Back to New Jersey

A1360 • 2026

"New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

"New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Park, Ellen J.
Last action
2026-01-13
Official status
Introduced, Referred to Assembly Science, Innovation and Technology Committee
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

"New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

"New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

What This Bill Does

  • "New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.
  • Topic: Science, Innovation and Technology Fiscal note: This bill has been certified by OLS for a fiscal note.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-01-13 New Jersey Legislature

    Introduced, Referred to Assembly Science, Innovation and Technology Committee

Official Summary Text

"New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.
Topic:
Science, Innovation and Technology
Fiscal note:
This bill has been certified by OLS for a fiscal note.

Current Bill Text

Read the full stored bill text
A1360

ASSEMBLY, No. 1360

STATE OF NEW JERSEY

222nd LEGISLATURE

�

PRE-FILED FOR INTRODUCTION IN THE 2026 SESSION

Sponsored by:

Assemblywoman ELLEN J. PARK

District 37 (Bergen)

SYNOPSIS

���� "New Jersey Disclosure and Accountability
Transparency Act (NJ DaTA)"; establishes certain requirements for
disclosure and processing of personally identifiable information; establishes
Office of Data Protection and Responsible Use in Division of Consumer Affairs.

CURRENT VERSION OF TEXT

���� Introduced Pending Technical Review by Legislative
Counsel.

��

An Act

concerning the disclosure and processing of
personally identifiable information and supplementing Title 56 of the Revised
Statutes.

����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:

���� 1.��� This bill shall be known
and may be cited as the �New Jersey Disclosure and Accountability Transparency
Act (NJ DaTA).�

���� 2.��� As used in P.L.��� ,
c.��� (C.����� ) (pending before the Legislature as this bill):

���� �Automated decision making�
means computational process, including one derived from machine learning,
statistics, or other data processing, that makes a decision or facilitates
human decision making.

���� �Biometric data� means
personally identifiable information concerning the physical, physiological, or
behavioral characteristics of a person.

���� �Consent� means any freely
given, specific, informed, and unambiguous indication by a consumer that the
consumer gives in a statement or by clear affirmative action, and signifies
agreement to the processing of personally identifiable information.

���� �Consumer�
means an individual in this State who
provides, either knowingly or unknowingly, personally identifiable information
to a controller.

���� �Controller� means a person or
legal entity that collects, maintains, and determines the purposes and means of
processing personally identifiable information.

���� �De-identified information�
means: information that cannot be linked to a consumer without additional
information that is kept separately; or information that has been modified to a
degree that the risk of re-identification, consistent with guidance from the
Federal Trade Commission and the National Institute of Standards and
Technology, is small, as determined by the Director of the Division of Consumer
Affairs in the Department of Law and Public Safety pursuant to section 25 of
P.L.��� , c.��� (C.����� ) (pending before the Legislature as this bill), that
is subject to a public commitment by the controller not to attempt to
re-identify the data, and to which one or more enforceable controls to prevent
re-identification has been applied, which may include legal, administrative,
technical, or contractual controls.

���� �Designated request address�
means an electronic mail address, Internet website, or toll-free telephone
number that a consumer may use to request a copy of the information required to
be provided pursuant to section 5 of P.L.��� , c.��� (C.����� ) (pending before
the Legislature as this bill).

���� �Disclose� means to release,
transfer, share, disseminate, make available, rent, sell, or otherwise
communicate orally, in writing, or by electronic or any other means to a third
party or processor a consumer�s personally identifiable information.

���� �Office� means Office of Data
Protection and Responsible Use in the Division of Consumer Affairs in the
Department of Law and Public Safety established pursuant to section 22 of P.L.���
, c. (C. ) (pending
before the Legislature as this bill).

���� �Person� means a consumer or a
minor child in the custody of the consumer.

���� �Personally identifiable
information� means any information that is linked or reasonably linkable to an
identified or identifiable consumer, including a minor child in the custody of
the consumer. �Personally identifiable information� shall not include
de-identified information or publicly available information.

���� �Portability� means the
ability to receive personally identifiable information in a structured,
commonly used, and machine-readable format from a controller that shall be able
to be transmitted to another controller without formatting hindrance.

���� �Process� means an operation that
is performed on personally identifiable information, whether or not by
automated means, including, but not limited to: collection; recording;
organization; structuring; storage; adaptation or alteration; retrieval;
consultation; use; disclosure by transmission; dissemination or otherwise
making available; alignment or combination; restriction; erasure; or
destruction.

���� �Processor� means a person or
legal entity that processes information on behalf of a controller.

���� �Profiling� means any form of
automated decision making using personally identifiable information to evaluate
certain personal aspects of a person, including, but not limited to, analyzing
or predicting aspects concerning that person�s performance at work, economic
situation, health, personal preferences, interests, reliability, behavior,
location, or movements.

���� �Publicly available
information� means information that is lawfully made available from federal,
State, or local government records, or widely-distributed media.

���� �Third party� means an
individual, private entity, public entity, agency, or entity other than the
consumer, controller, or processor.

���� �Verified request� means a
request that is made by a consumer, a consumer on behalf of a minor child in
the custody of a consumer, or a third-party authorized by law to act on behalf
of the consumer whose personally identifiable information was processed, and
that a controller can reasonably verify as the person whose personally
identifiable information was processed, or is a third-party authorized by the
consumer to act on the consumer�s behalf.

���� 3.��� a.� The collection and
processing of a consumer�s personally identifiable information shall be:

���� (1)�� collected and processed
only upon the consumer affirmatively opting in to the collection, pursuant to
section 4 of P.L.��� , c.��� (C.����� ) (pending before the Legislature as this
bill);

���� (2)�� processed lawfully,
fairly, and in a transparent manner in relation to the consumer;

���� (3)�� collected for specified,
explicit, and legitimate purposes and not further processed in a manner that is
incompatible with those purposes;

���� (4)�� adequate, relevant, and
limited to what is necessary in relation to the purposes for which the
personally identifiable information is processed;

���� (5)�� accurate and, where
necessary, kept up to date and every reasonable step shall be taken to ensure
that personally identifiable information that is inaccurate is erased or
rectified without delay;

���� (6)�� kept in a form which
permits identification of consumers for no longer than is necessary for the
purposes for which the personally identifiable information is processed; and

���� (7)�� processed in a manner
that ensures appropriate security of the personally identifiable information,
including protection against unauthorized or unlawful processing and against
accidental loss, destruction, or damage, using appropriate technical or organizational
measures.

���� b.��� A controller shall be
responsible for, and be able to demonstrate to the office, established pursuant
to section 22 of P.L. , c.��� (C.����� ) (pending before
the Legislature as this bill), in a form and manner determined by the office,
compliance with subsection a. of this section.

���� 4.��� A controller that
collects the personally identifiable information of a consumer may lawfully
process the personally identifiable information pursuant to P.L.��� , c.���
(C.����� ) (pending before the Legislature as this bill) only if at least one
of the following applies:

���� a.���� the consumer has given
affirmative consent to opt in to the processing of the personally identifiable
information for at least one specific purpose provided by the controller
pursuant to subsection b. of this section;

���� b.��� the processing is
necessary for the performance of a contract to which the consumer is a party or
in order to take steps at the request of the consumer prior to entering into a
contract;

���� c.���� the processing is
necessary for compliance with a legal obligation to which the controller is
subject;

���� d.��� the processing is
necessary to protect the vital interest of the consumer or another person;

���� e.���� the processing is
necessary for the performance of a task conducted in the public interest or in
the exercise of official authority vested in the controller; or

���� f.���� the processing is
necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where those interests are overridden by
the interests or fundamental rights and freedoms of the consumer, which require
protection of personally identifiable information, including that of a child.

���� 5.��� a.� A controller that
collects the personally identifiable information of a consumer shall, at the
time when personally identifiable information is collected, provide to a
consumer information concerning the processing of that personally identifiable
information in a concise, transparent, intelligible, and easily accessible
form, using clear and plain language, in writing, or by other means, including,
where appropriate, by electronic means. That provided information shall
include, but not be limited to:

���� (1)�� the categories of the
personally identifiable information that the controller processes;

���� (2)�� the categories of all
processors and third parties with which the controller may disclose a
consumer�s personally identifiable information, including processors in other
countries or states that may not provide suitable safeguards pursuant to P.L. , c. (C. ) (pending
before the Legislature as this bill);

���� (3)�� the purpose of the
processing for which the personally identifiable information is intended and
the legal basis for the processing, pursuant to P.L.��� , c.��� (C.����� )
(pending before the Legislature as this bill);

���� (4)�� a description of the
process for a consumer to review and request changes to any of the consumer�s
personally identifiable information;

���� (5)�� the process by which the
controller notifies consumers of material changes to the notification required
to be made available pursuant to this subsection, along with the effective date
of the notice;

���� (6)�� information concerning
one or more designated request addresses;

���� (7)�� the identity and the
contact details of the controller and, where applicable, the controller�s
representative, designated pursuant to section 14 of P.L.��� , c.��� (C.����� )
(pending before the Legislature as this bill);

���� (8)�� the period of time for
which the personally identifiable information shall be stored, or if that is
not possible, the criteria used to determine that period;

���� (9)�� notification of the
consumer�s right to:

���� (a)�� request from the
controller access to and rectification or erasure of personally identifiable
information, restriction of processing concerning the consumer, or to object to
processing;

���� (b)�� the portability of
personally identifiable information;

���� (c)�� withdraw consent to
processing at any time without affecting the lawfulness of processing based on
consent before its withdrawal; and

���� (d)�� lodge a complaint with
the office, which shall include all contact information for the office;

���� (10) whether the provision of
personally identifiable information is a statutory or contractual requirement,
or a requirement necessary to enter into a contract, whether the consumer is
obliged to provide the personally identifiable information and, if so, the
possible consequences of failure to provide the personally identifiable
information;

���� (11) the existence of
automated decision making, including profiling, and meaningful information
concerning the logic involved and significance and potential consequences of
automated decision making for the consumer; and

���� (12) any other information the
office deems appropriate.

���� b.��� Where the controller
intends to process a consumer�s personally identifiable information for a
purpose other than that for which the personally identifiable information was
collected, the controller shall provide the consumer prior to that processing
with disclosure pursuant to subsection a. of this section for that latest
processing.

���� c.���� In addition to the
requirements of subsection a. of this section, a controller shall include the
notification as a section of the controller�s privacy policy, which shall not
substitute for the requirements of subsection a. of this section.

���� 6.��� a.� The processing of
personally identifiable information revealing racial or ethnic origin,
political opinion, religious or philosophical belief, or trade union
membership, and the processing of biometric data for the purpose of uniquely
identifying a person, information concerning health or a person�s sexual
history or orientation shall be prohibited.

���� b.��� The provisions of
subsection a. of this section shall not apply if:

���� (1)�� the consumer has given
affirmative consent to opt in to the processing of the personally identifiable
information listed in subsection a. of this section for one or more purposes
specified by the controller;

���� (2)�� the processing is
necessary for the purposes of carrying out the obligations and specific rights
of the controller or of the consumer pursuant to State or federal law;

���� (3)�� the processing is
necessary to protect the vital interest of the consumer where the consumer is
physically or legally incapable of giving consent;

���� (4)�� the processing is
conducted in the course of its legitimate activities with appropriate
safeguards, as determined by the office, by a foundation, association, or any
other nonprofit entity with a political, philosophical, religious, or trade
union aim and on condition that the processing relates solely to the members or
to former members of the body or to persons who have regular contact with it in
connection with its purposes and that the personally identifiable information
is not disclosed outside that body without the consumer�s consent;

���� (5)�� the processing relates
to personally identifiable information that is publically available;

���� (6)�� the processing is
necessary for the establishment, exercise, or defense of legal claims or court
order;

���� (7)�� the processing is
necessary for the purposes of preventive or occupational medicine, for the
assessment of the working capacity of the employee, medical diagnosis, the
provision of health or social care or treatment or the management of healthcare
pursuant to State or federal law;

���� (9)�� the processing is
necessary for public health purposes; or

���� (10) the processing is
necessary for archiving purposes in the public, scientific, or historical
interest, as determined by the office.

���� c.���� The processing of
personally identifiable information concerning criminal convictions and
offences shall be permitted only under the control of a State or federal agency
and with the appropriate safeguards for the rights and freedom of the consumer.
A comprehensive register of criminal convictions shall be kept only under the
control of a State or federal agency.

���� 7.��� a.� A controller that
discloses a consumer�s personally identifiable information to a processor or
third party shall make the following information available to the consumer free
of charge upon receipt of a verified request from the consumer for this
information through a designated request address:

���� (1)�� the purposes of the
processing;

���� (2)�� the category or
categories of a consumer�s personally identifiable information that were
disclosed;

���� (3)�� the category or
categories of the processors and third parties that received the consumer�s
personally identifiable information;

���� (4)�� where possible, the
period of time for which the personally identifiable information will be stored
by the controller, processor, or third party, or, if not possible, the criteria
used to determine that period of time;

���� (5)�� if personally
identifiable information was not obtained directly from a consumer, any
available information concerning the source of that consumer�s personally
identifiable information;

���� (6)�� the existence of
automated decision making, including profiling, and information about the logic
involved, and the significance and consequences of this processing to the
consumer; and

���� (7)�� a copy of the personally
identifiable information undergoing processing. For more than a single copy,
the controller may charge a reasonable fee based on administrative costs.

���� b.��� A controller that
receives a verified request from a consumer pursuant to subsection a. of this
section shall provide a response to the consumer within 30 days of the
controller�s receipt of the request and shall provide the information pursuant
to subsection a. of this section for all disclosures of personally identifiable
information.

���� c.���� If the controller does
not take action on a consumer�s verified request the controller shall inform
the consumer without undue delay and at the latest within one month of receipt
of the verified request of the reasons for not taking action and on the ability
for the consumer to lodge a complaint with the office.

���� d.��� Where verified requests
from a consumer are unfounded, excessive, or repetitive, the controller may
either:

���� (1)�� charge a reasonable fee
taking into account the administrative costs of providing the information or
communication; or

���� (2)�� refuse to act on the
request, following the requirements established pursuant to subsection c. of
this section.

���� e.���� The controller shall
bear the burden of demonstrating the unfounded, excessive, or repetitive
character of the request.

���� f.���� This section shall not
apply to personally identifiable information disclosed prior to the effective
date of
P.L. , c. (C. )
(pending before the Legislature as this bill) or to publically available
information.

���� 8.��� a.� A consumer shall
have the right to obtain by any means from the controller rectification of
inaccurate personally identifiable information.

���� b.��� A consumer shall have
the right to obtain by any means from the controller the erasure of personally
identifiable information where one of the following applies:

���� (1)�� the personally
identifiable information is no longer necessary in relation to the purpose for
which it was collected or otherwise processed;

���� (2)�� the consumer withdraws
consent made pursuant to subsection a. of section 4 of P.L.��� , c.��� (C.�����
) (pending before the Legislature as this bill) on which the processing is
based and where there is no other legal ground for the processing; or

���� (3)�� the consumer objects to
the processing pursuant to section 11 of P.L.��� , c.��� (C.����� ) (pending
before the Legislature as this bill) and there are no overriding legitimate
grounds for the processing.

���� 9.��� a.� A consumer shall
have the right to obtain by any means from the controller a restriction of
processing of personally identifiable information where one of the following
applies:

���� (1)�� the accuracy of the
personally identifiable information is contested by the consumer for a period
enabling the controller to verify the accuracy of the personally identifiable
information;

���� (2)�� the processing is
unlawful and the consumer opposes the erasure of the personally identifiable
information;

���� (3)�� the controller no longer
needs the personally identifiable information for the purposes of the
processing but the consumer requires that personally identifiable information
for the establishment, exercise, or defense of legal claims; or

���� (4)�� the consumer has
objected to processing pursuant to section 11 of P.L.��� , c.��� (C.����� )
(pending before the Legislature as this bill) pending the verification of
whether the legitimate grounds of the controller override those of the
consumer.

���� b.��� Where processing has
been restricted pursuant to subsection a. of this section, personally
identifiable information, with the exception of storage, shall only be
processed with the consumer�s consent or for the establishment, exercise, or
defense of legal claims or for the protection of the rights of another person
or legal entity or for the public interest.

���� c.���� A consumer that has
obtained restriction pursuant to subsection a. of this section shall be
informed by the controller before the restriction of processing is lifted.

���� 10.� A controller shall notify
each processor and third party to which a controller has disclosed a consumer�s
personally identifiable information of any rectification or erasure of
personally identifiable information made by a consumer pursuant to section 8 of
P.L.��� , c.��� (C.����� ) (pending before the Legislature as this bill) or
restriction of processing made by a consumer pursuant to section 9 of P.L.��� ,
c.��� (C.����� ) (pending before the Legislature as this bill).

���� 11.� a.� A consumer shall have
the right to object, by any means, to the processing of personally identifiable
information, at which time the controller shall no longer process the
personally identifiable information unless the controller demonstrates compelling
legitimate grounds, as determined by the office, for the processing which
overrides the interests, rights, and freedoms of the consumer or for the
establishment, exercise, or defense of legal claims.

���� b.��� Where personally
identifiable information is processed for direct marketing purposes, including
profiling, the consumer shall have the right to object at any time to
processing of personally identifiable information for this purpose, at which
time the personally identifiable information shall no longer be used for this
purpose.

���� c.���� Where personally
identifiable information is processed for scientific or historical research
purposes or statistical purposes, the consumer shall have the right to object,
by any means, to the processing of their personally identifiable information
unless the processing is necessary for the public interest, as determined by
the office.

���� 12.� a.� A consumer shall not
be subject to a decision based solely on automated decision making, including
profiling, which produces legal effects concerning the consumer or similarly
significantly affects the consumer.

���� b.��� The provisions of
subsection a. of this section shall not apply if the decision:

���� (1)�� is necessary for
entering into, or performance of, a contract between the consumer and the
controller;

���� (2)�� is authorized by law and
which also includes measures to safeguard the consumer�s rights pursuant to
section 3 of P.L.��� , c. (C.����� ) (pending before the
Legislature as this bill);

���� (3)�� is based on the
consumer�s explicit consent.

���� c.���� The provisions of
subsection b. of this section shall not be based on the categories of
personally identifiable information listed in section 6 of P.L.��� , c.���
(C.����� ) (pending before the Legislature as this bill) unless suitable
measures are taken to ensure the consumer�s rights, freedoms, and legitimate
interests are in place, as determined by the office.

���� 13.� a.� A controller shall
implement the appropriate technical and organizational measures to ensure and
to be able to demonstrate to the office that processing is performed in
accordance with P.L. , c.��� (C.����� ) (pending before
the Legislature as this bill).

���� b.��� Taking into account the
technology, cost of implementation, and the nature, scope, context, and purpose
of processing, and the rights of the consumer, the controller shall at the time
of the determination of the means of processing and at the time of the
processing itself, implement technical and organization measures, that are
designed to implement data-protection principles and safeguards into the
processing in order to meet the requirements of P.L.��� , c.��� (C.����� )
(pending before the Legislature as this bill).

���� c.���� A controller shall
implement technical and organizational measures to ensure that, by default,
only personally identifiable information necessary for the specific purpose of
processing is processed, including the period of storage.

���� 14.� a.� A controller and
processor shall designate in writing to the office a representative that shall
serve as a liaison between the controller or processor and the office and
public.

���� b.��� The provisions of
subsection a. of this section shall not apply to a controller or processor
that:

���� (1)�� processes personally
identifiable information occasionally, does not include, on a large scale, the
processing of the categories of personally identifiable information listed in
section 6 of P.L.��� , c.��� (C.����� ) (pending before the Legislature as this
bill), processes criminal convictions and offenses, or processes information in
a manner that is unlikely to result in a risk to the rights and freedoms of a
person, as determined by the office; or

���� (2)�� is a State agency or any
political subdivision thereof.

���� 15.� a.� Where processing is
to be conducted on behalf of a controller by a processor, the controller shall
contract with a processor providing sufficient guarantees to implement
appropriate technical and organization measures in a manner that processing
shall meet the requirements of P.L.��� , c.��� (C.����� ) (pending before the
Legislature as this bill).

���� b.��� The processor shall not
engage another processor without prior specific or general written
authorization of the controller.

���� c.���� Processing by a
processor shall be governed by a contract between a processor and controller
that shall include, but not be limited to:

���� (1)�� a stipulation that the
processor shall process the personally identifiable information using
documented instructions from the controller, including the instructions on the
transfer of personally identifiable information to another country or
international organization;

���� (2)�� a commitment to the
confidentiality and data security of the personally identifiable information to
be processed required by law;

���� (3)�� assistance in
cooperating with the controller to fulfill the controller�s obligation to
respond to consumer requests to exercise rights established pursuant to P.L.���
, c.��� (C.����� ) (pending before the Legislature as this bill);

���� (4)�� an agreement by the
processor to delete or return all personally identifiable information at the
request of the controller;

���� (5)�� the processor making
available to the controller all information necessary to demonstrate compliance
with the obligations established pursuant to P.L.��� , c.��� (C.����� )
(pending before the Legislature as this bill); and

���� (6)�� where the processor
engages another processor for carrying out processing on behalf of the
controller, that contract shall include the same confidentiality and data
security requirements as in the contract between the controller and initial
processor.

���� d.��� The office may adopt
standard contractual clauses for the contracts between a controller and a
processor pursuant to the provisions of P.L.��� , c.��� (C.����� ) (pending
before the Legislature as this bill).

���� 16.� a.� A controller and,
where applicable, the controller�s representative, established pursuant to
section 14 of P.L.��� , c. (C. )
(pending before the Legislature as this bill), shall maintain a record of
processing activities under its responsibility. The record shall contain, but
not be limited to, the following information:

���� (1)�� the name and contact
details of the controller and, where applicable, any other controller, or the
controller�s representative;

���� (2)�� the purpose of the
processing;

���� (3)�� a description of the
categories of consumers and categories of personally identifiable information;

���� (4)�� the categories of
recipients to whom the personally identifiable information has been or will be
disclosed, including recipients in other counties or international
organizations;

���� (5)�� where possible, the
potential time limits for erasure of the different categories of personally
identifiable information;

���� (6)�� where possible, a
description of the technical and organizational security measures required
pursuant to section 17 of P.L.��� , c.��� (C.����� ) (pending before the
Legislature as this bill).

���� b.��� A processor and, where
applicable, the processor�s representative, shall maintain a record of all
categories of processing activities carried out on behalf of a controller. The
record shall contain, but not be limited to, the following information:

���� (1)�� the name and contact
details of the processor or processors and of each controller on behalf of
which the processor is acting and, where applicable, of the controller�s or the
processor�s representative;

���� (2)�� the categories of
processing carried out on behalf of the controller;

���� (3)�� where applicable,
transfers of personally identifiable information to another country or an
international organization;

���� (4)�� where possible, a
description of the technical and organizational security measures required
pursuant to section 17 of P.L.��� , c.��� (C.����� ) (pending before the
Legislature as this bill).

���� c.���� The information
required pursuant to subsections a. and b. of this section shall be in writing,
including in electronic form, and shall be made available to the office upon
request.

���� 17.� a.� Taking into account
the technology, the costs of implementation, and the nature, scope, context,
and purposes of processing, as well as the risk of varying likelihood and
severity for the rights and freedoms of a person, the controller and processor shall
implement appropriate technical and organization measures to ensure a level of
security appropriate to the risk, including, but not limited to:

���� (1)�� using de-identified
information where possible;

���� (2)�� the ability to ensure
the ongoing confidentiality, integrity, availability, and resilience of
processing systems and services;

���� (3)�� the ability to restore
the availability and access to personally identifiable information in a timely
manner in the event of a physical or technical data breach; and

���� (4)�� a process for regularly
testing, assessing, and evaluating the effectiveness of technical and
organization measures for ensuring the security of the processing.

���� b.��� In assessing the
appropriate level of security, account shall be taken concerning the risks that
are presented by processing, such as from unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to personally identifiable
information transmitted, stored, or otherwise processed.

���� c.���� Adherence to a code of
conduct or certification mechanism approved by the office, pursuant to
paragraph (1) of subsection b. of section 22 of P.L.��� , c.��� (C.����� )
(pending before the Legislature as this bill), may be used as an element by
which to demonstrate compliance with the requirements established pursuant to
this section.

���� 18.� a.� Notwithstanding any
other law, rule, or regulation to the contrary, in the event of a data breach
resulting in the unauthorized access of personally identifiable information,
the controller shall immediately and, where feasible, not later than 72 hours
after having become aware of it, notify the office. Where the notification to
the office is not made within 72 hours, it shall be accompanied by reasons for
the undue delay.

���� b.��� The processor shall
immediately notify the controller after becoming aware of a data breach
resulting in the unauthorized access of personally identifiable information and
shall contain, but not be limited to, the following information:

���� (1)�� a description of the
nature of the data breach including the categories and approximate number of
consumers affected and the categories and approximate number of compromised
records;

���� (2)�� the name and contact
details where more information can be obtained;

���� (3)�� a description of the
likely consequences of the data breach; and

���� (4)�� a description of the
measures taken or proposed to be taken by the processor to address the data
breach.

���� c.���� The controller shall
document any data breaches resulting in the unauthorized access of personally
identifiable information, its effects, and remedial action taken, which shall
be made available to the office at the office�s request.

���� 19.� a.� Notwithstanding any
other law, rule, or regulation to the contrary, in the event of a data breach
resulting in the unauthorized access of personally identifiable information
that is likely to result in a high risk to the rights and freedoms of a person,
the controller shall immediately notify a consumer.

���� b.��� The data breach
notification shall describe in clear and plain language the nature of the data
breach and contain, but not be limited to:

���� (1)�� the name and contact
details where more information can be obtained;

���� (2)�� a description of the
likely consequences of the data breach; and

���� (3)�� a description of the
measures taken or proposed to be taken by the controller to address the data
breach.

���� c.���� Notification pursuant
to this section shall not be required if one of the following are met:

���� (1)�� the controller has
implemented appropriate technical and organization protection measures and
those measures were applied to the personally identifiable information affected
by the data breach, such as rendering the personally identifiable information
unintelligible to any person who is not authorized to access it;

���� (2)�� the controller has taken
subsequent measures that ensure that the high risk to the rights and freedoms
of a person are no longer likely to materialize; or

���� (3)�� it would involve
disproportionate effort, which, in that case, there shall instead be a public
communication or similar measure where consumers are informed in an equally
effective manner.

���� d.��� The office may notify
consumers of a data breach resulting in the unauthorized access of personally
identifiable information if the office determines there is a high risk to the
rights and freedoms of a person.

���� 20.� a.� A controller shall,
prior to processing personally identifiable information, conduct a data
protection impact assessment that shall be submitted to the office and that
shall contain, but not be limited to:

���� (1)�� a systematic description
of potential processing operations and the purpose of the processing, including
where applicable, the legitimate interest pursued by the controller;

���� (2)�� an assessment of the
necessity and proportionality of the processing operations in relation to the
purpose;

���� (3)�� an assessment of the
risks to the rights and freedoms of consumers; and

���� (4)�� potential measures to
address the risks, including safeguards, security measures, and mechanisms to
ensure the protection of personal data and to demonstrate compliance with P.L.���
, c. (C. ) (pending
before the Legislature as this bill).

���� b.��� The office shall
establish and publicize a list of the kind of processing operations that are
subject to the requirements of this section.

���� c.���� The office may
establish and publicize a list of the kind of processing operations for which
no data protection impact assessment is required.

���� d.��� Where appropriate, a
controller shall request input from consumers on the intended processing.

���� 21.� a.� The controller shall
consult with the office prior to processing in the event the data protection
impact assessment, required pursuant to section 20 of P.L.��� , c.��� (C.�����
) (pending before the Legislature as this bill), indicates that the processing
would result in a high risk to a consumer�s personally identifiable information
in the absence of measures taken by the controller to mitigate the risk.

���� b.��� If the office determines
that the controller�s data protection impact assessment indicates the
processing may violate the provisions of P.L.��� , c.��� (C.����� ) (pending
before the Legislature as this bill), the office shall, within eight weeks of
the submission of the data protection impact assessment, provide written advice
to the controller, and processor where applicable, concerning best industry
practices to conform with the requirements of P.L. , c. (C. )
(pending before the Legislature as this bill).

���� 22.� a.� There is established
the Office of Data Protection and Responsible Use in the Division of Consumer
Affairs in the Department of Law and Public Safety. The purpose of this office
shall be to serve as a clearinghouse of information, comprehensive resource for
consumers, controllers, and processors, and regulatory body concerning the
security and processing of personally identifiable information.

���� b.��� The office�s functions
shall include, but not be limited to:

���� (1)�� direction and oversight
to controllers and processors on complying with the provisions of P.L.��� ,
c.��� (C.����� ) (pending before the Legislature as this bill), including
developing a code of conduct or certification mechanism for controllers and
processors to use in developing data security procedures;

���� (2)�� development and
distribution of informational materials for consumers concerning personally
identifiable information protection best practices, consumer rights concerning
personally identifiable information, and any other subject the office deems
relevant to fulfilling its functions;

���� (3)�� reviewing current and
proposed legislation and regulations pertaining to personally identifiable
information protection and security and making recommendations concerning
potential legislation and regulations;

���� (4)�� conducting biannual
public hearings for the purpose of gathering public input concerning what types
of information constitute personally identifiable information that should be
monitored by the office, advancements in technology relating to the collection
of personally identifiable information, and any other subject the office deems
relevant to fulfilling its functions;

���� (5)�� receiving, cataloging,
and investigating reports of potential violations of P.L.��� , c.��� (C.����� )
(pending before the Legislature as this bill) and reporting the findings to the
Attorney General for potential legal action; and

���� (6)�� cooperation with other
State and federal agencies with the intent of ensuring the uniform application
of P.L.��� , c.��� (C.����� ) (pending before the Legislature as this bill).

���� c.���� The Attorney General shall,
in consultation with the State�s Chief Information Officer, appoint an
executive director to head the office who shall be an individual qualified by
training and experience to perform the duties of the office and who shall
devote the time as executive director solely to the performance of those
duties.

���� d.��� The office shall be
entitled to call to its assistance and avail itself of the services of the
employees of any State department, board, bureau, commission, or agency it may
require and as may be available for its purposes.

���� 23.� Nothing in P.L.��� ,
c.��� (C.����� ) (pending before the Legislature as this bill) shall apply to:

���� a.���� protected health
information collected by a covered entity or business associate subject to the
privacy, security, and breach notification rules issued by the United States
Department of Health and Human Services, Parts 160 and 164 of Title 45 of the
Code of Federal Regulations, established pursuant to the "Health Insurance
Portability and Accountability Act of 1996," Pub.L.104-191, and the
�Health Information Technology for Economic and Clinical Health Act,� 42 U.S.C.
s.17921 et seq..

���� b.��� a financial institution
or an affiliate of a financial institution that is subject to Title V of the
federal �Gramm-Leach-Bliley Act of 1999,� 15 U.S.C. s.6801 et seq., and the
rules and implementing regulations promulgated thereunder;�

���� c.���� the secondary market
institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R.
s.1016.3(l)(3)(iii); or

���� d.��� an insurance institution
subject to P.L.1985, c.179 (C.17:23A-1 et seq.).

���� e.���� the sale of a
consumer�s personally identifiable information by the New Jersey Motor Vehicle
Commission that is permitted by the federal "Drivers' Privacy Protection
Act of 1994," 18 U.S.C. s.2721 et seq.;

���� f.���� personally identifiable
information collected, processed, sold, or disclosed by a consumer reporting
agency, as defined in 15 U.S.C. s.1681a(f), if the collection, processing,
sale, or disclosure of the personally identifiable information is limited by the
federal �Fair Credit Reporting Act,� 15 U.S.C. s.1681 et seq., and implementing
regulations; and

���� g.��� an operator, as that
term is defined in section 1 of P.L.2019, c.494 (C.����� ), acting in
compliance with the provisions of P.L.2019, c.494 (C.����� ).

���� 24.� It shall be an unlawful
practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a controller or
processor to violate any provision of P.L.��� , c.��� (C.����� ) (pending before
the Legislature as this bill).

���� 25.� The Director of the
Division of Consumer Affairs in the Department of Law and Public Safety shall
promulgate rules and regulations, pursuant to the �Administrative Procedure
Act,� P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the
purposes of P.L.���� �, c. ��(C.�� �) (pending before the Legislature as this
bill).

���� 26.� This act shall take
effect on the first day of the sixth month following the date of enactment.

STATEMENT

���� The bill, entitled the �New
Jersey Disclosure and Accountability Transparency Act (NJ DaTA),� establishes
certain rights for consumers concerning the disclosure and processing of a
consumer�s personally identifiable information. A controller, as that term is
defined in the bill, that collects the personally identifiable information of a
consumer may lawfully process the personally identifiable information pursuant
certain provisions in the bill only if at least one of the following applies:

���� 1)��� the consumer has given
consent to the processing of the personally identifiable information for at
least one specific purpose provided by the controller;

���� 2)��� processing is necessary
for the performance of a contract to which the consumer is a party or in order
to take steps at the request of the consumer prior to entering into a contract;

���� 3)��� processing is necessary
for compliance with a legal obligation to which the controller is subject;

���� 4)��� processing is necessary
to protect the vital interest of the consumer or another person;

���� 5)��� processing is necessary
for the performance of a task conducted in the public interest or in the
exercise of official authority vested in the controller; or

���� 6)��� processing is necessary
for the purposes of the legitimate interests pursued by the controller or by a
third party, except where those interests are overridden by the interests or
fundamental rights and freedoms of the consumer, which require protection of
personally identifiable information, including that of a child.

���� The bill provides that a
controller that collects the personally identifiable information of a consumer
is to, at the time when personally identifiable information is collected,
provide to a consumer information concerning the processing of that personally
identifiable information in a concise, transparent, intelligible, and easily
accessible form, using clear and plain language, in writing, or by other means,
including, where appropriate, by electronic means that shall include, but not
be limited to, certain information listed in the bill. The bill further
provides that where the controller intends to process a consumer�s personally
identifiable information for a purpose other than that for which the personally
identifiable information was collected, the controller is to provide certain
disclosures to the consumer prior to that processing.

���� The processing of personally
identifiable information revealing racial or ethnic origin, political opinion,
religious or philosophical belief, or trade union membership, and the
processing of biometric data for the purpose of uniquely identifying a person,
information concerning health or a person�s sexual history or orientation is to
be prohibited except in certain circumstances provided in the bill.

���� The bill provides that a
controller that discloses a consumer�s personally identifiable information to a
processor or third party is to make certain information provided in the bill
available to the consumer free of charge upon receipt of a verified request
from the consumer for this information through a designated request address.

���� The bill provides that a
controller that receives a verified request from a consumer is to provide a
response to the consumer within 30 days of the controller�s receipt of the
request and is to provide information concerning all disclosures of personally
identifiable information.

���� The bill provides that if the
controller does not take action on a consumer�s verified request the controller
is to inform the consumer without undue delay and at the latest within one
month of receipt of the verified request of the reasons for not taking action
and on the ability for the consumer to lodge a complaint with the Office of
Data Protection and Responsible Use (office) in the Division of Consumer
Affairs in the Department of Law and Public Safety, established by the bill.

���� The bill provides that the
purpose of the office is to serve as a clearinghouse of information,
comprehensive resource for consumers, controllers, and processors, and
regulatory body concerning the security and processing of personally
identifiable information. The office�s functions are enumerated in the bill.

���� The bill provides that a
consumer is to have the right to obtain by any means from the controller
rectification of inaccurate personally identifiable information. A consumer is
to have the right to obtain by any means from the controller the erasure, or restriction
of the processing, of personally identifiable information under certain
circumstances provided by the bill.

���� The bill provides that where
processing has been restricted, personally identifiable information, with the
exception of storage, is to only be processed with the consumer�s consent or
for the establishment, exercise, or defense of legal claims or for the
protection of the rights of another person or legal entity or for the public
interest.

���� The bill provides that a
controller is to notify each processor and third party that received a
consumer�s personally identifiable information of any rectification or erasure
of personally identifiable information made by a consumer pursuant to the bill or
restriction of processing made by a consumer pursuant to the bill.

���� The bill provides that a
consumer is to have the right to object, by any means, to the processing of
personally identifiable information, at which time the controller is to no
longer process the personally identifiable information unless the controller demonstrates
compelling legitimate grounds for the processing which overrides the interests,
rights, and freedoms of the consumer or for the establishment, exercise, or
defense of legal claims.

���� Where personally identifiable
information is processed for direct marketing purposes, including profiling,
the consumer is to have the right to object at any time to processing of
personally identifiable information for this purpose, at which time the personally
identifiable information is to no longer be used for this purpose.

���� The bill provides that where
personally identifiable information is processed for scientific or historical
research purposes or statistical purposes, the consumer is to have the right to
object, by any means, to the processing of their personally identifiable
information unless the processing is necessary for the public interest.

���� The bill provides that a
consumer is not to be subject to a decision based solely on automated decision
making, including profiling, which produces legal effects concerning the
consumer or similarly significantly affects the consumer except under certain
circumstances provided in the bill.

���� The bill provides that a
controller is to implement the appropriate technical and organizational
measures to ensure and to be able to demonstrate to the office that processing
is performed in accordance with the requirements of the bill.

���� The bill requires a controller
and processor, in certain situations provided in the bill, to designate in
writing to the office a representative that is to serve as a liaison between
the controller or processor and the office and public.

���� The bill provides that, where
processing is to be conducted on behalf of a controller by a processor, the
controller is to contract with a processor providing sufficient guarantees to
implement appropriate technical and organization measures in a manner that
processing shall meet the requirements the bill. The processor shall not engage
another processor without prior specific or general written authorization of
the controller.

���� Processing by a processor is
to be governed by a contract between a processor and controller that is to
include certain provisions provided in the bill.

���� The bill allows the office to
adopt standard contractual clauses for the contracts between controllers and
processors.

���� The bill provides that a
controller and, where applicable, the controller�s representative, is to
maintain a record of processing activities under its responsibility. A
processor and, where applicable, the processor�s representative, is to maintain
a record of all categories of processing activities carried out on behalf of a
controller. These records are to be in writing, including in electronic form,
and be made available to the office upon request.

���� Taking into account the
technology, the costs of implementation, and the nature, scope, context, and
purposes of processing, as well as the risk of varying likelihood and severity
for the rights and freedoms of a person, the bill requires a controller and
processor to implement appropriate technical and organization measures to
ensure a level of security appropriate to the risk, including certain measures
provided in the bill.

���� In assessing the appropriate
level of security, account is to be taken concerning the risks that are
presented by processing, such as from unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to personally identifiable information
transmitted, stored, or otherwise processed.

���� Adherence to a code of conduct
or certification mechanism approved by the office may be used as an element by
which to demonstrate compliance with the requirements established pursuant to
the bill.

���� The bill provides that,
notwithstanding any other law, rule, or regulation to the contrary, in the
event of a data breach resulting in the unauthorized access of personally
identifiable information, the controller is to immediately and, where feasible,
not later than 72 hours after having become aware of it, notify the office.
Where the notification to the office is not made within 72 hours, it is to be
accompanied by reasons for the undue delay.

���� A processor is to notify the
controller immediately after becoming aware of a data breach resulting in the
unauthorized access of personally identifiable information and the notice is to
contain certain information provided in the bill.

���� The controller is to document
any data breaches resulting in the unauthorized access of personally
identifiable information, its effects, and remedial action taken, which is to
be made available to the office at the office�s request.

���� The bill further provides
that, notwithstanding any other law, rule, or regulation to the contrary, in
the event of a data breach resulting in the unauthorized access of personally
identifiable information that is likely to result in a high risk to the rights
and freedoms of a person, the controller is to notify a consumer without undue
delay.

���� The bill provides that the
data breach notification is to describe in clear and plain language the nature
of the data breach but notification is not to be required under certain
circumstances provided in the bill.

���� The bill allows the office to
notify consumers of a data breach resulting in the unauthorized access of
personally identifiable information if the office determines there is a high
risk to the rights and freedoms of a person.

���� The bill requires a controller
to, prior to processing personally identifiable information, conduct a data
protection impact assessment that is to contain certain information provided
for in the bill.

���� The office is to establish and
publicize a list of the kind of processing operations that are subject to the
requirements of the data protection impact assessment. The office may establish
and publicize a list of the kind of processing operations for which no data
protection impact assessment is required. Where appropriate, a controller is to
request input from consumers on the intended processing.

���� The bill requires a controller
to consult with the office prior to processing in the event the data protection
impact assessment indicates that the processing would result in a high risk to
a consumer�s personally identifiable information in the absence of measures
taken by the controller to mitigate the risk. If the office determines that the
controller�s data protection impact assessment indicates the processing may
violate the provisions the bill, the office is to, within eight weeks of the
submission of the data protection impact assessment, provide written advice to
the controller, and processor where applicable, concerning best industry
practices to conform with the requirements of the bill.

���� The Attorney General is to, in
consultation with the State�s Chief Information Officer, appoint an executive director
to head the office who is to be an individual qualified by training and
experience to perform the duties of the office and who is to devote the time as
executive director solely to the performance of those duties.

���� It is to be an unlawful
practice and violation of the consumer fraud act for a controller or processor
to violate any provision of the bill, which includes $10,000 fine for the first
offense and a $20,000 for each subsequent offense.