Privacy & Information Security Law Blog

On January 16, 2024, Governor Phil Murphy signed into law Bill 332, making New Jersey the 14^th state with a comprehensive state privacy law. The law is set to take effect in January 2025.

Applicability

The law will apply to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year meet any of the following criteria: (1) control or process the personal data of at least 100,000 New Jersey consumers (notably excluding personal data processed solely for the purpose of completing a payment transaction); or (2) control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of any goods or services, from the “sale” of personal data. In line with the CCPA and other state privacy laws, the New Jersey law broadly defines “sale” as the disclosure of personal data to a third party for “monetary or other valuable consideration.”

On July 26, 2022, the attorneys general of New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington D.C. announced an $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a 2019 data breach that compromised approximately 34 million payment cards used by consumers at Wawa stores and fueling locations. 

On January 18, 2022, New Jersey Governor Phil Murphy signed into law Assembly Bill No. 3950, requiring employers to provide written notice to employees prior to the use of tracking devices in vehicles used by employees (the “Act”). The Act will go into effect on April 18, 2022.

On March 2, 2022, eight states announced a bipartisan, nationwide investigation into whether TikTok operates in a way that causes or exacerbates harm to the physical and mental health of children, teens and young adults. The probe will further consider whether the company violated state consumer protection laws and put the public at risk.

On December 15, 2021, the New Jersey Acting Attorney General Andrew J. Bruck announced that its Division of Consumer Affairs had reached a $425,000 settlement with New Jersey-based providers of cancer care, Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, “RCCA”), over alleged failures to adequately safeguard patient data.

On October 12, 2021, New Jersey Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced a settlement with Diamond Institute for Infertility and Menopause, LLC, over a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The Division of Consumer Affairs alleged that the fertility clinic violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy and Security Rules by removing protected health information (“PHI”) safeguards.

On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey’s data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.

On October 30, 2018, ATA Consulting LLC (doing business as Best Medical Transcription) agreed to a $200,000 settlement with the New Jersey Attorney General resulting from a server misconfiguration that allowed private medical records to be posted publicly online. The fine was suspended to $31,000 based on the company’s financial condition. Read the settlement.

On September 7, 2018, the New Jersey Attorney General announced a settlement with data management software developer Lightyear Dealer Technologies, LLC, doing business as DealerBuilt, resolving an investigation by the state Division of Consumer Affairs into a data breach that exposed the personal information of car dealership customers in New Jersey and across the country. The breach occurred in 2016, when a researcher exposed a gap in the company’s security and gained access to unencrypted files containing names, addresses, social security numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents.

On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.

On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

On February 17, 2017, Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) agreed to pay $1.1 million as part of a settlement with the New Jersey Division of Consumer Affairs (the “Division”) regarding allegations that Horizon did not adequately protect the privacy of nearly 690,000 policyholders.

On February 6, 2017, the FTC announced that it has agreed to settle charges that VIZIO, Inc. (“VIZIO”), installed software on about 11 million consumer televisions to collect viewing data without consumers’ knowledge or consent. The stipulated federal court order requires VIZIO to pay $2.2 million to the FTC and New Jersey Division of Consumer Affairs. 

On September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

TCCWNA. The very acronym evokes head scratches and sighs of angst and frustration among many lawyers in the retail industry. You have probably heard about it. You may have even been warned about it. And you may currently be trying to figure out how best to minimize your risk and exposure this very moment. But what is it and why has virtually every retailer been hit with a TCCWNA class action demand letter or lawsuit in the past few months? And why are most retailers scrambling to update the terms and conditions of their websites?

On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corporation (“Wyndham”) settled charges brought by the FTC stemming from allegations that the company unfairly failed to maintain reasonable data security practices. The case is FTC v. Wyndham Worldwide Corporation, et al. (2:13-CV-01887-ES-JAD) in the U.S. District Court for the District of New Jersey.

On November 22, 2013, New Jersey’s Acting Attorney General announced that the State had entered into a settlement agreement with Dokogeo, Inc. (“Dokogeo”), a California-based company that makes mobile device applications, regarding allegations that one of the company’s mobile apps violated the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the recently amended Children’s Online Privacy Protection Rule (the “Rule”) and the New Jersey Consumer Fraud Act.

On January 6, 2012, the United States District Court for the District of Massachusetts granted Michaels Stores, Inc.’s (“Michaels”) a motion to dismiss against a customer-plaintiff who alleged that Michaels’ in-store information collection practices violated Massachusetts law. Although the court ruled in Michaels’ favor, it found that customer ZIP codes do constitute personal information under Massachusetts state law when collected in the context of a credit card transaction. The plaintiff’s class action complaint alleged that “Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of” Massachusetts General Laws Chapter 93, Section 105(a) (“Section 105(a)”). Specifically, Section 105(a) states that “[n]o person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”

Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.

As reported in BNA’s Privacy Law Watch, on April 1, 2011, a New York law went in effect requiring manufacturers of certain electronic equipment, including devices that have hard drives capable of storing personal information or other confidential data, to register with the Department of Environmental Conservation and maintain an electronic waste acceptance program.  The program must include convenient methods for consumers to return electronic waste to the manufacturer and instructions on how consumers can destroy data on the devices before recycling or disposing of them.  Retailers of covered electronic equipment will be required to provide consumers with information at the point of sale about opportunities offered by manufacturers for the return of electronic waste, to the extent they have been provided such information by the manufacturer.

On March 30, 2010, the New Jersey Supreme Court ruled for the former employee in Stengart v. Loving Care Agency, Inc. on the employee’s claim that state common privacy law protected certain of her emails from review by the employer.