Heightened concerns for the privacy and security of personal information in 2019 prompted at least 25 state legislatures across the country to propose a variety of bills addressing the privacy of consumer data. In New Jersey and New York, legislators are acting to enhance businesses’ privacy and security obligations, including the privacy practices and policies of commercial entities and commercial websites that collect, process, and store personal information of state residents. These enhanced obligations promote individual interests in privacy and security, but they also may have a dramatic effect on a company’s ongoing compliance efforts and the resulting costs. Based on pending legislation in New Jersey and recently enacted legislation in New York, all affected businesses should implement, or review and reassess, their data privacy and security programs, as well as their breach prevention and response activities, in order to meet the requirements of today’s ever-evolving compliance regimes.

Bills currently pending in the New Jersey Senate and Assembly would implement new requirements for companies doing business in New Jersey that collect or process the personal information of New Jersey residents. Although Senate Bill 2834 (with companion Assembly Bill 4902) and Senate Bill 3153 (with companion Assembly Bill 4640) have very similar compliance requirements, there are some substantive differences—perhaps most notably, whether an exemption will be allowed for certain businesses below a threshold of annual revenue or total number of people from whom personal information is collected. There has been considerable discussion since these bills were introduced about the scope, terms, and requirements of any legislation that may ultimately be enacted. At this juncture, it remains unclear what the final terms of any enacted statute will be, and it is likely that any legislation enacted will represent a blending of the requirements of both bills. To ensure that businesses are prepared for the legislation ultimately enacted, this article highlights some of the more restrictive provisions of the bills being considered to ensure transparency about what personal information a business collects, what that information is used for, and who that information is shared with.