New Jersey - Data Protection Overview
The New Jersey Constitution ('the Constitution'), the New Jersey Revised Statutes ('the N.J. Rev. Stat.'), the New Jersey Administrative Code ('the N.J.A.C.'), various federal and state statutes, and state common law privacy rights protect the privacy of personal information in New Jersey.
The Constitution does not expressly provide for a right to privacy. However, New Jersey courts have interpreted Article 1(1) of the Constitution, which states 'all persons are by nature free and independent, and have certain natural and unalienable rights, among which are those of enjoying and defending life and liberty, of acquiring, possessing, and protecting property, and of pursuing and obtaining safety and happiness,' to guarantee an individual's right to privacy.
The New Jersey Courts ('the Courts') recognize the four common law right to privacy torts:
- false light privacy;
- public disclosure of private facts; and
- appropriation of name or likeness.
See Bisbee v. John C. Conover Agency, 452 A.2d 689, 186 N.J. Super. 335, 340 (App. Div. 1982).
The Identity Theft Prevention Act ('ITPA') (§ 56:8-161 et seq of Chapter 8 of Title 56 of the N.J. Rev. Stat.) contains the New Jersey data breach notification law.
Any organisation that conducts its business operations in New Jersey, or any public entity that compiles or maintains computerised records, shall notify a resident of New Jersey of a breach of their personal information in the most expedient time possible. The business or public entity shall first notify the New Jersey Division of State Police in the Department of Law and Public Safety. Notice is not required if the misuse of personal information by an unauthorised person is not reasonably possible. Any determination shall be documented in writing and retained for five years (§ 56:8-163(12)(a) of the N.J. Rev. Stat.).
A New Jersey business or public entity that maintains computerized records on behalf of another entity shall notify that entity (§ 56:8-163(12)(b) of the N.J. Rev. Stat.).
Personal Information is defined as an individual's first name or first initial and last name combined with one or more of the following (§ 56:8-161(10) of the N.J. Rev. Stat.):
- Social Security number;
- driver's license number or State identification card number;
- account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; and
- username, email address, or any other account holder identifying information in combination with any password or security question and answer that would access an online account.
Furthermore, personal information includes dissociated data that, if linked, would constitute personal information, if the means to link the dissociated data were accessed in connection with access to the dissociated data. For the purposes of § 56:8-161(10-15) of the N.J. Rev. Stat., personal information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.
The notification methods for a breach of personal information listed in § 56:8-163(12)(3)(f) of the N.J. Rev. Stat. differ from the general notice requirements. When notice is provided to more than 1,000 persons at one time, consumer credit reporting agencies shall be notified. A business or public entity shall document any determination that the misuse of personal information is not reasonably possible and retain that documentation for five years. It is an unlawful practice and a violation of the New Jersey Consumer Fraud Act ('CFA') to willfully, knowingly or recklessly violate this section. A consumer that proves a claim under the CFA may recover three times the amount of damages suffered and reasonable attorneys’ fees (§ 56:8-161-163 of the N.J. Rev. Stat.).
Social Security Numbers
The ITPA includes specific protections directed at Social Security numbers. In general, where a person or a public or private entity requests a Social Security number from an individual, the requesting party shall maintain the confidentiality of the Social Security number. In addition, the Act contains prohibitions against various acts including, but not limited to (§ 56:8-164 of the N.J. Rev. Stat.):
- publicly posting or displaying four or more consecutive numbers of a Social Security number;
- printing a Social Security number on mailed materials;
- printing a Social Security number on a card required to access products or services;
- intentionally communicating or making a Social Security number available to the general public; and
- requiring an individual to transmit their Social Security number over the Internet, unless the connection is secure, or the Social Security number is encrypted.
Certain exceptions may apply including the collection, use, or release of a Social Security number as required by state or federal law, where an entity uses the Social Security number for internal verification or administrative purposes, or where the Social Security number is included in a mailed application or form as part of an application or enrollment process to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the number. In the latter case, the Social Security number may not be printed on a mailer that does not require an envelope or may not be visible on an envelope without it having been opened.
Where a person or a private entity requests a Social Security number from an individual, upon request of the individual, the person or private entity shall identify the reason for requesting the individual's Social Security number. Where a public entity requests a Social Security number from an individual, the public entity shall affirmatively state the use to which the Social Security number will be put (§ 56:8-164 of the N.J. Rev. Stat.).
It is an unlawful practice and a violation of the CFA to willfully, knowingly or recklessly violate this section (§ 13:45F-5.2 of the N.J.A.C.).
The New Jersey Personal Information and Privacy Protection Act limits the personal information a retail establishment may collect by scanning an individual’s identification card (e.g., driver’s license, probationary license, non-driver photo identification card or similar state issued card); limits the retention of personal information collected for the verification of the authenticity of the card or the individual’s identity or age, and requires the secure storage of any personal information retained.
Retailers may only collect an individual’s name, address, date of birth, the state issuing the identification card, and card number for specific purposes including, but not limited to:
- verifying the authenticity of the identification card or the identity of an individual paying for goods or services by means other than cash, returning an item, or requesting a refund or an exchange;
- verifying the individual’s age;
- preventing fraud or criminal activity related to a return, refund, exchange, transaction, or opening or managing of a credit account;
- recording, retaining, or transmitting information as required or permitted by State or federal law;
- transmitting information to a consumer reporting agency, financial institution, or debt collector as permitted under the federal Fair Credit Reporting Act of 1970 ('FCRA'), the Gramm-Leach-Bliley Act of 1999 ('GLBA'), and the New Jersey Fair Debt Collection Practices Act of 2018 ('FDCPA'); or
- recording, using or transmitting information by a covered entity governed by the Health Insurance Portability and Accountability Act of 1996 ('HIPAA').
The sale or dissemination of the scanned and collected personal information by a retailer to a third party for any purpose including marketing, advertising or promotional activities, is prohibited except as permitted under the statute.
A violator of the Personal Information and Privacy Protection Act will be subject to civil penalties collected by summary proceedings instituted by the New Jersey Attorney General ('AG'). Any person aggrieved by a violation of this act may bring an action in the Superior Court to recover damages (§ 56:11-53 et seq. of the N.J. Rev. Stat.).
Electronic printing of credit card numbers on sales receipts
Retail sales establishments are prohibited from electronically printing more than the last five digits of a customer's credit card account number or the expiration date of that credit card on a sales receipt provided to the customer at the point of sale (§ 56:11-42 of the N.J. Rev. Stat.).
The New Jersey Motor Vehicle Commission, any officer, employee, or contractor is prohibited from knowingly disclosing or making available personal information obtained in connection with a motor vehicle record, subject to certain permissible disclosures and limitations on the authorized recipient’s further use. Personal information means information that identifies an individual, including an individual's photograph; social security number; driver identification number; name; address other than the five-digit zip code; telephone number; and medical or disability information. A permissible disclosure of personal information under this section shall not include a Social Security number, except in accordance with applicable state or federal law.
Knowingly obtaining or disclosing personal information from a motor vehicle record in violation of this section is a crime of the fourth degree (N.J. Rev. Stat. 39:2-3.3,3.5.).
Records relating to the administration of the state tax law are confidential and privileged and shall not be produced except under certain circumstances including, but not limited to, where the files or records are relevant to an investigation, action, proceeding or determination under the State Tax Uniform Procedure Law (§ 54:40A-21 of the N.J. Rev. Stat.) or of the state tax law affected. The unauthorised divulging, disclosing, or use of this information constitutes a crime of the fourth degree. The examination of such records for any reason other than performance of official duties constitutes a disorderly person's offense (§ 54:50-8,9 of the N.J. Rev. Stat.).
Confidential Personal Identifiers
Pursuant to New Jersey Supreme Court Rule 1:38 – Public Access to Court Records; Personal Identifiers and Redaction ('New Jersey Supreme Court Rule'), a party shall not include confidential personal identifiers in documents filed with the court, unless otherwise required by law or court order (New Jersey Supreme Court Rule 1:38(7)(a)). Confidential identifiers include a Social Security number, driver’s license number, vehicle plate number, insurance policy number, active financial account number, or active credit card number.
Invasion of privacy
In New Jersey, it is an invasion of privacy to observe, photograph, film, videotape, record, or otherwise reproduce in any manner the image of another person in a fitting room or under circumstances where a reasonable person would know the individual may expose intimate parts or engage in sexual acts and would not expect to be observed if the actor is neither licensed nor privileged to do so or has not obtained the individual’s consent. An unauthorised act of observing an individual is a crime of the fourth degree. An unauthorised act of creating an image of the individual is a crime of the third degree. Where the actor discloses such image without license, privilege or consent, it is a crime of the third degree.
This section specifically exempts the observation or recording of individuals at the entrance to a fitting room if the actor has posted notice of its intent. The disclosure of any recording of an individual within a fitting room is prohibited subject to certain exceptions involving disclosures made for criminal prosecution or activities within the scope of employment. For the purpose of this section, disclose means sell, manufacture, give, provide, lend, trade, mail, deliver, transfer, publish, distribute, circulate, disseminate, present, exhibit, advertise or offer.
Posting or providing prior notice of intent to observe, record, or disclose images and acting with a lawful purpose is an affirmative defense (§ 2C:14-9 of the N.J. Rev. Stat.).
The Cable Subscriber Privacy Protection Act of 2006 ('the Cable Privacy Act') prohibits a cable television company from using the cable television system to collect personally identifiable information relating to a subscriber, a subscriber household, or user of a subscriber terminal without the prior written or electronic consent of the subscriber. Notwithstanding, a cable television company may collect, receive, store, aggregate and use this information to provide cable television and auxiliary services to a subscriber and to detect unauthorised reception of services without first obtaining consent. Personally identifiable information means any information that identifies any individual as a subscriber to, or user of, a cable television system, or that otherwise provides information about that individual or his use of any service provided by a cable television system.
At the time of entering into the contract with a subscriber, and annually thereafter, the cable company shall provide the subscriber with written notice of its information collection practices including, but not limited to, a description of the types of information to be collected, the purpose for collecting, disclosures to third parties, and subscriber access and amendment rights. Any personally identifiable information collected by the cable company shall be used solely for the disclosed purpose and destroyed upon the first to occur: completion of the purpose for which it was collected, withdrawal of consent, or termination of the subscriber contract.
Without the prior consent of the subscriber, the company is prohibited from renting, selling or releasing this information to third parties, except to third parties providing auxiliary services or as required by law, and prohibited from monitoring household viewing practices subject to certain exceptions. The company may disclose the names and addresses of subscribers, subject to the subscriber’s right to object. Recipients of personally identifiable information may not use the information beyond the scope of the purpose for which the disclosure is made by the company and shall destroy the information upon completion of the purpose, termination of the subscriber relationship, or withdrawal of subscriber consent.
The disclosure of personally identifiable information in violation of the Cable Privacy Act or the negligent, willful or reckless violation of it, is punishable by a fine to be collected by the AG in a summary manner. The company’s failure to provide notice or failure to obtain consent shall be punishable by a fine collected by the Attorney General in a summary proceeding (§ 48:5A-54 et seq. of the N.J. Rev. Stat.).
Wiretapping, electronic surveillance and monitoring
Wiretapping, electronic surveillance, and monitoring of individuals in New Jersey is subject to the federal Electronic Communications Privacy Act of 1986 ('ECPA'), the Stored Communications Act of 1986 ('SCA'), and the Computer Fraud and Abuse Act of 1986 ('CFAA') as well as certain state statutes including the New Jersey Wiretapping and Electronic Surveillance Control Act of 2018 ('WESCA'), and state common law privacy rights.
Pursuant to WESCA the purposeful or attempted interception, disclosure, or use of contents resulting from the interception of wire, electronic, and oral communications where the person knows or has reason to know the contents were obtained through interception is prohibited subject to certain limited exceptions including where contents have become common knowledge or public information. Such actions constitute a crime of the third degree.
Exceptions include, but are not limited to, interception, disclosure, or use where:
- a person is a party to the wire, electronic, or oral communication or one of the parties gave prior consent to the interception;
- an employee of the provider of the wire or electronic communications service intercepts, discloses, or uses a communication in the normal course of their employment and during an activity necessary to the performance of their duties or to protect the rights or property of the service provider;
- a law enforcement officer is a party to the wire, electronic, or oral communication or has been instructed to intercept by a law enforcement officer who is a party to the communication; or
- access is made through an electronic communication system configured so the electronic communication is readily accessible to the public.
An aggrieved party shall have a civil cause of action against the party who intercepts, discloses, or uses a wire, electronic, or oral communication in violation of the WESCA and shall be entitled to recover the higher of actual or liquidated damages, punitive damages, and reasonable attorney’s fees. It is a crime of the third degree to knowingly use or disclose the contents of an intercepted wire, electronic or oral communication (§ 2A:156A-1 et seq. of the N.J. Rev. Stat.).
Stored Communications: It is a crime of the fourth degree to knowingly access, without or in excess of authority, a facility that provides an electronic communication service and obtain, alter or prevent authorised access to a stored wire or electronic communication. It is a crime of the third degree to do so for the purpose of commercial advantage, or private commercial gain, or malicious destruction or damage.
A provider of electronic communication services, or remote computing services, to the public, is prohibited from knowingly divulging the contents of a communication stored or processed by the service, subject to limited exceptions including disclosure to the intended recipient of the communication or with the lawful consent of the originator (§ 2A:156A-27,28 of the N.J. Rev. Stat.).
Service providers, subscribers, or customers aggrieved by this section may recover appropriate relief in a civil action which may include equitable relief, actual damages, any profits made by the violator, reasonable attorney’s fees and litigation costs (§ 2A:156a-32 of the N.J. Rev. Stat.).
Health and medical data are protected by state common law privacy rights, various state statutes and administrative codes, and federal laws including 45 CFR Parts 160 and 164 of the HIPAA, and the Confidentiality of Alcohol and Substance Abuse Patient Records Regulation, 42 CFR Part 2. New Jersey does not have a single comprehensive statute protecting the privacy and security of health and medical information. The state addresses these obligations based on the nature of the health care provider, facility, treatment, or health and medical record.
Subject to express exceptions, various state statutes and regulations create obligations regarding the confidentiality, security, access to or disclosure of, retention, and/or destruction of health or medical information and treatment records for health care providers or facilities.
These statutes and regulations apply to the following:
- licensed health care professionals (i.e., any person licensed or authorised to engage in a health care profession regulated by the New Jersey Board of Medical Examiners) § 13:35-6.5 of the N.J.A.C.;
- a general hospital licensed by the New Jersey Department of Health ('DOH'), § 26H-12.8 of the N.J. Rev. Stat.;
- insurance institutions including Health Maintenance Organizations ('HMOs'), medical service corporations, hospital service corporations, and dental service corporations, § 17:23A-1 et seq. of the N.J. Rev. Stat.; HMOs, § 26:2J-27 of the N.J. Rev. Stat.;
- dental plan organisations, § 17:48D-21 of the N.J. Rev. Stat.; pre-paid prescription services, § 17:48F-28 of the N.J. Rev. Stat.; long term care facilities (i.e. nursing homes), § 30:13-5 of the N.J. Rev. Stat., § 8:39-35 of the N.J.A.C;
- ambulatory care facilities (i.e., health care facilities that provide ambulatory care preventive, diagnostic, and treatment services including primary care, hospital outpatient, ambulatory surgery, family practice, family planning, outpatient drug abuse treatment, chronic dialysis, computerized tomography, magnetic resonance imaging, extracorporeal shock wave lithotripsy, and radiological services as well as abortion facilities, comprehensive outpatient rehabilitation facilities, and birth centers), § 8:43A-13.5-6 of the N.J.A.C.;
- home health care agencies (i.e., entity licensed by the DOH to provide preventive, rehabilitative, and therapeutic services to patients on a visiting basis in a place of residence used as a patient's home), § 8:42-11 of the N.J.A.C.;
- pharmacies, § 13:39-7 of the N.J.A.C.;
- marriage and family therapy counselors, § 13:34-8 of the N.J.A.C.; professional counselors (i.e., mental health counselors), § 45:14B-32 of the N.J. Rev. Stat., § 13:34-18 of the N.J.A.C.;
- rehabilitation counselors, § 13:34-27 of the N.J.A.C.;
- licensed clinical alcohol and drug counselors, § 45:2D-11 of the N.J. Rev. Stat., § 13:34C-4 of the N.J.A.C.;
- The New Jersey Department of Human Service's Division of Developmental Disabilities, §10:41-2 of the N.J.A.C.;
- short term care facilities (i.e., a closed acute-care adult psychiatric unit in a general hospital for short-term admission of individuals who meet the legal standards for commitment and require intensive treatment are confidential protected health information), §10:37g-3 of the N.J.A.C;
- community mental health programs, § 10:37-6.76-79 of the N.J.A.C; and
- outpatient substance use disorder treatment programs (i.e. all substance use disorder treatment facilities that provide outpatient substance use disorder treatment services; hospitals and primary health care facilities that offer hospital-based out services in a designated outpatient unit), § 10:161B-18 of the N.J.A.C.
Notwithstanding the above, medical records, or photographic reproductions, shall be retained for a period of ten years following the most recent discharge of the patient, or until the patient reaches the age of 23 years old, whichever is the longer period of time. Furthermore, discharge summary sheets of the patient shall be retained for a period of 20 years following the most recent discharge of the patient, and X-ray films or reproductions of such for a period of five years (§ 26:8-5 of the N.J. Rev. Stat.).
Several statutes specifically protect the confidentiality and limit the disclosure of certain health or medical information and treatment records: substance abuse treatment records, § 45:2D-11 of the N.J. Rev. Stat., § 26:2B-20 of the N.J. Rev. Stat.; § 13:34C-4 of the N.J.A.C.; mental health records, § 30:4-24.3 of the N.J. Rev. Stat., § 45:14B-28, 32 of the N.J. Rev. Stat.; HIV/AIDS, § 26:5C-1 et seq. of the N.J. Rev. Stat.; genetic information, § 10.5-43 et seq. of the N.J. Rev. Stat., § 17:23A-1 et seq. of the N.J. Rev. Stat.; and venereal disease, § 26:4-41 of the N.J. Rev. Stat.
Notice of patient rights: A general hospital shall provide a written summary of patient rights, including privacy and confidentiality, to the patient or guardian upon admission to the hospital and conspicuously post a copy in the patient’s room and in a public place within the hospital (§ 26:2H-12.9 of the N.J. Rev. Stat.).
Insurance carrier security measures: The state mandates that health insurance carriers implement measures to safeguard computerised health records containing personal information which they compile or maintain on an end user computer system (e.g., desktop computers, laptop computers, tablets or other mobile devices, or removable media), or transmit across public networks. These measures must secure the information by encryption or any other method which renders the information unreadable, undecipherable, or unusable by an unauthorised person. For the purposes of this statute, a health insurance carrier is an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in New Jersey. Personal information means an individual's first name or first initial and last name linked with one or more of the following:
- Social Security number;
- driver's license number or State identification card number;
- address; or
- identifiable health information.
It also includes dissociated data that, if linked, would constitute personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data. Violations of this section constitute an unlawful practice (§56:8-196 of the N.J. Rev. Stat.).
Privileges and evidentiary rules: New Jersey recognises the physician-patient privilege, § 2a:84A-22.2 of the N.J. Rev. Stat.; psychologist-patient privilege, § 45:14B-28 of the N.J. Rev. Stat.; and marriage or family therapist-patient privilege, § 458B-29 of the N.J. Rev. Stat. New Jersey Evidence Rule 534 ('Rule 534') recognises the Unified Mental Health Services Provider-Patient Privilege. Rule 534 applies to legal proceedings in New Jersey state courts and protects the disclosure of confidential communications between mental health services providers and patients that occur during the course of treatment or are related to the patient’s mental or emotional health. This privilege applies to the following:
- psychiatrists and other physicians,
- marriage and family therapists,
- social workers,
- alcohol and drug counselors,
- professional, associate, or rehabilitation counselors,
- physician assistants and
Early Intervention System: The rules for implementation of the state’s early intervention system under Part C of the federal Education of Individuals with Disabilities Act of 2000 apply to the state Departments of Health, Education, Children and Families, and Human Services; early intervention provider agencies funded through the DOH, and practitioners identified in individualised family service plans.
A services coordinator shall provide parents with notice of the state information practices regarding the collection of personally identifiable information from children potentially eligible to receive early intervention services through the New Jersey DOH's Early Intervention System. Personally identifiable information means the name of a child, a child's parent, or other family members; the address of the child or the child's family; a personal identifier, such as the child's or parent's social security number; or any list of personal characteristics or other information that would make it possible to identify the child or the child's parents with reasonable certainty.
Provider agencies shall obtain parental consent, subject to certain exceptions, prior to disclosing personally identifiable information to third parties. Parents shall have the right to review, amend, and receive a copy of the agency's early intervention record relating to their child. The regulation requires each provider agency to implement safeguards that include written policies and procedures protecting the confidentiality of personally identifiable information at collection, storage, disclosure, and destruction stages; appoint a designated person to ensure the confidentiality of personally identifiable information; train persons responsible for collecting or using personally identifiable information, and maintain for public inspection a current list of the names and positions of agency employees who may have access to personally identifiable information. The provider agency shall inform the parents when personally identifiable information is no longer needed and, at the request of the parents, destroy it subject to retention of a permanent record containing limited information (§ 8:17-12.1 of the N.J.A.C.).
The New Jersey Insurance Information Practices Act ('IIAPA') imposes obligations on insurance institutions, agents or insurance-support organisations that collect, receive, or maintain information or otherwise engage in insurance transactions with natural persons who are state residents regarding life, health, or disability insurance. The IIAPA also applies in the case of property casualty insurance to insurance transactions involving policies or certificates of insurance delivered or issued in the state.
Obligations include providing applicants or policyholders with notice of the insurance institution or agent’s information practices relating to certain insurance transactions, providing rights of access, accounting, amendment and deletion for recorded personal information, advising the applicant or policy holder of the specific reason(s) or their right to request the reasons and a summary of their rights in the event of an adverse underwriting decision, and obtaining the written consent of an applicant for insurance when requiring medical testing as a condition of issuing, extending or renewing insurance.
The IIAPA prohibits the preparation of, or request for, an investigative consumer report in connection with a policy unless the requesting party informs the individual of their rights to request an interview in connection with the report and request and receive a copy of the report; the disclosure of personal or privileged information relating to an insurance transaction except where the disclosure is based on the individual’s written authorisation or permitted under the IIAPA; and the disclosure of any personal or privileged information collected or received in connection with an insurance transaction regarding an individual's status as a victim of domestic violence or a domestic violence-related condition or the individual's status as an employer of a victim of domestic violence, subject to limited exceptions including the individual’s consent.
The Commissioner of the New Jersey Department of Banking & Insurance ('the Commissioner'), may conduct a hearing to investigate whether an insurance institution, agent or insurance-support organization has violated provisions of this IIAPA. Upon determining the existence of such a violation, the Commissioner may issue a cease and desist order and order monetary penalties for knowing violations of this statute. An individual may apply to the New Jersey Superior Court ('the Superior Court') for equitable relief from violations of their right to access, amend or delete, or receive reasons for an adverse underwriting decision. In the case of disclosures made in violation of the act, the individual may recover actual damages, costs, and reasonable attorney’s fees. It is a crime of the fourth degree for any person to knowingly and willfully obtain an individual’s personal information from an insurance institution, agent or insurance-support organisation under false pretenses (§ 17:23A-1 et seq. of the N.J. Rev. Stat.).
Licensees (i.e., all licensed insurers, producers and other persons licensed or required to be licensed, or authorised or required to be authorised, or registered or required to be registered pursuant to Titles 17 and 17B of the N.J. Rev. Stat., HMOs, and any other person or entity subject to the statute governing information practices at § 17:23A-1 et seq. of the N.J. Rev. Stat.) are subject to a duty to safeguard customer information. This includes, but is not limited to, implementing a comprehensive written information security program that includes the following:
- administrative, technical and physical safeguards for the protection of customer information;
- conducting risk assessments;
- exercising due diligence in selecting service providers;
- contractually obligating service providers to implement appropriate measures based on the licensee's risk assessment; and
- taking steps to confirm that its service providers have satisfied these obligations.
Failure to comply with these provisions constitutes a violation of the statutes governing trade practices at § 17:29B-1 et seq. and § 17B:30-1 et seq. of the N.J.A.C. (§ 11:1-44.3-10 of the N.J.A.C.).
Electronic Fund Transfers
The New Jersey Electronic Fund Transfer Privacy Act of 1984 ('EFTPA') regulates the disclosure of information in the context of an electronic fund transfer by a state or national bank, savings and loan association, mutual savings bank, or credit union, a person who directly or indirectly holds an account belonging to a consumer, or any person who issues an access device and agrees with a consumer to provide electronic fund transfer services. An electronic fund transfer means any transfer of funds, excluding transactions originated by check, draft, or similar paper instrument, that is initiated through an electronic terminal, telephone, or computer or magnetic tape for the purpose of ordering, instructing, or authorising a financial institution to debit or credit an account. This includes, but is not limited to, point-of-sale transfers, automated teller machine transfers, direct deposits or withdrawals of funds and transfers initiated by telephone. An electronic fund transfer does not include any transaction which is exempt, by statute or regulation, from the provisions of Title IX of the Federal Consumer Credit Protection Act. An account means a demand, time, or savings deposit, or other consumer asset account, excluding an occasional or incidental credit balance, that a financial institution holds directly or indirectly and is established for personal, family or household purposes. An access device refers to a card, code, or other means of access to a consumer's account that may be used by the consumer for the purpose of initiating electronic fund transfers.
Financial institutions may disclose information to a third party relating to an electronic fund transfer or account subject to written permission of the possessor of the account, or when disclosure is necessary to:
- complete an electronic fund transfer;
- verify the existence and condition of an account for a third party;
- resolve an error or an inquiry as to an alleged error;
- certain regulatory or government agency functions.
An aggrieved individual may bring a civil action against a financial institution or government agency to recover actual damages, costs, and reasonable attorney’s fees for negligently, willfully or recklessly violating this act. A court may award punitive damages for a willful or reckless violation (§ 17:16k-1 et seq. of the N.J. Rev. Stat.).
New Jersey Fair Credit Reporting Act
The New Jersey Fair Credit Reporting Act ('NJFCRA') regulates the collection and disclosure of personal information used in consumer credit reports. It provides additional consumer protection relating to consumer credit reports and consumer credit reporting agencies, consistent with the federal FCRA, including a private cause of action for violations of the NJFCRA.
A consumer report is any communication of information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or expected to be used to establish the consumer's eligibility for personal or household credit or insurance, for employment purposes, or for other permissible purposes under the NJFCRA.
The requesting party shall provide written notice to the consumer and obtain the consumer’s written permission prior to procuring an investigative consumer report.
Consumer reporting agencies may provide a consumer report on the written instructions of the consumer to whom it relates or under certain limited circumstances including, but not limited to:
- in response to a court order or a subpoena for grand jury proceedings;
- in connection with a credit transaction involving the consumer and the extension of credit to, or review or collection of the consumer’s account;
- for employment purposes;
- for underwriting of insurance involving the consumer; or
- to a person with a legitimate business need for the information.
A consumer reporting agency may only provide a consumer report for employment purposes upon certification by the requesting party that it has provided the consumer with prior written separate notice that it may obtain the consumer report, has obtained the consumer’s written consent, will not use a consumer report containing medical information about the consumer for employment purposes, or in connection with a credit, insurance or direct marketing transaction, and will not use the report in violation of applicable state and federal laws.
When using the consumer report for employment purposes, prior to taking any adverse action based on the contents of the report, the requesting party shall provide the consumer with a copy of the report and a written description of their rights under the NJFCRA.
A consumer may request and receive from the consumer reporting agency a copy of all information contained in the consumer's file, including, but not limited to, the sources of the information and the identity of any person who procured a consumer report for employment purposes during the two years preceding the request or for any other purpose during the one year preceding the request.
The consumer may dispute the completeness or accuracy of the information contained in the investigative report and the agency shall reinvestigate free of charge within thirty days of receipt of the notice.
Liability for willful or negligent noncompliance with the NJFCRA or for obtaining a consumer report under false pretenses or knowingly without a permissible purpose may result in an award of damages including, but not limited to actual damages or statutorily set damages. Any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be guilty of a crime of the fourth degree. The Division of Consumer Affairs in the Department of Law and Public Safety ('the Division of Affairs') shall enforce the provisions of the NJFCRA (§ 56:11-28 et seq. of the N.J. Rev. Stat.).
A consumer shall not be required to submit their personal identification information for recordation as a condition to using a credit card to complete a consumer transaction. Personal information includes, but is not limited to, address and telephone number. Notwithstanding, the card holder’s telephone number may be recorded if the consumer transaction does not require credit card authorization.
Violations of this section are subject to civil penalties collected by summary proceedings instituted by the AG (§ 56:11-17, 18 of the N.J. Rev. Stat.).
The data protection laws cited in the preceding sections also apply in the workplace including the disposal of certain records, restrictions on the use and display of Social Security numbers, notice of a data breach, and surveillance and monitoring.
Surveillance and monitoring
See wiretapping, electronic surveillance, and monitoring, above.
In Stengart v. Loving Care Agency, 990 A.2d 650, 665 (2010), the plaintiff was found to have a reasonable expectation of privacy regarding the content of the emails exchanged with her attorney using the employer’s laptop, where she used a personal email account and the employer’s policy did not address employee use of personal, web-based email accounts through company equipment. Furthermore, in Liebeskind v. Rutgers Univ., 2015 N.J. Super. Unpub LEXIS 137, it was held that the browsing history on the plaintiff's workplace computer was not entitled to the same expectations of privacy that emails to an attorney have.
Social Security numbers
See Social Security numbers, above.
Criminal History Background Checks
A person or non-governmental entity may obtain all New Jersey criminal history information from the State Bureau of Identification to determine an individual's qualifications for employment, volunteer work or other services. The requesting party must submit the individual’s signed written consent and the party’s signed certification attesting it is authorised to receive the record, will use the records solely for determining the individual's qualifications, will not disseminate the records for unauthorised purposes, and will permit the individual the right to confirm or deny the accuracy of the record in the event the content disqualifies the subject. The subject shall be afforded a reasonable amount of time to correct or complete the record prior to a final decision on eligibility for the position or employment (§ 13:59-1.1. et seq. of the N.J.A.C.).
An employer may obtain a consumer report for employment purposes only if it has provided the individual with notice that it may obtain the consumer report, obtained the consumer’s written authorisation to do so, and made certain attestations to the consumer reporting agency (see Financial Data, above). The employer shall provide the consumer with a copy of the report and notice of their rights under the NJFCRA and the FCRA prior to taking adverse action based on the report (§ 56:11-28 et seq. of the N.J. Rev. Stat.).
An employer, employment agency or labor organisation is prohibited from eliciting or attempting to elicit, information that would reveal the applicant’s disability or health condition, unless required or necessitated by Federal law or regulation. This does not preclude inquiring into whether an applicant is precluded from satisfactorily performing the essential functions of the job in question or inviting an applicant to identify as a person with a disability to satisfy certain purposes. Any requests for and use of such information shall comply with the federal Americans with Disabilities Act (§ 13:13-2.4 of the N.J.A.C.).
Prohibited Actions During the Application Process
The New Jersey Opportunity to Compete Act of 1999 prohibits an employer, during the initial employment application process, from making oral or written inquiries or asking on the employment application about an applicant's criminal record (§ 34:6B-11 et seq. of the N.J. Rev. Stat.).
Under the New Jersey Law Against Discrimination ('LAD'), an employer is prohibited from discriminating on the basis of an employee’s refusal to submit to a genetic test or make available the results of a genetic test to the employer (§ 10:5-12 of the N.J. Stat.).
An employer is prohibited from requesting or requiring that a job applicant or current employee disclose a username or password, or otherwise provide the employer with access, to a personal account through an electronic communications device. Furthermore, an employer shall not require that an individual waive this right as a condition of applying for or receiving an employment offer or retaliate or discriminate against an individual for exercising rights under this statute.
Personal accounts mean an account, service or profile on a social networking website used by a current or prospective employee exclusively for personal communications and unrelated to the employer’s business purposes. It does not include any account, service or profile created, maintained, used or accessed by a current or prospective employee for the employer’s business purposes or for business related communications. Electronic communications devices include computers, telephones, personal digital assistants, or similar devices.
Notwithstanding, an employer may implement internal policies on employee use of employer issued electronic communications devices, accounts, or services or those used by the employee for business purposes; conduct investigations to ensure employee compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct based on the receipt of specific information about employee activity on a personal account; conduct investigations into employee actions based on the receipt of specific information pertaining to an employee’s unauthorised transfer of an employer's proprietary information, confidential information or financial data to a personal account. The employer may view, access, or utilise information about a current or prospective employee that it can obtain in the public domain.
Violations of this act are punishable by civil penalties collectible by the Commissioner of Labor and Workforce Development ('the Labour Commissioner') in a summary proceeding (§ 34:6B-5 et seq. of the N.J. Rev. Stat.).
Salary History Inquiries: Effective 1 January 2020, the LAD prevents a New Jersey employer from screening a job applicant based on their prior wages, salaries, or benefits or requiring that their salary history satisfy certain criteria. Any employer who violates this section shall be liable for civil penalties collectible by the Labour Commissioner in a summary proceeding (§ 10:5-12.12 of the N.J.A.C.).
Various New Jersey statutes protect individuals from certain unsolicited communications, in addition to the Federal Telephone Consumer Protection Act of 1991 ('TCPA') and Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM').
Unsolicited Advertisements to FAX Machines: Persons within New Jersey are prohibited from using a FAX machine, computer, or other device to send unsolicited advertisements to FAX machines located within New Jersey, subject to certain exceptions including within an existing business relationship with the residential or business subscriber. An unsolicited advertisement means any material that advertises the commercial availability or quality of any property, goods, or services which is transmitted to any person without their prior express invitation or permission. Specific rules apply to non-profit organisations and their members.
When the sender is permitted to send an unsolicited advertisement by FAX, the first page shall include a notice that advises the recipient of the right to request the sender not send future unsolicited advertisements and includes the sender’s domestic address and FAX machine number for receiving the request.
A violation of this act constitutes an unlawful practice pursuant to § 56:8-1 et seq. of the N.J. Rev. Stat. and shall be subject to all remedies and penalties available under this provision. Any person aggrieved by a violation of this act may bring an action in the Superior Court to enjoin further violations or for damages (§ 56:8-157 et seq. of the N.J. Rev. Stat.).
Telemarketers: The New Jersey Division of Consumer Affairs maintains a Do Not Call Registry consisting of New Jersey telephone numbers culled from the Federal Do Not Call Registry. Pursuant to the state Telemarketing Do Not Call Law, telemarketers are prohibited from making or causing to be made unsolicited telemarketing sales calls to a New Jersey resident whose number is on the do not call list, subject to certain limited exceptions; calling between the hours of 9:00 p.m. and 8:00 a.m. local time; or calling a telephone number that has been identified as belonging to a commercial mobile service device.
A telemarketer is any entity, regardless of legal form, that on behalf of itself or others makes residential telemarketing sales calls to a customer in New Jersey, or any person who directly controls or supervises the conduct of a telemarketer doing so. A telemarketing sales call is one made by a telemarketer to a customer in New Jersey as part of a plan, program or campaign to encourage the purchase or rental of, or investment in merchandise, except for continuing services. It does not include a call made to an existing customer solely to collect on accounts or follow up on a contractual obligation.
Telemarketers may call a customer on the do not call list if the customer is an existing customer, unless the existing customer has stated they no longer wish to receive the telemarketer’s calls. The telemarketer may call a customer on the do not call list who is not an existing customer only after obtaining the customer’s prior written affirmative consent, telephone number, and signature.
Telemarketers are subject to specific requirements for disclosures during calls, recordkeeping, and employee training.
A violation of this statute is an unlawful practice subject to the penalty provisions of § 56:8-13 and § 56:8-14.3 of the N.J. Rev. Stat., and subject to investigation and prosecution by the Division of Consumer Affairs. Defenses to liability include, but are not limited to, maintaining an updated copy of the no call list, written policies and procedures relating to the statute, and records demonstrating compliance (§ 56:8-119 et seq. of the N.J. Rev. Stat.; § 13:45D-1.1 et seq. of the N.J.A.C.).
The CFA includes a prohibition on the use of false promises, misrepresentations, or the knowing omission of any material fact in connection with the sale or advertisement of any merchandise or real estate, regardless of whether any person has in fact been misled, deceived or damaged as a result (§ 56:8-2 of the N.J. Rev. Stat.). Moreover, enforcement activity by the AG for alleged violations of the CFA has included settlement agreements that require a party to clearly describe the personal information it collects, how the information is used, and whether the information is provided to third parties involving.
Truth in Consumer Contract, Warranty and Notice Act: The New Jersey Truth in Consumer Contract, Warranty and Notice Act of 1981 ('TCCWNA') includes a provision prohibiting a seller, lessor, creditor, lender or bailee in the course of its business from displaying to a consumer or prospective consumer any written consumer warranty, notice or sign which includes any provision that violates any clearly established legal right of a consumer or responsibility of a seller, lessor, creditor, lender or bailee as established by State or Federal law at the time the notice or sign is given or displayed. A person that violates this section shall be liable to the aggrieved consumer for a civil penalty (§ 56:12-14 et seq. of the N.J. Rev. Stat.). The New Jersey Supreme Court has ruled that the TCCWNA applies only to consumers who have suffered some form of harm resulting from the defendant’s actions; see Spade v. Select Comfort Corp., 181 A.3d 969, 232 N.J. 504 (2018).
Data Disposal and Destruction: The ITPA requires that a business or public entity securely destroy, or arrange for the destruction of, customer records within its custody or control that contain personal information when the information is no longer needed. It is an unlawful practice and a violation of the CFA to willfully, knowingly or recklessly violate this section (§ 56:8-162 of the N.J. Rev. Stat.).
Computers: It is a criminal act for a person to purposely or knowingly and without authorisation, or in excess of authorisation to access, attempt to access, alter, damage, or destroy any data, database, computer storage medium, computer program, computer software, computer equipment, computer, computer system or computer network including with intent to defraud or obtain another’s services, property, or personal information; to deny, disrupt or impair computer services or Internet access; to obtain, take, copy or use any information stored in a computer including, but not limited to, personal identifying information; and to access and recklessly alter, damage or destroy any data, data base, computer, computer storage medium, computer program, computer software, computer equipment, computer system or computer network.
It is a criminal act to purposely or knowingly and without authorisation access, or access in excess of authorisation, any data, database, computer, computer storage medium, computer software, computer equipment, computer system and knowingly or recklessly disclose or cause to be disclosed information contained within including, but not limited to, personal identifying information or information protected by law, court order or rule of court (§ 2C:20-25,31 of the N.J. Rev. Stat.).
Local boards of education, in conjunction with law enforcement, shall offer a fingerprint program for the protection of public-school students in kindergarten through grade nine. A parent, guardian, or temporary caretaker shall provide voluntary, written, signed authorisation. The fingerprint record will include the student’s name, address, race, sex, date of birth, birthplace, physical features and the name of the parent or guardian. Completed records shall be provided to the student’s parent or guardian and may not be retained by local law enforcement for their own records (§ 18A:36-29 to 31 of N.J. Rev Stat.).
The New Jersey Genetic Privacy Act of 1996 requires a person to obtain informed consent from an individual prior to obtaining genetic information, subject to certain exceptions, in accordance with regulations promulgated by the Commissioner of the DOH in consultation with the Commissioner of the New Jersey Department of Banking and Insurance. No person shall retain genetic information that can be identified as belonging to an individual or family without obtaining the informed consent of the individual, subject to certain exceptions. The DNA sample from which the genetic information has been obtained shall be promptly destroyed at the request of the individual, unless necessary for certain investigations or as authorised by court order. Where the DNA sample is collected for research it shall be promptly destroyed if the individual withdraws from the project or upon completion of the project. DNA collected for insurance or employment purposes shall be destroyed upon completion of the purpose. An individual or their representative may inspect, request correction, or obtain genetic information from their records (§ 10:5-43 et seq. of the N.J. Rev. Stat.).
Student data in New Jersey is protected by various state and federal statutes, including the Federal Family Educational Rights and Privacy Act ('FERPA'), and state common law privacy rights.
All district boards of education and private agencies that provide educational services by means of public funds shall compile and maintain student records and regulate access, disclosure, or communication of information contained in these records in a manner that assures the security of such records. Mandated student records shall contain the student's name, address, telephone number, date of birth, name of parent(s), gender, standardised assessment results, grades, attendance, classes attended, grade level completed, year completed, and years of attendance; record of daily attendance; descriptions of student progress according to the student evaluation system used in the school district; history and status of physical health compiled in accordance with New Jersey regulations, including results of any physical examinations given by qualified school district employees and immunisations; records pursuant to rules and regulations regarding the education of students with disabilities; and all other records required by § 6A of the N.J.A.C.
Parents, adult students, and emancipated minors shall receive annual written notice of their rights regarding student records. Rights include access to the student record; prohibiting the school from including certain information in a student directory; challenging the accuracy, relevance or disclosure of student records; and seeking to expunge, amend, or add data and reasonable comments to the student record.
District boards of education shall maintain the confidentiality of all student records with name, Social Security number, address, and telephone number. A student’s health records shall be maintained separately from other student records.
Student records may be stored electronically or in paper format. Electronically stored records shall have proper security and backup procedures. Only authorised persons shall have access to student records, including student health records, consistent with applicable State and Federal statutes and regulations including the FERPA and the Federal Freedom of Information Act of 1966 ('FOIA') or as necessary in connection with an emergency.
Records of currently enrolled students may be disposed of once the information is no longer necessary to provide educational services, subject to the written consent of the parent or adult student. Upon graduation or permanent departure from a school district, the parent or adult student shall be notified of the right to receive the entire student record upon request. The public school district where the student was last enrolled or from where they graduated or permanently departed shall keep a record of a student's name, date of birth, name of parents, gender, health history and immunisation, standardised assessment results, grades, attendance, classes attended, grade level completed, year completed, and years of attendance for 100 years. All other information within the student record may be disposed of after providing written notice to and obtaining written consent from the parent or adult student (§ 18A:36-19 of the N.J. Rev. Stat. and § 6A:32-7.1 et seq. of the N.J.A.C.).
A student’s parent or guardian must provide informed prior written consent and have an opportunity to review the document before a school district administers any survey, analysis, or evaluation to the student that reveals information related to political affiliations; mental and psychological problems; sexual behavior and attitudes; illegal, anti-social, self-incriminating and demeaning behavior; critical appraisals of other individuals with whom a respondent has a close family relationship; legally recognised privileged or analogous relationships; income, other than that required by law to determine eligibility for participation in a program or receiving financial assistance; or a social security number (§ 18A:36-34 of the N.J. Rev. Stat.).
Disclosure of student information on Internet
A school district or charter school Internet website may not disclose a student’s personally identifiable information without the prior written consent of the student’s parent or guardian (§ 18A:36-35 of the N.J. Rev. Stat. and § 6A:327.4 of the N.J.A.C.).
Public school students are not required to supply information on their race, ethnicity, migrant status or economically disadvantaged status for materials to be distributed in class and no such information shall be included in any materials distributed to a student in a public school (§ 18A:36-36 of the N.J. Rev. Stat.).
When a school district or charter school provides a student with an electronic device including, but not limited to, a laptop computer or cellular phone it must also provide a written or electronic notice advising the following:
- the device may record or collect information relating to their activities, location, and use of the device; and
- the school will not use these capabilities in a manner that will violate the privacy rights of the student or anyone living with the student.
The student’s parent or guardian must provide the school with acknowledgment of the receipt of the notice. Failure to provide students with written notice shall subject the school district or school to a fine remitted to the New Jersey Department of Education (§ 18A:36-39 of the N.J. Rev. Stat.).
Public and private institutions of higher education located in New Jersey are prohibited from requiring an applicant or student to provide or disclose any user name or password, or in any way provide access, to a personal account or service through an electronic communications device; inquiring as to whether a student or applicant has an account or profile on a social networking website; preventing an applicant or student from participating in activities sanctioned by the institution, or discriminating or retaliating against a student or applicant for refusing to provide or disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device; or requiring an applicant or student to waive these rights. An aggrieved individual may institute a civil action for injunctive relief, compensatory and consequential damages, reasonable attorneys’ fees and costs (§ 18A:3-29 to 32 of the N.J. Rev. Stat.).
The Commissioner of Education must develop and distribute guidelines to ensure school personnel do not disclose information that may reveal a student's transgender status, except as allowed by law (§ 18A:36-41 of the N.J. Rev. Stat.).
The New Jersey AG has entered into settlements related to the Children's Online Privacy Protection Act of 1998 ('COPPA') based on alleged violations of COPPA and the CFA.