Inside New Jersey's Latest Effort on the Privacy Front
New Jersey legislators have joined a growing line of states in proposing a bill to strengthen data privacy protections, following in the footsteps of privacy laws enacted in Europe and California.
May 15, 2020 at 08:00 AM
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
New Jersey legislators are joining a growing line of states in proposing a bill to strengthen data privacy protections, following in the footsteps of privacy laws enacted in Europe and California.
The New Jersey bill (AB 3255) would require businesses to obtain permission from New Jersey consumers before they could collect and sell/share personal data to third parties. The legislation would have implications for most companies that do business in New Jersey and collect consumer data of New Jersey residents.
The bill was introduced by Assemblyman John Burzichelli in the General Assembly on Feb. 25, 2020, and referred to the Assembly's Science, Innovation and Technology Committee, which is chaired by Assemblyman Andrew Zwicker. As of press time, no committee hearings have yet been held to consider this bill.
As noted, several states, including Florida (H. 963), Illinois (SB 2330), Massachusetts (S. 120), New York (S. 224), Texas (HB 4390), Virginia (HB 473) and Washington (SB 6281), have introduced legislation that would create comprehensive data privacy laws. These follow California's law, the California Consumer Privacy Act (CCPA), which went into effect in January 2020, and the European Union's law, the General Data Protection Regulation (GDPR), which went into effect in May 2018.
Under the New Jersey bill, certain companies that do business in New Jersey and that collect personal data of New Jersey residents would be required to provide information in clear language to consumers about how they will use the data. In general, consumers would be able to ask companies to provide them with the personal data about them that the companies sell to third parties. And consumers would be able to ask companies collecting such data to delete their personal information.
NJ Act's Similarities with CCPA
The New Jersey legislation is in many ways a carbon copy of the CCPA. In particular, their similarities are as follows.
First, both have comprehensive definitions of the personal data to be protected — that is, "any information that personally identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a consumer or household," including: i) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers; ii) characteristics of protected classifications under State or federal law; iii) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; iv) biometric information; v) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement; vi) geolocation data; vii) audio, electronic, visual, thermal, olfactory, or similar information; viii) professional or employment-related information; and ix) education records.
In addition, businesses would not only have to do business in New Jersey, they would also have to either: i) have annual gross revenue of at least $25 million; ii) derive 50% or more of its annual revenue from selling the personal data of consumers; or iii) annually buy and/or sell the personal data of at least 50,000 consumers.
Second, consumers would have many of the same rights as under the CCPA: i) to have the business disclose to the consumer before collection what categories of personal data would be collected, and the purposes for which that data would be used; ii) following collection, to request the business disclose what categories and specific pieces of data have been collected from that consumer; iii) following collection, to request that the business delete any personal data that it has collected from that consumer; iv) following collection, to request that the business disclose the categories of data collected, the categories of sources from which data has been collected, the purposes for which that data has been collected, the categories of third parties with which the business shares personal data, and the specific pieces of personal data that it has collected about that consumer.
Third, businesses would have to disclose to requesting consumers (subject to the business' verification of the request's authenticity) the information sought (as noted in the above paragraph).
Fourth, businesses would be prohibited from discriminating against any consumer in response to a consumer's exercise of their rights arising from the legislation (such as by denying goods or services, charging different prices for goods or services, or providing different quality of goods or services). However, businesses would be able to offer financial incentives for the collection of personal data (and thus provide differing levels of quality or different pricing as long as the differences are directly related to the value provided to the business by the personal data in question).
Fifth, businesses that collect personal data would have to provide consumers with designated means by which consumers could contact the business to exercise their rights — such as by mail address, online website, and toll-free telephone numbers, depending on how the data was collected.
Sixth, businesses that collect personal data would have to provide privacy policies accessible to consumers and that provide the general lines of information noted above — types of information collected, the purposes for which the data would be collected, and the consumer's request and other rights.
Seventh, businesses that collect personal data would be able to create a webpage separate from its general home page, which would be directed specifically to New Jersey residents.
Differences from CCPA
However, notwithstanding the above similarities, there are a few notable and significant differences between AB 3255 and the CCPA.
First, the New Jersey bill utilizes an opt-in regime for the collection of personal information, as well as for the sale of personal information. In contrast, the CCPA utilizes an opt-out approach represented by the iconic "Do Not Sell" button/link to be used on a collecting business's website. Therefore, without opt-in, a business would not be able to collect or sell a consumer's personal information.
Second, pursuant to the two opt-in requirements noted above, a business would have to include two links on its homepage: "I Permit this Business to Collect My Personally Identifiable Information" and "I Permit this Business to Sell My Personally Identifiable Information."
Third, the New Jersey bill lacks any mandate for the application of data security protocols or protective standards applicable to the personal data collected.
Fourth, unlike the CCPA, the New Jersey legislation adopts a permanent exclusion as to employment records/data. Thus, the various rights/obligations created for the protection of personal data would not apply to such data when used for a business's processing of employee data for employment purposes. California's comparable exclusion was not part of the original CCPA, but rather implemented by amendment in late 2019 (just before its effective date) and is set to expire on Dec. 31, 2020 unless made permanent by additional legislation.
Fifth, the New Jersey bill lacks any private right of action arising from data security breaches of consumers' personal data.
Sixth, the New Jersey bill lacks a direct private right of action for individuals, providing instead an indirect private right of action only via the New Jersey Consumer Fraud Act. Specifically, a violation of AB 3255 would constitute a violation of the New Jersey Consumer Fraud Act, N.J. Stat. §56:8-1 et seq. (¶14), which includes a private right of action. However, it is unclear how the Consumer Fraud Act's broad enforcement risks would apply to businesses in violation of AB 3255.
The summary statement currently found at the end of AB 3255 — a non-operative part of the bill — provides that a first offense "is punishable by a monetary penalty of not more than $10,000" and a second offense, "not more than $20,000." This parallels N.J. Stat. §56:8-13 (Penalties), but that subsection also references Sections 8-14 and 8-15, which introduce layers of nuance to the penalties a business may face under the Consumer Fraud Act. It is also unclear if the penalties could be applied on a per instance basis, or if a procedural violation of AB 3255 would count as a single violation (regardless of how many consumers may have been affected). Accordingly, given the potential for private rights of action, the New Jersey bill also creates the potential for class actions.
Seventh, unlike the CCPA, which deferred its effective date for over a year after passage to provide businesses with time to effect systems modifications to comply with its requirements, the New Jersey bill adopts an effective date that is immediate upon passage. Thus, businesses are given no real time to implement compliance measures after the bill is passed.
Federal and State Issues
The various legislative privacy proposals across the U.S. reflect that a consensus is lacking on the best approach to digital privacy laws. As with the various breach notification laws enacted by each of the 50 states, those individual state efforts could lead to a similar patchwork of laws in which businesses will be forced to create state-specific compliance systems that may be inconsistent with one another at best, and extremely difficult to monitor or implement, at worst.
As a result, for those businesses operating in multiple states, compliance could become extremely difficult — particularly if any two states implement conflicting mandates.
The CCPA also shows how efforts to strengthen privacy laws at the state level can be less than orderly. In California, the state attorney general's office is still preparing final regulations for enforcement — months after the CCPA went into effect and businesses were required to comply with it. Moreover, several bills have been introduced in the state legislature seeking to amend the current law and a ballot measure is up for vote this November, which could change the law even more.
However, given the divisions currently in place on Capitol Hill, comprehensive federal privacy legislation does not appear very likely, at least in the near future, leaving a patchwork version of state laws a more likely possibility for now.
New Jersey's Next Steps
New Jersey's current effort appears to be the most comprehensive attempt at privacy legislation (at least in comparison to the CCPA), but it has yet to go through the scrutiny of the legislative process. Compounding that difficulty is the ongoing COVID-19 emergency, which will delay the process further — likely for at least a year into 2021 — following which will be the drafting and implementation of enforcement regulations by the New Jersey attorney general.
In all likelihood, New Jersey's current effort as reflected by AB 3255 — if it is enacted at all — will not become fully enforceable until late 2021 or 2022 at the earliest.
Kenneth K. Dort is a partner with Faegre Drinker Biddle & Reath LLP in its Chicago office, specializing in information technology, privacy and cyber security law. Mitchell S. Noordyke is an associate with Faegre Drinker Biddle & Reath LLP in its Minneapolis office, specializing in privacy and cyber security law.