Back to New Jersey

A2297 • 2026

Establishes certain data privacy protection requirements for consumer health data, health care providers, and patients.

Establishes certain data privacy protection requirements for consumer health data, health care providers, and patients.

Privacy
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Donlon, Margie, M.D.
Last action
2026-01-13
Official status
Introduced, Referred to Assembly Health Committee
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Establishes certain data privacy protection requirements for consumer health data, health care providers, and patients.

Establishes certain data privacy protection requirements for consumer health data, health care providers, and patients.

What This Bill Does

  • Establishes certain data privacy protection requirements for consumer health data, health care providers, and patients.
  • Topic: Health Fiscal note: This bill has not been certified by OLS for a fiscal note.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-01-13 New Jersey Legislature

    Introduced, Referred to Assembly Health Committee

Official Summary Text

Establishes certain data privacy protection requirements for consumer health data, health care providers, and patients.
Topic:
Health
Fiscal note:
This bill has not been certified by OLS for a fiscal note.

Current Bill Text

Read the full stored bill text
A2297

ASSEMBLY, No. 2297

STATE OF NEW JERSEY

222nd LEGISLATURE

�

PRE-FILED FOR INTRODUCTION IN THE 2026 SESSION

Sponsored by:

Assemblywoman MARGIE DONLON, M.D.

District 11 (Monmouth)

SYNOPSIS

���� Establishes certain data privacy protection
requirements for consumer health data, health care providers, and patients.

CURRENT VERSION OF TEXT

���� Introduced Pending Technical Review by Legislative
Counsel.

��

An Act

concerning consumer health data and
supplementing Title 56 of the Revised Statutes.

����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:

���� 1.� As used in this act:

���� a.� "Abortion" means
the termination of a pregnancy for purposes other than producing a live birth.

���� b.� "Affiliate"
means a legal entity that shares common branding with another legal entity and
controls, is controlled by, or is under common control with another legal
entity. For the purposes of this definition, "control" or "controlled"
shall mean:

���� (1)� ownership of, or the
power to vote, more than 50 percent of the outstanding shares of any class of
voting security of a company;

���� (2)� control in any manner
over the election of a majority of the directors or of individuals exercising
similar functions; or

���� (3)� the power to exercise
controlling influence over the management of a company.

���� c.� "Authenticate"
means to use reasonable means to determine that a request to exercise any of
the rights afforded in this act is being made by, or on behalf of, the consumer
who is entitled to exercise such consumer rights with respect to the consumer
health data at issue.

���� d.� "Biometric data"
means data that is generated from the measurement or technological processing
of an individual's physiological, biological, or behavioral characteristics and
that identifies a consumer, whether individually or in combination with other
data.� Biometric data shall include, but shall not be limited to:� imagery of
the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice
recordings, from which an identifier template can be extracted; or keystroke
patterns or rhythms and gait patterns or rhythms that contain identifying
information.

���� e.� "Collect" means
to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise
process consumer health data in any manner.

���� f.� "Consent" means
a clear affirmative act that signifies a consumer's freely given, specific,
informed, opt-in, voluntary, and unambiguous agreement, which may include
written consent provided by electronic means.� "Consent" may not be
obtained by:�

���� (1)� a consumer's acceptance
of a general or broad terms of use agreement or a similar document that
contains descriptions of personal data processing along with other unrelated
information;

���� (2)� a consumer hovering over,
muting, pausing, or closing a given piece of content; or

���� (3)� a consumer's agreement
obtained through the use of deceptive designs.

���� g.� "Consumer"
means: a natural person who is a New Jersey resident; a natural person whose
consumer health data is collected in New Jersey; or a natural person who acts
only in an individual or household context, however identified, including by
any unique identifier. "Consumer" shall not include an individual
acting in an employment context.

���� h.� "Consumer health
data" or �data� means personal information that is linked or reasonably
linkable to a consumer and that identifies the consumer's past, present, or
future physical or mental health status including, but not limited to:�

���� (1)� individual health
conditions, treatment, diseases, diagnotstic testing, or diagnosis, and social,
psychological, behavioral, and medical interventions;

���� (2)� health-related surgeries
or procedures;

���� (3)� use or purchase of
prescribed medication;

���� (4) bodily functions, vital
signs, symptoms, or measurements of the consumer�s health;

���� (5)� reproductive or sexual
health information;

���� (6)� biometric data;

���� (7)� genetic data;

���� (8)� precise location
information that could reasonably indicate a consumer's attempt to acquire or
receive health services or supplies;

���� (9)� data that identifies a
consumer seeking health care services; or ��

���� (10)� any information that a
regulated entity, or their respective processor, processes to associate or
identify a consumer with consumer health data that is derived or extrapolated
from non-health information such as proxy, derivative, inferred, or emergent
data by any means, including algorithms or machine learning.�

���� "Consumer health
data" shall not include personal information that is used to engage in
public or peer-reviewed scientific, historical, or statistical research in the
public interest that adheres to all other applicable ethics and privacy laws and
is approved, monitored, and governed by an institutional review board, human
subjects research ethics review board, or a similar independent oversight
entity that determines that the regulated entity has implemented reasonable
safeguards to mitigate privacy risks associated with research, including any
risks associated with reidentification.

���� i.� "Deceptive
design" means a user interface designed or manipulated with the effect of
subverting or impairing user autonomy, decision making, or choice.

���� j.� �Deidentified data"
means data that cannot reasonably be used to infer information about, or
otherwise be linked to, an identified or identifiable consumer, or a device
linked to such consumer.

���� k.� "Genetic data"
means any data, regardless of its format, that concerns a consumer's genetic
characteristics. "Genetic data" shall include, but shall not be
limited to:� raw sequence data that result from the sequencing of a consumer's
complete extracted deoxyribonucleic acid (DNA) or a portion of the extracted
DNA; genotypic and phenotypic information that results from analyzing the raw
sequence data; and self-reported health data that a consumer submits to a
regulated entity and that is analyzed in connection with consumer's raw
sequence data.

���� l.� "Geofence" means
technology that uses global positioning coordinates, cell tower connectivity,
cellular data, radio frequency identification, Wifi data, or any other form of
spatial or location detection to establish a virtual boundary around a specific
physical location, or to locate a consumer within a virtual boundary.� For
purposes of this definition, "geofence" shall mean a virtual boundary
that is 2,000 feet or less from the perimeter of the physical location.

���� m.� "Health care
services" means any service provided to a person to assess, measure,
improve, or learn about a person's mental or physical health, including but not
limited to:� individual health conditions, status, diseases, or diagnoses; social,
psychological, behavioral, and medical interventions; health-related surgeries
or procedures; use or purchase of medication; bodily functions, vital signs,
symptoms, or measurements of the person�s health; diagnoses or diagnostic
testing, treatment, or medication; or reproductive health services.

���� n.� "Homepage" means
the introductory page of an Internet website and any Internet webpage where
personal information is collected.� In the case of an online service, such as a
mobile application, homepage means the application's platform page or download
page, and a link within the application, such as from the application
configuration, "about," "information," or settings page.

���� p.� "Person" means,
where applicable, natural persons, corporations, trusts, unincorporated
associations, and partnerships. "Person" shall not include government
agencies, tribal nations, or contracted service providers when processing
consumer health data on behalf of a government agency.

���� q.� "Personal
information" means information that identifies or is reasonably capable of
being associated or linked, directly or indirectly, with a particular consumer.
"Personal information" shall includes, but not be limited to, data
associated with a persistent unique identifier, such as a cookie ID, an IP
address, a device identifier, or any other form of persistent unique
identifier.� "Personal information" shall not include publicly
available information or deidentified data.

���� r.� "Precise location
information" means information derived from technology including, but not
limited to, global positioning system level latitude and longitude coordinates
or other mechanisms, that directly identifies the specific location of an
individual with precision and accuracy within a radius of 1,750 feet.
"Precise location information" shall not include the content of
communications, or any data generated by or connected to advanced utility
metering infrastructure systems or equipment for use by a utility.

���� s.� "Process" or
"processing" means any operation or set of operations performed on
consumer health data.

���� t.� "Processor"
means a person that processes consumer health data on behalf of a regulated
entity.

���� u.� "Publicly available
information" means information that is lawfully made available through
federal, State, or municipal government records or widely distributed media,
and� a regulated entity has a reasonable basis to believe a consumer has
lawfully made available to the general public. "Publicly available
information" shall not include any biometric data collected about a
consumer by a business without the consumer's consent.

���� v.� "Regulated
entity" means any legal entity that: conducts business in New Jersey, or
produces or provides products or services that are targeted to consumers in New
Jersey; and alone or jointly with others, determines the purpose and means of
collecting, processing, sharing, or selling of consumer health data.
"Regulated entity" shall not mean government agencies, tribal
nations, or contracted service providers when processing consumer health data
on behalf of the government agency.

���� w.� "Reproductive or
sexual health information" means personal information relating to seeking
or obtaining past, present, or future reproductive or sexual health services.
"Reproductive or sexual health information" shall include, but be not
limited to:

���� (1)� precise location
information that could reasonably indicate a consumer's attempt to acquire or
receive reproductive or sexual health services;

���� (2)� efforts to research or
obtain reproductive or sexual health services; or

���� (3)� any reproductive or
sexual health information that is derived, extrapolated, or inferred, including
from non-health information such as proxy, derivative, inferred, emergent, or
algorithmic data.

���� x.� "Reproductive or
sexual health services" means health services or products that support or
relate to a consumer's reproductive system or sexual well-being, including but
not limited to:

���� (1)� individual health
conditions, status, diseases, diagnostic testin, or diagnoses;

���� (2) social, psychological,
behavioral, and medical interventions;

���� (3)� health-related surgeries
or procedures including, but not limited to, abortions;

���� (4)� use or purchase of
medication including, but not limited to, medications for the purposes of
abortion;

���� (5) bodily functions, vital
signs, symptoms, or measurements of the consumer�s health; and

���� (6)� medical or nonmedical
services related to and provided in conjunction with an abortion, including but
not limited to associated diagnostics, counseling, supplies, and follow-up
services.

���� y.� "Sell" or
"sale" means the exchange of consumer health data for monetary or
other valuable consideration.� "Sell" or "sale" shall not
include the exchange of consumer health data for monetary or other valuable consideration:
to a third party as an asset that is part of a merger, acquisition, bankruptcy,
or other transaction in which the third party assumes control of all or part of
the regulated entity's assets that complies with the requirements and obligations
in this chapter; or by a regulated entity to a processor when such exchange is
consistent with the purpose for which the consumer health data was collected
and disclosed to the consumer.

���� z.� "Share" or
"sharing" means to release, disclose, disseminate, divulge, make
available, provide access to, license, or otherwise communicate orally, in
writing, or by electronic or other means, consumer health data by a regulated entity
to a third party or affiliate.� The term "share" or
"sharing" shall not include:

���� (1)� the disclosure of
consumer health data by a regulated entity to a processor when such sharing is
to provide goods or services in a manner consistent with the purpose for which
the consumer health data was collected and disclosed to the consumer;

���� (2)� the disclosure of
consumer health data to a third party with whom the consumer has a direct
relationship when:

���� (a)� the disclosure is for
purposes of providing a product or service requested by the consumer;

���� (b) the regulated entity
maintains control and ownership of the data; and

���� (c) the third party uses the
consumer health data only at direction from the regulated entity and consistent
with the purpose for which it was collected and consented to by the consumer;
or

���� (d)� the disclosure or
transfer of personal data to a third party as an asset that is part of a
merger, acquisition, bankruptcy, or other transaction in which the third party
assumes control of all or part of the regulated entity's assets and complies with
the requirements and obligations in this chapter.

���� aa.� "Third party"
means an entity other than a consumer, regulated entity, processor, or
affiliate of the regulated entity.

���� 2.� a.� A regulated entity
shall maintain a consumer health data privacy policy that clearly and
conspicuously discloses:

���� (1)� the categories of
consumer health data collected and the purpose for which the data is collected,
including how the data will be used;

���� (2)� the categories of sources
from which the consumer health data is collected;

���� (3)� the categories of
consumer health data that is shared;

���� (4)� a list of the categories
of third parties and specific affiliates with whom the regulated entity shares
the consumer health data; and

���� (5) how a consumer can
exercise any rights provided pursuant to section 4 of this act.

���� b.� A regulated entity shall
prominently publish a link to its consumer health data privacy policy on its
Internet website.

���� c.� A regulated entity may not
collect, use, or share additional categories of consumer health data not
disclosed in the consumer health data privacy policy without first disclosing
the additional categories and obtaining the consumer's affirmative consent
prior to the collection, use, or sharing of such consumer health data.

���� d.� A regulated entity may not
collect, use, or share consumer health data for additional purposes not
disclosed in the consumer health data privacy policy without first disclosing
the additional purposes and obtaining the consumer's affirmative consent prior
to the collection, use, or sharing of such consumer health data.

���� e.�� It shall be a violation
of this act for a regulated entity to contract with a processor to process
consumer health data in a manner that is inconsistent with the regulated
entity's consumer health data privacy policy.

���� 3.� a.� A regulated entity
shall not collect any consumer health data except:

���� (1) with consent from the
consumer for such collection for a specified purpose; or

���� (2) to the extent necessary to
provide a product or service that the consumer to whom such consumer health
data relates has requested from such regulated entity.

���� b.� A regulated entity may not
share any consumer health data except:

���� (1) with consent from the
consumer for such sharing that is separate and distinct from the consent
obtained to collect consumer health data; or

���� (2) to the extent necessary to
provide a product or service that the consumer to whom such consumer health
data relates has requested from such regulated entity.

���� c.� Consent required under
this section shall be obtained prior to the collection or sharing, as
applicable, of any consumer health data, and the request for consent shall
clearly and conspicuously disclose:

���� (1)� the categories of
consumer health data collected or shared;

���� (2)� the purpose of the
collection or sharing of the consumer health data, including the specific ways
in which it will be used;

���� (3)� the categories of
entities with whom the consumer health data is shared; and

���� (4)� how the consumer can
withdraw consent from future collection or sharing of the consumer's health
data.

���� d.� A regulated entity shall
not unlawfully discriminate against a consumer for exercising any rights
included section 4 of this act.

���� 4.� a.� A consumer shall have
the right to:

���� (1)� confirm whether a
regulated entity is collecting, sharing, or selling consumer health data
concerning the consumer and to access such data, including a list of all third
parties and affiliates with whom the regulated entity has shared or sold the consumer
health data and an active email address or other online mechanism that the
consumer may use to contact these third parties;

���� (2)� withdraw consent from the
regulated entity's collection and sharing of consumer health data concerning
the consumer; and

���� (3)� have consumer health data
concerning the consumer deleted and may exercise that right by informing the
regulated entity of the consumer's request for deletion.

���� b.� (1)� A regulated entity
that receives a consumer's request to delete any consumer health data
concerning the consumer shall:

���� (a)� delete the consumer
health data from its records, including from all parts of the regulated
entity's network, including archived or backup systems pursuant to paragraph
(3) of this subsection; and

���� (b)� notify all affiliates,
processors, contractors, and other third parties with whom the regulated entity
has shared consumer health data of the deletion request.

���� (2) All affiliates,
processors, contractors, and other third parties that receive notice of a
consumer's deletion request pursuant to this subsection shall honor the
consumer's deletion request and delete the consumer health data from its
records.

���� (3)� If consumer health data
that a consumer requests to be deleted is stored on archived or backup systems,
then the request for deletion may be delayed to enable restoration of the
archived or backup systems and such delay may not exceed six months from
authenticating the deletion request.

���� c.� A consumer may exercise
the rights set forth in subsection a. of this section by submitting a request,
at any time, to a regulated entity.� Such a request may be made by a secure and
reliable means established by the regulated entity and described in its
consumer health data privacy policy pursuant to section 2 of this act. The
method shall take into account the ways in which consumers normally interact
with the regulated entity, the need for secure and reliable communication of
such requests, and the ability of the regulated entity to authenticate the
identity of the consumer making the request. A regulated entity may not require
a consumer to create a new account in order to exercise consumer rights
pursuant to this section, but may require a consumer to use an existing
account.

���� d.� If a regulated entity is
unable to authenticate a request using commercially reasonable efforts, the
regulated entity shall not be required to comply with a request to initiate an
action under this section and may request that the consumer provide additional
information reasonably necessary to authenticate the consumer and the
consumer's request.

���� e.� Information provided in
response to a consumer request shall be provided by a regulated entity free of
charge, up to twice annually per consumer.� If requests from a consumer are
manifestly unfounded, excessive, or repetitive, the regulated entity may charge
the consumer a reasonable fee to cover the administrative costs of complying
with the request or decline to act on the request. The regulated entity shall
bear the burden of demonstrating the manifestly unfounded, excessive, or
repetitive nature of the request.

���� f.� A regulated entity shall
comply with a consumer's request within 45 days of receipt of the request
submitted pursuant to the methods described in this section.� The response
period may be extended once by 45 additional days when reasonably necessary,
taking into account the complexity and number of the consumer's requests, so
long as the regulated entity informs the consumer of any such extension within
the initial 45-day response period, together with the reason for the extension.

���� g.� A regulated entity shall
establish a process for a consumer to appeal the regulated entity's refusal to
take action on a request within a reasonable period of time after the
consumer's receipt of the decision. The appeal process shall be conspicuously
available and similar to the process for submitting requests to initiate action
pursuant to this section. Within 45 days of receipt of an appeal, a regulated
entity shall inform the consumer in writing of any action taken or not taken in
response to the appeal, including a written explanation of the reasons for the
decisions. If the appeal is denied, the regulated entity shall also provide the
consumer with an online mechanism, if available, or other method through which
the consumer may contact the Attorney General to submit a complaint.

���� 5.� A regulated entity shall:

���� a.� restrict access to
consumer health data by the employees, processors, and contractors of such
regulated entity to only those employees, processors, and contractors for which
access is necessary to further the purposes for which the consumer provided consent
or where necessary to provide a product or service that the consumer to whom
such consumer health data relates has requested from such regulated entity; and

���� b.� establish, implement, and
maintain administrative, technical, and physical data security practices that,
at a minimum, satisfy reasonable standard of care within the regulated entity's
industry to protect the confidentiality, integrity, and accessibility of
consumer health data appropriate to the volume and nature of the consumer
health data at issue.

���� 6.� � a.� A processor may
process consumer health data only pursuant to a binding contract between the
processor and the regulated entity that sets forth the processing instructions
and limits the actions the processor may take with respect to the consumer health
data it processes on behalf of the regulated entity.

���� b.� A processor may process
consumer health data only in a manner that is consistent with the binding
instructions set forth in the contract with the regulated entity.

���� c.� To the extent possible, a
processor shall assist the regulated entity by appropriate technical and
organizational measures in fulfilling the regulated entity's obligations under
this act.

���� d.� If a processor fails to
adhere to the regulated entity's instructions or processes consumer health data
in a manner that is outside the scope of the processor's contract with the
regulated entity, the processor shall be considered a regulated entity with
regard to such data and shall be subject to all the requirements of this act
with regard to such data.

���� 7.� a.� It shall be unlawful
for any person to sell or offer to sell consumer health data concerning a
consumer without first obtaining valid authorization from the consumer.� The
sale of consumer health data shall be consistent with the valid authorization
signed by the consumer, which authorization shall be separate and distinct from
the any consent obtained to collect or share consumer health data.

���� b.� A valid authorization to
sell consumer health data shall be written in plain language and shall contain
the following:

���� (1) the specific consumer
health data concerning the consumer that the person intends to sell;

���� (2) the name and contact
information of the person collecting and selling the consumer health data;

���� (3) the name and contact
information of the person purchasing the consumer health data from the seller
identified in paragraph (2) of this subsection;

���� (4) a description of the
purpose for the sale, including how the consumer health data will be gathered
and how it will be used by the purchaser identified in paragraph (3) of this
subsection when sold;

���� (5) a statement that the
provision of goods or services may not be conditioned on the consumer signing
the valid authorization;

���� (6) a statement that the
consumer has a right to revoke the valid authorization at any time and a
description on how to submit a revocation of the valid authorization;

���� (7) a statement that the
consumer health data sold pursuant to the valid authorization may be subject to
redisclosure by the purchaser and may no longer be protected by this section;

���� (8) an expiration date for the
valid authorization that expires one year from when the consumer signs the
valid authorization; and

���� (9) the signature of the
consumer and date.

���� c.� An authorization shall not
be valid if the document has any of the following defects:

���� (1) the expiration date has
passed;

���� (2) the authorization does not
contain all the information required under this section;

���� (3) the authorization has been
revoked by the consumer;

���� (4) the authorization has been
combined with other documents to create a compound authorization; or

���� (5) the provision of goods or
services is conditioned on the consumer signing the authorization.

���� d. A copy of the signed valid
authorization shall be provided to the consumer.

���� e. The seller and purchaser of
consumer health data shall retain a copy of each valid authorization for sale
of consumer health data for six years from the date of its signature or the
date when it was last in effect, whichever is later.

���� 8.� It shall be unlawful for
any person to implement a geofence around an entity that provides in-person
health care services where such geofence would be used to:� identify or track
consumers seeking health care services;� collect consumer health data from
consumers; or send notifications, messages, or advertisements to consumers
related to their consumer health data or health care services.

���� 9.� A violation of this act
shall be considered an unlawful practice in violation of P.L.1960, c.39
(C.56:8-1 et seq.).

���� 10.� a.� The provisions of
this act shall not apply to any:

���� (1)� body, authority, board,
bureau, commission, district or agency of this State or of any political
subdivision of this State;�

���� (2)� nonprofit organization;

���� (3)� institution of higher
education;

���� (4)� national securities
association that is registered under 15 U.S.C s.78o-3 of the federal Securities
Exchange Act of 1934, as amended from time to time;

���� (5)� financial institution or
data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C s.6801
et seq.; or

���� (6)� covered entity or
business associate, as defined in 45 C.F.R. s.160.103.

���� b.� The following information
and data shall be exempt from the provisions of this act:

���� (1)� protected health
information under the federal Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191;

���� (2)� patient-identifying
information for purposes of 42 U.S.C s.290dd-2;

���� (3)� identifiable private
information for purposes of the federal policy for the protection of human
subjects under 45 C.F.R Part 46;

���� (4)� identifiable private
information that is otherwise information collected as part of human subjects
research pursuant to the Good Clinical Practice Guidelines issued by the
International Council for Harmonization of Technical Requirements for Pharmaceuticals
for Human Use;

���� (5)� the protection of human
subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared
in research, as defined in 45 C.F.R. s.164.501 that is conducted in accordance
with the standards set forth under federal law, or other research conducted in
accordance with applicable law;

���� (6)� information and documents
created for purposes of the federal Health Care Quality Improvement Act of
1986, 42 U.S.C. s.11101 et seq.;

���� (7)� patient safety work
product for the purposes of federal Patient Safety and Quality Improvement Act,
42 U.S.C. s.299b-21 et seq., as

amended from time to time;

���� (8)� information derived from
any of the health care related information listed in paragraph (3) of this
subsection that is deidentified in accordance with the requirements for
de-identification pursuant to the federal Health Insurance Portability and
Accountability Act of 1996, Pub. L. No. 104-191;

���� (9)� information originating
from and intermingled to be indistinguishable with, or information treated in
the same manner as, information exempt under this subsection that is maintained
by a covered entity or business associate, program or qualified service
organization, as specified in 42 U.S.C. s.290dd-2, as amended from time to
time;

���� (10)� information used for
public health activities and purposes as authorized by the federal Health
Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191,
community health activities and population

health activities;

���� (11) � the collection,
maintenance, disclosure, sale, communication or use of any personal information
bearing on a consumer's credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics or mode of living by a consumer
reporting agency, furnisher or user that provides information for use in a
consumer report, and by a user of a consumer report, but only to the extent
that such activity is regulated by and authorized under the federal Fair Credit
Reporting Act, 15 U.S.C. s.1681 et seq., as amended from time to time;

���� (12)� personal data collected,
processed, sold or disclosed in compliance with the federal Driver's Privacy
Protection Act of 1994, 18 U.S.C. s.2721 et seq., as amended from time to time;

���� (13)� personal data regulated
by the federal Family Educational

Rights and Privacy Act, 20 U.S.C. s.1232g et seq., as amended from time to
time;

���� (14)� personal data collected,
processed, sold or disclosed in compliance with the federal Farm Credit Act, 12
U.S.C. s.2001 et seq., as amended from time to time;

���� (15)� data processed or
maintained:

���� (a)� in the course of an
individual applying to, employed by or acting as an agent or independent
contractor of a regulated entity, processor, or third party, to the extent that
the data is collected and used within the context of that role;���������

���� (b)� as the emergency contact
information of a consumer used for

emergency contact purposes; or

���� (c)� that is necessary to
retain to administer benefits for another individual relating to the individual
who is the subject of the information under paragraph (1) of this subsection
and used for the purposes of administering such benefits; and

���� (16)� personal data collected,
processed, sold or disclosed in relation to price, route or service, as such
terms are used in the federal Airline Deregulation Act, 49 U.S.C. s.40101 et
seq., as amended from time to time, by an air carrier, to the extent that the
provisions of this act are preempted by the federal Airline Deregulation Act,
49 U.S.C. s.41713, as amended from time to time.

���� 11.� a.� Nothing in this act
shall be construed to restrict a regulated entity's or processor's ability for
the collection, use, or disclosure of consumer health data to prevent, detect,
protect against, or respond to security incidents, identity theft, fraud,
harassment, malicious or deceptive activities, or any activity that is illegal
under State law or federal law; preserve the integrity or security of systems;
or investigate, report, or prosecute those responsible for any such action that
is illegal under State law or federal law.

���� b.� If a regulated entity or
processor processes consumer health data pursuant to subsection a. of this
section, such entity shall bear the burden of demonstrating that such
processing qualifies for the exemption provided under this section.

���� 12.� The Director of the
Division of Consumer Affairs in the Department of Law and Public Safety shall
adopt rules and regulations, pursuant to the �Administrative Procedure Act,�
P.L.1968, c.410 (C.52:14B-1 et seq.), as shall be necessary for the implementation
of P.L.��� , c.��� (C.������� ) (pending before the Legislature as this bill).

���� 13.� This act shall take
effect immediately.

STATEMENT

���� This bill establishes certain
data privacy protection requirements for consumer health data, health care
providers, and patients.

���� The bill defines a "regulated
entity" to mean any legal entity that: conducts business in New Jersey, or
produces or provides products or services that are targeted to consumers in New
Jersey; and alone or jointly with others, determines the purpose and means of
collecting, processing, sharing, or selling of consumer health data.� "Regulated
entity" does not mean a government agency, tribal nation, or contracted
service provider when processing consumer health data on behalf of the
government agency.

���� Under the bill, each regulated
entity in the State is to maintain a consumer health data privacy policy that
details how data may be collected and shared and how consumer can exercise
their rights provided by the bill concerning consumer health data.� �Consumer
health data" means personal information that is linked or reasonably
linkable to a consumer and that identifies the consumer's past, present, or
future physical or mental health status.

���� The bill establishes certain
requirements for regulated entities to collect, share, and sell consumer health
data, which includes requiring consumers to provide consent or authorization in
order for a regulated entity to collect, share, or sell any consumer health
data.� Under the bill, consumers will have certain rights concerning their
consumer health data, including: confirming which data is being collected,
shared, or sold; withdrawing consent for the collection, sharing, or sale of
the data; or requesting the deletion of the data.� The bill establishes certain
requirements for regulated entities to process any requests for the deletion of
a consumer�s consumer health data.

���� The bill requires a regulated
entity to restrict access to consumer health data as necessary and to establish
certain data security practice to protect consumer health data.

���� The bill provides that a
processer may process consumer health data only pursuant to a binding contract
between the processor and the regulated entity that sets forth the processing
instructions and limits the actions the processor may take with respect to the
consumer health data it processes on behalf of the regulated entity.

���� The bill prohibits any person
from implementing a geofence around an entity that provides in-person health
care services where such geofence would be used to:� identify or track
consumers seeking health care services; collect consumer health data from
consumers; or send notifications, messages, or advertisements to consumers
related to their consumer health data or health care services.

���� The bill provides that any violation
of bill�s provisions will be considered an unlawful practice in violation of
P.L.1960, c.39 (C.56:8-1 et seq.)

���� The bill outlines certain
entities and types of information and data that are exempted from the
provisions of the bill.�

���� The bill provides that nothing
in the bill�s provisions is to construed to restrict a regulated entity's or
processor's ability for the collection, use, or disclosure of consumer health
data to prevent, detect, protect against, or respond to security incidents,
identity theft, fraud, harassment, malicious or deceptive activities, or any activity
that is illegal under State law or federal law; preserve the integrity or
security of systems; or investigate, report, or prosecute those responsible for
any such action that is illegal under State law or federal law, except that such
entity bears the burden of demonstrating that such processing qualifies for the
exemption provided under the bill.