ASSEMBLY, No. 1181

STATE OF NEW JERSEY

219th LEGISLATURE

 

PRE-FILED FOR INTRODUCTION IN THE 2020 SESSION

 


 

Sponsored by:

Assemblyman  ANDREW ZWICKER

District 16 (Hunterdon, Mercer, Middlesex and Somerset)

Assemblyman  RAJ MUKHERJI

District 33 (Hudson)

Assemblyman  JOE DANIELSEN

District 17 (Middlesex and Somerset)

 

Co-Sponsored by:

Assemblyman Conaway

 

 

 

 

SYNOPSIS

     Requires commercial Internet website and online service operators to conspicuously post their privacy policy.

 

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel.

  


An Act concerning commercial Internet websites, online services, and privacy policies and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

 

     1.    As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

     “Commercial Internet website” means a website operated for business purposes, including, but not limited to, the sale of goods and services.

     “Conspicuously post” means notification provided through any of the following:

     a.     an Internet webpage on which the actual privacy policy is posted if the Internet webpage is the homepage or first significant page after entering the Internet website;

     b.    an icon that hyperlinks to an Internet webpage on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Internet website, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Internet webpage or is otherwise distinguishable;

     c.     a text link that hyperlinks to an Internet webpage on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Internet website, and if the text link does one of the following:

     (1)   includes the word “privacy;”

     (2)   is written in capital letters equal to or greater in size than the surrounding text; or

     (3)   is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language;

     d.    any other functional hyperlink that is so displayed that a reasonable person would notice it; or

     e.     in the case of an online service, any other reasonably accessible means of making the privacy policy available for customers of the online service.

     “Customer” means an individual within this State who provides, either knowingly or unknowingly, personally identifiable information to an operator, with or without an exchange of consideration, in the course of seeking or acquiring, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

     “Internet Protocol” means a communications protocol that enables an Internet end user to send or receive a communication over the Internet, regardless of whether the communication is voice, data, or video.

     “Online service” means a commercial information service provided over the Internet, including, but not limited to, offsite data storage services and computer application services.

     “Operator” means a person or entity that owns an Internet website or an online service that collects and maintains personally identifiable information from a customer and which is operated for commercial purposes. “Operator” shall not include any third party that operates, hosts, or manages, but does not own, a website or online service on the operator’s behalf, or by processing information on behalf of the operator.

     “Personally identifiable information” means any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service, including, but not limited to, the customer’s:

     a.     name, alias, nickname, and user name;

     b.    postal and electronic mail address;

     c.     telephone number;

     d.    account name;

     e.     social security number or other government-issued identification number, including driver’s license number or passport number;

     f.     birthdate or age;

     g.    physical characteristic information, including height and weight;

     h.    sexual information, including sexual orientation, sex, gender status, gender identity, and gender expression;

     i.     race or ethnicity;

     j.     religious affiliation or activity;

     k.    political affiliation or activity;

     l.     professional or employment-related information;

     m.   educational information;

     n.    medical information, including medical conditions or drugs, therapies, mental health, or medical products or equipment used;

     o.    financial information, including credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness;

     p.    commercial information, including records of property, products, or services provided, obtained or considered, or other purchasing or customer histories;

     q.    geolocation information;

     r.     Internet or mobile activity information, including Internet protocol addresses or information concerning the access or use of any online service;

     s.     content, including text, photographs, audio or video recordings, or other material generated or provided by the customer; or

     t.     any of the above categories of information as they pertain to the children of the customer.

     “Third party” means:

     a.     a private entity that is a separate legal entity from the operator;

     b.    a private entity that does not share common ownership or common corporate control with the operator; or

     c.     a private entity that does not share a brand name or common branding with the operator, such as an affiliate relationship that is clear to the customer.

 

     2.    a.  An operator that collects through the Internet the personally identifiable information of a customer shall conspicuously post on its Internet website or online service a privacy policy that shall include, but is not limited to:

     (1)   the categories of personally identifiable information that the operator collects through the Internet website or online service about individual customers who use or visit its commercial Internet website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;

     (2)   if offered by an operator, a description of the process by which a customer who uses or visits a commercial Internet website or online service may review and request changes to any of the customer’s personally identifiable information that is collected through the commercial Internet website or online service;

     (3)   a description of the process by which the operator notifies customers who use or visit its commercial Internet website or online service of material changes to the operator’s privacy policy for that commercial Internet website or online service;

     (4)   the effective date of the privacy policy;

     (5)   disclosure of how the operator responds to Internet web browser “do not track” settings or other mechanisms that provide customers the ability to exercise choice concerning the collection of personally identifiable information about an individual customer’s online activities over time and across third-party Internet websites or online services; and

     (6)   disclosure of whether third parties may collect, purchase, or access personally identifiable information about an individual customer’s online activities over time and across different Internet websites when a customer uses the operator’s commercial Internet website or online service.

     b.    An operator shall conspicuously post its privacy policy within 30 days after being notified of noncompliance by the Director of the Division of Consumer Affairs.

 

     3.    It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for an operator to knowingly and willfully or negligently and materially fail to post a privacy policy pursuant to section 2 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     4.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     5.    This act shall take effect immediately.

 

 

STATEMENT

 

     This bill requires commercial Internet website and online service operators to conspicuously post on their Internet website or online service a privacy policy that includes, but is not limited to:

     1)    the categories of personally identifiable information that the operator collects through the Internet website or online service about individual customers who use or visit its commercial Internet website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;

     2)    if offered by an operator, a description of the process by which a customer who uses or visits a commercial Internet website or online service may review and request changes to any of the customer’s personally identifiable information that is collected through the commercial Internet website or online service;

     3)    a description of the process by which the operator notifies customers who use or visit its commercial Internet website or online service of material changes to the operator’s privacy policy for that commercial Internet website or online service;

     4)    the effective date of the privacy policy;

     5)    disclosure of how the operator responds to Internet web browser “do not track” settings or other mechanisms that provide customers the ability to exercise choice concerning the collection of personally identifiable information about an individual customer’s online activities over time and across third-party Internet websites or online services; and

     6)    disclosure of whether third parties may collect, purchase, or access personally identifiable information about an individual customer’s online activities over time and across different Internet websites when a customer uses the operator’s commercial Internet website or online service.

     This bill defines “personally identifiable information” as any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service, including, but not limited to, several examples that are listed in the bill.