ASSEMBLY, No. 4974

STATE OF NEW JERSEY

218th LEGISLATURE

 

INTRODUCED JANUARY 31, 2019

 


 

Sponsored by:

Assemblyman  ANDREW ZWICKER

District 16 (Hunterdon, Mercer, Middlesex and Somerset)

Assemblyman  RAJ MUKHERJI

District 33 (Hudson)

 

 

 

 

SYNOPSIS

     Requires operators of mobile device applications that collect user global positioning system data to notify users about how global positioning system data is disclosed and allow users to opt in to disclosure.

 

CURRENT VERSION OF TEXT

     As introduced.

  


An Act concerning certain mobile device applications and global positioning system data and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

     “Disclose” means to release, transfer, share, disseminate, make available, sell, or otherwise communicate by any means to a third party a user’s GPS data. “Disclose” shall not include:

     the disclosure of GPS data by an operator to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or

     the disclosure of GPS data by an operator to a third party that is reasonably necessary to address fraud, security, or technical issues, to protect the operator’s rights or property, or to protect a user or the public from illegal activities as required by law.

     “GPS data” means a user’s physical location information collected by a global positioning system.

     “Operator” means a person or entity that owns a mobile device application that collects and maintains GPS data from a user of the mobile device application.

     “Mobile device” means a wireless telecommunications device that is capable of running an application that can collect a user’s GPS data.

     “Third party” means:

     a private entity that is a separate legal entity from the operator;

     a private entity that does not share common ownership or common corporate control with the operator; or

     a private entity that does not share a brand name or common branding with the operator, such as an affiliate relationship that is clear to the user.

     “User” means an individual within this State who provides, either knowingly or unknowingly, GPS data to an operator, with or without an exchange of consideration, in the course of using the operator’s mobile device application.

 

     2.    a. An operator shall, prior to a customer activating the operator’s mobile device application, provide to a user, in a form and manner determined by the operator, notification that shall include, but not be limited to:

     (1)   a complete description of the user GPS data that the operator collects through the mobile device application;

     (2)   all third parties to which the operator may disclose user GPS data; and

     (3)   the length of time the operator retains user GPS data.

     b.    In addition to the requirements of subsection a. of this section, an operator shall include the notification as a section of the operator’s privacy policy.

 

     3.    a.  An operator shall allow a user to opt in to the disclosure of the user’s GPS data. The method in which a user may opt in shall be in a form and manner determined by the operator, except that a user shall not be required to establish an account with the operator in order to opt in to the disclosure of a user’s GPS data.

     b.    An operator shall be prohibited from discriminating against or penalizing a user if the user chooses not to opt in to the disclosure of the user’s GPS data pursuant to subsection a. of this section.

     c.     An operator shall be prohibited from requesting that a user authorize the disclosure of the user’s GPS data for at least 12 months following the date the user chose not to opt in pursuant to subsection a. of this section.

 

     4.    It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for an operator to fail to notify a user of the disclosure of user GPS data pursuant to section 2 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) or fail to allow a customer to opt in to the disclosure of user GPS data pursuant to section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     5.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     6.    This act shall take effect immediately but shall remain inoperative until 180 days after the date of enactment.

 

 

STATEMENT

 

     This bill requires an operator of a mobile device application that collects user global positioning system (GPS) data to provide to a user, in a form and manner determined by the operator, notification that is to include, but not be limited to:

     1)    a complete description of the user GPS data that the operator collects through the mobile device application;

     2)    all third parties to which the operator may disclose user GPS data; and

     3)    the length of time the operator retains user GPS data.

An operator is to include the notification as a section of the operator’s privacy policy.

     The bill requires an operator to allow a user to opt in to the disclosure of the user’s GPS data. The method in which a user may opt in is to be in a form and manner determined by the operator, but a user is not to be required to establish an account with the operator in order to opt in to the disclosure of a user’s GPS data. An operator is to be prohibited from discriminating against or penalizing a user if the user chooses not to opt in to the disclosure of the user’s GPS data. An operator is to be prohibited from requesting that a user authorize the disclosure of the user’s GPS data for at least 12 months following the date the user chose not to opt in.

     The bill provides that a violation of the bill’s requirements is a violation of the State’s consumer fraud act.