SENATE, No. 1257

STATE OF NEW JERSEY

219th LEGISLATURE

 

INTRODUCED FEBRUARY 3, 2020


Sponsored by:

Senator  TROY SINGLETON

District 7 (Burlington)


SYNOPSIS

     Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

 

CURRENT VERSION OF TEXT

     As introduced.


An Act concerning commercial Internet websites, consumers, and personally identifiable information and supplementing Title 56 of the Revised Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

      1.   As used in P.L.    , c.    (C.      ) (pending before the Legislature as this bill):

      “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity.

     “Commercial Internet website” means a website operated for business purposes, including, but not limited to, the sale of goods and services, which collects and maintains personally identifiable information from a consumer.

     “Consumer” means an identified person who is a resident of this State acting only in an individual or household context. “Consumer” shall not include a person acting in a commercial or employment context.

     “De-identified data” means: data that cannot be linked to a consumer without additional information that is kept separately; or data that has been modified to a degree that the risk of re-identification, consistent with guidance from the Federal Trade Commission and the National Institute of Standards and Technology, is small, as determined by the Director of the Division of Consumer Affairs in the Department of Law and Public Safety pursuant to section 8 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill), that is subject to a public commitment by the operator not to attempt to re-identify the data, and to which one or more enforceable controls to prevent re-identification has been applied, which may include legal, administrative, technical, or contractual controls.

     “Designated request address” means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

     “Disclose” means to release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to a third party a consumer’s personally identifiable information. “Disclose” shall not include:

     the disclosure of a consumer’s personally identifiable information by an operator to a third party under a written contract authorizing the third party to use the personally identifiable information to perform services on behalf of the operator, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if the contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service on behalf of the operator and from disclosing personally identifiable information to additional third parties unless expressly authorized by the consumer;

     the disclosure of personally identifiable information by an operator to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order;

     the disclosure of personally identifiable information by an operator to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues, to protect the operator’s rights or property, or to protect a consumer or the public from illegal activities as required by law; or

     the disclosure of personally identifiable information by an operator to a third party in connection with the proposed or actual sale or merger of the operator, or sale of all or part of its assets, to a third party.

     “Online service” means an information service provided over the Internet that collects and maintains personally identifiable information from a consumer.

     “Operator” means a person or entity that operates a commercial Internet website or an online service. “Operator” shall not include any third party that operates, hosts, or manages, but does not own, a commercial Internet website or online service on the operator’s behalf, or processes information on behalf of the operator.

     “Personally identifiable information” means any information that is linked or reasonably linkable to an identified or identifiable person. “Personally identifiable information” shall not include de-identified data or publicly available information.

     “Publicly available information” means information that is lawfully made available from federal, State, or local government records, or widely-distributed media.

     “Sale” means the exchange of personally identifiable information for monetary consideration by the operator to a third party for purposes of licensing or selling personally identifiable information at the third party's discretion to additional third parties. "Sale" shall not include the following:

     the disclosure of personally identifiable information to a service provider that processes that information on behalf of the operator;

     the disclosure of personally identifiable information to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer's reasonable expectations considering the context in which the consumer provided the personally identifiable information to the operator;

     the disclosure or transfer of personally identifiable information to an affiliate of the operator; or

     the disclosure or transfer of personally identifiable information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the operator’s assets.

     “Service provider” means a person, private entity, public entity, agency, or other entity that processes personally identifiable information on behalf of the operator and that provides sufficient guarantees to the operator that it will implement appropriate technical and organizational measures so that the processing ensures the protection of the consumer’s personally identifiable information.

     “Third party” means a person, private entity, public entity, agency, or entity other than the consumer, operator, or affiliate or service provider of the operator.

     "Verified request" means the process through which a consumer may submit a request to exercise a right or rights established in P.L.    , c.    (C.      ) (pending before the Legislature as this bill), and by which an operator can reasonably authenticate the request and the consumer making the request using commercially reasonable means.

 

      2.   a.   An operator that collects the personally identifiable information of a consumer through a commercial Internet website or online service shall provide on its commercial Internet website or online service notification to a consumer that shall include, but not be limited to:

     (1)   the categories of the personally identifiable information that the operator collects through the commercial Internet website or online service about a consumer who uses or visits the operator’s commercial Internet website or online service;

     (2)   the categories of all third parties with which the operator may disclose a consumer’s personally identifiable information;

     (3)   whether a third party may collect personally identifiable information about a consumer’s online activities over time and across different commercial Internet websites or online services when the consumer uses the Internet website or online service of the operator;

     (4)   a description of the process for an individual consumer who uses or visits the commercial Internet website or online service to review and request changes to any of the consumer’s personally identifiable information that is collected by the commercial Internet website or online service of the operator;

     (5)   the process by which the operator notifies consumers who use or visit the commercial Internet website or online service of material changes to the notification required to be made available pursuant to this subsection, along with the effective date of the notice; and

     (6)   information concerning one or more designated request addresses of the operator.

      b.   In addition to the requirements of subsection a. of this section, an operator shall include the notification as a separate section of the operator’s privacy policy.

 

     3.    a.   An operator that collects a consumer’s personally identifiable information through its commercial Internet website or online service and discloses the consumer’s personally identifiable information to a third party shall make the following information available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address:

     (1)   the category or categories of a consumer’s personally identifiable information that were disclosed; and

     (2)   the category or categories of the third parties that received the consumer’s personally identifiable information.

      b.   An operator that receives a verified request from a consumer pursuant to subsection a. of this section shall provide a response to the consumer within 60 days of the operator’s verification of the request and shall provide the information, pursuant to subsection a. of this section, for all disclosures of personally identifiable information that occurred in the prior 12 months.

      c.    This section shall not apply to personally identifiable information disclosed prior to the effective date of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     4.    a.   An operator that collects the personally identifiable information of a consumer through its commercial Internet website or online service and sells the personally identifiable information of the consumer through the Internet shall clearly and conspicuously post a link, on its commercial Internet website or online service or in another prominently accessible location the commercial Internet website maintains for consumer privacy settings, to an Internet webpage maintained by the operator, which enables a consumer, by verified request, to opt out of the sale of the consumer’s personally identifiable information. The method by which a consumer may opt out shall be in a form and manner determined by the operator, provided that a consumer shall not be required to establish an account with the operator in order to opt out of the sale of the consumer’s personally identifiable information.

     b.    An operator shall be prohibited from discriminating against a consumer if the consumer chooses to opt out of the sale of the consumer’s personally identifiable information pursuant to subsection a. of this section. The provisions of this section shall not prohibit the operator’s ability to offer consumers discounts, loyalty programs, or other incentives for the sale of the consumer’s personally identifiable information, or to provide different services to consumers that are reasonably related to the value of the relevant data.

 

     5.    A waiver of the requirements of, or an agreement that does not comply with, the provisions of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall be void and unenforceable.

 

     6.    Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall apply to:

     a.     protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the "Health Insurance Portability and Accountability Act of 1996," Pub.L.104-191, and the “Health Information Technology for Economic and Clinical Health Act,” (42 U.S.C. s.17921 et seq.);

     b.    a financial institution or an affiliate of a financial institution that is subject to Title V of the federal “Gramm-Leach-Bliley Act of 1999,” 15 U.S.C. s.6801 et seq., and the rules and implementing regulations promulgated thereunder;

     c.     the secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii);

     d.    an insurance institution subject to P.L.1985, c.179 (C.17:23A-1 et seq.);

     e.     the sale of a consumer’s personally identifiable information by the New Jersey Motor Vehicle Commission that is permitted by the federal "Drivers' Privacy Protection Act of 1994," 18 U.S.C. s.2721 et seq.; or

     f.     personally identifiable information collected, processed, sold, or disclosed by a consumer reporting agency, as defined in 15 U.S.C. s.1681a(f), if the collection, processing, sale, or disclosure of the personally identifiable information is limited by the federal “Fair Credit Reporting Act,” 15 U.S.C. s.1681 et seq., and implementing regulations.

 

     7.    Nothing in P.L.    , c.    (C.      ) (pending before the Legislature as this bill) shall require an operator to:

     a.     re-identify de-identified data; or

     b.    collect, retain, use, link, or combine personally identifiable information concerning a consumer that it would not otherwise collect, retain, use, link, or combine in the ordinary course of business.

 

     8.    It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for an operator to fail to notify a consumer of the sale of personally identifiable information pursuant to sections 2 and 3 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) or fail to allow a consumer to opt out of the sale of a consumer’s personally identifiable information pursuant to section 4 of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) if the operator fails to cure any alleged violation of P.L.    , c.    (C.      ) (pending before the Legislature as this bill) within 30 days after receiving notice of alleged noncompliance from the Attorney General.

 

     9.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the “Administrative Procedure Act,”  P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     10.  The Office of the Attorney General shall have sole and exclusive authority to enforce a violation of P.L.    , c.    (C.      ) (pending before the Legislature as this bill).

 

     11.  This act shall take effect on the 180th day following the date of enactment, except that the Director of the Division of Consumer Affairs may take any anticipatory administrative action in advance as shall be necessary for the implementation of this act.

 

STATEMENT

 

     This bill requires a commercial Internet website and online service operator (operator) to notify consumers of the collection and disclosure of “personally identifiable information,” as that term is defined in the bill, to third parties. An operator that collects through the Internet the personally identifiable information of a consumer is to provide on its Internet website or online service notification to a consumer that includes, but is not limited to:

     1)    the categories of the personally identifiable information that the operator collects through the Internet website or online service about a consumer who uses or visits its commercial Internet website or online service;

     2)    the categories of all third parties with which the operator may disclose a consumer’s personally identifiable information;

     3)    whether a third party may collect personally identifiable information about a consumer’s online activities over time and across different commercial Internet websites or online services when the consumer uses the Internet website or online service of the operator;

     4)    a description of the process for an individual consumer who uses or visits the commercial Internet website or online service to review and request changes to any of his or her personally identifiable information that is collected by the commercial Internet website or online service of the operator;

     5)    the process by which the operator notifies consumers who use or visit the commercial Internet website or online service of material changes to the notification required to be made available under the bill, along with the effective date of the notice; and

     6)    information concerning one or more designated request addresses that a consumer may use to request information under the bill.

     This bill requires that an operator that discloses a consumer’s personally identifiable information to a third party is to make the following information available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address: the category or categories of the consumer’s personally identifiable information that were disclosed; and the category or categories of the third parties that received the consumer’s personally identifiable information. An operator that receives a verified request from a consumer is to provide a response to the consumer within 60 days of its verification of the request and is to provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

     The bill provides that an operator that collects the personally identifiable information of a consumer through its commercial Internet website or online service and sells the personally identifiable information of the consumer through the Internet is to clearly and conspicuously post a link on its commercial Internet website or online service, or in another prominently accessible location the commercial Internet website maintains for consumer privacy settings, to an Internet webpage maintained by the operator, which enables a consumer, by verified request, to opt out of the sale of the consumer’s personally identifiable information. The method by which a consumer may opt out shall be in a form and manner determined by the operator, provided that a consumer is not to be required to establish an account with the operator in order to opt out of the sale of the consumer’s personally identifiable information.

     An operator is to be prohibited from discriminating against a consumer if the consumer chooses to opt out of the sale of the consumer’s personally identifiable information. The provisions of the bill are not to prohibit the operator’s ability to offer consumers discounts, loyalty programs, or other incentives for the sale of the consumer’s personally identifiable information, or to provide different services to consumers that are reasonably related to the value of the relevant data.

     The provisions of the bill are not to apply to certain types of information and institutions listed in the bill.

     Nothing in the bill is to require an operator to re-identify de-identified data or collect, retain, use, link, or combine personally identifiable information concerning a consumer that it would not otherwise collect, retain, use, link, or combine in the ordinary course of business.

     The Attorney General is to have sole authority to enforce a violation of the bill.