ASSEMBLY, No. 4811

STATE OF NEW JERSEY

220th LEGISLATURE

INTRODUCED OCTOBER 20, 2022

Sponsored by:

Assemblyman  WILLIAM F. MOEN, JR.

District 5 (Camden and Gloucester)

SYNOPSIS

     Establishes data broker registry.

CURRENT VERSION OF TEXT

     As introduced.

An Act establishing a registry of data brokers and supplementing Title 56 of the Revised Statutes.

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.  a.  As used in P.L.    , c.    (C.        ) (pending before the Legislature as this bill):

     "Brokered personal information" means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties:

     (1) name;

     (2) address;

     (3) date of birth;

     (4) place of birth;

     (5) mother's maiden name;

     (6) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;

     (7) name or address of a member of the consumer's immediate family or household;

     (8) Social Security number or other government-issued identification number; or

     (9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.

     "Brokered personal information" shall not include publicly available information to the extent that it is related to a consumer's business or profession.

     "Data broker" means a business, or a unit or units of a business, separately or together, that collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. "Data broker" does not include the following activities conducted by a business and the collection and sale or licensing of brokered personal information incidental to conducting these activities, do not qualify the business as a data broker:

     (1) developing or maintaining third-party e-commerce or application platforms;

     (2) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;

     (3) providing publicly available information related to a consumer's business or profession; or

     (4) providing publicly available information via real-time or near real-time alert services for health or safety purposes.

     "Division" means the Division of Consumer Affairs in the Department of Law and Public Safety.

     b.  The Division of Consumer Affairs in the Department of Law and Public Safety shall establish and maintain an up-to-date and public registry of data brokers doing business in this State.

     c.  The registry shall include, but need not be limited to, the name of the data broker, the data broker's physical address, a general email address to gain further information about the data broker's privacy policies and data collection, a website address, a website address specific to the data broker's privacy policy, and any relevant opt-out information.

     d.  Each data broker shall pay a registration fee of $100 to the division. The fee shall be used to implement the registry, to offset the upfront costs of starting a new public database, and to hire staff to maintain it.

     e.  In addition to the registration fee, each data broker shall also submit the following information to the division:

     (1) the name and primary physical, email, and internet addresses of the data broker;

     (2) whether the data broker permits a consumer to opt out of the data broker's collection practices, including the method for requesting an opt-out, the type of opt-out, whether the opt-out applies to only certain activities or sales, and whether the data broker permits a consumer to authorize a third party to opt out on a consumer's behalf;

     (3) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

     (4) whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation about that process;

     (5) any information the data broker has about security breaches it has experienced, including the number of security breaches the data broker has experienced during the prior year and the number of consumers affected by the breaches;

     (6) a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the brokered personal information of persons under the age of 18; and

     (7) any information the division deems appropriate to implement the purposes of P.L.    , c.    (C.        ) (pending before the Legislature as this bill).

     2.  If a data broker does not comply with the registration requirements of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), the data broker shall be subject to a civil penalty of $50 per day, not to exceed $10,000 per year for each year it fails to register.  The penalty prescribed by this section shall be collected and enforced pursuant to the "Penalty Enforcement Law of 1999," P.L.1999, c.274 (C.2A:58-10 et seq.).

     3.  This act shall take effect immediately except that section 2 shall remain inoperative until 180 days following the date of enactment.

STATEMENT

     This bill requires the Division of Consumer Affairs (division) to establish and maintain an up-to-date and public registry of data brokers in New Jersey.  The registry is to include, at a minimum, the name of the data broker, the data broker's physical address, a general email address to gain further information about the data broker's privacy policies and data collection, a website address, a website address specific to the data broker's privacy policy, and any relevant opt-out information.

     To register, each data broker is required to pay a registration fee and provide certain information to the division.   The bill provides that if a data broker does not comply with the registration requirements, then it is subject to a civil penalty of $50 per day, not to exceed $10,000 per year for each year it fails to register.