Anticipated Expansion of Data Breach & Privacy Laws in America
An amendment to New Jersey’s data breach notification requirements of the Consumer Fraud Act, if signed into law as expected, will expand the definition of personal information to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account”, eliminating a business’s ability, under the current law, to avoid notifying consumers when there is a breach of online information.
Assembly Bill 4902 requires commercial Internet websites and online services to notify customers of the collection and disclosure of personally identifiable information and to allow customers to opt out. Specifically, the bill requires any person or entity that owns an Internet website or online service to provide on its Internet website or online service a notification that includes: (1) a complete description of the personally identifiable information that is collected; (2) all third parties to whom a customer’s personally identifiable information may be disclosed; and (3) information concerning one or more designated request addresses that a customer may use to request information under the bill. The bill also requires that Internet website or online service homepages include a link, entitled “Do Not Sell My Personal Information”, which enables a customer to opt out of the disclosure of personally identifiable information.