An amendment to New Jersey’s data breach notification requirements of the Consumer Fraud Act is currently awaiting signature by State Governor Phil Murphy. The bill, Assembly No. 3245, was recently passed by both the New Jersey Senate and Assembly. If signed into law as expected, the amendment will expand the definition of personal information to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” In turn, it would require businesses to notify consumers of online account security breaches – thereby eliminating a business’s ability, under the current law, to avoid notifying consumers when there is a breach of online information. The bill’s statement indicates that its purpose is to provide consumers with the opportunity to quickly change online account information to prevent outside access to online accounts, and to put consumers on notice to monitor for potential identity theft.
In addition to Assembly Bill No. 3245, two other bills have been introduced in New Jersey and both address the State’s focus on privacy protections. Assembly Bill 4902 requires commercial Internet websites and online services to notify customers of the collection and disclosure of personally identifiable information and to allow customers to opt out. Specifically, the bill requires any person or entity that owns an Internet website or online service to provide on its Internet website or online service a notification that includes: (1) a complete description of the personally identifiable information that is collected; (2) all third parties to whom a customer’s personally identifiable information may be disclosed; and (3) information concerning one or more designated request addresses that a customer may use to request information under the bill. The bill also requires that Internet websites or online service homepages include a link, entitled “Do Not Sell My Personal Information”, which enables a customer to opt out of the disclosure of personally identifiable information.
Assembly Bill 4974 requires any person or entity that owns a mobile device application that collects and maintains user global positioning system (“GPS”) data to notify users about how GPS data is disclosed and allow users to opt in to disclosure. Specifically, the bill requires notification, prior to a customer activating a mobile device application, of the following: (1) a complete description of the user GPS data that will be collected through the mobile device application; (2) all third parties to whom the user GPS data may be disclosed; and (3) the length of time the user’s GPS data will be retained. In addition, the bill requires the operator to allow a user to opt in to the disclosure of the user’s GPS data.
If signed into law, the above bills will create additional notification and compliance obligations for entities that collect, use, store or disclose what is defined as “personal information” under Assembly Bill No. 3245, “personally identifiable information” under Assembly Bill 4902 and “GPS data” under Assembly Bill 4974. Companies impacted by these bills should be vigilant about monitoring the state of this legislation and consider the potential impact on their current policies and procedures.