NJ A2297: Establishes certain data privacy protection requirements for consumer health data, health care providers, and patients.
Introduced: 01/13/2026
In Committee: 01/13/2026
Introduced Session
2026-2027 Regular Session
Bill Summary
This bill establishes certain data privacy protection requirements for consumer health data, health care providers, and patients. The bill defines a "regulated entity" to mean any legal entity that: conducts business in New Jersey, or produces or provides products or services that are targeted to consumers in New Jersey; and alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. "Regulated entity" does not mean a government agency, tribal nation, or contracted service provider when processing consumer health data on behalf of the government agency. Under the bill, each regulated entity in the State is to maintain a consumer health data privacy policy that details how data may be collected and shared and how consumers can exercise their rights provided by the bill concerning consumer health data. "Consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The bill establishes certain requirements for regulated entities to collect, share, and sell consumer health data, which includes requiring consumers to provide consent or authorization in order for a regulated entity to collect, share, or sell any consumer health data. Under the bill, consumers will have certain rights concerning their consumer health data, including: confirming which data is being collected, shared, or sold; withdrawing consent for the collection, sharing, or sale of the data; or requesting the deletion of the data. The bill establishes certain requirements for regulated entities to process any requests for the deletion of a consumer's consumer health data. The bill requires a regulated entity to restrict access to consumer health data as necessary and to establish certain data security practices to protect consumer health data.
The bill provides that a processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity that sets forth the processing instructions and limits the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity. The bill prohibits any person from implementing a geofence around an entity that provides in-person health care services where such geofence would be used to: identify or track consumers seeking health care services; collect consumer health data from consumers; or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services. The bill provides that any violation of the bill's provisions will be considered an unlawful practice in violation of P.L.1960, c.39 (C.56:8-1 et seq.). The bill outlines certain entities and types of information and data that are exempted from the provisions of the bill. The bill provides that nothing in the bill's provisions is to be construed to restrict a regulated entity's or processor's ability for the collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under State law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under State law or federal law, except that such entity bears the burden of demonstrating that such processing qualifies for the exemption provided under the bill.
AI Summary
This bill establishes comprehensive data privacy protections for "consumer health data," which is defined as personal information linked to an individual's physical or mental health status, including biometric and genetic data, and precise location information indicating health service attempts. It applies to "regulated entities," which are businesses operating in or targeting New Jersey consumers that determine how consumer health data is collected, processed, shared, or sold. These entities must maintain a clear privacy policy detailing data practices and consumer rights, and can only collect or share data with explicit consumer consent or when necessary to provide a requested service. Consumers gain rights to confirm data collection, access their data, withdraw consent, and request data deletion, with regulated entities required to honor these requests promptly and notify third parties. The bill also mandates reasonable data security practices, prohibits deceptive designs in data collection, and restricts the use of geofencing around healthcare facilities to track or collect data from patients. Violations are considered unlawful practices, and the bill includes specific prohibitions against selling consumer health data without separate authorization and outlines exemptions for certain entities and types of data, such as information protected under HIPAA.
Committee Categories
Health and Social Services
Sponsors (1)
Last Action
Introduced, Referred to Assembly Health Committee (on 01/13/2026)
Official Document
| Document Type | Source Location |
|---|---|
| State Bill Page | https://www.njleg.state.nj.us/bill-search/2026/A2297 |
| BillText | https://pub.njleg.gov/Bills/2026/A2500/2297_I1.HTM |