SENATE, No. 2834

STATE OF NEW JERSEY

218th LEGISLATURE

 

INTRODUCED JULY 23, 2018

 


 

Sponsored by:

Senator  TROY SINGLETON

District 7 (Burlington)

Senator  JOSEPH F. VITALE

District 19 (Middlesex)

 

Co-Sponsored by:

Senator Greenstein

 

 

 

 

SYNOPSIS

     Requires commercial Internet websites and online services to notify customers of collection and disclosure of personally identifiable information and allows customers to opt out.

 

CURRENT VERSION OF TEXT

     As introduced.

 


An Act concerning commercial Internet websites, online services, and personally identifiable information and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

     “Commercial Internet website” means a website operated for business purposes, including, but not limited to, the sale of goods and services.

     “Customer” means an individual within this State who provides, either knowingly or unknowingly, personally identifiable information to an operator, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the operator, including advertising or any other content.

     “Designated request address” means an electronic mail address or toll-free telephone number that a customer may use to request the information required to be provided pursuant to section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     “Disclose” means to release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to a third party a customer’s personally identifiable information. “Disclose” shall not include:

     the disclosure of a customer’s personally identifiable information by an operator to a third party under a written contract authorizing the third party to use the personally identifiable information to perform services on behalf of the operator, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if the contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service on behalf of the operator and from disclosing personally identifiable information to additional third parties;

     the disclosure of personally identifiable information by an operator to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or

     the disclosure of personally identifiable information by an operator to a third party that is reasonably necessary to address fraud, security, or technical issues, to protect the operator’s rights or property, or to protect a customer or the public from illegal activities as required by law.

     “Internet Protocol” means a communications protocol that enables an Internet end user to send or receive a communication over the Internet, regardless of whether the communication is voice, data, or video.

     “Online service” means a commercial information service provided over the Internet, including, but not limited to, offsite data storage services and computer application services.

     “Operator” means a person or entity that owns an Internet website or an online service that collects and maintains personally identifiable information from a customer and that is operated for commercial purposes. “Operator” shall not include any third party that operates, hosts, or manages, but does not own, a website or online service on the operator’s behalf, or by processing information on behalf of the operator.

     “Personally identifiable information” means any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service, including, but not limited to:

     name, alias, nickname, and user name;

     postal and electronic mail address;

     telephone number;

     account name;

     social security number or other government-issued identification number, including driver’s license number or passport number;

     birthdate or age;

     physical characteristic information, including height and weight;

     sexual information, including sexual orientation, sex, gender status, gender identity, and gender expression;

     race or ethnicity;

     religious affiliation or activity;

     political affiliation or activity;

     professional or employment-related information;

     educational information;

     medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used;

     financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness;

     commercial information, including, but not limited to, records of property, products, or services provided, obtained or considered, or other purchasing or consumer histories;

     geolocation information;

     Internet or mobile activity information, including, but not limited to, Internet Protocol addresses or information concerning the access or use of any online service;

     content, including, but not limited to, text, photographs, audio or video recordings, or other material generated by or provided by the customer; and

     any of the above categories of information as they pertain to the children of the customer.

     “Third party” means:

     a private entity that is a separate legal entity from the operator;

     a private entity that does not share common ownership or common corporate control with the operator; or

     a private entity that does not share a brand name or common branding with the operator, such as an affiliate relationship that is clear to the customer.

 

     2.    a.     An operator that collects the personally identifiable information of a customer through the Internet shall provide on its Internet website or online service notification to a customer that shall include, but not be limited to:

     (1)   a complete description of the personally identifiable information that the operator collects through the Internet website or online service about a customer who uses or visits the operator’s commercial Internet website or online service;

     (2)   all third parties with which the operator may disclose a customer’s personally identifiable information; and

     (3)   information concerning one or more designated request addresses.

     b.    In addition to the requirements of subsection a. of this section, an operator shall include the notification as a section of the operator’s privacy policy.

 

     3.    a.      An operator that discloses a customer’s personally identifiable information to a third party shall make the following information available to the customer free of charge upon receipt of a request from the customer for this information through a designated request address:

     (1)   the customer’s personally identifiable information that was disclosed; and

     (2)   the names of, and the contact information for, the third parties that received the customer’s personally identifiable information.

     b.    An operator that receives a request from a customer pursuant to this section shall provide a response to the customer within 30 days of the operator’s receipt of the request and shall provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

     c.     This section shall not apply to personally identifiable information disclosed prior to the effective date of P.L.    , c.    (C.   )     (pending before the Legislature as this bill).

 

     4.    a.      An operator that collects the personally identifiable information of a customer through the Internet shall clearly and conspicuously post on its Internet website or online service homepage a link, entitled “Do Not Sell My Personal Information,” to an Internet webpage maintained by the operator, which enables a customer to opt out of the disclosure of the customer’s personally identifiable information. The method in which a customer may opt out shall be in a form and manner determined by the operator but a customer shall not be required to establish an account with the operator in order to opt out of the disclosure of a customer’s personally identifiable information.

     b.    An operator shall be prohibited from discriminating against or penalizing a customer if the customer chooses to opt out of the disclosure of the customer’s personally identifiable information pursuant to subsection a. of this section.

     c. An operator shall be prohibited from requesting that a customer authorize the disclosure of the customer’s personally identifiable information for at least 12 months following the date the customer opted out pursuant to subsection a. of this section.

 

     5.    A waiver of the requirements of, or an agreement that does not comply with, the provisions of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be void and unenforceable.

 

     6.    Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be construed to apply to any State agency, any political subdivision thereof, or federal agency, or any contractor or subcontractor employed by a State agency, political subdivision thereof, or federal agency.

 

     7.    It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for an operator to fail to notify a customer of the disclosure of personally identifiable information pursuant to sections 2 and 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) or fail to allow a customer to opt out of the disclosure of a customer’s personally identifiable information pursuant to section 4 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     8.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     9.    This act shall take effect immediately.

 

 

STATEMENT

 

     This bill requires commercial Internet website and online service operators to notify customers of the collection and disclosure of personally identifiable information to third parties. An operator that collects through the Internet the personally identifiable information of a customer is to provide on its Internet website or online service notification to a customer that includes, but is not limited to: a complete description of the personally identifiable information that the operator collects through the Internet website or online service about a customer who uses or visits its commercial Internet website or online service; all third parties with which the operator may disclose a customer’s personally identifiable information; and information concerning one or more designated request addresses, which are an email address or toll-free telephone number that a customer may use to request information under the bill.

     This bill requires that an operator that discloses a customer’s personally identifiable information to a third party is to make the following information available to the customer free of charge upon receipt of a request from the customer: the customer’s personally identifiable information that was disclosed and the names and contact information of the third parties that received the customer’s personally identifiable information. An operator that receives a request from a customer is to provide a response to the customer within 30 days and is to provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

     The bill requires an operator that collects the personally identifiable information of a customer to clearly and conspicuously post on its Internet website or online service homepage a link, entitled “Do Not Sell My Personal Information,” to an Internet webpage maintained by the operator, which enables a customer to opt out of the disclosure of the customer’s personally identifiable information. The method in which a customer may opt out is to be in a form and manner determined by the operator but a customer is not to be required to establish an account with the operator in order to opt out of the disclosure of a customer’s personally identifiable information.

     Further, this bill prohibits an operator from discriminating against or penalizing a customer if the customer chooses to opt out of the disclosure of the customer’s personally identifiable information, and from requesting that a customer authorize the disclosure of the customer’s personally identifiable information for at least 12 months following the date the customer opted out.

     This bill defines “personally identifiable information” as any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service, including, but not limited to, several examples that are listed in the bill.