NJ Bill Seeks to Regulate the Business of Data
Data is thought to be such a significant commodity in today’s economy that it has been referred to as "the new oil." Business ventures across the globe in assorted industries have recognized and attempted to realize the commercial value of collecting, mining, aggregating, selling, and otherwise exploiting various personally identifiable information (PII) data points attributed to individual consumers, including name, address, online shopping and browsing preferences, geolocation history, and biometrics. The European Union (EU) and California are reshaping the global approach to data privacy legislation, and the federal Consumer Financial Protection Bureau (CFPB) has consistently held companies accountable for having inefficient data protection technology and processes in place and/or for misrepresenting them, concluding such conduct to be unfair, deceptive, and abusive. A bill recently introduced in the New Jersey Assembly provides the most recent example of state legislation that, if passed, would extend this more expansive approach to data privacy to New Jersey as well.
Key features of the bill, Assembly Bill A4640, include:
- a broader definition of personally identifiable information, including biometric information, demographic information relating to race, gender, ethnicity, sexual orientation and sexual identity;
- expanded rights for data subjects, including the right to notice, consent, and opt-out of collection and processing, the right of access to their personal data, and the right to request correction of any inaccurate information;
- obligations for businesses covered by the Bill to secure personal information; and
- a private right of action to sue businesses found to be in violation of the Bill. A civil action may be brought for statutory damages or actual damages, and courts may also order injunctive relief.
Intended to supplement the reach of Title 56 of the Revised Statutes relating to trade practices, NJ A4640 establishes security standards and notification requirements for businesses governed by its provisions. It applies to any individual within the State of New Jersey who provides PII, either knowingly or unknowingly, to a business. A number of the Bill’s noteworthy provisions are highlighted below.
Personally Identifiable Information:
The Bill defines PII to include many of the types of information that have traditionally been included in data protection laws, such as Social Security, driver’s license, passport, or other government-issued ID numbers, medical information or history, and financial information. It also incorporates a number of other types of information that will be familiar from European privacy regulation and the recently enacted California Consumer Privacy Act. Under the Bill’s expansive scope, PII includes data that "personally identifies, describes, or is able to be associated" with a person or their children, and would encompass: name; address; email address; phone number; account names or titles; birthdate or age; height and weight; biometric data; information regarding a person’s gender status, identity, or expression or their sexual orientation; race or ethnicity; religion; political affiliation; profession; education; spending history and purchase records; geolocation information; internet or mobile activity; and any content a person creates, such as text, photographs, videos, or audio content.
Currently, the best weapon the federal government has in its arsenal is the Federal Trade Commission’s and the CFPB’s prohibitions against unfair, deceptive, and abusive practices affecting consumers, but these prohibitions and available enforcement actions are limited to certain industries and their practices. Under the new proposal, two state legislators are seeking to have New Jersey join the jurisdictions that have adopted this broader approach with Assembly Bill A4640, which would expand individuals’ rights with respect to data collected from or about them, broaden the definition of PII to extend protections to more types of data, and require businesses covered by the act to notify individuals about their data collection practices and meet certain security standards. In doing so, this New Jersey Bill incorporates many of the key features of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). If passed, it would mean a sea change for companies doing business in New Jersey.
Furthermore, the Bill, as currently drafted, has certain thresholds of applicability but has the potential to reach any business that collects or commercializes PII including, notably, biometric data. Biometric data is defined fairly broadly in the Bill to comprise an individual’s physiological, biological, or behavioral characteristics (such as DNA and genetic information and analysis, fingerprints, voice print, and retinal or iris imaging) that can be used, singly or in combination with each other or with other identifying data, to establish an individual’s identity.
Businesses covered by the bill:
Businesses that have over $5 million in gross annual revenue, derive 50% or more of their revenue from selling personal data, or buy, receive, sell, or share PII of more than 25,000 individuals for commercial purposes must notify and inform an individual as to their data practices before or at the time of data collection; provide information to an individual about use of their data upon request; and facilitate an opt-out process whereby the individual can cease all uses of their data that are not already in process. Highlights of business obligations are described in more detail below. In the consumer financial services space, the inclusion of "buy, sell, or share PII of more than 25,000 individuals . . . ." directly and indirectly implicates the operations of mortgage lenders, title insurance underwriters, large real estate brokerages, non-depository marketplace lenders, consumer debt buyers, and lead generators, to name just a few.
Business obligations under the Bill would include:
Information Security Program:
Covered businesses must maintain an information security program that meets the requirements of any applicable federal law or industry standards. For businesses that are already regulated under federal laws such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), this provision could raise a number of operational questions. Businesses subject to GLBA or HIPAA are likely to already have a set of measures – from technical architecture to internal processes and documented policies and vendor agreements – for the handling of the federally regulated data (e.g., financial data regulated under GLBA and protected health information, or PHI, regulated under HIPAA). However, this New Jersey Bill – like the GDPR and the CCPA – incorporates data privacy obligations for a much broader range of data that is not federally regulated. Consequently, federally regulated businesses will not be able to simply assume that their current regulatory compliance frameworks are sufficient to ensure compliance with this Bill if it were enacted into law. Of course, much would remain to be determined through the implementing regulations if this legislation were to be passed. For now, before it is known whether the Bill will be amended or what its enabling regulations will call for, the important point is that federally regulated entities might have an obligation to revamp their compliance programs in order to meet these new state requirements if the Bill were to pass.
Notice Prior to Data Collection:
The Bill requires a business, before or upon collecting any PII, to provide the following information in clear, transparent, intelligible, and easily accessible form:
- A complete description of the PII the business collects and the means by which it is collected;
- The purpose and legal basis for the collection, access to, disclosure, or storage ("processing") of the PII;
- All third parties to which the business may disclose the PII and for what purpose, including whether the business profits from the disclosure;
- Contact information for the person responsible for data security and protecting the PII, where applicable;
- The period of time during which the business will store the PII, or the criteria used to determine that period; and
- The person’s right to request from the business access to their PII (per the provision below).
Provide Information Upon Request:
Within 30 days of a request, at no charge to the individual, but no more than twice a year, the business will provide:
- Confirmation that the PII is, or has been, processed; and
- A copy of the PII processed in a structured and commonly used machine-readable format.
Allow Opting Out of PII Processing:
A business must maintain a procedure by which a person can opt out of having their PII processed, unless:
- The business has a written contract authorizing a third party to use the PII in performing services on its behalf;
- The business has a good-faith belief that the processing is required to comply with any applicable law, rule, or regulation, legal process, or court order; or
- Processing is reasonably necessary to avoid fraud, protect the business’s rights or property, or to protect the person or the public from illegal activities as required by law.
Further exceptions exist for the business’s legal obligations and remedies, as well as an exception for the collection and use of PII which has been deidentified or aggregated.
NJ A4640 was sponsored by Assemblywoman Valerie Vainieri Huttle of Bergen County and Assemblyman Jamel C. Holley of Union County. As of January 24, 2019 it is under review by the Assembly Homeland Security and State Preparedness Committee.
Saul Ewing Arnstein & Lehr attorneys handle a wide range of matters related to consumer financial services, data privacy, and cybersecurity. For questions about any of those practice areas, or about this alert, please contact the authors.