ASSEMBLY JUDICIARY COMMITTEE

STATEMENT TO

[Fourth Reprint]

SENATE, No. 332

with committee amendments

STATE OF NEW JERSEY

DATED:  DECEMBER 18, 2023

      The Assembly Judiciary Committee reports favorably and with committee amendments on Senate Bill No. 332 (4R).

      As amended and reported, this bill imposes requirements on certain entities (i.e., controllers) that determine the purposes and means of processing personal data.  However, the provisions of the bill would only apply to controllers that conduct business in the State or produce products or services that are targeted to residents of the State, and that control or process the personal data of a minimum number of consumers each year.

      The bill requires a controller to provide notice to consumers of the collection and disclosure of “personal data,” as that term is defined in the bill, to third parties. The bill also sets forth various requirements concerning the information that is required to be included in this notice.  The bill also imposes other requirements and limitations on controllers regarding the processing of personal data, including limiting the collection and processing of personal data, taking reasonable measures to protect personal data, and obtaining consumer consent before processing certain data.  Specifically, the bill imposes additional restrictions on the processing of sensitive data, as defined in the bill, or the processing of a child’s personal data.

      Additionally, the bill requires a controller that processes personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer to allow consumers to exercise the right to opt out of such processing through a user-selected universal opt-out mechanism.  The bill permits a consumer to authorize another person to act on the consumer’s behalf to opt out of the sale of personal data.  The bill prohibits a controller from discriminating against a consumer if the consumer chooses to opt out of the processing of the consumer’s personal data for sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects, subject to certain exceptions.

      The bill requires a controller to complete data protection assessments, as described in the bill, and to make such assessments available to the Division of Consumer Affairs.

      The bill provides that a processor, in addition to a controller, has certain duties under the bill.  A processor is required to cooperate with a controller so that a controller remains in compliance with the bill.

      Under the bill, the consumers of a controller may submit a verified request to exercise any rights established under the bill.  The bill requires a controller to respond to each verified request within 45 days, except as extended in certain circumstances.  Any information provided in response to a verified request would be provided free of charge, except that a controller may charge a fee for a second or subsequent request submitted within a 12-month period.  The bill also requires a controller to establish a process for consumers to appeal the controller’s refusal to take action on a request.

      The bill also establishes certain consumer rights concerning personal data, including the right to: confirm whether a controller may process or access the consumer’s personal data; correct inaccuracies in the consumer’s personal data; delete personal data concerning the consumer; obtain a copy of the consumer’s personal data held by the controller in a portable format; and opt out of the processing of personal data for the purposes of (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

      As amended and reported by the committee, this bill is identical to Assembly Bill No. 1971 (1R), which was also amended and reported by the committee on this date.

COMMITTEE AMENDMENTS:

      The committee amended the bill to:

      (1)  add the definitions of the terms “biometric data,” “child,” “consent,” “controller,” “COPPA,” “dark pattern,” “decisions that produce legal or similarly significant effects concerning the consumer,” “precise geolocation data,” “process,” “processor,” “profiling,” “sensitive data,” “targeted advertising,” and “trade secret” to the bill;

      (2)  remove the definitions of the terms “business,” “disclose,” “online service,” “operator,” and “service provider” from the bill;

      (3)  revise certain definitions in the bill and replace the term “personally identifiable information” with the term “personal data”;

      (4)  provide that the bill’s provisions apply to controllers that conduct business in the State or target products and services to residents of the State, and that control or process a minimum number of consumers’ personal data;

      (5)  require a controller to provide on the online service a reasonably accessible, clear, and meaningful privacy notice to the consumer, which privacy notice is required to contain certain information, including the disclosure of a controller’s sale of personal data to third parties for certain purposes in the privacy notice posted on its Internet website;

      (6)  prohibit a controller from requiring a consumer to create a new account in order to exercise a right or increasing the cost of, or decreasing the availability of, a product or service based solely upon the exercise of a right;

      (7)  provide that a controller is required to respond to a consumer’s request for certain information, collected or processed after the effective date of this bill, within 45 days, and to permit a 45-day extension of this period, if necessary, with notice to the consumer;

      (8)  provide for a controller’s process for responding to a consumer request for information, for certain conditions which permit the controller to deny a request, and for a consumer’s ability to appeal the denial;

      (9)  prohibit a controller from discriminating against consumers who opt out of the processing of their personal data;

      (10)  outline consumer rights under the bill;

      (11)  provide a description of compliant deletion of personal data by a controller upon a consumer’s request;

      (12)  permit a consumer to authorize another person to act on the consumer’s behalf to opt out of the sale of personal data;

      (13)  provide that within four months of the bill’s effective date, a controller is required to provide a mechanism by which a consumer may opt out of the collection of personal data for certain reasons;

      (14)  outline certain restrictions on a controller’s collection and processing of personal data, including restrictions on the processing of sensitive data or the processing of a child’s personal data;

      (15)  require a controller to complete data protection assessments and make such assessments available to the Division of Consumer Affairs;

      (16)  place certain duties previously created by the bill for an operator instead upon a controller, as defined in the bill as amended;

      (17)  provide that a processor, in addition to a controller, has certain duties under the bill and is required to cooperate so that a controller remains in compliance with the bill;

      (18)  provide that the bill is to take effect on the 365th day following the date of enactment, instead of the 180th day; and

      (19)  make technical changes to the bill.