February 19, 2020

New Jersey Bills Would Give Consumers Control Over Their Personal Data Privacy

New Jersey has joined a growing list of states considering legislation on data privacy to promote transparency, accountability, and individual choice. One bill would create new obligations for commercial entities whose online website or services collect personally identifiable information (PII) from individuals in New Jersey. A second bill would regulate an operator’s use of global positioning system (GPS) data belonging to a customer in New Jersey.

Assembly Bill 4902 (AB 4902)

AB 4902 requires an operator of a commercial internet website or online service (e.g., offsite data storage and apps) that collects PII from customers online to provide customers with notice of its data collection activities and disclosures to third parties. The operator also must allow customers to opt out of the sale or disclosure of their PII to a third party by providing a conspicuous online “Do Not Sell My Information” link. The operator need not be located in New Jersey, as long as it collects the PII from a customer “within” New Jersey.

These customer notice-and-choice rights apply to information that “personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service.” The bill includes a non-exhaustive list of PII examples covering a broad range of information relating to a customer, as well as a customer’s children, such as names, addresses, IP addresses, phone numbers, photos, Social Security number, race and ethnicity, sexual orientation, religious or political affiliations, education, health, account balances, payment history, and internet or mobile phone activity.

A website or online service might collect covered PII in many ways, including from customer shipping information, testimonials and surveys, requests for product information, online job applications, cookies and web analytics, and even dinner reservations. These provisions apply regardless of the customer’s purpose for accessing the website or service. The bottom line is that if a customer accesses a commercial operator’s website or online service and the operator collects his or her PII, AB 4902’s notice-and-choice rights apply.

Assembly Bill 4974 (AB 4974)

AB 4974 creates notice-and-choice rights for customers whose geolocation or GPS data is collected by an operator during use of a mobile application. An operator of mobile device applications must notify users about the GPS data collected, who it may be disclosed or sold to, how long it is retained, and the right to opt in to its disclosure or sale. AB 4974 defines an operator as a person or entity that owns a mobile device application that collects and maintains the user’s GPS data. Similar to AB 4902, the operator need not be a person or entity located in New Jersey and the user, or customer, is an individual “within” New Jersey.


In response to consumers’ increasing awareness of organizations’ data collection practices, data security, and individual data privacy rights, numerous states have drafted or proposed data protection legislation. Much of the proposed legislation under consideration, including New Jersey’s, creates significant compliance obligations for companies that collect, use, or store personal data. These companies should consider assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs) to prepare. An organization can begin by identifying all PII it collects, uses, discloses, sells, or stores; identifying cookies, pixels, and web tracking activities on its website; reviewing and updating online privacy policies; minimizing PII collection to only what is necessary; establishing and following a data retention schedule; and implementing internal policies, procedures, and training to support a meaningful data protection program.

Jackson Lewis P.C. © 2020


About this Author

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

Mary T. Costigan is an Associate in the Morristown, New Jersey, office of Jackson Lewis P.C. She holds a Certified Information Privacy Professional/US designation from the International Association of Privacy Professionals (iapp). Ms. Costigan advises multinational, national, and regional companies on emerging privacy and cybersecurity issues, including the broad and growing array of mandates, best practices, and preventive safeguards. In particular, she focuses on advising and assisting clients in matters relating to compliance with the General Data Protection Regulation (GDPR) and U.S. privacy and data security standards such as HIPAA/HITECH. She also assists clients with data breach preparation and response, biometric data collection policies, vendor security assessments, and data security agreements, including business associate agreements.