Read the full stored bill text
A1401
ASSEMBLY, No. 1401
STATE OF NEW JERSEY
222nd LEGISLATURE
�
PRE-FILED FOR INTRODUCTION IN THE 2026 SESSION
Sponsored by:
Assemblywoman ELLEN J. PARK
District 37 (Bergen)
Assemblyman CODY D. MILLER
District 4 (Atlantic, Camden and Gloucester)
SYNOPSIS
���� Exempts certain personal information and entities
from certain requirements concerning notification and disclosure of personal
data.
CURRENT VERSION OF TEXT
���� Introduced Pending Technical Review by Legislative
Counsel.
��
An Act
concerning privacy and disclosure requirements for certain entities and certain
personal data and amending P.L.2023, c.266.
����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:
�����
1.�� Section 10 of P.L.2023, c.266 (C.56:8-166.13) is amended to read as
follows:
����� 10.�
Nothing in P.L.2023, c.266 (C.56:8-166.4 et seq.) shall apply to:
����� a.�� protected
health information collected by a covered entity or business associate subject
to the privacy, security, and breach notification rules issued by the United
States Department of Health and Human Services, Parts 160 and 164 of Title 45
of the Code of Federal Regulations, established pursuant to the "Health
Insurance Portability and Accountability Act of 1996
[
,
]
"
(�HIPAA�),
Pub.L.104-191, and the "Health Information
Technology for Economic and Clinical Health Act,"
42 U.S.C. s.17921 et seq.;
or information treated like protected health
information collected, used, or disclosed by a covered entity or business
associate under HIPAA when the information is used or disclosed in accordance
with HIPAA and the information is afforded all the privacy protections and
security safeguards of the federal laws and implementing regulations under
HIPAA;
����� b.�� a
financial institution, data, or an affiliate of a financial institution that is
subject to Title V of the federal "Gramm-Leach-Bliley Act," 15 U.S.C.
s.6801 et seq., and the rules and implementing regulations promulgated
thereunder;
����� c.�� the
secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12
C.F.R. s.1016.3(l)(3)(iii);
����� d.�� an
insurance institution subject to P.L.1985, c.179 (C.17:23A-1 et seq.);
����� e.�� the
sale of a consumer's personal data by the New Jersey Motor Vehicle Commission
that is permitted by the federal "
[
Drivers'
]
Driver�s
Privacy Protection Act of
1994," 18 U.S.C. s.2721 et seq.;
����� f.��� personal
data collected, processed, sold, or disclosed by a consumer reporting agency,
as defined in 15 U.S.C. s.1681a(f), if the collection, processing, sale, or
disclosure of the personal data is limited, governed, and collected,
maintained, disclosed, sold, communicated, or used only as authorized by the
federal "Fair Credit Reporting Act," 15 U.S.C. s.1681 et seq., and
implementing regulations;
����� g.�� any
State agency as defined in section 2 of P.L.1971, c.182 (C.52:13D-13), any
political subdivision, and any division, board, bureau, office, commission, or
other instrumentality created by a political subdivision;
[
or
]
����� h.�� personal
data that is collected, processed, or disclosed, as part of research conducted
in accordance with the Federal Policy for the protection of human subjects
pursuant to 45 C.F.R. Part 46
[
or
]
; human subjects research conducted in accordance
with good clinical practice guidelines issued by The International Council for
Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; or
research conducted in accordance with
the protection of human subjects pursuant to 21 C.F.R. Parts 50 and 56
;
�����
i.
an insurance-support organization as defined in section 2 of P.L.1985, c.179
(C.17:23A-2); or
�����
j.��� a
national securities association registered pursuant to section 15A of the
�Securities Exchange Act of 1934,� 15 U.S.C. s.78a et seq., and any rules or
regulations promulgated thereunder
.
(cf:
P.L.2023, c.266, s.10)
�����
2.�� Section 1 of P.L.2023, c.266 (56:8-166.4) is amended to read as
follows:
����� 1.�� As
used in P.L.2023, c.266 (C.56:8-166.4 et seq.):
����� "Affiliate"
means a legal entity that controls, is controlled by, or is under common
control with another legal entity.� For the purposes of this definition,
"control" means: the ownership of or the power to vote, more than 50
percent of the outstanding shares of any class of voting security of a company;
the control in any manner over the election of a majority of the directors or
individuals exercising similar functions; or the power to exercise a
controlling influence over the management or policies of a company.
����� "Biometric
data" means data generated by automatic or technological processing,
measurements, or analysis of an individual's biological, physical, or
behavioral characteristics, including, but not limited to, fingerprint,
voiceprint, eye retinas, irises, facial mapping, facial geometry, facial
templates, or other unique biological, physical, or behavioral patterns or
characteristics that are used or intended to be used, singularly or in
combination with each other or with other personal data, to identify a specific
individual. "Biometric data" shall not include: a digital or physical
photograph; an audio or video recording; or any data generated from a digital
or physical photograph, or an audio or video recording, unless such data is
generated to identify a specific individual.
����� "Child"
shall have the same meaning as provided in COPPA.
����� "Consent"
means a clear affirmative act signifying a consumer's freely given, specific,
informed, and unambiguous agreement to allow the processing of personal data
relating to the consumer. "Consent" may include a written statement, including
by electronic means, or any other unambiguous affirmative action. "Consent
shall not include: acceptance of a general or broad terms of use or similar
document that contains descriptions of personal data processing along with
other, unrelated information; hovering over, muting, pausing, or closing a
given piece of content; or agreement obtained through the use of dark patterns.
����� "Consumer"
means an identified person who is a resident of this State acting only in an
individual or household context. "Consumer" shall not include a
person acting in a commercial or employment context.
����� "Controller"
means an individual, or legal entity that, alone or jointly with others
determines the purpose and means of processing personal data.
����� "COPPA"
means the federal Children's Online Privacy Protection Act, 15 U.S.C. s.6501 et
seq., and any rules, regulations, guidelines, and exceptions thereto, as may be
amended from time to time.
����� "Dark
pattern" means a user interface designed or manipulated with the
substantial effect of subverting or impairing user autonomy, decision-making,
or choice, and includes, but is not limited to, any practice the United States
Federal Trade Commission refers to as a "dark pattern."
����� "Decisions
that produce legal or similarly significant effects concerning the
consumer" means decisions that result in the provision or denial of
financial or lending services, housing, insurance, education enrollment or
opportunity, criminal justice, employment opportunities, health care services,
or access to essential goods and services.
����� "De-identified
data" means: data that cannot be reasonably used to infer information
about, or otherwise be linked to, an identified or identifiable individual, or
a device linked to such an individual, if the controller that possesses the
data: (1) takes reasonable measures to ensure that the data cannot be
associated with an individual, (2) publicly commits to maintain and use the
data only in a de-identified fashion and not to attempt to re-identify the
data, and (3) contractually obligates any recipients of the information to
comply with the requirements of this paragraph
; or data de-identified in
accordance with the requirements in 45 C.F.R. Part 164, where any recipients of
that data are contractually prohibited from attempting to reidentify the data
.
����� "Designated
request address" means an electronic mail address, Internet website, or
toll-free telephone number that a consumer may use to request the information
required to be provided pursuant to section 3 of P.L.2023, c.266
(C.56:8-166.6).
����� "Personal
data" means any information that is linked or reasonably linkable to an
identified or identifiable person. "Personal data" shall not include
de-identified data or publicly available information.
����� "Precise
geolocation data" means information derived from technology, including,
but not limited to, global positioning system level latitude and longitude
coordinates or other mechanisms, that directly identifies the specific location
of an individual with precision and accuracy within a radius of 1,750 feet.
"Precise geolocation data" does not include the content of
communications or any data generated by or connected to advanced utility
metering infrastructure systems or equipment for use by a utility.
����� "Process"
or "processing" means an operation or set of operations performed,
whether by manual or automated means, on personal data or on sets of personal
data, such as the collection, use, storage, disclosure, analysis, deletion, or modification
of personal data, and also includes the actions of a controller directing a
processor to process personal data.
����� "Processor"
means a person, private entity, public entity, agency, or other entity that
processes personal data on behalf of the controller.
����� "Profiling"
means any form of automated processing performed on personal data to evaluate,
analyze, or predict personal aspects related to an identified or identifiable
individual's economic situation, health, personal preferences, interests, reliability,
behavior, location, or movements.
����� "Publicly
available information" means information that is lawfully made available
from federal, State, or local government records or widely distributed media or
information that a controller has a reasonable basis to believe a consumer has
lawfully made available to the general public and has not restricted to a
specific audience.
����� "Sale"
means the sharing, disclosing, or transferring of personal data for monetary or
other valuable consideration by the controller to a third party.
"Sale" shall not include:
����� The
disclosure of personal data to a processor that processes the personal data on
the controller's behalf;
����� The
disclosure of personal data to a third party for the purposes of providing a
product or service requested by the consumer;
����� The
disclosure or transfer of personal data to an affiliate of the controller;
����� The
disclosure of personal data that the consumer intentionally made available to
the general public through a mass media channel and did not restrict to a
specific audience; or
����� The
disclosure or transfer of personal data to a third party as an asset that is
part of a proposed or actual merger, acquisition, bankruptcy, or other
transaction in which the third party assumes control of all or part of the
controller's assets.
����� "Sensitive
data" means personal data revealing racial or ethnic origin; religious
beliefs; mental or physical health condition, treatment, or diagnosis;
financial information, which shall include a consumer's account number, account
log-in, financial account, or credit or debit card number, in combination with
any required security code, access code, or password that would permit access
to a consumer's financial account; sex life or sexual orientation; citizenship
or immigration status; status as transgender or non-binary; genetic or
biometric data that may be processed for the purpose of uniquely identifying an
individual; personal data collected from a known child; or precise geolocation
data.
����� "Targeted
advertising" means displaying advertisements to a consumer where the
advertisement is selected based on personal data obtained or inferred from that
consumer's activities over time and across nonaffiliated Internet web sites or
online applications to predict such consumer's preferences or interests.
"Targeted advertising" shall not include: advertisements based on
activities within a controller's own internet websites or online applications;
advertisements based on the context of a consumer's current search query, visit
to an internet website or online application; advertisements directed to a
consumer in response to the consumer's request for information or feedback; or
processing personal data solely to measure or report advertising frequency,
performance, or reach.
����� "Third
party" means a person, private entity, public entity, agency, or entity
other than the consumer, controller, or affiliate or processor of the
controller.
����� "Trade
secret" has the same meaning as section 2 of P.L.2011, c.161 (C.56:15-2).
����� "Verified
request" means the process through which a consumer may submit a request
to exercise a right or rights established in P.L.2023, c.266 (C.56:8-166.4 et
seq.), and by which a controller can reasonably authenticate the request and
the consumer making the request using commercially reasonable means.
(cf:
P.L.2023, c.266, s.1)
���� 3. This act shall take effect
immediately.
STATEMENT
���� This bill exempts
insurance-support organizations and national securities associations from the
provisions of current law that require certain entities to notify consumers of
collection and disclosure of personal data.� Under current law, insurance
institutions and other entities are exempt from those requirements.
���� The bill exempts certain data
from disclosure requirements under current law, including:
���� (1) information treated like
protected health information collected, used, or disclosed by a covered entity
or business associate under the "Health Insurance Portability and
Accountability Act of 1996" (HIPAA), when the information is used or disclosed
in accordance with HIPAA and the information is afforded all the privacy
protections and security safeguards of the federal laws and implementing
regulations under HIPAA; and
���� (2) human subjects research
conducted in accordance with good clinical practice guidelines issued by The
International Council for Harmonisation of Technical Requirements for
Pharmaceuticals for Human Use.
���� Finally, the bill expands the
definition of de-identified data under current law to include data
de-identified in accordance with the requirements in HIPAA, where any
recipients of that data are contractually prohibited from attempting to
reidentify the data.