ASSEMBLY COMMITTEE SUBSTITUTE FOR
ASSEMBLY, Nos. 5254 and 4811
STATE OF NEW JERSEY
220th LEGISLATURE
ADOPTED MAY 11, 2023
Sponsored by:
Assemblyman WILLIAM F. MOEN, JR.
District 5 (Camden and Gloucester)
Assemblyman JOHN F. MCKEON
District 27 (Essex and Morris)
Assemblyman ROBERT J. KARABINCHAK
District 18 (Middlesex)
Assemblywoman ELLEN J. PARK
District 37 (Bergen)
SYNOPSIS
Requires registration of data brokers and prohibits brokering of certain health records.
CURRENT VERSION OF TEXT
Substitute as adopted by the Assembly Science, Innovation and Technology Committee.
An Act concerning data brokers and supplementing Title 56 of the Revised Statutes.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. As used in P.L. , c. (C. ) (pending before the Legislature as this bill):
“Behavioral health care” means procedures or services provided to a patient for the treatment of a mental illness, emotional disorder, or substance use disorder.
“Behavioral health record” means personal identifying information that describes behavioral health care or that otherwise identifies an individual patient as having a behavioral health condition or as receiving care or treatment for a behavioral health condition.
“Data broker” means a business, or a unit or units of a business, separately or together, that collects and sells or licenses to third parties the personal identifying information of an individual with whom the business does not have a direct relationship.
“Division” means the Division of Consumer Affairs in the Department of Law and Public Safety.
“Personal identifying information” means one or more of the following computerized data elements about an individual, if categorized or organized for dissemination to third parties: name; address; date of birth; place of birth; mother’s maiden name; unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data; name or address of a member of the individual’s immediate family or household; Social Security number or other government-issued identification number; or other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty. “Personal identifying information” shall not include publicly available information to the extent that it is related to an individual’s business or profession.
“Physical health care” means procedures or services provided to a patient in connection with the patient’s physical health, including, but not limited to, preventative care, reproductive care, and wellness care, as well as treatment for an illness, disorder, disease, or other acute or chronic physical health condition.
“Physical health record” means personal identifying information that describes physical health care or that otherwise identifies an individual patient as having a physical health condition or as receiving care or treatment for a physical health condition.
2. a. The Division of Consumer Affairs in the Department of Law and Public Safety shall establish and maintain a public registry of data brokers doing business in this State. Using the information submitted pursuant to subsection c. of this section, the registry shall include, at a minimum, for each data broker doing business in this State: the data broker’s name and physical address; a general email address that may be used to request information about the data broker’s privacy policies and data collection practices; a general Internet website address for the data broker; an Internet website address specific to the data broker’s privacy policies; and any relevant opt-out information. The division shall review and update the information contained in the registry at least annually.
b. Each data broker doing business in New Jersey shall annually register with, and pay a registration fee of $100 to, the division. Registration fees collected pursuant to this subsection shall be used to establish and maintain the registry required pursuant to this section.
c. Each data broker shall submit the following information to the division at the time of registration, which information shall be updated by the data broker at least annually, or at such other frequency as the division may require:
(1) the data broker’s name and primary physical, email, and Internet addresses;
(2) whether the data broker permits individuals to opt out of the data broker’s collection practices, including the method for requesting an opt-out, the type of opt-out, whether the opt-out is limited to certain activities or sales, and whether the data broker permits individuals to authorize a third party to opt out on the individual’s behalf;
(3) a statement specifying the data collection, databases, or sales activities from which an individual may not opt out;
(4) whether the data broker uses a credentialing process for purchasers of data and, if applicable, a general explanation of that process;
(5) a history of data breaches and other cybersecurity events affecting the data broker and personal identifying information in the data broker’s possession, including the number of individuals affected by each such data breach or cybersecurity event;
(6) a separate statement detailing the data collection practices, databases, sales activities, and opt-out methods that are applicable to the personal identifying information of persons under the age of 18 and whether the data broker has actual knowledge that it possesses the personal identifying information of persons under the age of 18; and
(7) any information the division deems appropriate to implement the purposes of P.L. , c. (C. ) (pending before the Legislature as this bill).
d. (1) A business that collects and sells or licenses personal identifying information shall not be considered a data broker for the purposes of P.L. , c. (C. ) (pending before the Legislature as this bill) if:
(a) the full extent to which the business collects and sells or licenses personal identifying information is incidental to conducting one or more of the following activities:
(i) developing or maintaining a third-party e-commerce or application platform;
(ii) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
(iii) providing publicly available information related to an individual’s business or profession; or
(iv) providing publicly available information via real-time or near real-time alert services for health or safety purposes; or
(b) the business is a financial institution or an affiliate of a financial institution that is subject to Title V of the federal “Gramm-Leach-Bliley Act,” 15 U.C.S. s.6801 et seq., and the rules and regulations promulgated thereunder.
(2) A business that engages in one or more of the activities described in sub-subparagraphs (i) through (iv) of subparagraph (a) of paragraph 1 of this subsection shall be considered a data broker for the purposes of P.L. , c. (C. ) (pending before the Legislature as this bill) if the business collects and sells or licenses personal identifying information in any way that is not incidental to an activity described in sub-subparagraphs (i) through (iv) of subparagraph (a) of paragraph 1 of this subsection, unless the business is exempt under subparagraph (b) of paragraph (1) of this subsection.
3. In no case shall a data broker sell, offer for sale, license, or otherwise furnish, provide, or transmit to any other individual or entity a physical health record or a behavioral health record.
4. a. A data broker that fails to register with the division or to submit the annual registration fee as required under subsection b. of section 2 of P.L. , c. (C. ) (pending before the Legislature as this bill) shall be liable to a civil penalty of $50 for each day the data broker fails to register or submit the required fee.
b. A data broker that fails to submit the information required under subsection c. of section 2 of P.L. , c. (C. ) (pending before the Legislature as this bill) or to update the information as required under subsection c. of section 2 of P.L. , c. (C. ) (pending before the Legislature as this bill) shall be liable for a civil penalty of $50 for each day the data broker fails to submit or update the information.
c. A data broker that sells, offers for sale, licenses, or otherwise furnishes, provides, or transmits to any other individual or entity a physical health record or a behavioral health record in violation of section 3 of P.L. , c. (C. ) (pending before the Legislature as this bill) shall be liable to a civil penalty of $1,000 for each physical or behavioral health record sold, offered for sale, licensed, or otherwise furnished, provided, or transmitted.
d. A civil penalty assessed pursuant to this section shall be collected and enforced by the division in summary proceedings before a court of competent jurisdiction pursuant to the provisions of the “Penalty Enforcement Law of 1999,” P.L.1999, c.274 (C.2A:58-10 et seq.).
5. The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall adopt rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), as shall be necessary for the implementation of P.L. , c. (C. ) (pending before the Legislature as this bill).
6. This act shall take effect immediately, except that subsections a. and b. of section 4 of this act shall remain inoperative for 180 days following the date of enactment.