New Jersey Joins the Data Privacy Frontier

  In the wake of world-wide disturbance over Facebook disclosures following the U.S. election, the new GDPR data protection and collection requirements that took effect this year, and concerns about household appliances that can be used for surveillance, privacy has been at the forefront of social and legal landscape. As technology trends are examined and understood more, public call for more transparency and more stringent data protections increases. Long the pioneer in privacy regulation, this summer California passed AB 375, also known as the California Consumer Privacy Act of 2018.¹

  In short, California’s law which takes effect in 2020, enables Californians to know what data about them is collected and stored by companies, the purpose of the collection, and who the data is shared with.²The law also allows Californians to opt out of the sale of their data, request deletion of their data and provides for a private cause of action for violations of the law.³Armed with California’s version of the Bill governing the collection and use of consumer data, New Jersey introduced its own consumer privacy regulation, NJ S2834, in July 2018.⁴

  NJ S2834 requires notification from commercial Internet websites and online services about their collection and disclosure of personally identifiable information.⁵Personally identifiable information is defined as information that personally identifies, describes or is able to be associated with a customer of a commercial Internet website or online service.⁶NJ S2834 provides a broad list of information elements that can be considered personally identifiable.⁷The list includes demographic, biometric, geographic, medical, and financial data among other types of information, such as information relating to political and religious affiliations or activities.⁸Interestingly, NJ S2834 encompasses these categories of information not only as they pertain to the customer but also the customers’ children.⁹

  The application of the NJ S2834 to customers’ children leaves open many questions. For example, is the child’s information considered a customer’s personal information only if it is collected from the parent-customer or if it is also collected directly from the child? This distinction will have implications on other parts of this Bill and its enforcement of the rights provided by it to consumers, e.g., whether a parent’s choice to allow the selling of their data is an implicit consent to sell the child’s data collected from the parent or a parent’s activity online and whether the answer to this question remains the same if the data was collected directly from the child.¹⁰Similarly, it is unclear if a child under NJ S2834 is a legal minor under the age of 18 or whether NJ S2834 contemplates a more narrow age restriction. It is possible and even likely that by the time NJ S2834 passes, if it does, that it will undergo many revisions. During these revisions, the categories of personal information may be narrowed down and the application of the Bill’s requirements to the information may get better defined and clarified.

  With respect to the requirements of NJ S2834, like AB 375, it allows consumers to obtain a complete description of the personally identifiable information collected about them and notification of what is shared with third parties, including the third party’s identity.¹¹The Bill also requires a clear and visible link to “Do Not Sell My Personal Information” and imposes prohibitions against discrimination of customers who choose to opt-out of the sale of their information.¹²Further, the Bill provides that operators not ask a consumer for authorization to share information for 12-months following the consumer’s choice to opt-out, which leaves the question of how this prohibition applies to information collected by one operator of different websites or a single operator collecting different categories of information for different types of services.¹³Another important characteristic of NJ S2834 is that, unlike AB 375, it does not provide a private cause of action for violations of this law.¹⁴

  NJ S2834 is in its early stages and will undergo a lot more scrutiny going forward, but it is certainly a breakthrough piece of legislation following what will undoubtedly become a large trend among the states. I am interested to see further developments in this domain.