ASSEMBLY SCIENCE, INNOVATION AND TECHNOLOGY COMMITTEE
STATEMENT TO
ASSEMBLY COMMITTEE SUBSTITUTE FOR
ASSEMBLY, Nos. 5254 and 4811
STATE OF NEW JERSEY
DATED: MAY 11, 2023
The Assembly Science, Innovation and Technology Committee reports favorably this Assembly Committee Substitute for Assembly Bill Nos. 5254 and 4811.
As reported, this bill requires data brokers to register with the Division of Consumer Affairs (“the division”) in the Department of Law and Public Safety and prohibits the brokering of physical or behavioral health records.
Data brokers are businesses that collect and sell or license to third parties the personal identifying information of an individual with whom the business does not have a direct relationship. As used in the bill, “personal identifying information” means one or more computerized data elements about an individual that are categorized or organized for dissemination to third parties and that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.
Specifically, the bill requires the division to establish and maintain a public registry of data brokers doing business in New Jersey. Data brokers are required to register with the division, pay an annual registration fee of $100, and provide the division with certain information about the data broker’s business as described in the bill. Collected registration fees will be used to implement the provisions of the bill.
Under the bill, the information that data brokers are required to submit to the division at the time of registration includes: (1) the data broker’s name and primary physical, email, and Internet addresses; (2) the data broker’s policies for opting out of the data broker’s collection practices; (3) whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation of that process; (4) a history of data breaches and other cybersecurity events affecting the data broker, including the number of individuals affected by each such data breach or cybersecurity event; (5) a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal identifying information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the personal identifying information of persons under the age of 18; and (6) any other information the division deems appropriate. Data brokers are required to update this information annually or at such other intervals as the division requires.
Using the information submitted by data brokers, the division is to include in the registry, at minimum, each data broker’s name and physical address, a general email address that may be used to request information about the data broker’s privacy policies and data collection practices, a general Internet website address for the data broker, an Internet website address specific to the data broker’s privacy policies, and any relevant opt-out information. The division is required to review and update this information at least annually.
Data brokers that fail to submit and update information as required under the bill, or that fail to register and pay the registration fee required under the bill, will be liable for a civil penalty of $50 for each day the data broker is not in compliance.
A business will not be considered a data broker for the purposes of the bill if the collection and sale or licensing of personal identifying information is incidental to one or more of the following activities conducted by the business: (1) developing or maintaining a third-party e-commerce or application platform; (2) providing 411 directory assistance or directory information services on behalf of or as a function of a telecommunications carrier; (3) providing publicly available information related to an individual’s business or profession; or (4) providing publicly available information via real-time or near real-time alert services for health or safety purposes. A business that engages in these activities will still be considered a data broker for the purposes of the bill if the business collects and sells or licenses personal identifying information in any way that is not incidental to one or more of those activities.
Additionally, a business will not be considered a data broker for the purposes of the bill if it is a financial institution or an affiliate of a financial institution subject to Title V of the federal “Gramm-Leach-Bliley Act,” and the rules or regulations issued under its authority.
The bill provides that in no case may a data broker sell, offer for sale, license, or otherwise furnish, provide, or transmit to any other individual or entity any physical or behavioral health record pertaining to an individual, including records describing physical or behavioral health care provided to an individual and records that otherwise identify an individual as having a physical or behavioral health condition or as receiving care or treatment for a physical or behavioral health condition. A data broker that violates this prohibition will be liable to a civil penalty of $1,000 for each physical or behavioral health record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted in violation of this prohibition.