Data Backup Digest

Personal data privacy is a hot issue as of late. It's easy to see why – with hundreds of reported data breaches every year in the United States alone, and with millions of records compromised, it's time to get a handle on these issues before they truly become insurmountable.

Fortunately, local governments are finally starting to come to the aide of consumers – the average men and women who are virtually powerless when it comes to controlling their personal data online. One of the most recent efforts originates from the state of New Jersey – and they're just one name in a growing list of states that are all fighting for greater transparency, accountability, and individual control.

Introducing Assembly Bill 4902

Assembly Bill 4902, also known as AB 4902, states that all operators of commercial websites and online services – such as offsite data storage centers, apps, and utilities – most inform users of any processes or activities that involve the collection of their personally identifiable information (PII). They must also provide disclosures of this fact to all third-party companies.

In addition, operators must provide their users with a simple and straightforward method of opting out of these data collection processes. This is achieved by including a "Do Not Sell My Information" link. It's also important to note that enforcement of the bill, despite its origination in the state of New Jersey, is not strictly limited to businesses or operators within the state. Instead, it applies to anyone who collects PII from any New Jersey resident.

The bill attempts to clarify exactly what constitutes PII by specifying any information that: "personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service."

It also includes some generic examples of what might be considered PII, including personal names, home addresses, IP addresses, phone numbers, photos, Social Security numbers, race, education, health, and many more. Although the list is non-exhaustive, and specific issues would be handled on a case-by-case basis, the published list provides a great starting point for companies that do business in the state of New Jersey.

Joining the Crowd

Although data privacy isn't highly regulated within the United States or any other country, the past few years have resulted in some great strides toward achieving standardization and regulation. The Health Insurance Portability Accountability Act, or HIPAA, was enacted in 1996 – but this was created prior to the Information Age and the big data boom.

Similarly, the Children's Online Privacy Protection Act of 1998, or COPPA, was implemented in 1998 and the Fair and Accurate Credit Transactions Act, FACTA, followed shortly thereafter in 2003. While all of these measures made considerable progress, there hasn't been much effort to update or even replace them to better fit the new standards of the 21st century.

Other countries are joining the crowd, too. The General Data Protection Regulation, which was signed into EU law in 2018, is one of the most recent and well-known acts – but it also has some shortcomings that need to be addressed in the future.

Although New Jersey's AB 4902 has yet to be signed into law, the fact that lawmakers are finally starting to take this issue seriously is certainly a step in the right direction.