Read the full stored bill text
S4109
SENATE, No. 4109
STATE OF NEW JERSEY
222nd LEGISLATURE
�
INTRODUCED MAY 4, 2026
Sponsored by:
Senator� RAJ MUKHERJI
District 32 (Hudson)
SYNOPSIS
���� Prohibits controller of commercial Internet website
or online service from selling sensitive personal data.
CURRENT VERSION OF TEXT
���� As introduced.
��
An Act
concerning personal data and commercial data companies
and amending P.L.2023, c.266.
����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:
���� 1.��� Section 9 of P.L.2023,
c.266 (C.56:8-166.12) is amended to read as follows:
���� 9. �a. �A controller shall:
���� (1) �limit the collection of
personal data to what is adequate, relevant, and reasonably necessary in
relation to the purposes for which such data is processed, as disclosed to the
consumer;
���� (2) �except as otherwise
provided in P.L.2023, c.266 (C.56:8-166.4 et seq.), not process personal data
for purposes that are neither reasonably necessary to, nor compatible with, the
purposes for which such personal data is processed, as disclosed to the consumer,
unless the controller obtains the consumer's consent;
���� (3) �take reasonable measures
to establish, implement, and maintain administrative, technical, and physical
data security practices to protect the confidentiality, integrity, and
accessibility of personal data and to secure personal data during both storage and
use from unauthorized acquisition. The data security practices shall be
appropriate to the volume and nature of the personal data at issue;
���� (4) not process sensitive data
concerning a consumer without first obtaining the consumer's consent, or, in
the case of the processing of personal data concerning a known child, without
processing such data in accordance with COPPA;
���� (5)
not sell sensitive data,
which shall apply to all individuals or legal entities regardless of the number
of consumers whose data the individual or entity controls or processes;
����
(6)
�not process
personal data in violation of the laws of this State and federal laws that
prohibit unlawful discrimination against consumers;
����
[
(6)
]
(7)
provide an effective
mechanism for a consumer to revoke the consumer's consent under this section
that is at least as easy as the mechanism by which the consumer provided the
consumer's consent and, upon revocation of such consent, cease to process the data
as soon as practicable, but not later than 15 days after the receipt of such
request;
����
[
(7)
]
(8)
not process the
personal data of a consumer for purposes of targeted advertising, the sale of
the consumer's personal data, or profiling in furtherance of decisions that
produce legal or similarly significant effects concerning a consumer without
the consumer's consent, under circumstances where a controller has actual
knowledge, or willfully disregards, that the consumer is at least 13 years of
age but younger than 17 years of age;
����
[
(8)
]
(9)
specify the express
purposes for which personal data are processed; and
����
[
(9)
]
(10)
not conduct
processing that presents a heightened risk of harm to a consumer without
conducting and documenting a data protection assessment of each of its
processing activities that involve personal data acquired on or after the
effective date of P.L.2023, c.266 (C.56:8-166.4 et seq.) that present a
heightened risk of harm to a consumer.
���� b.��� Data protection
assessments shall identify and weigh the benefits that may flow, directly and
indirectly, from the processing to the controller, the consumer, other
stakeholders, and the public against the potential risks to the rights of the
consumer associated with the processing, as mitigated by safeguards that the
controller can employ to reduce the risks. The controller shall factor into
this assessment the use of de-identified data and the reasonable expectations
of consumers, as well as the context of the processing and the relationship
between the controller and the consumer whose personal data will be processed.
A controller shall make the data protection assessment available to the
Division of Consumer Affairs in the Department of Law and Public Safety upon
request. The division may evaluate the data protection assessment for
compliance with the duties contained in this section and with other laws. Data
protection assessments shall be confidential and exempt from public inspection
under P.L.1963 c.3 (C.47:1A-1 et al.). The disclosure of a data protection
assessment pursuant to a request from the division under this section shall not
constitute a waiver of any attorney-client privilege or work-product protection
that might otherwise exist with respect to the assessment and any information
contained in the assessment.
���� c.���� For the purposes of
this section, "heightened risk" includes:
���� (1) �processing personal data
for purposes of targeted advertising or for profiling if the profiling presents
a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful
disparate impact on, consumers; financial or physical injury to consumers; a
physical or other intrusion upon the solitude or seclusion, or the private
affairs or concerns, of consumers if the intrusion would be offensive to a
reasonable person; or other substantial injury to consumers;
���� (2) �selling personal data;
and
���� (3) �processing sensitive
data.
���� d.��� A single data protection
assessment may address a comparable set of processing operations that include
similar activities.
(cf: P.L.2023, c.266, s.9)
���� 2.��� This act shall take
effect immediately.
STATEMENT
���� This bill prohibits a
controller of a commercial Internet website or online services from selling
sensitive data, which prohibition will apply to all individuals or legal
entities regardless of the number of consumers whose data the individual or
entity controls or processes.� Under existing law:
���� �controller� means an
individual, or legal entity that, alone or jointly with others determines the
purpose and means of processing personal data; and
���� �sensitive data� means
personal data revealing racial or ethnic origin; religious beliefs; mental or
physical health condition, treatment, or diagnosis; financial information,
which shall include a consumer's account number, account log-in, financial
account, or credit or debit card number, in combination with any required
security code, access code, or password that would permit access to a
consumer's financial account; sex life or sexual orientation; citizenship or
immigration status; status as transgender or non-binary; genetic or biometric
data that may be processed for the purpose of uniquely identifying an
individual; personal data collected from a known child; or precise geolocation
data.