NJ S4315

Bill

NJ S4315

Requires controller or processor to de-identify personal data and prohibits re-identification of de-identified data.

Introduced
05/12/2025

In Committee
05/12/2025

Crossed Over

Passed

Dead

Introduced Session

2024-2025 Regular Session

Bill Summary

This bill amends current law on the sale or processing of personal data to provide that a controller or processor of personal data is required to de-identify personal data before sale. The bill also prohibits a controller or processor from (1) re-identifying de-identified data before or after the sale of personal data that has been previously de-identified; (2) providing a third party the means to re-identify personal data after the sale of de-identified data to the third party; or (3) engaging a third party to re-identify de-identified data before or after the sale of the de-identified data. Pursuant to the bill, "re-identify" means to link de-identified data to an identified or identifiable individual, or a device linked to such an individual. The bill requires the Director of the Division of Consumer Affairs (director) in the Department of Law and Public Safety to establish standards for the de-identification of personal data. The bill also permits the director to allow exceptions to the requirements of de-identification or prohibitions on re-identification, provided that: (1) the director expects any exception to benefit the public; and (2) any exception is limited to the purpose of medical studies or the purpose of preventing or alleviating environmental hazards.

AI Summary

This bill requires controllers or processors of personal data to de-identify such data before selling it and prohibits the re-identification of that de-identified data. Specifically, the bill defines "de-identified data" as information that cannot be reasonably linked to an individual, and "re-identification" means attempting to reconnect de-identified data to a specific person. The bill prevents controllers and processors from re-identifying de-identified data themselves, providing third parties with the means to do so, or hiring third parties to re-identify the data. The Director of the Division of Consumer Affairs will establish standards for data de-identification and may create limited exceptions to these rules, but only if the exceptions are expected to benefit the public and are specifically related to medical studies or environmental hazard prevention. Violations of these provisions will be considered unlawful practices, and the Office of the Attorney General will have exclusive enforcement authority. The bill amends existing New Jersey privacy legislation and will take effect 365 days after enactment, giving businesses time to adjust their data handling practices to comply with the new requirements.

Committee Categories

Business and Industry

Sponsors (1)

Joe Pennacchio (R)*,

Last Action

Introduced in the Senate, Referred to Senate Commerce Committee (on 05/12/2025)

Official Document

https://www.njleg.state.nj.us/bill-search/2024/S4315

(1 Companion Bills)

Version:

Document Type	Source Location
State Bill Page	https://www.njleg.state.nj.us/bill-search/2024/S4315
BillText	https://pub.njleg.gov/Bills/2024/S4500/4315_I1.HTM

Bill > S4315

summary

Introduced Session

Bill Summary

AI Summary

Committee Categories

Sponsors (1)

Last Action

Official Document

bill text

bill summary

bill summary

bill summary