New Jersey may soon join those states that have legislated on the security of personally identifiable information (PII). While the bill is ostensibly consumer-friendly, businesses will undoubtedly find it onerous. The bill is sweeping; it applies to every business with annual gross revenue of $5,000,000 or more, along with businesses that buy, receive, sell or share personally identifiable information. It defines PII very broadly to include not only the basics — name, address, telephone number, social security number, driver’s license number, and passport number — but also height and weight, biometric information, race, religion, sexual orientation, health information, and commercial or financial information.
The bill imposes essentially six requirements on businesses that collect PII:
1. The business must inform the consumer at the point of collection as to:
- Which PII it collects.
- The purpose and legal basis for processing the PII.
- All third parties to whom it may disclose PII.
- The purpose of the disclosure, including whether the business profits from it.
- A contact person responsible for PII.
2. The business, at the time the personal information is obtained, must provide the consumer with:
- The period of time the data will be stored.
- The right to request access to the consumer’s PII.
3. The business must make the following information available to consumers free of charge upon request:
- Confirmation that it has processed the PII.
- A copy of the PII it processed.
4. A business that receives such a request from a consumer must respond within 30 days.
5. The business must allow the consumer to opt out, with certain exceptions.
6. The business must maintain an information security program that meets all applicable federal laws and/or industry standards.
The bill also includes penalties for failure to comply, though it allows a business 30 days’ notice to cure any violation. Failure to do so subjects the business to fines of between $100 and $750 per incident or actual damages, which the consumer can recover in a civil action. This raises the specter of plaintiffs’ attorneys bringing class actions for millions of dollars against non-compliant businesses.
The bill essentially drags every business in New Jersey with over $5,000,000 in gross revenues (e.g., many small businesses) into the information age. Many businesses will be forced to allocate significant resources to ensure compliance and avoid fines and potential liability. The bill likely will create confusion. For example, it states that a business’ security program must comply with applicable industry standards, without any definition of what those standards might be.
After going through the legislative meat grinder, the bill will probably change substantially. Business groups may well lobby to soften the bill’s more onerous provisions. Every New Jersey business should be cognizant of New Jersey’s developing efforts to protect personally identifiable information.