The New Jersey Senate published, on 19 December 2022, amendments to Senate Bill 332, which was introduced to the New Jersey Senate in January 2022. In particular, the bill would require commercial internet websites and online services to notify consumers of the collection and disclosure of personally identifiable information and allow consumers to opt-out of such processing. More specifically, the bill provides that operators must notify consumers of information, including, but not limited to:

• the categories of personally identifiable information that the operator collects; and
• the categories of all third parties with which the operator may disclose a consumer's personally identifiable information.

In addition, the amendments to the bill establish that personally identifiable information may be disclosed orally, and adds a definition of what is considered 'publicly available information'. Furthermore, the amendments to the bill also remove the process for a consumer who uses or visits a commercial internet website or online service to review and request changes to the consumer's personally identifiable information that is collected by the operator.

You can read the bill here, the statement on the amendments here, and track its progress here.

UPDATE (2 February 2023)

Bill on personal information transparency obligations passed by Senate 

The bill was passed, on 2 February 2023, by the State Senate.

You can read the bill here, the statement on the amendments here, and track its progress here.

UPDATE (6 February 2023)

Bill on personal information transparency obligations referred to Committee on Science, Innovation and Technology

The bill was referred, on 6 February 2023, to the Assembly Committee on Science, Innovation and Technology.

You can read the bill here, the statement on the amendments here, and track its progress here.

UPDATE (11 May 2023)

Bill on personal information transparency amended by Assembly Committee

The bill was amended, on 11 May 2023, by the New Jersey State Assembly Science, Innovation and Technology Committee. The bill was amended to reflect that 'business' under the bill is defined as 'a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information.' However, 'business' does not include non-profit organizations.

Likewise, the bill amendments define 'online service' as 'a person or entity that operates an online service', excluding 'any third party that operates, hosts, or manages, but does not own, an online service on the operator's behalf or processes information on behalf of the operator.'

Furthermore, the bill amendments remove the obligation of operators to provide a toll-free phone number, email address, or both for the submission of requests by a customer to review or change personally identifiable information, alongside the obligation to submit verified documents to support the consumer's request. 

You can read the bill here, the amendments here, and track its progress here.

UPDATE (9 January 2024)

Bill on personal information passes Assembly and Senate

On 8 January 2024, the New Jersey General Assembly and New Jersey State Senate voted to pass the bill, following its reporting out of the Assembly Judiciary Committee with amendments, on 18 December 2023. 

This follows the bill's introduction to the Senate in January 2022. In particular, the amendments to the bill highlight that:

• a controller may require a consumer to use an existing account to submit a verified request;
• a controller is not required to authenticate an opt-out request;
• a consumer's option to opt-out applies to sale of data or targeted advertising; and
• a controller can charge escalating amounts for second or subsequent identical consumer requests for information.

Definitions

In particular, the bill defines, amongst others, 'business,' 'consumer,' 'de-identified data,' 'commercial internet website,' 'operator,' 'personally identifiable information,' 'sale,' 'verified request,' 'consent,' 'sensitive data,' and 'targeted advertising.'

Scope

The bill applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey and that during a calendar year either:

• control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
• control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

However, the bill clarifies that it does not apply to, amongst others:

• protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services (HHS);
• a financial institution or affiliate subject to the Gramm-Leach Bliley Act of 1999 (GLBA); and
• personally identifiable information collected, processed, sold, or disclosed by a consumer reporting agency.

Obligations

The bill outlines a range of obligations and principles for controllers including:

• providing consumers with a reasonably accessible, clear, and meaningful privacy notice, with specified contents;
• purpose limitation;
• data minimization;
• taking reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
• not processing consumers' sensitive data without first obtaining consent, alongside providing a mechanism to revoke consent; and
• not conducting processing which presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment, with such assessments required to identify heightened risks.

Notably, the bill clarifies processing that presents a 'heightened risk.'

In addition, the bill stipulates that processors must adhere to the instructions of controllers and help controllers meet their obligations under the bill, pursuant to a contract with specified contents. Requirements are also noted regarding the use of sub-processors, including the need for a written contract about meeting obligations.

Consumer rights

The bill also details consumer rights, including those to:

• be informed;
• access;
• rectification;
• deletion;
• data portability; and
• opt out of the processing of personal data for the purposes of targeted advertising, sale, or profiling.

The bill prescribes timeframes within which controllers must respond to consumer requests and grounds for the extension of such timeframe. Information provided in response to consumer requests must be done free of charge, though the bill clarifies that controllers may charge for requests that are manifestly unfounded, excessive, or repetitive.

Authority

Finally, the bill determined that the Office of the Attorney General has sole and exclusive authority to enforce its provisions and that the bill shall enter into effect on the 365^th day following the date of its enactment.

You can read the bill here, the amendments to the bill here, and track its progress here.

UPDATE (16 January 2024)

Bill signed by Governor

On 16 January 2024, the bill was signed by the Governor of New Jersey, following its passage by the General Assembly and the State Senate on 8 January 2024. In particular, the bill provides for its entrance into effect 365 days following its enactment.

In particular, the Governor of New Jersey, Philip D. Murphy, clarified in their Signing Statement that amendments to the bill should not be construed as providing the basis for a private right of action for violations of the bill.

You can read the press release here, the Governor's Signing Statement here, the bill here, and track its progress here.