New Jersey has joined a growing list of states considering legislation on data privacy to promote transparency, accountability, and individual choice. One bill would create new obligations for commercial entities whose websites or online services collect personally identifiable information (PII) from individuals in New Jersey. A second bill would regulate an operator’s use of global positioning system (GPS) data belonging to a customer in New Jersey.

Assembly Bill 4902 (AB 4902)

AB 4902 requires an operator of a commercial internet website or online service (e.g., offsite data storage and apps) that collects PII from customers online to provide customers with notice of its data collection activities and disclosures to third parties. The operator also must allow customers to opt out of the sale or disclosure of their PII to a third party by providing a conspicuous online “Do Not Sell My Information” link. The operator need not be located in New Jersey, as long as it collects the PII from a customer “within” New Jersey.

These customer notice-and-choice rights apply to information that “personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service.” The bill includes a non-exhaustive list of PII examples covering a broad range of information relating to a customer, as well as a customer’s children, such as names, addresses, IP addresses, phone numbers, photos, Social Security number, race and ethnicity, sexual orientation, religious or political affiliations, education, health, account balances, payment history, and internet or mobile phone activity.

A website or online service might collect covered PII in many ways, including from customer shipping information, testimonials, surveys, requests for product information, online job applications, cookies and web analytics, and even dinner reservations. These provisions apply regardless of the customer’s purpose for accessing the website or service. The bottom line is that if a customer accesses a commercial operator’s website or online service and the operator collects his or her PII, AB 4902’s notice-and-choice rights apply.

Assembly Bill 4974 (AB 4974)

AB 4974 creates notice-and-choice rights for customers whose geolocation or GPS data is collected by an operator during use of a mobile application. An operator of mobile device applications must notify users about the GPS data collected, who it may be disclosed or sold to, how long it is retained, and the right to opt in to its disclosure or sale. AB 4974 defines an operator as a person or entity that owns a mobile device application that collects and maintains the user’s GPS data. Similar to AB 4902, the operator need not be a person or entity located in New Jersey and the user, or customer, is an individual “within” New Jersey.

***

In response to consumers’ increasing awareness of organizations’ data collection practices, data security, and individual data privacy rights, numerous states have drafted or proposed data protection legislation. Much of the proposed legislation under consideration, including New Jersey’s, creates significant compliance obligations for companies that collect, use, or store personal data. These companies should consider assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs) to prepare. An organization can begin by identifying all PII it collects, uses, discloses, sells, or stores; identifying cookies, pixels, and web tracking activities on its website; reviewing and updating online privacy policies; minimizing PII collection to only what is necessary; establishing and following a data retention schedule; and implementing internal policies, procedures, and training to support a meaningful data protection program.