The Shifting Sands of Data Privacy Legislation: Preparing New Jersey Businesses for What Is To Come
New Jersey Law Journal
November 28, 2022
Over the last four years, both the federal government and numerous state legislatures have proposed and enacted bills addressing the privacy and security of consumer data. In 2018, only two states considered such legislation. By 2022, the federal government, 29 states and the District of Columbia either introduced new data privacy bills or reintroduced bills from the 2021 legislative session. Among these bills is New Jersey Assembly Bill A505, titled the New Jersey Disclosure and Accountability Transparency Act (NJ DaTA). At the federal level, on June 21, 2022, Representative Frank Pallone (D-NJ) introduced H.R. 8152, the American Data Privacy and Protection Act (ADPPA), which represents the latest attempt at comprehensive federal legislation concerning data privacy and security.
At this point, the fate of the ADPPA and NJ DaTA remains uncertain. However, there are five states with new or amended privacy laws becoming effective in 2023, and if a business engages individuals in any of these five states (as a prospect, customer, vendor, supplier, employee or otherwise), it may have to comply with the requirements of one or more of these state laws. In addition, it is clear there is continued pressure on both federal and state lawmakers to enact laws protecting a consumer’s data privacy rights. Therefore, New Jersey businesses should prepare for the advent of new privacy and security obligations by modifying (or perhaps creating) data collection, processing, and storage policies and practices to ensure compliance with the ever-evolving obligations that come along with one of the business’s most valuable resources—an individual’s personal data.
The first and most notable state consumer privacy legislative scheme is the California Consumer Privacy Act (CCPA), which became effective on Jan. 1, 2020, and the California Privacy Rights Act (CPRA), which amends the CCPA and takes effect on Jan. 1, 2023. The CCPA/CPRA requires businesses to accommodate certain rights of all California consumers, including (1) the right to know the specific personal information collected by the business about the consumer, from whom it was collected, why it was collected, and whether it is being sold or shared, and if so, to whom; (2) the right to correct inaccurate personal information; (3) the right to opt out or limit the use and disclosure of certain personal information; and (4) the right to request deletion of any personal information collected by the business. Cal. Civ. Code §1798.100 et seq.
In addition to the CCPA/CPRA, similar comprehensive state privacy laws will go into effect in 2023 in Virginia (the Consumer Data Protection Act), Colorado (the Colorado Privacy Act), Connecticut (the Connecticut Personal Data Privacy and Online Monitoring Act), and Utah (the Utah Consumer Privacy Act). Although there are some differences between the laws, the majority of their provisions are similar to the CCPA/CPRA. All five states guarantee consumers the rights to know, delete and, with the exception of Utah, correct with regard to the collection and use of their personal information. Likewise, all five states, in varying degrees, guarantee a right to opt out of the sale of certain data and require businesses to have a process to respond to a consumer’s request to exercise rights under the statute and to maintain reasonable data security to protect a consumer’s personal data.
With respect to the right to limit use and disclosure of certain personal information, the five states differ in how that right is defined. For example, businesses within the scope of the regulatory schemes in Colorado, Connecticut and Virginia must obtain the consumer’s prior consent before processing their sensitive data (i.e., processing only on a consumer’s opt-in). Utah requires a business, before processing sensitive data, to provide consumers with an opportunity to opt out of the processing (i.e., processing except on a consumer’s opt-out). And in stark contrast to the other states, the CCPA/CPRA does not subject sensitive personal data to any additional or special requirements unless that sensitive data is collected for “the purpose of inferring characteristics about a consumer.”
Finally, and perhaps most significantly from an operations perspective, all five states impose mandatory third-party contracting requirements on businesses that disclose consumer data to third parties. In California, the CCPA/CPRA requires all contracts with service providers to include specific terms and conditions, including a term prohibiting the use of the data disclosed for a purpose other than the business purpose specified in the contract. Colorado, Connecticut, Utah and Virginia go further by requiring such contracts to include provisions that provide specific data processing instructions and describe: (1) the purpose of processing the data; (2) the identification of the type of personal data involved; and (3) the duration of the processing.
Turning to New Jersey, the proposed NJ DaTA legislation would establish certain requirements for disclosure and processing of personally identifiable information (PII) and in many respects shares common ground with the laws enacted by the five other states. For example, the bill grants consumers many of the same rights to the personal information collected by the business, including the rights to know, correct, delete, and limit or opt out of certain categories of processing activities. The bill also requires businesses to provide “a concise, transparent, intelligible, and easily accessible” privacy notice providing information about the processing of the consumer’s PII. In addition, under NJ DaTA, businesses must process the consumer’s data “in a manner that ensures appropriate security of the [PII], including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.”
NJ DaTA also explicitly defines and limits the permissible use of a consumer’s data by expressly requiring the business to obtain a consumer’s “affirmative consent” to the disclosed processing of their PII or to process data only if doing so is necessary for: (1) performance of a contract; (2) compliance with a legal obligation; (3) protection of a vital interest of the consumer or another person; (4) performance of a task conducted in the public interest or in the exercise of official authority; or (5) purposes of legitimate interests pursued by the business or by a third party. The bill also prohibits the processing of certain sensitive PII, except for specific enumerated exceptions. Finally, the bill requires that all processing activities performed for the business by a third party be governed by a contract that includes express terms and conditions regarding the scope of permitted processing, commitment to confidentiality and security of the data, cooperation in responding to consumer’s rights requests, and assistance in demonstrating compliance with the proposed statutory requirements.
The ADPPA is similar in many respects to the laws enacted by the states, but provides more robust protections for consumers in some areas. For example, similar to NJ DaTA, the ADPPA forbids covered businesses from collecting or using an individual’s data beyond what is strictly necessary or for expressly enumerated purposes. Notably, the ADPPA embraces the limited permissible uses contained in NJ DaTA and expands the list to include processing necessary for: (1) limited internal operations; (2) improvement of a product or service for which the relevant data was collected; (3) user authentication; (4) security, harm, and fraud prevention; (5) product recalls; and (6) conducting of public or peer-reviewed research in the public interest.
Despite the historic and bipartisan nature of the ADPPA, and the fact that the bill was voted out of the House Energy and Commerce Committee on July 21, 2022, the legislation seems to have stalled and appears likely to “die on the vine.” While there may be many plausible explanations, one very compelling reason is the current version of the ADPPA states that, with very limited exceptions, it would preempt any state laws that are “covered by the provisions” of the statute or its regulations. The preemption issue has been a sticking point for congressional leaders and a rallying cry for state attorneys general.
Specifically, on July 19, 2022, New Jersey Attorney General Matthew J. Platkin signed a joint letter with nine other state attorneys general encouraging “Congress to adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights” and providing the following comments and recommendations:
- Congress should adopt a federal baseline and continue to allow states to make decisions about additional protections, similar to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- State laws can bolster privacy protections where there are violations of federal law
- States are better equipped to keep pace with technology changes “that may allude federal oversight”
- Preemption would substantially impair many states’ ability to investigate alleged violations
On Sept. 1, 2022, House Speaker Nancy Pelosi (D-CA) issued a press release stating that, while the House Committee on Energy and Commerce should be commended for its work, “it is imperative that California continues offering and enforcing the nation’s strongest privacy rights.”
The current legal landscape informs us there is little doubt that New Jersey businesses and other entities will need to change the ways in which they collect, process, and ensure the security of a consumer’s personal information and respond to a consumer’s request regarding the personal information collected and processed.
Accordingly, businesses should prepare by:
- updating their privacy notices and policies to inform consumers, in plain and clear language, of what personal information is being collected, disclosed, and/or sold to other parties
- reviewing and/or implementing mechanisms for tracking and identifying data to better accommodate a consumer’s request to exercise his or her rights
- reviewing contract terms with relevant third parties to comply with statutory contracting obligations
- periodically updating reasonable security practices to protect personal data
These best practices will help protect New Jersey businesses from potential legal and regulatory actions and will facilitate the transition to new compliance obligations when the federal government, the New Jersey legislature, or another state enacts comprehensive consumer privacy legislation.
Reprinted with permission from the November 28, 2022 issue of the New Jersey Law Journal. © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.