New Jersey - Sectoral Privacy Overview
Article I, Paragraph 1, of the New Jersey State Constitution ('the Constitution') provides that, 'All persons have certain unalienable rights, among which are those of enjoying and defending life and liberty, of acquiring, possessing, and protecting property, and of pursuing and obtaining safety and happiness'. The State's courts recognise this clause as bestowing on individuals the right to substantive due process and privacy.
Article I, Paragraph 7 of the Constitution further provides and recognises: 'The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no warrant shall issue except upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the papers and things to be seized.'
The New Jersey courts have interpreted this clause of the Constitution to have created a constitutionally protected right to privacy that provides broader protections than the Fourth Amendment of the Constitution of the United States.1 However, a reasonable expectation of privacy is required to establish a protected privacy interest.2
New Jersey recognises four related invasion of privacy torts:
- unreasonable intrusion (upon seclusion);
- appropriation of the other's name or likeness (or the right of publicity discussed further below);
- unreasonable publicity given to one's private life; and
- publicity that normally places the other in a false light before the public.
New Jersey courts recognise a common law privacy tort of intrusion upon seclusion when a person intentionally intrudes upon a person's solitude or seclusion or private affairs, whether the intrusion is physical or otherwise (e.g. online), 'if the intrusion would be highly offensive to a reasonable person'.3 To maintain a claim, a person does not need to show publication of the information.4 However, the right of privacy will be balanced against the public interest of safety.5 Further, there is no intrusion where a person has no reasonable expectation of privacy.6
New Jersey also recognises the tort of 'invasion of privacy by unreasonable publication of private facts [that] occurs when it is shown that "the matters revealed were actually private, that dissemination of such facts would be offensive to a reasonable person, and that there is no legitimate interest of the public in being apprised of the facts publicized"'.7
In its 2013 ruling in State v. Earls, 70 A.3d 630 (2013), the Supreme Court of New Jersey held that cell phone location records cannot be obtained without the police obtaining a warrant, even when those records may otherwise have confirmed criminal conduct.8 Indeed, the Court found that, '[w]hen people make disclosures to phone companies and other providers to use their services, they are not promoting the release of personal information to others. Instead, they can reasonably expect that their personal information will remain private'.9
The Court recognised that using a cell phone to determine the location of its owner 'is akin to using a tracking device' and that this 'degree of intrusion' would not be anticipated by a reasonable person.10 As such, the Court ruled that such information could only be made available to law enforcement officials if a warrant were properly issued.11 Without a warrant, this type of information could reveal 'an intimate picture of one's daily life' and 'reveal not just where people go - which doctors, religious services, and stores they visit - but also the people and groups' with whom they choose to affiliate.12
New Jersey courts have also recognised the right of an individual to prevent unauthorised appropriation of their name or likeness for commercial purposes (or a 'right of publicity').13 While not a right of 'privacy' as we may think of it today, it is a recognised right of an individual to prevent others from commercially exploiting their image or identity.14 In New Jersey, courts have further found that this right survives one's death.15
New Jersey does not have a piece of legislation akin to either the California Consumer Privacy Act of 2018 ('CCPA') or the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). That said, readers should be aware of the following.
The Personal Information and Privacy Protection Act 2016 ('the Act'), under §56:11-53 to 55 of Title 56 of the New Jersey Annotated Statute ('N.J. Stat. Ann.'), restricts the right of a retail establishment to scan a person's identification card (see N.J. Stat. Ann. §56:11-54(a) for the definition of an identification card) except for the following limited purposes (N.J. Stat. Ann. §56:11-54(b)):
- to verify the authenticity of the card or the identity of the person where the person pays for goods or services with a method other than cash;
- to verify a person's age for the sale of restricted goods (e.g., alcohol);
- to prevent fraud or other criminal activity if a person requests a refund or exchange of goods;
- to prevent fraud or other criminal activity in a credit transaction or to open a credit account;
- to establish or maintain a contract;
- to record, retain or transmit information required by federal or state law;
- to transmit information to a consumer reporting agency, financial institution, or debt collector where permitted by the Fair Credit Reporting Act of 1970 ('FCRA'), the Gramm-Leach-Bliley Act of 1999, and the Fair Debt Collection Practices Act; or
- to record, retain, or transmit information by a covered entity governed by the medical privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.
Any entity that retains such information pursuant to Sections 3 to 8 of the Act must securely store the information, and any breach of the security of the information must be reported to the Division of State Police of the New Jersey Department of Law and Public Safety and the impacted person, as required under §56:8-163 of Title 56 of the N.J. Stat. Ann. (N.J. Stat. Ann. §56:11-54(d)(2)). Further, no entity that receives information can sell or disseminate to a third party any information obtained under the Act for any purpose, including for marketing, advertising, or other similar activity (N.J. Stat. Ann. §56:11-54(d)(3)).
Violations of the Act will result in civil penalties of $2,500 for the first violation and $5,000 for any subsequent violation (N.J. Stat. Ann. §56:11-55(a)). Additionally, the Act creates a private cause of action for the recovery of proven damages (N.J. Stat. Ann. §56:11-55(b)).
The New Jersey Wiretapping and Electronic Surveillance Control Act ('the Wiretap Act'), under §§2A:156A-1 to 37 of Title 2A of the N.J. Stat. Ann., proscribes the purposeful interception of any wire, electronic or oral communication. The statute applies to private employers, as discussed further in section 5 below. However, New Jersey is considered a 'one-party state', meaning that if two persons are involved in a communication by telephone or other device, provided that one of the participants consents to the conversation being intercepted, then the interception or recording of that communication does not violate the law (N.J. Stat. Ann. §2A:156A-4(d)).
To obtain telephone billing or toll records, the State must apply for a court order under the Wiretap Act. The Wiretap Act requires the State to demonstrate 'specific and articulable facts showing that there are reasonable grounds to believe that the record[s sought are] relevant and material to an ongoing criminal investigation' (N.J. Stat. Ann. §2A:156A-4(e)). 'The requested records must cover a finite period of time which does not extend beyond the date of the order'.16
Absent an exception to the law, violations will entitle a person to seek redress in a private cause of action, seeking actual damages, but not less than statutory damages of $100 per day of violation or $1,000, whichever is greater, punitive damages, attorneys' fees, and court costs (N.J. Stat. Ann. §2A:156A-24). Further, a violation of the Wiretap Act is a criminal offense in the third degree, and includes fines up to $15,000 and imprisonment (see N.J. Stat. Ann. §2A:156A-3; §2C:43-3(b)(1); §2C:43-6(a)(3)).
The New Jersey Identity Theft Prevention Act ('the Identity Theft Prevention Act'), under §56:11-44 et seq. of Title 56 of the N.J. Stat. Ann., in conjunction with N.J. Stat. Ann. §§56:8-161 to 166.1, prohibits an individual or business from publicly posting or displaying an individual's social security number. Specifically, N.J. Stat. Ann. §56:8-164 sets forth permitted and proscribed uses of social security numbers ('SSNs'). Among other things, no person, business, or public entity may:
- post or display any four or more consecutive numbers from an SSN;
- print an SSN on any materials mailed to the individual unless required by State and/or Federal law;
- intentionally disclose or otherwise make available to the general public a person's SSN;
- require an individual to transmit their SSN over the internet except with a secure connection or where the SSN is encrypted; or
- require an individual to use their SSN to access a website unless a unique password or personal identification or other authentication device is also required.
A person, business, or entity can use an SSN for internal verification and administration purposes provided the use does not involve the release of the SSN to a person not designated by the entity to perform an associated function (e.g., a credit check) or as authorised by law (N.J. Stat. Ann. §56:8-164(b)).
Note that an SSN can be included in applications or enrolment processes, and mailed for such purposes provided that the SSN is not on a postcard or other mailer without an envelope, or where the SSN could be viewed through a window in the mailing envelope (N.J. Stat. Ann. §56:8-164(d)).
The statute does not apply to recorded documents, or documents required to be open to the public under the Open Public Records Act, under §§47:1A-1 to 13 of Title 47 of the N.J. Stat., nor does it apply to records required by statute, case law, court rules or made available to the public under Article VI of New Jersey's Constitution (N.J. Stat. Ann. §56:8-164(d)).
This statute is complemented by the Identity Theft Prevention Act, which recognised in its findings that it is 'a valid public purpose [...] to ensure that the Social Security numbers of the citizens of the State [...] are less accessible in order to detect and prevent identity theft and to enact other protections and remedies' (N.J. Stat. Ann. §56:11-45(e)). To achieve these goals, individual consumers have the right to freeze their credit (N.J. Stat. Ann. §56:11-46)17; and if a credit freeze is in place, then a consumer reporting agency cannot change the following information in a consumer's credit record without sending written confirmation of the change to the consumer within 30 days of the change being posted: name, date of birth, SSN, or address (N.J. Stat. Ann. §56:11-47). Where the change relates to the consumer's address, written notice needs to be given to both the old and new address (N.J. Stat. Ann. §56:11-47).
§2C:21-17 of Title 2C of the N.J. Stat. Ann. makes it a crime to obtain any personal identifying information18 of another, and use that information, or assist another to use that information 'in order to assume the identity of or represent himself as another person, without that person's authorization and with the purpose to fraudulently obtain or attempt to obtain a benefit or services, or to avoid the payment of debt or other legal obligation or avoid prosecution for a crime by using the name of the other person' (N.J. Stat. Ann. §2C:21-17(a)(4)).
This statute applies to any such activity, whether conducted via an electronic communication, through a website or otherwise (N.J. Stat. Ann. §2C:21-17(a)). If the 'benefit' is less than $500, and the offense involves only one victim, the offense is a fourth-degree crime unless the offender is a repeat offender (N.J. Stat. Ann. §2C:21-17(c)(1)). Identity theft impacting at least two persons, but less than five persons, or which involves more than $500 but less than $75,000 is a third-degree crime (N.J. Stat. Ann. §2C:21-17(c)(2)). Where the offense involves a benefit of more than $75,000 or more than five victims, it is considered a second-degree offense (N.J. Stat. Ann. §2C:21-17(c)(3)).
§2C:14-9 of Title 2C of the N.J. Stat. Ann. makes an invasion of privacy a criminal act where the actor exposes the intimate parts of an individual or images of a person in the act of sexual contact without 'license […] or privilege […] to do so' (N.J. Stat. Ann. §2C:14-9(b)(1)). It is a further invasion of privacy and a criminal act to film, record, or otherwise reproduce an image of a person in undergarments without consent (N.J. Stat. Ann. §2C:14-9(c)). The recording of a person engaged in sexual contact without consent is also criminal conduct under the statute (N.J. Stat. Ann. §2C:14-9(d)). The law was, in part, targeted at the unauthorised viewing and/or photographing of persons in dressing rooms (see generally N.J. Stat. Ann. §2C:14-9).
New Jersey statutes also target criminal computer activity (see §2C:20-25 of Title 2C of the N.J. Stat. Ann.). A person is guilty of computer criminal activity if the person purposely or knowingly and without authorisation, or in excess of authorisation:
- accesses or attempts to access any data, data base, computer, computer storage medium, computer program, computer software, computer equipment, computer system or computer network for the purpose of executing a scheme to obtain personal identifying information from the owner of a computer or any third party (N.J. Stat. Ann. §2C:20-25(c)); or
- obtains, takes, copies, or uses any data, data base, computer program, computer software, personal identifying information, or other information stored in a computer, computer network, computer system, computer equipment or computer storage medium (N.J. Stat. Ann. §2C:20-25(e)).
The violation of N.J. Stat. Ann. §2C:20-25(c) is a second degree crime if the value of the information obtained exceeds $5,000 (N.J. Stat. Ann. §2C:20-25(g)). The violation of N.J. Stat. Ann. §2C:20-25(e) is a second degree crime where the information or computer accessed contained 'personal identifying information, medical diagnoses, treatments or other medical information concerning an identifiable person' (N.J. Stat. Ann. §2C:20-25(g)(1)).
Crimes under both N.J. Stat. Ann. §2C:20-25(c) and (e) are escalated to first degree crimes where the access or taking creates a risk of, or causes, death or significant bodily injury, or damages in excess of $250,000 (N.J. Stat. Ann. §2C:20-25(g)). Where the victim is under the age of 18, this is an aggravating circumstance considered at the time of sentencing (N.J. Stat. Ann. §2C:20-25(h)).
Driving records are protected by New Jersey state law. Under the Motor Vehicles and Traffic Regulation, under Title 39 of the N.J. Stat. Ann., the New Jersey Motor Vehicle Commission is proscribed from disclosing a person's personal information without consent (N.J. Stat. Ann. §39:2-3.4). Under the statute, personal information includes photograph, SSN, driver identification number, name, address, telephone number, and medical or disability information (N.J. Stat. Ann. §39:2-3.3). Personal information, for purposes of this law, does not include one's accident records or violations or status as a driver (e.g. whether one's license is suspended or revoked) (N.J. Stat. Ann. §39:2-3.3). Individuals have a private cause of action for violations of this law, including actual damages, which can be no less than statutory damages of $2,500, punitive damages, equitable relief, attorneys' fees and costs (N.J. Stat. Ann. §39:2-3.6). A knowing disclosure of personal information from motor vehicle records is also a fourth-degree crime, with fines up to $10,000 and a prison term of up to 18 months (see N.J. Stat. Ann. §39:2-3.5; §2C:43-3; §2C:43-6).
As noted above, when a person accesses or obtains computer records containing medical information regarding an identifiable person, the same is a criminal offense (N.J. Stat. Ann. §2C:20-25).
During the rise of the AIDS crisis, New Jersey courts reaffirmed that "[d]isclosure of a family member's medical condition, especially exposure to or infection with the AIDS virus is a disclosure of a 'personal matter'".19 New Jersey courts have further confirmed that "[p]atients have a privacy right in their medical records and medical information".20
Additionally, under New Jersey's Genetic Privacy Act ('the Genetic Privacy Act'), under §10:5-43 to 50 of Title 10 of the N.J. Stat. Ann., no person can access or receive another person's genetic information without that person's consent, with limited exemptions for (N.J. Stat. Ann. §10:5-45):
- law enforcement agencies investigating criminal activity;
- to determine paternity of a child;
- to identify a corpse;
- for anonymous research;
- for newborn screening where required by law; or
- where authorised by federal law.
The Genetic Privacy Act also prohibits compelling a person to disclose the identity of a person undergoing genetic testing (N.J. Stat. Ann. §10:5-47).
A violation of the Genetic Privacy Act gives rise to a private cause of action, allowing the aggrieved individual to seek damages for economic loss, emotional harm, and bodily damage (N.J. Stat. Ann. §10:5-49(c)). Violations of the Genetic Privacy Act may also result in a $1,000 fine and a six-month prison term (N.J. Stat. Ann. §10:5-49(a)). Wilful disclosures carry a $5,000 fine and a one-year prison term (N.J. Stat. Ann. §10:5-49(b)).
More recently, New Jersey enacted legislation restricting health insurance carriers regarding computerised records. Specifically, §56:8-197 of Title 56 of the N.J. Stat. Ann. prohibits health insurance carriers from compiling or maintaining 'computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person' (N.J. Stat. Ann. §56:8-197(a)).21 The law goes further to provide that the use of a mere password protection program is not sufficient for compliance if that program 'only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program' (N.J. Stat. Ann. §56:8-197(a)). Notably, the law only applies to user computer systems and computerised records transmitted across public networks (N.J. Stat. Ann. §56:8-197(b)).
On 13 June 2020, Governor Murphy issued Executive Order No. 154, which authorised the reopening of facilities under certain restrictions, including requiring employees to answer health screening questions before the premises could reopen.
Governor Murphy subsequently issued Executive Order No. 252, which, as of 7 September 2021, directs covered health care and high-risk congregate settings to maintain policies that require workers to either provide proof that they have been fully vaccinated or submit to COVID-19 testing at a minimum one to two times weekly.
As to mental-health records, §30:4-24.3 of Title 30 of the N.J. Stat. Ann. prohibits broad access to records maintained by institutions and agencies providing mental health services. Specifically, these records must be kept confidential and cannot be disclosed except with consent of the individual or a legal guardian or parent with limited exceptions.
N.J. Stat. Ann. §56:11-51 precludes a creditor from denying credit to or reducing the credit limit of an individual solely due to the individual being the victim of identity theft.22 A creditor that violates this law will be liable for a civil penalty not to exceed $5,000 for each violation, payable to the Commissioner of Banking and Insurance (N.J. Stat. Ann. §56:11-52).
As noted above, the Wiretap Act applies to private employees to protect those employees from employers intercepting their private communications. However, the law excludes employer-issued devices and the interception of communications on those devices by employers where the device is used in the normal course of business (N.J. Stat. Ann. §2A:156A-2(d)(1)).
The analysis differs, however, where the company-issued device is used by an employee to communicate with the employee's personal attorney through a personal (not a company-issued) email account. In Stengart v. Loving Care Agency, Inc., 990 A.2d 650, 655 (N.J. 2010), the court addressed whether "an employee can expect privacy and confidentiality in personal e-mails with her attorney, which she accessed on a computer belonging to her employer". Stengart used her company-issued computer to correspond with her attorney through her "personal, password-protected, web-based e-mail account". In the course of discrimination litigation that ensued, the employer "hired a computer forensic expert to recover all files stored on the laptop including the e-mails, which had been automatically saved on the hard drive". The Supreme Court of New Jersey held that the employee "could reasonably expect that email communications with her lawyer through her personal [web-based email] account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them".
The New Jersey Social Media Act, under §34:6B-5 to 10 of Title 34 of the N.J. Stat. Ann., prohibits an employer from requiring a current or prospective employee to provide the access credentials for such person's personal social media accounts (N.J. Stat. Ann. §34:6B-6). Further, employers cannot compel employees to waive this right as a condition to employment (N.J. Stat. Ann. §34:6B-7). The Act does, however, allow an employer to view an employee's or prospective employee's public postings on social media, and further allows an employer to access social media accounts created or maintained for the employer (N.J. Stat. Ann. §34:6B-10).
If, however, an employer suspects that an employee has been engaged in a violation of law or misconduct, or has stolen confidential or financial data of the employer, then an employer under such circumstances can seek access to an employee's personal social media account (N.J. Stat. Ann. §34:6B-10(b)).
The statute does not create a private cause of action; however, employers violating the Act are subject to civil fines of $1,000 for the first violation and $2,500 for each subsequent violation (N.J. Stat. Ann. §34:6B-9).
An employer cannot require a potential employee to answer inquiries as to the prospect's criminal record during the initial employment application process (N.J. Stat. Ann. §34:6B-14(a)). However, the employer can, after the initial screening, require a complete employment application, including a criminal background check (N.J. Stat. Ann. §34:6B-14(c)). Further, an employer can elect not to hire an employee based on the results of that background check or inquiry unless the record had been expunged or erased by pardon (N.J. Stat. Ann. §34:6B-14(c)).
As of 1 January 2020, New Jersey law prohibits an employer from screening employees based on salary history, including but not limited to prior salaries, wages, or benefits (see N.J. Stat. Ann. §10:5-12.12; §34:6B-20(a)(1)). Further, if an employer asks a prospective employee to voluntarily disclose prior salary history, and the employee declines, the employer cannot take that refusal into consideration when evaluating whether to hire the candidate (N.J. Stat. Ann. §10:5-12.12, §34:6B-20(b)(1)). There are exceptions where, for example, a new manager knows an employee's salary because the employee worked for another division of the company, or where salary is required to be disclosed by law (N.J. Stat. Ann. §34:6B-20(c)). If a job applicant is a member of a protected class, violations of the law are enforced by the Attorney General, and the subject employee or prospective employee can seek recourse by hiring, reinstatement or promotion, as well as back pay and attorneys' fees (see N.J. Stat. Ann. §10:5-14.1; §10:5-14.1a; §10:5-27.1). Civil penalties may also be assessed, ranging from $1,000 to $10,000 per violation for sharing salary information without an employee's consent (N.J. Stat. Ann. §34:6B-20(e)(1)).
Employers can confirm whether an individual holds a commercial driver's license where required by the Commercial Motor Vehicle Safety Act of 1986 (N.J. Stat. Ann. §39:2-3.4(c)(8)). Employers can also obtain information about a potential or current employee's motor vehicle record with the employee's notarised consent (N.J. Stat. Ann. §39:2-3.4(c)(10)).
Employers are required by the Identity Theft Prevention Act to destroy all paper or electronic records containing personal information when those records are no longer needed (N.J. Stat. Ann. §56:8-162). Note, however, that certain records regarding employees must be retained for six years (§12:56-4.4 of Chapter 56 of Title 12 of the New Jersey Administrative Code ('N.J. Admin. Code')). If an employer's records are breached, exposing personnel records, personnel must be notified of that breach (N.J. Stat. Ann. §56:8-163(a)). Personal information here means an individual's name linked with one of the following: SSN, driver's license number, state identification card number, credit or debit account with any security or other access credentials, username, email address, or other account holder information together with password and security question that would allow access to the online account (N.J. Stat. Ann. §56:8-161). An individual can pursue a private cause of action for wilful, knowing or reckless violations of this requirement (N.J. Stat. Ann. §56:8-166).
New Jersey employers must obtain informed consent from employees before obtaining any genetic information about an employee under the Genetic Privacy Act (N.J. Stat. Ann. §10:5-45).
Internet service providers can disclose certain subscriber information in response to a grand jury or trial subpoena. Information may include the subscriber's name, address, telephone number, types of service, and means and source of payment.
In 2016, the State enacted legislation proscribing the publication of certain information on the internet. No person, business or association may disclose on the internet 'the home address or unpublished home telephone number of any active, formerly active, or retired judicial officer, [...] prosecutor, or law enforcement officer under circumstances in which a reasonable person would believe that providing that information would expose another to harassment or risk of harm to life or property' (N.J. Stat. Ann. §56:8-166.1(a)). The law created a private cause of action allowing not only the impacted officer, but any person living at the home address in question, to seek civil relief before the courts (N.J. Stat. Ann. §56:8-166.1). The law provided for such persons to recover actual damages, which in no event would be less than statutory damages of $1,000 per violation, punitive damages upon a showing of willful or reckless disregard of the law, attorneys' fees, costs, and equitable relief (N.J. Stat. Ann. §56:8-166.1(c)). For purposes of the law, 'disclose' includes to 'solicit, sell, manufacture, give, provide, lend, trade, mail, deliver, transfer, post, publish, distribute, circulate, disseminate, present, exhibit, advertise, or offer' (N.J. Stat. Ann. §56:8-166.1(d)).
Then, in response to the shooting of the son of a member of New Jersey's judiciary, on 20 November 2020, the Daniel Anderl Judicial Security and Privacy Act of 2020 came into effect. The law, which amends New Jersey's Open Public Records Act, excludes from the definition of a government (read: 'public') record any document which discloses the home address of any active or retired judge, prosecutor or law enforcement officer (N.J. Stat. Ann. §47:1A-1.1). The law further proscribes government agencies, individuals and/or businesses from knowingly publishing online or otherwise releasing or making available the home address and/or unpublished home telephone number of any active or retired judge, prosecutor or law enforcement officer (N.J. Stat. Ann. §56:8-166.1(a)).
As noted above in the discussion of N.J. Stat. Ann. §2C:20-25, where the victim is under the age of 18, this is an aggravating circumstance that is taken into consideration by the courts at the time of sentencing (N.J. Stat. Ann. §2C:20-25(h)).
New Jersey has not adopted state legislation regarding unsolicited bulk or commercial emails. However, New Jersey has adopted legislation regarding unsolicited facsimiles and unsolicited telemarketing calls to commercial mobile service devices.
N.J. Stat. Ann. §56:8-130 prohibits unsolicited [added by an amendment in 2015] telemarketing calls to a commercial mobile service device of a customer unless: (i) the call is from the service provider itself to the customer; and (ii) the customer will not incur charges or usage allocation deduction.
N.J. Stat. Ann. §56:8-158 prohibits any 'person' from using any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine within the State.23 The law does not apply where correspondence is sent to a recipient who has an existing relationship with the sender, or where the sender is a member of a nonprofit organisation, 'provided that such unsolicited advertisement […] shall provide clear and conspicuous notice on the first page of the unsolicited advertisement' (N.J. Stat. Ann. §56:8-158(b)). The notice must include (N.J. Stat. Ann. §56:8-158(b)):
- disclosure to the recipient that the recipient may request the sender of the unsolicited advertisement not to send any future unsolicited advertisements to the recipient's telephone facsimile machine; and
- the domestic address and facsimile machine number for the recipient to transmit such a request to the sender.
Persons receiving unsolicited advertisements to a facsimile machine can request that they not receive future advertisements (N.J. Stat. Ann. §56:8-158(c)). The request must (N.J. Stat. Ann. §56:8-158(c)):
- identify the telephone number of the telephone facsimile machine to which the request relates;
- be made to the sender's domestic address or the facsimile machine number of the sender provided in the notice to the recipient; and
- be sent in written form to the sender's domestic address or sent by return facsimile transmission to the sender's facsimile machine number, in order to be effective.
Failure to honor a valid written request is a violation of the statute (N.J. Stat. Ann. §56:8-158(d)). The law provides for a private cause of action, and an aggrieved person may recover actual damages, or $500 per violation, whichever is greater, plus costs and attorneys' fees (N.J. Stat. Ann. §56:8-159(b)). Further, if a sender ignores a notice to cease transmissions, then the recipient can recover actual damages or $1,000 per violation, whichever is greater, plus costs and attorneys' fees (not to exceed $1,000) (N.J. Stat. Ann. §56:8-159(c)).
New Jersey has not adopted state legislation regarding a mandate for privacy policies or notices.
New Jersey requires that when a business or entity is no longer required to retain a customer's records containing personal information in its custody or control, those records must be securely destroyed 'by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means' (N.J. Stat. Ann. §56:8-162).
'Personal information', for purposes of this statute, includes an individual's first name or first initial and last name linked with any one or more of the following data elements (N.J. Stat. Ann. §56:8-161):
- driver's license number or State identification card number;
- account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
- username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
Note that personal information does not include 'publicly available information that is lawfully made available to the general public from federal, State, or local government records, or widely distributed media' (N.J. Stat. Ann. §56:8-161). New Jersey's law further provides that it is an unlawful practice to willfully, knowingly, or recklessly violate this requirement (N.J. Stat. Ann. §56:8-166).
While New Jersey does not have a proactive privacy law, such as the CCPA, it does have a breach notification law under N.J. Stat. Ann. §56:8-163. A business conducting business in the State, or a public entity that maintains computer records that include personal information, must disclose any breach of security of those computerised records (N.J. Stat. Ann. §56:8-163(a)).
The disclosure must be made expediently, subject to law enforcement and reasonable time to determine the scope of the breach (N.J. Stat. Ann. §56:8-163(a)). Note that notice is not required if the entity establishes that misuse of the information is not reasonably possible (this could be the case, for example, if the data was encrypted and the decryption key was not also compromised) (N.J. Stat. Ann. §56:8-163(a)). In such instances, the business or government entity must document the basis for this conclusion, and retain that record for five years (N.J. Stat. Ann. §56:8-163(a)). If the business or agency is maintaining the compromised records as a vendor to another business or agency, then the notice to be given is to the 'customer' of the business or agency (N.J. Stat. Ann. §56:8-163(b)).
It is then the customer's duty to provide notice to the impacted individuals as provided in the statute (N.J. Stat. Ann. §56:8-163(b)). Prior to notifying any impacted individuals, a business or entity that experienced a data breach of computerised records must first notify the Division of State Police in the New Jersey Department of Law and Public Safety (N.J. Stat. Ann. §56:8-163(c)). The means by which notice is to be given depend upon the number of impacted individuals (N.J. Stat. Ann. §56:8-163(d)). If a breach involves more than 1,000 persons, then the business or entity must also notify all consumer reporting agencies, as defined by the FCRA (N.J. Stat. Ann. §56:8-163(f)).
Where a breach involved a username or password in combination with any password or security question and answer that would permit access to an online account, but which did not involve any other personal information24, then notice must direct the impacted individual to change their password and/or security question for the impacted account, and any other account for which the customer used the same password and/or security question and answer (N.J. Stat. Ann. §56:8-163(g)(1)). Finally, if the breach impacted a person's email address, notice must not be given via the email account at issue (N.J. Stat. Ann. §56:8-163(g)(2)).
Pseudonyms in Public Filings
The Federal Rules of Civil Procedure ('Fed. R. Civ. P.') require plaintiffs to identify their real names in pleadings (Rule 10(a) of the Fed. R. Civ. P.). It is in the public interest, and it is the right of a defendant, to know the claimant in proceedings before the courts.25 However, in exceptional circumstances, plaintiffs will be allowed to proceed under pseudonyms.26 The Third Circuit has adopted a 9-factor test.27 The factors in favour of anonymity include28:
- the extent to which the identity of the litigant has been kept confidential;
- the bases upon which disclosure is feared or sought to be avoided, and the substantiality of these bases;
- the magnitude of the public interest in maintaining the confidentiality of the litigant's identity;
- whether, because of the purely legal nature of the issues presented or otherwise, there is an atypically weak public interest in knowing the litigant's identities;
- the undesirability of an outcome adverse to the pseudonymous party and attributable to his refusal to pursue the case at the price of being publicly identified; and
- whether the party seeking to sue pseudonymously has illegitimate ulterior motives.
Factors to be weighed against anonymity include29:
- the universal level of public interest in access to the identities of litigants;
- whether, because of the subject matter of this litigation, the status of the litigant as a public figure, or otherwise, there is a particularly strong interest in knowing the litigant's identities, beyond the public's interest which is normally obtained; and
- whether the opposition to pseudonym by counsel, the public, or the press is illegitimately motivated.
Attorney Rules of Ethics and New Jersey Bar Mandates
The New Jersey State Bar Association's Advisory Opinion 701 ('Advisory Opinion 701') provides that '[t]he obligation to preserve client confidences extends beyond merely prohibiting an attorney from himself making disclosure of confidential information without client consent [...] It also requires that the attorney take reasonable affirmative steps to guard against the risk of inadvertent disclosure'. The attorney must 'exercise reasonable care' to guard against unauthorised access (Advisory Opinion 701). Advisory Opinion 701 further provides that:
- when client confidential information is entrusted in unprotected form, even temporarily, to someone outside the firm, it must be under a circumstance in which the outside party is aware of the lawyer's obligation of confidentiality, and is itself obligated, whether by contract, professional standards, or otherwise, to assist in preserving it;
- the touchstone in using 'reasonable care' against unauthorised disclosure is that:
  - the lawyer has entrusted such documents to an outside provider under circumstances in which there is an enforceable obligation to preserve confidentiality and security; and
  - use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data.
  If the lawyer has come to the prudent professional judgment that they have satisfied both these criteria, then 'reasonable care' will have been exercised.
New Jersey requires all water purveyors to develop and implement a cybersecurity program (N.J. Stat. Ann. §58:31-4)30.
1. State v. Reid, 945 A.2d 26, 31-32 (2008).
2. State v. Hempele, 576 A.2d 793, 802 (N.J. 1990), at 35.
3. Hennessey v. Coastal Eagle Point Oil Co., 609 A.2d 11, 17 (N.J. 1992) (quoting RESTATEMENT (SECOND) OF TORTS § 652B (AM. LAW INST. 1977)); see also N.O.C., Inc. v. Schaefer, 484 A.2d 729, 731 (N.J. Super. Ct. App. Div. 1984).
4. Hennessey, 609 A.2d at 17 (citing RESTATEMENT (SECOND) OF TORTS § 652B (AM. LAW INST. 1977)).
5. Id. at 20-23 (finding that in the context of employer's random urine testing, where an employee's duty is so fraught with hazard, public safety concerns will outweigh an employee's right to privacy).
6. White v. White, 781 A.2d 85, 91-92 (N.J. Super. Ct. Ch. Div. 2001) (finding that a husband did not have an expectation of privacy in the sun room where he slept where his children and his wife were in the room regularly); see also Poltrock v. NJ Auto. Accounts Mgmt. Co., 2008 WL 5416396, at *5-7 (D.N.J. Dec. 22, 2008) (finding no expectation of privacy where a company used information on a resume submitted two years earlier by an applicant to collect on a debt when the would-be employee owed money for services rendered by the same company).
7. Smith v. Datla, 164 A.3d 1110, 1118 (N.J. App. Div. 2017) (quoting Romaine v. Kallinger, 537 A.2d 284, 292 (N.J. 1988)).
8. State v. Earls, 70 A.3d 630, 644 (N.J. 2013).
9. Id. at 641 (emphasis added) (citations omitted).
10. Id. at 642.
11. Id. at 644.
13. See Faber v. Condecor, Inc., 477 A.2d 1289, 1292 (N.J. Super. Ct. App. Div. 1984) (quoting Palmer v. Schonhorn Enters., Inc. 232 A.2d 458, 461 (N.J. Super. Ct. Ch. Div. 1967)).
15. McFarland v. Miller, 14 F.3d 912, 918 (3d Cir. 1994).
16. State v. Lunsford, 141 A.3d 270, 285 (N.J. 2016).
17. Note that the request must be sent by certified mail or overnight courier, or by email, but in the latter case only using a secure portal provided by the subject credit reporting agency (N.J. Stat. Ann. §56:11-46(a)). The agency receiving the request must send written confirmation to the consumer within five business days, and provide a unique identification number or password which must be used to unfreeze the credit (N.J. Stat. Ann. §56:11-46(b)).
18. For purposes of this law, 'personal identifying information' includes name, address, telephone number, SSN, place of employment, employee identification number, demand deposit account number, savings account number, credit card number and mother's maiden name. Governor's Conditional Veto Message, Bill Nos. 2414, 1638 and 2456, 2005 Main Volume (N.J. 2005), available at N.J. Stat. Ann. §2C:21-17.
19. Doe v. Borough of Barrington, 729 F. Supp. 376, 382 (D.N.J. 1990).
20. Smith v. Datla, 164 A.3d 1110, 1120 (N.J. Super. Ct. App. Div. 2017) (citing United States v. Westinghouse, 638 F.2d 570, 577 (3d Cir. 1980)).
21. For purposes of this law, the definitions under N.J. Stat. Ann. §56:8-196 apply.
22. The person must present evidence of identity theft, in the form of a police report, affidavit of identity theft filed with the Federal Trade Commission or other similarly executed affidavit (N.J. Stat. Ann. §56:11-51(a)).
23. The statute expressly does not apply to 'the actions of an internet service provider or telecommunications service provider in the transmission, routing, relaying, handling, or storing of the facsimile through an automatic technical process' (N.J. Stat. Ann. §56:8-158(a)). For purposes of this law, the definitions under N.J. Stat. Ann. §56:8-157 apply.
24. For purposes of this Section, 'personal information' is as defined in N.J. Stat. Ann. §56:8-161.
25. See Doe v. Megless, 654 F.3d 404, 408 (3d Cir. 2011).
27. Id. at 409.
28. Id. (quoting Doe v. Provident Life & Acc. Ins. Co., 176 F.R.D. 464, 467-68 (E.D.Pa. 1997)).
29. Id. (quoting Doe, 176 F.R.D. at 467-68).
30. The legislation exempts a water purveyor that does not have an internet connected control system. Note that US federal law also requires annual risk assessments and additional requirements to improve resiliency (see §300i-2 of Title 42 of the United States Code).