Part 1 – What Data is (maybe?) Covered and Who Must Comply with the New Jersey Data Privacy Act?
This week we take a quick look at the newest state effort to tackle data privacy. New Jersey entered the data privacy playing field last week with Governor Murphy putting pen to paper on a new comprehensive Data Privacy Act. 332_R6 significantly strengthens New Jersey’s consumer protection and privacy laws, placing enforcement in the hands of the New Jersey Division of Consumer Affairs (“DCA”) and the Attorney General’s Office. While it shares some similarities with other recently enacted state privacy laws, the New Jersey Data Privacy Act (“NJDPA”) has a few surprises and some potential complications, especially for healthcare providers and other healthcare entities.
The NJDPA will apply to “controllers,” that is, individuals or legal entities that, alone or jointly with others, determine the purpose and means of processing personal data, and to entities that process data on their behalf (“processors”). Controllers will have until January 15, 2025, to bring their practices into compliance, requiring careful scrutiny and planning to tackle some of the NJDPA’s more onerous requirements.
The new statute provides New Jersey consumers (residents of New Jersey acting only in an individual or household context, and not in a commercial or employment context) with greater control over and information about how their personal data is collected and used by controllers, including data deemed to be sensitive. It requires the provision of accessible, clear and meaningful privacy notices, and the ability for consumers to consent to and opt out (including through a user-selected universal opt-out mechanism) of certain targeted advertising, profiling and sales involving their personal data. The statute also affords consumers the rights to request deletion, correct inaccuracies and receive copies of personal data maintained about them. Finally, the NJDPA establishes additional steps that controllers and their processors must take to limit data collection and establish appropriate privacy and security measures, including the obligation to conduct a data protection assessment (which, notably, must be made available to the DCA upon request) that addresses any heightened risks associated with a controller’s processing of personal data.
The first part of the test is whether the controller controls or processes “personal data” of consumers. There are a few important definitions here to look at closely. First, under the broad definition established by the NJDPA, “personal data” is any information that is linked or reasonably linkable to an identified or identifiable person, but does not include publicly available information or de-identified data. “Publicly available information” means information that a “controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.” And last, but not least, “processing” personal data includes any “operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and also includes the actions of a controller directing a processor to process personal data.”
In addition, certain other types of data and entities are excluded by the NJDPA, including research data, data processed solely for payment transactions, and data which is “protected health information” (“PHI”) collected by a covered entity or business associate (as defined by HIPAA). However, covered entities and their business associates are not wholly excluded by the NJDPA by virtue of their status as such. Entities such as financial institutions and their affiliates which are subject to the Gramm-Leach-Bliley Act, certain secondary market and insurance institutions, consumer reporting agencies, and state agencies, including the New Jersey Motor Vehicle Commission, are, however, excluded by the NJDPA.
To recap, data that constitutes PHI, employment data, research data, payment transaction data and publicly available information is excluded. Other data collected by a covered entity or business associate which meets the definition of “personal data” is not excluded. Got all that?
So what does this mean for data such as IP addresses, which a controller may routinely collect through its websites from visitor traffic? Is this considered “publicly available information” because anyone accessing the Internet has the ability to access such IP addresses? Is this considered PHI? Or is it “personal data” protected by and subject to the requirements of the NJDPA?
The Department of Health and Human Services (“HHS”) has taken the problematic approach at the federal level that IP addresses collected by a health care provider’s website when an individual visits the website may be PHI subject to HIPAA. Although a suit has been filed by the American Hospital Association and others (the “AHA Suit”) against HHS regarding its December 2022 Online Tracking Technologies subregulatory guidance that took this position, it remains an open question and area of risk for health care providers. You can read Helen’s November post for background information about this lawsuit and why the Online Tracking Technologies guidance is so problematic for HIPAA covered entities and their business associates.
If HHS is determined to be correct that this data constitutes PHI (although we, among others in the health care industry, believe HHS is not correct), then this potentially removes at least website visitor data collection from the definition of “personal data” under the NJDPA and, therefore, it would not count towards the NJDPA’s threshold. But this would create a host of challenges under HIPAA. If, however, HHS is determined to be incorrect and this data is not PHI, then IP addresses could potentially be viewed under the NJDPA as “personal data”.
As a relief for smaller entities, the NJDPA establishes an eligibility threshold which must also be satisfied for an entity to fall within the purview of the NJDPA. The NJDPA will apply only to controllers that:
Conduct business in New Jersey or produce products and services targeted to New Jersey residents,
AND
which either, during a calendar year, (a) control or process the personal data of at least 100,000 consumers (excluding such data processed solely for payment transactions) or (b) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
While the threshold seems to set the bar high, “processing” includes not only the collection or use of personal data across potentially multiple different services or data collection pathways operated by a controller, but also storage of personal data. Therefore, large volumes of records collected and maintained over the years due to entity record keeping practices may trigger the NJDPA’s applicability, even if a controller has far fewer current customers within a calendar year and even if the information was collected prior to the effective date of the statute. This means that even though smaller health care providers and organizations will likely be spared from the NJDPA’s reach, larger health care systems and health care organizations will need to take a closer look at the types and amount of data they collect.
For example, the average multi-provider health care system maintains one or more websites that promote the services of its affiliated providers and its affiliated hospital foundation, and which may collect certain website visitor data. Its affiliated hospital foundation may manage and analyze extensive donor records which may be processed by the health care system as well. Its various affiliated entities also may conduct comprehensive community outreach and related activities for individuals in the communities they serve. This could very well push a health care system just over the threshold, particularly given the breadth of how the NJDPA defines personal data.
A decision on the AHA Suit is not expected anytime soon, given the lawsuit was filed in November 2023. However, health care entities should take steps to determine whether they may be subject to the NJDPA’s requirements when they take effect next January. This includes taking inventory of the different types of consumer data they may collect and maintain separate from any medical records and other patient and research data subject to HIPAA, to determine whether they are processing “personal data”. As part of this process, health care entities should also identify the purposes for which such data is collected and whether the data currently collected is reasonable, proportionate and necessary to accomplish such purposes. Health care entities will also need to estimate the total number of consumers whose data they may process, and whether they are currently collecting and using the data for one or more purposes, or maintaining it for archival and other purposes.
Stay tuned for Part 2 where we take a deeper dive into the consumer rights, consent and opt-out (and opt-in!) requirements established by the NJDPA!