Garden State Takes Another Stab at a Privacy Law: New Jersey Reintroduces a Privacy Bill
On January 14, 2020, New Jersey Senator Thomas H. Kean, Jr. introduced Senate Bill No. 269, a revival of the state privacy bill that died in the legislative committee last year.
The bill, as introduced by Senator Kean, would apply to businesses that (1) have an annual revenue of $5,000,000 or more; (2) derive 50% or more of their annual revenue from selling the personally identifiable information of data subjects; or (3) buy, receive, sell, or share for commercial purposes the personally identifiable information of at least 25,000 data subjects.
The bill would require businesses, before the point of collection of personal information, to provide data subjects with the following information: (1) a complete description of the information that the business collects about a data subject and the means by which the business collects the personally identifiable information; (2) the purpose and legal basis for the processing of the personally identifiable information; (3) all third parties to which the business may disclose a data subject’s personally identifiable information; (4) the purpose of the disclosure of personally identifiable information, including whether the business profits from the disclosure; and (5) the contact information of the person employed at the business responsible for personally identifiable information data protection, where applicable.
The bill further provides that the business, at the time the personally identifiable information is obtained, must provide the data subject with the following information for the purpose of ensuring fair and transparent processing: (1) the period for which the personally identifiable information will be stored or the criteria used to determine that period; and (2) the right of the data subject to request from the business access to their personally identifiable information.
In response to a data subject request, a business would be required to (1) confirm that the data subject’s personally identifiable information is, or has been, processed by the business; (2) provide a copy of the data subject’s personally identifiable information in a structured and commonly used machine-readable format; (3) correct any inaccurate personally identifiable information; and (4) subject to certain exceptions, allow the data subject to opt out of processing of their personal information. Businesses would also be obligated to maintain an information security program that meets the requirements for any information security program required by federal law or, if applicable, that meets the industry standards.
Notably, unlike the CCPA and numerous other proposed state bills, the New Jersey bill does not exclude information subject to federal privacy laws, such as HIPAA, FCRA, and GLBA, from the scope of the state law. In addition, the law will also apply to personally identifiable professional and employment-related information.
The bill would provide for a private right of action in cases where a business fails to comply with the provisions of the privacy law resulting in a data breach. The right of action would be subject to a 30-day cure notice that may include complementary dispute resolution under the state rules of civil procedure. The foregoing failure would also be a per se violation of the New Jersey Consumer Fraud Act.
The privacy law, as proposed, would take effect immediately.
We will continue to follow the legislative developments in New Jersey and other states as their privacy bills advance through the legislative process.