N.J. lawmaker wants to enact robust internet privacy protections

This story originally appeared on NJ Spotlight

—

New Jersey lawmakers are launching an offensive to try to protect the privacy of residents and allow internet users to prevent the sale of their personal information gathered when they are online.

The Assembly Science, Innovation and Technology Committee is slated to hear today a half dozen measures that would seek to educate individuals and businesses about cybersecurity and put control over the collection and sale of personal information back into the hands of the public.

This discussion comes a day after the U.S. Government Accountability Office released a report urging Congress to consider “comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.” The report noted, “The United States does not have a comprehensive Internet privacy law governing the collection, use, and sale or other disclosure of consumers’ personal information.”

That’s exactly why New Jersey needs to put in place its own privacy protections, said Assemblyman Andrew Zwicker (D-Middlesex), who chairs the committee and is sponsoring four of the bills on the agenda.

“This is really about giving consumers power over their data,” Zwicker said. “Should this happen at the federal level? Absolutely. We would want to see these protections at the federal level, but we are not seeing that … Until they do, New Jersey is going to do everything we can to protect New Jersey residents.”

Making money by using people’s information

The issue of internet privacy is a not new, though it came to the fore within the last year after revelations that the political consulting firm Cambridge Analytica used information from the Facebook profiles of tens of millions of users without their permission.

It is also not only of state, or even national concern. The European Union last May put in place tough online privacy rules that require companies to disclose how they are using an individual’s personal information and to get that person’s permission to use that data, either to sell it or to target ads.

“We are online all the time, our personal and business lives are all there,” Zwicker said. “No one ever anticipated how our data would be monetized.”

The main bill (A-4902) would require commercial websites and online service operators to give customers a complete description of the personally identifiable information that the operator collects about them, as well as a way to prevent the disclosure of this data to third parties. It would cover a wide range of personal information, including name, postal and email addresses, phone numbers, Social Security number, birthday or age, race and ethnicity, sexual orientation, religious or political affiliations, profession and information related to a person’s education, health, finances and internet or mobile phone activity.

Every site that collects information would have to state what data it captures and display an email address or phone number that a customer could use to request their information. Upon request from an individual, the operator would have to provide information on all disclosures of his data within the past year.

Allowing consumers to opt out easily

The sites would also have to post “clearly and conspicuously” a “Do Not Sell My Personal Information” link to a page that would allow customers to opt out of the disclosure of their personal data. Operators would be prohibited from discriminating against or penalizing a customer who opted out of third-party disclosure.

Zwicker said that while uniform federal disclosure rules would be preferable, states can adopt their own regulations. He cited a California law passed last year and set to take effect next January that will provide similar protections to the ones written into his legislation.

“California has already shown that this can be passed,” he said. “That’s driving a lot of what’s happening in other states.”

According to the website government technology, 10 other states have tried or are in the process of passing legislation to protect their residents’ personal data.

In California, lawmakers quickly passed a law, and the governor signed it, last June to head off a ballot initiative that would have enacted even tougher controls. Business and tech groups, including Google, Facebook and Comcast had started contributing funds to defeat the ballot measure. They also oppose the new law but find it more palatable.

“We are going to get the same pushback here,” Zwicker said.

Collecting GPS data

A companion bill that Zwicker is sponsoring (A-4974) is similar to the main legislation but would apply to mobile apps that collect users’ global positioning system (GPS) or geographic data.

These apps would also have to notify users of the type of data collected and parties to which they provide this data, as well as the length of time they keep users’ GPS information. Operators of these apps would have to ask users to opt in before allowing data disclosure. Users that chose not to allow their information to be shared could only be asked to opt in once every 12 months. Apps could not discriminate against those who did not opt in.

Zwicker noted that mobile devices with GPS location data enabled are constantly being tracked. He said A-4974 is an effort to “shine a light” on how this information is used.

“Let’s say I use Yelp to find a good restaurant nearby,” Zwicker said, referring to the crowd-sourced app through which users can review restaurants and other businesses and search to find establishments nearby. “I have no idea what Yelp does with that information. I should at least know that.”

A third bill (A-4978) prohibits online education service providers, including tutoring or test-preparation sites and apps, for children in grades K-12 from sharing or selling information about individual students that identifies them, their educational records or other data. The use of anonymized information or the sharing of information as required by law would be permitted.

The other measures

Other measures being considered include:

• A-4975, which would add breaches of GPS data to the types of data breaches that would have to be disclosed to consumers by entities that compile or maintain such records;
• A-4976, which would require the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) to develop and post online informational materials for consumers concerning cybersecurity best practices and awareness, including how individuals can protect their data and information on reporting a cybersecurity threat to state or federal authorities;
• A-4854, which would require that the NJCCIC develop and post similar information as A-4976 for businesses, to also include advice on cybersecurity training for employees, as well as the creation of a website with information about electronic mail fraud, including how to report suspected fraud.

Zwicker said his goal is to move the measures out of committee, but he and other sponsors are considering technical amendments to ensure that any new restrictions are lawful.

“I’m not interested in watering these down,” he said. “But I don’t want to push them to the floor (of the Assembly) until we make sure we get them right.”