bill
IL HB3575 ISP-DNR/ICC/SOS POLICE
MA S1674 Relative to Massachusetts certified emergency telecommunicators
HI HB2467 Relating To Rent Credits For Demolition And Infrastructure Costs On Public...
IA HF2626 A bill for an act modifying the computation of net income for the individual...
IL HR0599 IHSA-ELIMINATE TRANSFER LIMITS
IL SB3501 OUTDOOR LIGHTING CONTROL ACT
MD HB892 Criminal Law - Benefits Exploitation
feedback