Bill > S1389

Introduced Session

This bill imposes requirements on certain entities (i.e., controllers) that determine the purposes and means of processing personal data. However, the provisions of the bill would only apply to controllers, which conduct business in the State or produce products or services that are targeted to residents of the State, and which control or process the personal data of a minimum number of consumers each year. The bill requires a controller to provide notice to consumers of the collection and disclosure of "personal data," as that term is defined in the bill, to third parties. The bill also sets forth various requirements concerning the information that is required to be included in this notice. The bill also imposes other requirements and limitations on controllers regarding the processing of personal data, including limiting the collection and processing of personal data, taking reasonable measures to protect personal data, and obtaining consumer consent before processing certain data. Specifically, the bill imposes additional restrictions on the processing of sensitive data, as defined in the bill, or the processing of a child's personal data. Additionally, the bill requires a controller that processes personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer to allow consumers to exercise the right to opt-out of such processing through a user-selected universal opt-out mechanism. The bill permits a consumer to authorize another person to act on the consumer's behalf to opt out of the sale of personal data. The bill prohibits a controller from discriminating against a consumer if the consumer chooses to opt out of the processing for sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects of the consumer's personal data, provided certain exceptions. The bill requires a controller to complete data protection assessments, as described in the bill, and to make such assessments available to the Division of Consumer Affairs. The bill provides that a processor, in addition to a controller, has certain duties under the bill. A processor is required to cooperate with a controller so that a controller remains in compliance with the bill. Under the bill, the consumers of a controller may submit a verified request to exercise any rights established under the bill. The bill requires a controller to respond to each verified request within 45 days, except as extended in certain circumstances. Any information provided in response to a verified request would be provided free of charge, except that a controller may charge a fee for a second or subsequent request submitted within a 12-month period. The bill also requires a controller to establish a process for consumers to appeal the controller's refusal to take action on a request. The bill also establishes certain consumer rights concerning personal data, including the right to: confirm whether a controller may process or access the consumer's personal data; correct inaccuracies in the consumer's personal data; delete personal data concerning the consumer; obtain a copy of the consumer's personal data held by the controller in a portable format; and opt out of the processing of personal data for the purposes of (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

AI Summary

Committee Categories

Troy Singleton (D)*,  Linda Greenstein (D),  Nellie Pou (D), 

Withdrawn Because Approved P.L.2023, c.266. (on 01/09/2024)

Official Document