ASSEMBLY, No. 4314

STATE OF NEW JERSEY

221st LEGISLATURE

INTRODUCED MAY 10, 2024

Sponsored by:

Assemblywoman  CAROL A. MURPHY

District 7 (Burlington)

Co-Sponsored by:

Assemblywoman Quijano

SYNOPSIS

     Expands definition of personal data to include use of reproductive health care services and prohibits collection of reproductive health care prescription drugs from Prescription Monitoring Program.

CURRENT VERSION OF TEXT

     As introduced.

An Act concerning privacy of personal data in connection with reproductive health care services, and amending P.L.2023, c.266 and P.L.2007, c.244.

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1. Section 1 of P.L.2023, c.266 (C.     ) is amended to read as follows:

     1. As used in P.L.2023, c.266 (C.      ):

     "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.  For the purposes of this definition, "control" means: the ownership of or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; the control in any manner over the election of a majority of the directors or [individuals] persons exercising similar functions; or the power to exercise a controlling influence over the management or policies of a company.

     "Biometric data" means data generated by automatic or technological processing, measurements, or analysis of [an individual's] a person's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific [individual] person.  "Biometric data" shall not include: a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific [individual] person.

     "Child" shall have the same meaning as provided in COPPA.

     "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.  "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action.  "Consent" shall not include: acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.

     "Consumer" means an identified person who is a resident of this State acting only in an individual or household context.  "Consumer" shall not include a person acting in a commercial or employment context.

     "Controller" means [an individual] a natural person, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.

     "COPPA" means the federal Children's Online Privacy Protection Act, 15 U.S.C. s.6501 et seq., and any rules, regulations, guidelines, and exceptions thereto, as may be amended from time to time.

     "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is not limited to, any practice the United States Federal Trade Commission refers to as a "dark pattern."

     "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods and services.

     "De-identified data" means: data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable [individual] person, or a device linked to such [an individual] a person, if the controller that possesses the data: (1) takes reasonable measures to ensure that the data cannot be associated with [an individual] a person, (2) publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data, and (3) contractually obligates any recipients of the information to comply with the requirements of this paragraph.

     "Designated request address" means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L.2023, c.266 (C.      ).

     "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable person[.], and shall include information that is linked or reasonably linkable to an identified or identifiable person's use of or attempt to use reproductive health care services.  "Personal data" shall not include de-identified data or publicly available information.

     "Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of [an individual] a person with precision and accuracy within a radius of 1,750 feet.  "Precise geolocation data" does not include the content of communications, or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

     "Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and also includes the actions of a controller directing a processor to process personal data.

     "Processor" means a natural person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.

     "Profiling" means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable [individual's] person's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

     "Publicly available information" means information that is lawfully made available from federal, State, or local government records, or widely-distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.

     "Reproductive health care services" has the same meaning as set forth in section 1 of P.L.2022, c.51 (C.2A:84A-22.18).

     "Sale" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.  "Sale" shall not include:

     The disclosure of personal data to a processor that processes the personal data on the controller's behalf;

     The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;

     The disclosure or transfer of personal data to an affiliate of the controller;

     The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or

     The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

     "Sensitive data" means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis, including a person's use of or attempt to use reproductive health care services; financial information, which shall include a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying [an individual] a person; personal data collected from a known child; or precise geolocation data.

     "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests.  "Targeted advertising" shall not include: advertisements based on activities within a controller's own internet websites or online applications; advertisements based on the context of a consumer's current search query, visit to an internet website or online application; advertisements directed to a consumer in response to the consumer's request for information or feedback; or processing personal data solely to measure or report advertising frequency, performance, or reach.

     "Third party" means a natural person, private entity, public entity, agency, or entity other than the consumer, controller, or affiliate or processor of the controller.

     "Trade secret" has the same meaning as section 2 of P.L.2011, c.161 (C.56:15-2).

     "Verified request" means the process through which a consumer may submit a request to exercise a right or rights established in P.L.2023, c.266 (C.     ), and by which a controller can reasonably authenticate the request and the consumer making the request using commercially reasonable means.

(cf: P.L.2023, c.266, s.1)

     2. Section 12 of P.L.2023, c.266 (C.     ) is amended to read as follows:

     12. a. Nothing in P.L.2023, c.266 (C.        ) shall be construed to restrict a controller's or processor's ability to:

     (1) comply with federal or State law or regulations, except to the extent that such law or regulation imposes civil or criminal liability upon a person or entity for the provision, receipt, or seeking of, or inquiring or responding to an inquiry about reproductive health care services that are legal in this State;

     (2) comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, State, municipal or other governmental authorities, except to the extent that such inquiry, investigation, subpoena or summons concerns the imposition of civil or criminal liability upon a person or entity for the provision, receipt, or seeking of, or inquiring or responding to an inquiry about reproductive health care services that are legal in this State;

     (3) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, State or municipal ordinances or regulations, unless such conduct or activity concerns reproductive health care services that are legal in this State;

     (4) investigate, establish, exercise, prepare for or defend legal claims;

     (5) provide a product or service specifically requested by a consumer;

     (6) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;

     (7) take steps at the request of a consumer prior to entering into a contract;

     (8) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another [individual] person, and where the processing cannot be manifestly based on another legal basis;

     (9) prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action;

     (10) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine,

     (a) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller,

     (b) the expected benefits of the research outweigh the privacy risks, and

     (c) whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;

     (11) assist another controller, processor, or third party with any of the obligations under P.L.2023, c.266 (C.        ); or

     (12) process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is

     (a) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed, and

     (b) under the responsibility of a professional subject to confidentiality obligations under federal, State or local law.

     b. The obligations imposed on controllers or processors under P.L.2023, c.266 (C.        ) shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to:

     (1) conduct internal research to develop, improve, or repair products, services, or technology;

     (2) effectuate a product recall;

     (3) identify and repair technical errors that impair existing or intended functionality; or

     (4) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.  Personal data collected, used, or retained pursuant to this subsection shall, where applicable, take into account the nature and purpose or purposes of such collection, use or retention.  Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data. 

     c. The obligations imposed on controllers or processors under P.L.2023, c.266 (C.        ) shall not apply where compliance by the controller or processor with the provisions of law would violate an evidentiary privilege under the laws of this State.  Nothing in P.L.2023, c.266 (C.        ) shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the State as part of a privileged communication.

     d. Personal data that are processed by a controller pursuant to an exception provided by this section:

     (1)   shall not be processed for any purpose other than a purpose expressly listed in this section; and

     (2)   shall be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section.

     e. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section.

     f. Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller with respect to such processing if such entity would not otherwise meet the definition of a controller.

(cf: P.L.2023, c.266, s.12)

     3. Section 27 of P.L.2007, c.244 (C.45:1-47) is amended to read as follows:

     27.  a.         Notwithstanding the provisions of section 25 of P.L.2007, c.244 (C.45:1-45) to the contrary, the director may adopt a regulation to expand the program to require pharmacies to include information about each prescription dispensed for a prescription drug that is not a controlled dangerous substance.  In determining whether pharmacies should be required to submit to the program information about a prescription drug other than a controlled dangerous substance, the director shall consider: the actual or relative potential for abuse; scientific evidence of its pharmacological effect, if known; the state of current scientific knowledge regarding the drug; its history and current pattern of abuse, including its use to potentiate or enhance the effects of controlled dangerous substances that are subject to abuse; the scope, duration and significance of abuse; what, if any, risk to the public health; and its psychic or physiological dependence liability.  The director shall not expand the program to any prescription drug indicated for use in sterilization, contraception, termination of pregnancy, in-vitro fertilization, or any reproductive health care services as set forth in section 1 of P.L.2022, c.51 (C.2A:84A-22.18).

     b.    At the time the notice to expand the program pursuant to subsection a. is published in the New Jersey Register, the director shall provide a copy of the notice of proposed rule making to the chairpersons of the standing legislative reference committees on health of the Senate and General Assembly.

(cf: P.L.2017, c.341, s.5)

     4. This act shall take effect on the first day of the 13^th month following the date of enactment, except that the Attorney General and the Director of the Division of Consumer Affairs may take any anticipatory administrative action in advance as shall be necessary for the implementation of this act.

STATEMENT

     This bill expands the provisions of P.L.2023, c.266, which requires notification to consumers of the collection and use of personal data by certain entities, and requires those entities to provide consumers with the means of opting out of targeted advertising, location tracking, and customer profiling. 

     Under the bill, the definitions of "personal data" and "sensitive data" are amended to include data concerning a person's use of or attempt to use reproductive health care services.  Additionally, under the bill, entities that control or process personal data are prohibited from disclosing such data to the extent that disclosure would be in furtherance of imposing civil or criminal liability upon a person or entity for the provision, receipt, or seeking of, or inquiring or responding to an inquiry about reproductive health care services that are legal in this State but may not be legal outside this State.

     This bill also amends P.L.2007, c.244, concerning the State's Prescription Monitoring Program, to prohibit the expansion of the program to prescription drugs used for sterilization, contraception, termination of pregnancy, in-vitro fertilization, or any reproductive health care services.