Bill Text: NJ S332 | 2022-2023 | Regular Session | Amended


Bill Title: Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

Spectrum: Partisan Bill (Democrat 5-0)

Status: (Engrossed) 2023-02-06 - Received in the Assembly, Referred to Assembly Science, Innovation and Technology Committee [S332 Detail]

Download: New_Jersey-2022-S332-Amended.html

[Third Reprint]

SENATE, No. 332

STATE OF NEW JERSEY

220th LEGISLATURE

 

PRE-FILED FOR INTRODUCTION IN THE 2022 SESSION


Sponsored by:

Senator  TROY SINGLETON

District 7 (Burlington)

Senator  RICHARD J. CODEY

District 27 (Essex and Morris)

 

Co-Sponsored by:

Senators Greenstein and Madden


SYNOPSIS

     Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

 

CURRENT VERSION OF TEXT

     As amended by the Senate on December 19, 2022.

  


An Act concerning commercial Internet websites, consumers, and personally identifiable information and supplementing Title 56 of the Revised Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

     "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.

     "Commercial Internet website" means a website operated for business purposes, including, but not limited to, the sale of goods and services, which collects and maintains personally identifiable information from a consumer.

     "Consumer" means an identified person who is a resident of this State acting  2[only]2 3only3 in an individual 3[2, job seeking,2]3 or household context. "Consumer" shall not include a person 3[2otherwise2]3 acting in a commercial or employment context.

     "De-identified data" means: data that cannot be linked to a consumer without additional information that is kept separately; or data that has been modified to a degree that the risk of re-identification, consistent with guidance from the Federal Trade Commission and the National Institute of Standards and Technology, is small, as determined by the Director of the Division of Consumer Affairs in the Department of Law and Public Safety pursuant to section 3[8] 93 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill), that is subject to a public commitment by the operator not to attempt to re-identify the data, and to which one or more enforceable controls to prevent re-identification has been applied, which may include legal, administrative, technical, or contractual controls.

     "Designated request address" means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     "Disclose" means to release, transfer, share, disseminate, make available, or otherwise communicate 2[orally,]2 3orally,3 in writing, or by electronic or any other means 3[2,2]3 to a third party a consumer's personally identifiable information. "Disclose" shall not include:

     the disclosure of a consumer's personally identifiable information by an operator to a third party under a written contract authorizing the third party to use the personally identifiable information to perform services on behalf of the operator, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if the contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service on behalf of the operator and from disclosing personally identifiable information to additional third parties unless expressly authorized by the consumer;

     the disclosure of personally identifiable information by an operator to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order;

     the disclosure of personally identifiable information by an operator to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues, to protect the operator's rights or property, or to protect a consumer or the public from illegal activities as required by law; or

     the disclosure of personally identifiable information by an operator to a third party in connection with the proposed or actual sale or merger of the operator, or sale of all or part of its assets, to a third party.

     "Online service" means an information service provided over the Internet that collects and maintains personally identifiable information from a consumer.

     "Operator" means a person or entity that operates a commercial Internet website or an online service 3[2, and includes any third party that tracks or collects any information concerning a customer's usage of a commercial Internet website, regardless of whether the third party owns or operates the website2]3. "Operator" shall not include any third party that operates, hosts, or manages, but does not own, a commercial Internet website or online service on the operator's behalf, or processes information on behalf of the operator. 

     "Personally identifiable information" means any information that is linked or reasonably linkable to an identified or identifiable person. "Personally identifiable information" shall not include de-identified data  2[or publicly available information.

     "Publicly available information" means information that is lawfully made available from federal, State, or local government records, or widely-distributed media]2 3or publicly available information.

     "Publicly available information" means information that is lawfully made available from federal, State, or local government records, or widely-distributed media3.

     "Sale" means the exchange of personally identifiable information for monetary consideration by the operator to a third party for purposes of licensing or selling personally identifiable information at the third party's discretion to additional third parties. "Sale" shall not include the following:

     the disclosure of personally identifiable information to a service provider that processes that information on behalf of the operator;

     the disclosure of personally identifiable information to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer's reasonable expectations considering the context in which the consumer provided the personally identifiable information to the operator;

     the disclosure or transfer of personally identifiable information to an affiliate of the operator; or

     the disclosure or transfer of personally identifiable information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the operator's assets.

     "Service provider" means a person, private entity, public entity, agency, or other entity that processes personally identifiable information on behalf of the operator 3[2or on the operator's website2]3 and who shall provide sufficient guarantees to the operator to implement appropriate technical and organizational measures in a manner that processing shall ensure the protection of the consumer's personally identifiable information.

     "Third party" means a person, private entity, public entity, agency, or entity other than the consumer, operator, or affiliate or service provider of the operator.

      "Verified request" means the process through which a consumer may submit a request to exercise a right or rights established in P.L.    , c.    (C.      ) (pending before the Legislature as this bill), and by which an operator can reasonably authenticate the request and the consumer making the request using commercially reasonable means.

 

     2.    a.   An operator that collects the personally identifiable information of a consumer through a commercial Internet website or online service shall provide on 2[its] the2 commercial Internet website or online service notification to a consumer that shall include, but not be limited to:

     (1)   the categories of the personally identifiable information that the operator collects through the commercial Internet website or online service about a consumer who uses or visits the 2[operator's]2  3operator's3 commercial Internet website or online service;

     (2)   the categories of all third parties with which the operator may disclose a consumer's personally identifiable information;

     (3)   whether a third party may collect personally identifiable information about a consumer's online activities over time and across different commercial Internet websites or online services when the consumer uses the Internet website or online service of the operator;

     (4)   a description of the process for an individual consumer who uses or visits the commercial Internet website or online service to review and request changes to any of the consumer's personally identifiable information that is collected by 2[the commercial Internet website or online service of]2 3the commercial Internet website or online service of 3 the operator;

     (5)   the process by which the operator notifies consumers who use or visit the commercial Internet website or online service of material changes to the notification required to be made available pursuant to this subsection, along with the effective date of the notice; and

     (6)   information concerning one or more designated request addresses of the operator.

     b.    In addition to the requirements of subsection a. of this section, an operator shall include the notification as a separate section of the operator's privacy policy.

      3[2c.            (1)  The process described in paragraph (4) of subsection a. of this section shall consist of one or more methods for submitting requests to the operator.  The operator shall provide a toll-free phone number, email address, or both, for the submission of requests by a customer to review or change personally identifiable information.  The consumer shall submit verified documents supporting the consumer's request to change personally identifiable information.  The operator shall take steps to promptly verify the data and reply to the consumer's request.

     (2)   An operator may deny an individual consumer's request to change the consumer's personally identifiable information if:

     (a)   the operator is legally obligated to retain the personally identifiable information; or

     (b)   the changes cannot be verified through the submitted documentation.2]3

 

     3.    a.   An operator that collects a consumer's personally identifiable information through its commercial Internet website or online service and discloses the consumer's personally identifiable information to a third party shall make the following information available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address:

     (1)   the category or categories of a consumer's personally identifiable information that were disclosed; and

     (2)   the category or categories of the third parties that received the consumer's personally identifiable information.

     b.    An operator that receives a verified request from a consumer pursuant to subsection a. of this section shall provide a response to the consumer within 60 days of the operator's verification of the request and shall provide the information, pursuant to subsection a. of this section, for all disclosures of personally identifiable information that occurred in the prior 12 months.

     c.     This section shall not apply to personally identifiable information disclosed prior to the effective date of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     4.    a.   An operator that collects the personally identifiable information of a consumer through its commercial Internet website or online service and sells the personally identifiable information of the consumer through the Internet shall clearly and conspicuously post a link, on its commercial Internet website or online service or in another prominently accessible location the commercial Internet website maintains for consumer privacy settings, to an Internet webpage maintained by the operator, which enables a consumer, by verified request, to opt out of the sale of the consumer's personally identifiable information. The method in which a consumer may opt out shall be in a form and manner determined by the operator, provided that a consumer shall not be required to establish an account with the operator in order to opt out of the sale of a consumer's personally identifiable information.

     b.    An operator shall be prohibited from discriminating against a consumer if the consumer chooses to opt out of the sale of the consumer's personally identifiable information pursuant to subsection a. of this section. The provisions of this section shall not prohibit the operator's ability to offer consumers discounts, loyalty programs, or other incentives for the sale of the consumer's personally identifiable information, or to provide different services to consumers that are reasonably related to the value of the relevant data.

 

     5.    A waiver of the requirements of, or an agreement that does not comply with, the provisions of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be void and unenforceable.

 

     6.    Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall apply to:

     a.     protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the "Health Insurance Portability and Accountability Act of 1996," Pub.L.104-191, and the "Health Information Technology for Economic and Clinical Health Act," (42 U.S.C. s.17921 et seq.).

     b.    a financial institution or an affiliate of a financial institution that is subject to Title V of the federal "Gramm-Leach-Bliley Act of 1999," 15 U.S.C. s.6801 et seq., and the rules and implementing regulations promulgated thereunder; 

     c.     the secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii); or

     d.    an insurance institution subject to P.L.1985, c.179 (C.17:23A-1 et seq.).

     e.     the sale of a consumer's personally identifiable information by the New Jersey Motor Vehicle Commission that is permitted by the federal "Drivers' Privacy Protection Act of 1994," 18 U.S.C. s.2721 et seq.; and

     f.     personally identifiable information collected, processed, sold, or disclosed by a consumer reporting agency, as defined in 15 U.S.C. s.1681a(f), if the collection, processing, sale, or disclosure of the personally identifiable information is limited by the federal "Fair Credit Reporting Act," 15 U.S.C. s.1681 et seq., and implementing regulations.

 

     7.    Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall require an operator to:

     a.     re-identify de-identified data;

     b.    collect, retain, use, link, or combine personally identifiable information concerning a consumer that it would not otherwise collect, retain, use, link, or combine in the ordinary course of business.

 

     8.    It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for an operator to fail to notify a consumer of the sale of personally identifiable information pursuant to sections 2 and 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) or fail to allow a consumer to opt out of the sale of a consumer's personally identifiable information pursuant to section 4 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) if the operator fails to cure any alleged violation of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) within 30 days after receiving notice of alleged noncompliance from the Attorney General.

 

     9.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the "Administrative Procedure Act,"  P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     10.  The Office of the Attorney General shall have sole and exclusive authority to enforce a violation of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).  1Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be construed as providing the basis for, or subject to, a private right of action for violations of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) or under any other law.1

 

     11.  This act shall take effect on the 180th day following the date of enactment, except that the Director of the Division of Consumer Affairs may take any anticipatory administrative action in advance as shall be necessary for the implementation of this act.
