
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

New Jersey legislators are joining a growing line of states in proposing a bill to strengthen data privacy protections, following in the footsteps of privacy laws enacted in Europe and California.

The New Jersey bill (AB 3255) would require businesses to obtain permission from New Jersey consumers before they could collect personal data and sell/share it with third parties. The legislation would have implications for most companies that do business in New Jersey and collect consumer data of New Jersey residents.

The bill was introduced by Assemblyman John Burzichelli in the General Assembly on Feb. 25, 2020, and referred to the Assembly's Science, Innovation and Technology Committee, which is chaired by Assemblyman Andrew Zwicker. As of press time, no committee hearings have yet been held to consider this bill.

As noted, several states, including Florida (H. 963), Illinois (SB 2330), Massachusetts (S. 120), New York (S. 224), Texas (HB 4390), Virginia (HB 473) and Washington (SB 6281), have introduced legislation that would create comprehensive data privacy laws. These follow California's law, the California Consumer Privacy Act (CCPA), which went into effect in January 2020, and the European Union's law, the General Data Protection Regulation (GDPR), which went into effect in May 2018.

Under the New Jersey bill, certain companies that do business in New Jersey and that collect personal data of New Jersey residents would be required to provide information in clear language to consumers about how they will use the data. In general, consumers would be able to ask companies to provide them with their own personal data that the companies sell to third parties. And consumers would be able to ask companies collecting such data to delete their personal information.


NJ Act's Similarities with CCPA

The New Jersey legislation is in many ways a carbon copy of the CCPA. In particular, their similarities are as follows.

First, both have comprehensive definitions of the personal data to be protected — that is, "any information that personally identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a consumer or household," including: i) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers; ii) characteristics of protected classifications under State or federal law; iii) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; iv) biometric information; v) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement; vi) geolocation data; vii) audio, electronic, visual, thermal, olfactory, or similar information; viii) professional or employment-related information; and ix) education records.

In addition, businesses would not only have to do business in New Jersey, they would also have to either: i) have annual gross revenue of at least $25 million; ii) derive 50% or more of their annual revenue from selling the personal data of consumers; or iii) annually buy and/or sell the personal data of at least 50,000 consumers.

Second, consumers would have many of the same rights as under the CCPA: i) to have the business disclose to the consumer before collection what categories of personal data would be collected, and the purposes for which that data would be used; ii) following collection, to request the business disclose what categories and specific pieces of data have been collected from that consumer; iii) following collection, to request that the business delete any personal data that it has collected from that consumer; iv) following collection, to request that the business disclose the categories of data collected, the categories of sources from which data has been collected, the purposes for which that data has been collected, the categories of third parties with which the business shares personal data, and the specific pieces of personal data that it has collected about that consumer.

Third, businesses would have to disclose to requesting consumers (subject to the business' verification of the request's authenticity) the information sought (as noted in the above paragraph).

Fourth, businesses would be prohibited from discriminating against any consumer in response to a consumer's exercise of their rights arising from the legislation (such as by denying goods or services, charging different prices for goods or services, or providing different quality of goods or services). However, businesses would be able to offer financial incentives for the collection of personal data (and thus provide differing levels of quality or different pricing as long as the differences are directly related to the value provided to the business by the personal data in question).

Fifth, businesses that collect personal data would have to provide consumers with designated means by which consumers could contact the business to exercise their rights — such as by mail address, online website, and toll-free telephone numbers, depending on how the data was collected.

Sixth, businesses that collect personal data would have to provide privacy policies that are accessible to consumers and that provide the general lines of information noted above — types of information collected, the purposes for which the data would be collected, and the consumer's request and other rights.

Seventh, businesses that collect personal data would be able to create a webpage separate from their general home page, which would be directed specifically to New Jersey residents.


Differences from CCPA

However, notwithstanding the above similarities, there are a few notable and significant differences between AB 3255 and the CCPA.

First, the New Jersey bill utilizes an opt-in regime for the collection of personal information, as well as for the sale of personal information. In contrast, the CCPA utilizes an opt-out approach represented by the iconic "Do Not Sell" button/link to be used on a collecting business's website. Therefore, without opt-in, a business would not be able to collect or sell a consumer's personal information.

Second, pursuant to the two opt-in requirements noted above, a business would have to include two links on its homepage — "I Permit this Business to Collect My Personally Identifiable Information" and "I Permit this Business to Sell My Personally Identifiable Information."

Third, the New Jersey bill lacks any mandate for the application of data security protocols or protective standards applicable to the personal data collected.

Fourth, unlike the CCPA, the New Jersey legislation adopts a permanent exclusion as to employment records/data. Thus, the various rights/obligations created for the protection of personal data would not apply to such data when used for a business's processing of employee data for employment purposes. California's comparable exclusion was not part of the original CCPA, but rather implemented by amendment in late 2019 (just before its effective date) and is set to expire on Dec. 31, 2020 unless made permanent by additional legislation.

Fifth, the New Jersey bill lacks any private right of action arising from data security breaches of consumers' personal data.

Sixth, the New Jersey bill lacks a direct private right of action for individuals, and instead provides an indirect private right of action only via the New Jersey Consumer Fraud Act. Specifically, a violation of AB 3255 would constitute a violation of the New Jersey Consumer Fraud Act, N.J. Stat. §56:8-1 et seq. (¶14), which includes a private right of action. However, it is unclear how the Consumer Fraud Act's broad enforcement risks would apply to businesses in violation of AB 3255.

The summary statement currently found at the end of AB 3255 — a non-operative part of the bill — provides that a first offense "is punishable by a monetary penalty of not more than $10,000" and a second offense, "not more than $20,000." This parallels N.J. Stat. §56:8-13 (Penalties), but that subsection also references Sections 8-14 and 8-15, which introduce layers of nuance to the penalties a business may face under the Consumer Fraud Act. It is also unclear if the penalties could be applied on a per instance basis, or if a procedural violation of AB 3255 would count as a single violation (regardless of how many consumers may have been affected). Accordingly, given the potential for private rights of action, the New Jersey bill also creates the potential for class actions.

Seventh, unlike the CCPA, which deferred its effective date for over a year after passage to provide businesses with time to effect systems modifications to comply with its requirements, the New Jersey bill adopts an effective date that is immediate upon passage. Thus, businesses are given no real time to implement compliance measures after the bill is passed.


Federal and State Issues

The various legislative privacy proposals across the U.S. reflect that a consensus is lacking on the best approach to digital privacy laws. As with the various breach notification laws enacted by each of the 50 states, those individual state efforts could lead to a similar patchwork of laws in which businesses will be forced to create state-specific compliance systems that may be inconsistent with one another at best, and extremely difficult to monitor or implement, at worst.

As a result, for those businesses operating in multiple states, compliance could become extremely difficult — particularly if any two states implement conflicting mandates.

The CCPA also shows how efforts to strengthen privacy laws at the state level can be less than orderly. In California, the state attorney general's office is still preparing final regulations for enforcement — months after the CCPA went into effect and businesses were required to comply with it. Moreover, several bills have been introduced in the state legislature seeking to amend the current law and a ballot measure is up for vote this November, which could change the law even more.

However, given the divisions currently in place on Capitol Hill, comprehensive federal privacy legislation does not appear very likely, at least in the near future, leaving a patchwork version of state laws a more likely possibility for now.


New Jersey's Next Steps

New Jersey's current effort appears to be the most comprehensive attempt at privacy legislation (at least in comparison to the CCPA), but it has yet to go through the scrutiny of the legislative process. Compounding that difficulty is the ongoing COVID-19 emergency, which will delay the process further — likely for at least a year into 2021 — following which will be the drafting and implementation of enforcement regulations by the New Jersey attorney general.

In all likelihood, New Jersey's current effort as reflected by AB 3255 — if it is enacted at all — will not become fully enforceable until late 2021 or 2022 at the earliest.

 

Kenneth K. Dort is a partner with Faegre Drinker Biddle & Reath LLP in its Chicago office, specializing in information technology, privacy and cyber security law. Mitchell S. Noordyke is an associate with Faegre Drinker Biddle & Reath LLP in its Minneapolis office, specializing in privacy and cyber security law.