Press "Enter" to skip to content

Privacy Legislation Introduced in the Garden State is a Short but Weedy Row to Hoe

nj consumer privacy actAlthough just over five pages in length (excluding the cover page and three-page summary), New Jersey S269 is not your garden-variety piece of privacy legislation and is packed with plenty of weedy issues. The bill was introduced by the state Senate Republican leader.

The legislation would capture a significantly greater number of smaller businesses than the California Consumer Privacy Act (CCPA) due to decreased thresholds.  A business would be subject to the privacy act if it does business in New Jersey and:

  1. has an annual gross revenue of $5 million or more (as opposed to $25 million under the CCPA);
  2. derives 50 percent or more of its annual revenue from selling the personally identifiable information of data subjects; or
  3. alone or in combination, annually buys, receives, sells, or shares for commercial purposes the personally identifiable information of at least 25,000 data subjects (as opposed to the CCPA’s 50,000 threshold).

Unlike the CCPA, the definition of “business” does not expressly exclude non-profit entities.

Like the CCPA, the legislation would require a notice at collection, but the information required is more onerous.  As a refresher, the CCPA and its recently modified proposed regulations require that the notice at collection include:

  1. the categories of personal information to be collected;
  2. the business or commercial purposes for the collection;
  3. a “Do Not Sell My Personal Information” link, if applicable; and
  4. a link or directions to the business’s privacy policy.

In contrast, the New Jersey legislation would require the notice at collection to include:

  1. a complete description of the personally identifiable information that the business collects about a data subject and the means by which a business collects the personally identifiable information [as opposed to the CCPA’s categories of information];
  2. the purpose and legal basis for the processing of the personally identifiable information;
  3. all third parties with which the business may disclose a data subject’s personally identifiable information [here too, the CCPA only requires disclosure of categories of third parties];
  4. the purpose of the disclosure of personally identifiable information, including whether the business profits from the disclosure; and
  5. the contact information of the person employed at the business responsible for personally identifiable information data protection, where applicable.

Consumers would have the right to know and request deletion of the personal information collected about them, and to opt out of the processing of their personal information.

The legislation does not include any exemptions for businesses or personal information subject to the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act.

The legislation provides a private right of action in the event of a breach and damages equal to  actual damages or $100 to $750 per data subject per incident, whichever is greater.

The director of the Division of Consumer Affairs in the Department of Law and Public Safety would be tasked with rulemaking.

The bill is identical to one introduced by the sponsor in October 2019, at the end of New Jersey’s 2018-2019 session where it soon died with no significant action taken. At the start of the 2020-2021 legislative session, the bill was reintroduced as S269 and now has two years to make its way through the New Jersey legislative process. No significant action has been taken since its introduction. It is too early to say what the final bill will look like or if it even has the prospect of becoming law.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.