Search form

New Jersey Bills Would Give Consumers Control Over Their Personal Data Privacy

By Jason C. Gavejian and Mary T. Costigan
  • March 11, 2019

New Jersey has joined a growing list of states considering legislation on data privacy to promote transparency, accountability, and individual choice. One bill would create new obligations for commercial entities whose online website or services collect personally identifiable information (PII) from individuals in New Jersey. A second bill would regulate an operator’s use of global positioning system (GPS) data belonging to a customer in New Jersey.

Assembly Bill 4902 (AB 4902)

AB 4902 requires an operator of a commercial internet website or online service (e.g., offsite data storage and apps) that collects PII from customers online to provide customers with notice of its data collection activities and disclosures to third parties. The operator also must allow customers to opt out of the sale or disclosure of their PII to a third party by providing a conspicuous online “Do Not Sell My Information” link. The operator need not be located in New Jersey, as long as it collects the PII from a customer “within” New Jersey.

These customer notice-and-choice rights apply to information that “personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service.” The bill includes a non-exhaustive list of PII examples covering a broad range of information relating to a customer, as well as a customer’s children, such as names, addresses, IP addresses, phone numbers, photos, Social Security number, race and ethnicity, sexual orientation, religious or political affiliations, education, health, account balances, payment history, and internet or mobile phone activity.

A website or online service might collect covered PII in many ways, including from customer shipping information, testimonials, and surveys, requests for product information, online job applications, cookies and web analytics, and even dinner reservations. These provisions apply regardless of the customer’s purpose for accessing the website or service. The bottom line is that if a customer accesses a commercial operator’s website or online service and the operator collects his or her PII, AB 4902’s notice-and-choice rights apply.

Assembly Bill 4974 (AB 4974)

AB 4974 creates notice-and-choice rights for customers whose geolocation or GPS data is collected by an operator during use of a mobile application. An operator of mobile device applications must notify users about the GPS data collected, who it may be disclosed or sold to, how long it is retained, and the right to opt in to its disclosure or sale. AB 4974 defines an operator as a person or entity that owns a mobile device application that collects and maintains the user’s GPS data. Similar to AB 4902, the operator need not be a person or entity located in New Jersey and the user, or customer, is an individual “within” New Jersey.


In response to consumers’ increasing awareness of organizations’ data collection practices, data security, and individual data privacy rights, numerous states have drafted or proposed data protection legislation. Many of the proposed legislation under consideration, including New Jersey’s, create significant compliance obligations for companies that collect, use, or store personal data. These companies should consider assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs) to prepare. An organization can begin by identifying all PII it collects, uses, discloses, sells, or stores; identifying cookies, pixels, and web tracking activities on its website; reviewing and updating online privacy policies; minimizing PII collection to only what is necessary; establishing and following a data retention schedule; and implementing internal policies, procedures, and training to support a meaningful data protection program.

Jackson Lewis is available to answer questions about the New Jersey bills or data privacy and protection.

©2019 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Reproduction of this material in whole or in part is prohibited without the express prior written consent of Jackson Lewis P.C., a law firm that built its reputation on providing workplace law representation to management. Founded in 1958, the firm has grown to more than 900 attorneys in major cities nationwide serving clients across a wide range of practices and industries including government relations, healthcare and sports law. More information about Jackson Lewis can be found at

See AllRelated Articles You May Like

October 10, 2019

California Consumer Privacy Act FAQs for Covered Businesses

October 10, 2019

Set to take effect January 1, 2020, the California Consumer Privacy Act (CCPA), considered one of the most expansive U.S. privacy laws to date, places limitations on the collection and sale of a consumer’s personal information and provides consumers certain rights with respect to their personal information. Organizations should be... Read More

August 1, 2019

Healthcare Organizations, Is Your Patient Portal Secure?

August 1, 2019

Healthcare organizations’ traditional cybersecurity measures are insufficient against today’s cyberattacks, according to a report from LexisNexis® Risk Solutions and the Information Security Media Group released in July 2019. Even as healthcare organizations embrace new technologies (such as patient portals), the report shows that... Read More

July 26, 2019

New York Enacts SHIELD Act, Adding Data Security Requirements and Strengthening Data Breach Requirements

July 26, 2019

New York has enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to amend the state’s data breach notification law to impose more expansive data security and data breach notification requirements on companies. The move aims to ensure New York residents are better protected against data breaches of their private... Read More