Read the full stored bill text
A2067
ASSEMBLY, No. 2067
STATE OF NEW JERSEY
222nd LEGISLATURE
�
PRE-FILED FOR INTRODUCTION IN THE 2026 SESSION
Sponsored by:
Assemblywoman LINDA S. CARTER
District 22 (Somerset and Union)
Assemblyman CLINTON CALABRESE
District 36 (Bergen and Passaic)
Assemblyman WILLIAM W. SPEARMAN
District 5 (Camden and Gloucester)
SYNOPSIS
���� Requires disclosure of breach of security of
geolocation data.
CURRENT VERSION OF TEXT
���� Introduced Pending Technical Review by Legislative
Counsel.
��
An Act
concerning disclosure of breaches of security
and amending P.L.2005, c.226.
����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:
1.
Section 10 of
P.L.2005, c.226 (C:56:8-161) is amended to read as follows:
���� 10.� As used in sections 10
through 15 of
[
this
amendatory and supplementary act
]
P.L.2005, c.226 (C.56:8-161 through C.56:8-166)
:
���� "Breach of security"
means unauthorized access to electronic files, media or data containing
personal information that compromises the security, confidentiality or
integrity of personal information when access to the personal information has
not been secured by encryption or by any other method or technology that
renders the personal information unreadable or unusable.� Good faith
acquisition of personal information by an employee or agent of the business for
a legitimate business purpose is not a breach of security, provided that the
personal information is not used for a purpose unrelated to the business or
subject to further unauthorized disclosure.
���� "Business" means a
sole proprietorship, partnership, corporation, association, or other entity,
however organized and whether or not organized to operate at a profit,
including a financial institution organized, chartered, or holding a license or
authorization certificate under the law of this State, any other state, the
United States, or of any other country, or the parent or the subsidiary of a
financial institution.
���� "Communicate" means
to send a written or other tangible record or to transmit a record by any means
agreed upon by the persons sending and receiving the record.
���� "Customer" means an
individual who provides personal information to a business.
����
"Geolocation"
means the location of an individual, determined by the location of an
electronic device, including, but not limited to, a cellular phone, computer,
or tablet.
���� "Individual" means a
natural person.
���� "Internet" means the
international computer network of both federal and non-federal interoperable
packet switched data networks.
���� "Personal
information" means an individual's first name or first initial and last
name linked with any one or more of the following data elements:� (1) Social
Security number; (2) driver's license number or State identification card
number;
[
or
]
(3) account
number or credit or debit card
number, in combination with any required security code, access code, or
password that would permit access to an individual's financial account
; or
(4) geolocation
.� Dissociated data that, if linked, would constitute
personal information is personal information if the means to link the
dissociated data were accessed in connection with access to the dissociated
data.
���� For the purposes of sections
10 through 15 of
[
this
amendatory and supplementary act
]
P.L.2005, c.226 (C.56:8-161 through C.56:8-166)
, personal information
shall not include publicly available information that is lawfully made
available to the general public from federal, state or local government
records, or widely distributed media.
���� "Private entity"
means any individual, corporation, company, partnership, firm, association, or
other entity, other than a public entity.
���� "Public entity"
includes the State, and any county, municipality, district, public authority,
public agency, and any other political subdivision or public body in the
State.� For the purposes of sections 10 through 15 of
[
this
amendatory and supplementary act
]
P.L.2005, c.226 (C.56:8-161 through C.56:8-166)
, public entity does not
include the federal government.
���� "Publicly post" or
"publicly display" means to intentionally communicate or otherwise
make available to the general public.
���� "Records" means any
material, regardless of the physical form, on which information is recorded or
preserved by any means, including written or spoken words, graphically
depicted, printed, or electromagnetically transmitted.� Records does not include
publicly available directories containing information an individual has
voluntarily consented to have publicly disseminated or listed.
(cf: P.L.2005, c.226, s.10)
���� 2.��� This act shall take
effect on the 90th day next following enactment.
STATEMENT
���� This bill requires entities
that compile or maintain computerized records that include geolocation data to
disclose to consumers breaches of security of geolocation information.�
���� Under current law, businesses
and public entities are required to disclose breaches that involve personal
information.� Under current law, �personal information� is defined as an
individual's first name or first initial and last name linked with any one or
more of the following data elements: Social Security number; driver�s license
number, or credit or debit card number, in combination with any required
security code, access code, or password that would permit access to an individual�s
financial account. The bill adds geolocation data to the definition of
�personal information� so that a breach of geolocation data would require
businesses and public entities to disclose the breach to consumers.