Bill Text: NJ A4817 | 2016-2017 | Regular Session | Introduced


Bill Title: Requires commercial Internet website and online service operators to notify customers of collection and disclosure of personally identifiable information to third parties.

Spectrum: Bipartisan Bill

Status: (Introduced - Dead) 2017-05-18 - Introduced, Referred to Assembly Law and Public Safety Committee

ASSEMBLY, No. 4817

STATE OF NEW JERSEY

217th LEGISLATURE

 

INTRODUCED MAY 18, 2017

 


 

Sponsored by:

Assemblywoman  AMY H. HANDLIN

District 13 (Monmouth)

Assemblyman  JOHN F. MCKEON

District 27 (Essex and Morris)

Assemblyman  ROBERT AUTH

District 39 (Bergen and Passaic)

 

Co-Sponsored by:

Assemblyman Lagana

 

 

 

 

SYNOPSIS

     Requires commercial Internet website and online service operators to notify customers of collection and disclosure of personally identifiable information to third parties.

 

CURRENT VERSION OF TEXT

     As introduced.

  


An Act concerning commercial Internet websites, online services, and personally identifiable information and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.  As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

     "Commercial Internet website" means a website operated for business purposes, including, but not limited to, the sale of goods and services.

     "Customer" means an individual within this State who provides, either knowingly or unknowingly, personally identifiable information to an operator, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the operator, including advertising or any other content.

     "Designated request address" means an email address or toll-free telephone number that a customer may use to request the information required to be provided pursuant to section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     "Disclose" means to release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to a third party a customer's personally identifiable information. "Disclose" shall not include:

     the disclosure of a customer's personally identifiable information by an operator to a third party under a written contract authorizing the third party to use the personally identifiable information to perform services on behalf of the operator, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if the contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service on behalf of the operator and from disclosing personally identifiable information to additional third parties; or

     the disclosure of personally identifiable information by an operator to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or

     the disclosure of personally identifiable information by an operator to a third party that is reasonably necessary to address fraud, security, or technical issues, to protect the operator's rights or property, or to protect a customer or the public from illegal activities as required by law.

     "Internet Protocol" means a communications protocol that enables an Internet end user to send or receive a communication over the Internet, regardless of whether the communication is voice, data, or video.

     "Online service" means a commercial information service provided over the Internet, including, but not limited to, offsite data storage services and computer application services.

     "Operator" means a person or entity that owns an Internet website or an online service that collects and maintains personally identifiable information from a customer and which is operated for commercial purposes. "Operator" shall not include any third party that operates, hosts, or manages, but does not own, a website or online service on the operator's behalf, or by processing information on behalf of the operator.

     "Personally identifiable information" means any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service, including, but not limited to:

     name, alias, nickname, and user name;

     postal and email address;

     telephone number;

     account name;

     social security number or other government-issued identification number, including driver's license number or passport number;

     birthdate or age;

     physical characteristic information, including height and weight;

     sexual information, including sexual orientation, sex, gender status, gender identity, and gender expression;

     race or ethnicity;

     religious affiliation or activity;

     political affiliation or activity;

     professional or employment-related information;

     educational information;

     medical information, including medical conditions or drugs, therapies, mental health, or medical products or equipment used;

     financial information, including credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness;

     commercial information, including records of property, products, or services provided, obtained or considered, or other purchasing or consumer histories;

     geolocation information;

     Internet or mobile activity information, including Internet protocol addresses or information concerning the access or use of any online service;

     content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer; and

     any of the above categories of information as they pertain to the children of the customer.

     "Third party" means:

     a private entity that is a separate legal entity from the operator;

     a private entity that does not share common ownership or common corporate control with the operator; or

     a private entity that does not share a brand name or common branding with the operator, such as an affiliate relationship that is clear to the customer.

 

     2.    An operator that collects through the Internet the personally identifiable information of a customer shall provide on its Internet website or online service notification to a customer that includes, but is not limited to:

     a.     a complete description of the personally identifiable information that the operator collects through the Internet website or online service about a customer who uses or visits its commercial Internet website or online service;

     b.    all third parties with which the operator may disclose a customer's personally identifiable information; and

     c.     information concerning one or more designated request addresses.

 

     3.    a.         An operator that discloses a customer's personally identifiable information to a third party shall make the following information available to the customer free of charge upon receipt of a request from the customer for this information through a designated request address:

     (1)   the customer's personally identifiable information that was disclosed; and

     (2)   the names of the third parties that received the customer's personally identifiable information.

     b.    An operator that receives a request from a customer under this section shall provide a response to the customer within 30 days of the operator's receipt of the request and shall provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

     c.     This section shall not apply to personally identifiable information disclosed prior to the effective date of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     4.    A waiver of the requirements of, or an agreement that does not comply with, the provisions of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be void and unenforceable.

 

     5.    a.  Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be construed to apply to any State agency, any political subdivision thereof, federal agency, or any contractor, subcontractor, or agent thereof, when working for that State agency, political subdivision thereof, or federal agency.

 

     6.    It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for an operator to fail to notify a customer of the disclosure of personally identifiable information pursuant to sections 2 and 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     7.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     8.    This act shall take effect immediately.

 

 

STATEMENT

 

     This bill requires commercial Internet website and online service operators to notify customers of the collection and disclosure of personally identifiable information to third parties. An operator that collects through the Internet the personally identifiable information of a customer is to provide on its Internet website or online service notification to a customer that includes, but is not limited to: a complete description of the personally identifiable information that the operator collects through the Internet website or online service about a customer who uses or visits its commercial Internet website or online service; all third parties with which the operator may disclose a customer's personally identifiable information; and information concerning one or more designated request addresses, which are an email address or toll-free telephone number that a customer may use to request information under the bill.

     This bill requires that an operator that discloses a customer's personally identifiable information to a third party is to make the following information available to the customer free of charge upon receipt of a request from the customer for this information through a designated request address: the customer's personally identifiable information that was disclosed and the names of the third parties that received the customer's personally identifiable information. An operator that receives a request from a customer is to provide a response to the customer within 30 days and is to provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

     This bill defines "personally identifiable information" as any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service, including, but not limited to several examples that are listed in the bill.