ASSEMBLY, No. 5254

STATE OF NEW JERSEY

220th LEGISLATURE

 

INTRODUCED FEBRUARY 28, 2023

Sponsored by:

Assemblyman  JOHN F. MCKEON

District 27 (Essex and Morris)

Assemblyman  ROBERT J. KARABINCHAK

District 18 (Middlesex)

Assemblywoman  ELLEN J. PARK

District 37 (Bergen)

SYNOPSIS

     Requires registration of data brokers; prohibits brokering of certain health records.

 

CURRENT VERSION OF TEXT

     As introduced.

An Act concerning data brokers and supplementing Title 56 of the Revised Statutes.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    As used in this act:

     “Behavioral health care” means procedures or services provided to a patient for the treatment of a mental illness, emotional disorder, or substance use disorder.

     “Behavioral health record” means personal identifying information that describes behavioral health care or that otherwise identifies an individual patient as having a behavioral health condition or as receiving care or treatment for a behavioral health condition.

     “Data broker” means a business, or a unit or units of a business, separately or together, that collects and sells or licenses to third parties the personal identifying information of an individual with whom the business does not have a direct relationship.  

     “Division” means the Division of Consumer Affairs in the Department of Law and Public Safety.

     “Physical health care” means procedures or services provided to a patient in connection with the patient’s physical health, including, but not limited to, preventative care, reproductive care, and wellness care, as well as treatment for an illness, disorder, disease, or other acute or chronic physical health condition.

     “Physical health record” means personal identifying information that describes physical health care or that otherwise identifies an individual patient as having a physical health condition or as receiving care or treatment for a physical health condition.

     “Personal identifying information” means one or more of the following computerized data elements about an individual, if categorized or organized for dissemination to third parties:  name; address; date of birth; place of birth; mother’s maiden name; unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data; name or address of a member of the individual’s immediate family or household; Social Security number or other government-issued identification number; or other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.  “Personal identifying information” shall not include publicly available information to the extent that it is related to an individual’s business or profession.

     2.    a.  The Division of Consumer Affairs in the Department of Law and Public Safety shall establish and maintain a public registry of data brokers doing business in this State.  Using the information submitted pursuant to subsection c. of this section, the registry shall include, at a minimum, for each data broker doing business in this State:  the data broker’s name and physical address; a general email address that may be used to request information about the data broker’s privacy policies and data collection practices; a general Internet website address for the data broker; an Internet website address specific to the data broker’s privacy policies; and any relevant opt-out information.  The division shall review and update the information contained in the registry at least annually.

     b.    Each data broker doing business in New Jersey shall annually register with, and pay a registration fee of $100 to, the division.  Registration fees collected pursuant to this subsection shall be used to establish and maintain the registry required pursuant to this section.

     c.     Each data broker shall submit the following information to the division at the time of registration, which information shall be updated by the data broker at least annually, or at such other frequency as the division may require:

     (1)   the data broker’s name and primary physical, email, and Internet addresses;

     (2)   whether the data broker permits individuals to opt out of the data broker’s collection practices, including the method for requesting an opt-out, the type of opt-out, whether the opt-out is limited to certain activities or sales, and whether the data broker permits individuals to authorize a third party to opt out on the individual’s behalf;

     (3)   a statement specifying the data collection, databases, or sales activities from which an individual may not opt out;

     (4)   whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation of that process;

     (5)   a history of data breaches and other cybersecurity events affecting the data broker and personal identifying information in the data broker’s possession, including the number of individuals affected by each such data breach or cybersecurity event;

     (6) a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal identifying information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the personal identifying information of persons under the age of 18; and

     (7) any information the division deems appropriate to implement the purposes of this act.

     d.    (1)  A business that collects and sells or licenses personal identifying information shall not be considered a data broker for the purposes of this act if the full extent to which the business collects and sells or licenses personal identifying information is incidental to conducting one or more of the following activities:

     (a)   developing or maintaining a third-party e-commerce or application platform;

     (b)   providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;

     (c)   providing publicly available information related to an individual’s business or profession; or

     (d)   providing publicly available information via real-time or near real-time alert services for health or safety purposes.

     (2)   A business that engages in one or more of the activities described in subparagraphs (a) through (d) of paragraph (1) of this subsection shall be considered a data broker for the purposes of this act if the business collects and sells or licenses personal identifying information in any way that is not incidental to an activity described in subparagraphs (a) through (d) of paragraph (1) of this subsection.

 

     3.    In no case shall a data broker sell, offer for sale, license, or otherwise furnish, provide, or transmit to any other individual or entity a physical health record or a behavioral health record.

 

     4.  a.  A data broker that fails to register with the division or to submit the annual registration fee as required under subsection b. of section 2 of this act shall be liable to a civil penalty of $50 per day for each day the data broker fails to register or submit the required fee. 

     b.    A data broker that fails to submit the information required under subsection c. of section 2 of this act or to update the information as required under subsection c. of section 2 of this act shall be liable to a civil penalty of $50 per day for each day the data broker fails to submit or update the information. 

     c.     A data broker that sells, offers for sale, licenses, or otherwise furnishes, provides, or transmits to any other individual or entity a physical health record or a behavioral health record in violation of section 3 of this act shall be liable to a civil penalty of $1,000 for each behavioral health record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted.

     d.    A civil penalty assessed pursuant to this section shall be collected and enforced by the division in summary proceedings before a court of competent jurisdiction pursuant to the provisions of the “Penalty Enforcement Law of 1999,” P.L.1999, c.274 (C.2A:58-10 et seq.).

 

     5.    The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall adopt rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), as shall be necessary for the implementation of this act.

 

     6.    This act shall take effect immediately, except that subsections a. and b. of section 4 of this act shall remain inoperative for 180 days following the date of enactment.

 

 

STATEMENT

 

     This bill requires data brokers to register with the Division of Consumer Affairs in the Department of Law and Public Safety, and prohibits the brokering of behavioral health records.

     Data brokers are businesses that collect and sell or license to third parties the personal identifying information of an individual with whom the business does not have a direct relationship.  As used in the bill, “personal identifying information” means one or more computerized data elements about an individual that are categorized or organized for dissemination to third parties and that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.  These data elements include, but are not limited to, an individual’s:  1) name; 2) address; 3) date of birth; 4) place of birth; 5) mother’s maiden name; 6) biometric data; 7) immediate family members’ names or addresses; or 8) Social Security number or other government-issued identification number.

     Specifically, the bill requires the division to establish and maintain a public registry of data brokers doing business in New Jersey.  Data brokers will be required to register with the division, pay an annual registration fee of $100, and provide the division with certain information about the data broker’s business.  Collected registration fees will be used to implement the provisions of the bill.

     The information data brokers will be required to submit to the division at the time of registration will include:  1) the data broker’s name and primary physical, email, and Internet addresses; 2) the data broker’s policies for opting out of the data broker’s collection practices; 3) whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation of that process; 4) a history of data breaches and other cybersecurity events affecting the data broker, including the number of individuals affected by each such data breach or cybersecurity event; 5) a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal identifying information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the personal identifying information of persons under the age of 18; and 6) any other information the division deems appropriate.  Data brokers will be required to update this information annually, or at such other intervals as the division requires. 

     Using the information submitted by data brokers, the division will include in the registry, at a minimum, each data broker’s name and physical address, a general email address that may be used to request information about the data broker’s privacy policies and data collection practices, a general Internet website address for the data broker, an Internet website address specific to the data broker’s privacy policies, and any relevant opt-out information.  The division will be required to review and update this information at least annually.

     Data brokers that fail to submit and update information as required under the bill, or that fail to register and pay the registration fee required under the bill, will be liable to a civil penalty of $50 per day for each day the data broker is not in compliance.

     A business will not be considered a data broker for the purposes of the bill if the business collects and sells or licenses personal identifying information, but the collection and sale or licensing of personal identifying information is incidental to one or more of the following activities:  developing or maintaining a third-party e-commerce or application platform; providing 411 directory assistance or directory information services on behalf of or as a function of a telecommunications carrier; providing publicly available information related to an individual’s business or profession; or providing publicly available information via real-time or near real-time alert services for health or safety purposes.  A business that engages in these activities will still be considered a data broker for the purposes of the bill if the business collects and sells or licenses personal identifying information in any way that is not incidental to one or more of those activities.

     The bill provides that in no case may a data broker sell, offer for sale, license, or otherwise furnish, provide, or transmit to any other individual or entity any physical or behavioral health record pertaining to an individual, including records describing physical or behavioral health care provided to an individual and records that otherwise identify an individual as having a physical or behavioral health condition or as receiving care or treatment for a physical or behavioral health condition.  A data broker that violates this prohibition will be liable to a civil penalty of $1,000 for each physical health record and for each behavioral health record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted in violation of this prohibition. 

     For the purposes of the bill, “behavioral health care” includes procedures or services provided to a patient for the treatment of a mental illness, emotional disorder, or substance use disorder.  “Physical health care” means procedures or services provided to a patient in connection with the patient’s physical health, including, but not limited to, preventative care, reproductive care, and wellness care, as well as treatment for an illness, disorder, disease, or other acute or chronic physical health condition.