

NJ A1902

"New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.



Introduced: 01/09/2024
In Committee: 01/09/2024
Crossed Over:
Passed:
Dead: 01/12/2026

Introduced Session

2024-2025 Regular Session

Bill Summary

The bill, entitled the "New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)," establishes certain rights for consumers concerning the disclosure and processing of a consumer's personally identifiable information. A controller, as that term is defined in the bill, that collects the personally identifiable information of a consumer may lawfully process the personally identifiable information pursuant to certain provisions in the bill only if at least one of the following applies:
1) the consumer has given consent to the processing of the personally identifiable information for at least one specific purpose provided by the controller;
2) processing is necessary for the performance of a contract to which the consumer is a party or in order to take steps at the request of the consumer prior to entering into a contract;
3) processing is necessary for compliance with a legal obligation to which the controller is subject;
4) processing is necessary to protect the vital interest of the consumer or another person;
5) processing is necessary for the performance of a task conducted in the public interest or in the exercise of official authority vested in the controller; or
6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the consumer, which require protection of personally identifiable information, including that of a child.
The bill provides that a controller that collects the personally identifiable information of a consumer is to, at the time when personally identifiable information is collected, provide to the consumer information concerning the processing of that personally identifiable information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in writing or by other means, including, where appropriate, by electronic means; that information is to include, but not be limited to, certain information listed in the bill. The bill further provides that where the controller intends to process a consumer's personally identifiable information for a purpose other than that for which the personally identifiable information was collected, the controller is to provide certain disclosures to the consumer prior to that processing. The processing of personally identifiable information revealing racial or ethnic origin, political opinion, religious or philosophical belief, or trade union membership, the processing of biometric data for the purpose of uniquely identifying a person, and the processing of information concerning health or a person's sexual history or orientation is to be prohibited except in certain circumstances provided in the bill. The bill provides that a controller that discloses a consumer's personally identifiable information to a processor or third party is to make certain information provided in the bill available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address. The bill provides that a controller that receives a verified request from a consumer is to provide a response to the consumer within 30 days of the controller's receipt of the request and is to provide information concerning all disclosures of personally identifiable information.
The bill provides that if the controller does not take action on a consumer's verified request the controller is to inform the consumer without undue delay and at the latest within one month of receipt of the verified request of the reasons for not taking action and on the ability for the consumer to lodge a complaint with the Office of Data Protection and Responsible Use (office) in the Division of Consumer Affairs in the Department of Law and Public Safety, established by the bill. The bill provides that the purpose of the office is to serve as a clearinghouse of information, comprehensive resource for consumers, controllers, and processors, and regulatory body concerning the security and processing of personally identifiable information. The office's functions are enumerated in the bill. The bill provides that a consumer is to have the right to obtain by any means from the controller rectification of inaccurate personally identifiable information. A consumer is to have the right to obtain by any means from the controller the erasure, or restriction of the processing, of personally identifiable information under certain circumstances provided by the bill. The bill provides that where processing has been restricted, personally identifiable information, with the exception of storage, is to only be processed with the consumer's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another person or legal entity or for the public interest. The bill provides that a controller is to notify each processor and third party that received a consumer's personally identifiable information of any rectification or erasure of personally identifiable information made by a consumer pursuant to the bill or restriction of processing made by a consumer pursuant to the bill. 
The bill provides that a consumer is to have the right to object, by any means, to the processing of personally identifiable information, at which time the controller is to no longer process the personally identifiable information unless the controller demonstrates compelling legitimate grounds for the processing which overrides the interests, rights, and freedoms of the consumer or for the establishment, exercise, or defense of legal claims. Where personally identifiable information is processed for direct marketing purposes, including profiling, the consumer is to have the right to object at any time to processing of personally identifiable information for this purpose, at which time the personally identifiable information is to no longer be used for this purpose. The bill provides that where personally identifiable information is processed for scientific or historical research purposes or statistical purposes, the consumer is to have the right to object, by any means, to the processing of their personally identifiable information unless the processing is necessary for the public interest. The bill provides that a consumer is not to be subject to a decision based solely on automated decision making, including profiling, which produces legal effects concerning the consumer or similarly significantly affects the consumer except under certain circumstances provided in the bill. The bill provides that a controller is to implement the appropriate technical and organizational measures to ensure and to be able to demonstrate to the office that processing is performed in accordance with the requirements of the bill. The bill requires a controller and processor, in certain situations provided in the bill, to designate in writing to the office a representative that is to serve as a liaison between the controller or processor and the office and public. 
The bill provides that, where processing is to be conducted on behalf of a controller by a processor, the controller is to contract with a processor providing sufficient guarantees to implement appropriate technical and organizational measures in a manner that processing shall meet the requirements of the bill. The processor shall not engage another processor without prior specific or general written authorization of the controller. Processing by a processor is to be governed by a contract between the processor and controller that is to include certain provisions provided in the bill. The bill allows the office to adopt standard contractual clauses for the contracts between controllers and processors. The bill provides that a controller and, where applicable, the controller's representative, is to maintain a record of processing activities under its responsibility. A processor and, where applicable, the processor's representative, is to maintain a record of all categories of processing activities carried out on behalf of a controller. These records are to be in writing, including in electronic form, and be made available to the office upon request. Taking into account the technology, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of a person, the bill requires a controller and processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including certain measures provided in the bill. In assessing the appropriate level of security, account is to be taken of the risks that are presented by processing, such as from unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personally identifiable information transmitted, stored, or otherwise processed.
Adherence to a code of conduct or certification mechanism approved by the office may be used as an element by which to demonstrate compliance with the requirements established pursuant to the bill. The bill provides that, notwithstanding any other law, rule, or regulation to the contrary, in the event of a data breach resulting in the unauthorized access of personally identifiable information, the controller is to immediately and, where feasible, not later than 72 hours after having become aware of it, notify the office. Where the notification to the office is not made within 72 hours, it is to be accompanied by reasons for the undue delay. A processor is to notify the controller immediately after becoming aware of a data breach resulting in the unauthorized access of personally identifiable information and the notice is to contain certain information provided in the bill. The controller is to document any data breaches resulting in the unauthorized access of personally identifiable information, its effects, and remedial action taken, which is to be made available to the office at the office's request. The bill further provides that, notwithstanding any other law, rule, or regulation to the contrary, in the event of a data breach resulting in the unauthorized access of personally identifiable information that is likely to result in a high risk to the rights and freedoms of a person, the controller is to notify a consumer without undue delay. The bill provides that the data breach notification is to describe in clear and plain language the nature of the data breach but notification is not to be required under certain circumstances provided in the bill. The bill allows the office to notify consumers of a data breach resulting in the unauthorized access of personally identifiable information if the office determines there is a high risk to the rights and freedoms of a person. 
The bill requires a controller to, prior to processing personally identifiable information, conduct a data protection impact assessment that is to contain certain information provided for in the bill. The office is to establish and publicize a list of the kinds of processing operations that are subject to the requirements of the data protection impact assessment. The office may establish and publicize a list of the kinds of processing operations for which no data protection impact assessment is required. Where appropriate, a controller is to request input from consumers on the intended processing. The bill requires a controller to consult with the office prior to processing in the event the data protection impact assessment indicates that the processing would result in a high risk to a consumer's personally identifiable information in the absence of measures taken by the controller to mitigate the risk. If the office determines that the controller's data protection impact assessment indicates the processing may violate the provisions of the bill, the office is to, within eight weeks of the submission of the data protection impact assessment, provide written advice to the controller, and processor where applicable, concerning best industry practices to conform with the requirements of the bill. The Attorney General is to, in consultation with the State's Chief Information Officer, appoint an executive director to head the office who is to be an individual qualified by training and experience to perform the duties of the office and who is to devote the time as executive director solely to the performance of those duties. It is to be an unlawful practice and a violation of the consumer fraud act for a controller or processor to violate any provision of the bill, which carries a $10,000 fine for the first offense and a $20,000 fine for each subsequent offense.

AI Summary

This bill, entitled the "New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)," establishes certain rights for consumers concerning the disclosure and processing of their personally identifiable information. The bill defines key terms like "controller," "processor," and "personally identifiable information," and sets out requirements for controllers to obtain consumer consent, provide transparency disclosures, restrict certain sensitive data processing, and respond to consumer requests to access, rectify, erase, or restrict their data. The bill also establishes an Office of Data Protection and Responsible Use to provide oversight, guidance, and enforcement of the law. The bill prohibits violations and imposes fines, and provides exemptions for certain regulated entities like healthcare and financial services providers.

Committee Categories

Business and Industry

Sponsors (1)

Last Action

Introduced, Referred to Assembly Science, Innovation and Technology Committee (on 01/09/2024)
