[First Reprint]

ASSEMBLY, No. 4919

STATE OF NEW JERSEY

220th LEGISLATURE

INTRODUCED DECEMBER 5, 2022

Sponsored by:

Assemblyman  HERB CONAWAY, JR.

District 7 (Burlington)

Assemblyman  DANIEL R. BENSON

District 14 (Mercer and Middlesex)

SYNOPSIS

     Concerns social media privacy and data management for children and establishes New Jersey Children's Data Protection Commission.

CURRENT VERSION OF TEXT

     As reported by the Assembly Science, Innovation and Technology Committee on June 15, 2023, with amendments.

An Act concerning social media privacy and data management standards for children, establishing the New Jersey Children's Data Protection Commission, and supplementing Title 56 of the Revised Statutes.

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.  As used in P.L.    , c.    (C.        ) (pending before the Legislature as this bill):

     "Child" or "children" means a consumer or consumers who are under 18 years of age.

     "Data Protection Impact Assessment" means a systematic survey to assess and mitigate any risks that arise from the data management practices of a social media platform related to an online service, product, or feature that is likely to be accessed by children.

     "Likely to be accessed by children" means it is reasonable to expect, based on any of the following indicators, that the online service, product, or feature would be accessed by children:

     a. the online service, product, or feature is directed to children;

     b. the online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;

     c. the online service, product, or feature includes advertisements marketed to children;

     d. the online service, product, or feature has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children; or

     e. a significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children.

     ¹"Material change" means any action or series of actions to the online service, product, or feature that serves to extend the use of the social media platform by children.¹

     "Online service, product, or feature" does not mean any of the following:

     a. a broadband telecommunications service, as defined in section 1 of P.L.2007, c.191 (C.40:9D-1);

     b. a telecommunications service, as defined in 47 U.S.C. s.153; or

     c. the delivery or use of a physical product.

     "Personal information" means individually identifiable information about an individual that is collected online, including, but not limited to:

     a. first and last name;

     b. home or other physical address, including street name and name of a city or town;

     c. online contact information;

     d. any screen or user name that functions in the same manner as online contact information;

     e. telephone number;

     f. Social Security number;

     g. persistent identifier that can be used to recognize a user over time and across different Internet websites or online services.  Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;

     h. any photograph, video, or audio file that contains a child's image or voice;

     i. geolocation information sufficient to identify street name and name of a city or town; or

     j. information concerning the child or the parents of the child that the operator collects online from the child and combines with an identifier.

     "Profile" or "profiling" means any form of automated processing of personal information that uses personal information to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

     "Social media platform" or "platform" means a public or semi-public ¹[internet-based] Internet-based¹ service or application that has users in this State, which service or application:

     a.     allows users to construct a public or semipublic profile for the purposes of using the platform, populate a list of other users with whom the user shares a social connection through the platform, and post content viewable by other users of the platform; and

     b.    is designed to connect users within the platform to facilitate social interactions, except that a service or application that provides email or direct messaging services shall not be considered to meet this criterion solely based on the existence of that functionality.

     ¹This definition shall not include "news media" as defined in section 2 of P.L.1977, c.253 (C.2A:84A-21a).¹

     "User" means a person who has an account on a social media platform, regardless of whether the person posts or has posted content or material to the social media platform.

     2.  Before a new online service, product, or feature is offered to users residing in the State, which online service, product, or feature is likely to be accessed by children, the social media platform that offers the online service, product, or feature shall take all of the following actions:

     a. complete a Data Protection Impact Assessment for the online service, product, or feature and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children;

     b. document any risk of material detriment to children that arises from the data management practices of the social media platform identified in the Data Protection Impact Assessment and create a timed plan to mitigate or eliminate those risks before the online service, product, or feature is accessed by children;

     c. estimate the age for which the use of the service, product, or feature is appropriate for child users based on the risks that arise from the data management practices of the social media platform or apply the privacy and data protections afforded to children to all consumers;

     d. configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the social media platform can demonstrate a compelling reason that a different setting is in the best interests of children;

     e. provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature;

     f. if the online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track the child's location, provide an obvious signal to the child when the child is being monitored or tracked;

     g. enforce published terms, policies, and community standards established by the social media platform, including, but not limited to, privacy policies and those concerning children; and

     h. provide prominent, accessible, and responsive tools to help children or, if applicable, their parents or guardians exercise their privacy rights and report concerns.

     3.  a. The Data Protection Impact Assessment required under subsection a. of section 2 of P.L.    , c.    (C.        ) (pending before the Legislature as this bill) shall identify the purpose of the online service, product, or feature, how it uses children's personal information, and the risks of material detriment to children that arise from the data management practices of the social media platform. The Data Protection Impact Assessment shall address, to the extent applicable, all of the following:

     (1) whether the design of the online product, service, or feature could harm children, including, but not limited to, exposing children to harmful, or potentially harmful, content on the social media platform;

     (2) whether the design of the online service, product, or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the social media platform;

     (3) whether the design of the online service, product, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the social media platform;

     (4) whether the design of the online service, product, or feature could allow children to be party to or exploited by a harmful, or potentially harmful, contact on the social media platform;

     (5) whether algorithms used by the online service, product, or feature could harm children;

     (6) whether targeted advertising systems used by the online service, product, or feature could harm children;

     (7) whether and how the online service, product, or feature uses system design features to increase, sustain, or extend use of the social media platform by children, which features may include the automatic playing of media, rewards for time spent, and notifications; and

     (8) whether, how, and for what purpose the online service, product, or feature collects or processes the personal information of children.

     b. A social media platform shall review all Data Protection Impact Assessments at least every two years ¹and upon a material change¹ .

     4.  a.  Within three business days of receiving a written request from the Attorney General, a social media platform shall provide to the Attorney General a list of all Data Protection Impact Assessments the social media platform has completed.  For any Data Protection Impact Assessment completed pursuant to subsection a. of section 2 of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), the social media platform shall provide a written or electronic copy of the assessment to the Attorney General within five business days of receiving the written request. 

     b.  Notwithstanding any provision of law to the contrary, a Data Protection Impact Assessment shall be deemed confidential and shall not be considered a government record pursuant to P.L.1963, c.73 (C.47:1A-1 et seq.), P.L.2001, c.404 (C.47:1A-5 et al.), or the common law concerning access to government records.  To the extent any information contained in a Data Protection Impact Assessment includes information subject to attorney-client privilege or work product protection, disclosure pursuant to this section shall not constitute a waiver of that privilege or protection.

     5.  A social media platform that provides an online service, product, or feature likely to be accessed by children shall not take any of the following actions:

     a. use the personal information of any child in a way that the social media platform knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child;

     b. profile a child by default unless both of the following criteria are met:

     (1) the social media platform can demonstrate it has appropriate safeguards in place to protect children; and

     (2) either of the following is true:

     (a) profiling is necessary to provide the online service, product, or feature requested and only with respect to the aspects of the online service, product, or feature with which the child is actively engaged; or

     (b) the social media platform can demonstrate a compelling reason that profiling is in the best interests of children;

     ¹[(3)] c.¹ collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, unless the social media platform can demonstrate a compelling reason that the collecting, selling, sharing, or retaining of the personal information is in the best interests of children likely to access the online service, product, or feature;

     ¹[(4)] d.¹ collect, sell, or share any geolocation information of children by default unless the collection of that geolocation information is strictly necessary for the social media platform to provide the online service, product, or feature, in which case the information may only be collected, sold, or shared during the time in which the geolocation information is necessary to provide the online service, product, or feature;

     ¹[(5)] e.¹ collect any geolocation information of a child without providing an obvious sign to the child during all times in which the geolocation information is collected;

     ¹[(6)] f.¹ use deceptive design practices to lead or encourage children to provide more personal information than is reasonably necessary to provide the online service, product, or feature, or to take any action that the social media platform knows, or has reason to know, is materially detrimental to the child's physical health, mental health, or well-being; ¹[and] or¹

     ¹[(7)] g.¹ use any personal information collected to estimate the age for any other purpose or retain that personal information longer than necessary to estimate age.

     6.  a. Except as provided in subsection d. of this section, any social media platform that violates P.L.    , c.    (C.        ) (pending before the Legislature as this bill) shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought by the Attorney General.

     b. Any penalties, fees, and expenses recovered in an action brought under P.L.    , c.    (C.        ) (pending before the Legislature as this bill) shall be used to offset the costs incurred by the Attorney General in connection with P.L.    , c.    (C.        ) (pending before the Legislature as this bill).

     c. If a social media platform is not in substantial compliance with the requirements of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), the Attorney General shall provide written notice to the social media platform, before initiating an action under P.L.    , c.    (C.        ) (pending before the Legislature as this bill), identifying the specific provisions of P.L.    , c.    (C.        ) (pending before the Legislature as this bill) that the Attorney General alleges have been or are being violated.

     d. If, within 90 days of the notice provided by subsection c. of this section, the social media platform cures any violation alleged by the Attorney General and provides the Attorney General with a written statement that the alleged violations have been cured, and sufficient measures have been taken to prevent future violations, the social media platform shall not be liable for a civil penalty for any violation cured pursuant to this subsection.

     e. Nothing in P.L.    , c.    (C.        ) (pending before the Legislature as this bill) shall be interpreted to serve as the basis for a private right of action under P.L.    , c.    (C.        ) (pending before the Legislature as this bill) or any other law.

     7.  a. There is created, within the Division of Consumer Affairs in the Department of Law and Public Safety, the New Jersey Children's Data Protection Commission.

     b. (1) The commission shall consist of nine members, with expertise in children's data privacy, children's physical health, children's mental health and well-being, computer science, or children's rights, which members shall be appointed as follows:

     (a) three appointees by the Governor;

     (b) three appointees by the President of the Senate; and

     (c) three appointees by the Speaker of the ¹General¹ Assembly.

     (2)   Each member shall serve for a term of three years, except that, of the members first appointed, three members shall be appointed for a one-year term, three members shall be appointed for a two-year term, and three members shall be appointed for a three-year term.  Each member shall serve for the term of appointment until the member's successor is appointed.  A member who has completed a term of membership may be reappointed to the commission.  Vacancies in the commission shall be filled in the same manner as the original appointments were made.

     c. The commission shall take input from a broad range of stakeholders, including from academia, consumer advocacy groups, and small, medium, and large businesses affected by data privacy policies, and shall make recommendations to the Legislature concerning best practices for:

     (1) identifying online services, products, or features likely to be accessed by children;

     (2) evaluating and prioritizing the best interests of children with respect to their privacy, physical health, and mental health and well-being and evaluating how those interests may be furthered by the design, development, and implementation of an online service, product, or feature;

     (3) ensuring that methods used by social media platforms that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the social media platforms, are privacy protective, and minimally invasive;

     (4) assessing and mitigating risks to children that arise from the use of an online service, product, or feature;

     (5) publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access an online service, product, or feature;

     (6) assessing how the commission and the Division of Consumer Affairs may leverage the expertise of the division in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online; and

     (7) any other considerations or practices that the commission deems appropriate.

     d. Members of the commission shall be appointed within ¹[30] 120¹ days after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), and shall hold their initial organizational meeting as soon as practicable, but no later than 30 days following appointment of a majority of its authorized membership. At the initial organizational meeting, the members shall elect a chairperson and vice-chairperson from among the members of the commission by a majority vote of the members present.

     e. Members of the commission shall serve without compensation, but may be reimbursed for travel and other necessary expenses incurred in the performance of their duties, within the limits of funds appropriated or otherwise made available to the commission for its purposes.  The Division of Consumer Affairs shall provide professional, stenographic, and clerical staff to the commission, as may be necessary for the commission to carry out its duties.  The commission shall be entitled to call upon the services of any State, county, or municipal department, board, commission, or agency, as may be available to it for its purposes.

     f. A majority of the authorized members of the commission shall constitute a quorum, and no action of the commission shall be taken without the affirmative vote of a majority of the authorized members of the commission, except for the election of the chairperson and vice-chairperson at the initial organizational meeting pursuant to subsection d. of this section.

     g. The commission shall prepare a report on its findings and recommendations and shall submit the report to the Governor and to the Legislature, pursuant to section 2 of P.L.1991, c.164 (C.52:14-19.1), no later than six months following its organizational meeting and annually thereafter.

     8.  This act shall take effect on the first day of the 24th month after enactment.