It was the scenario that many people in the digital advertising world feared: yet another privacy law. In the past several months, the industry has had to digest not only the GDPR, but also the sweeping California Consumer Privacy Act of 2018. Most recently, on July 23, 2018, two Democratic state senators from New Jersey introduced a privacy bill, S2834, which, if passed and signed into law, would saddle the industry with additional, burdensome regulations. Equally important, the New Jersey bill is modeled on the poorly drafted California law, increasing the belief that other states will adopt the same template for their own regulations.
The bill requires operators of commercial internet websites or online services to notify customers of the collection and disclosure of their personally identifiable information (PII). As with the California law, the bill’s definitions are so broadly drafted that they are virtually boundless. For example, “customer” means “an individual within [New Jersey] who provides, either knowingly or unknowingly, personally identifiable information ….” Unlike most other state privacy laws, which generally protect the states’ residents, the bill purports to cover any individual within the state, regardless of residency.
Similarly, the definition of “personally identifiable information” is so expansive that it is difficult to conceive of any online service – especially one in the digital advertising ecosystem – that does not collect personal data. Under the proposed law, personally identifiable information means “any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service….” The definition lists 20 non-exhaustive categories of PII, including not only customary ones such as name and address, but also less-sensitive information such as height. Again, unlike many privacy laws – including California’s – there is no exception for anonymized, de-identified, or aggregated data.
Like the California law, the bill includes certain notice and disclosure obligations and imposes a “Do Not Sell My Personal Information” restriction. Specifically, the bill mandates that:
- Any operator that collects PII of a customer:
  - Clearly and conspicuously post on its website or online service homepage a link titled “Do Not Sell My Personal Information,” which enables the customer to opt out of the disclosure of the customer’s PII
- If an operator discloses a customer’s PII and receives a request from the customer, the operator must, within 30 days of the request, provide the following information at no cost: (1) the customer’s PII that it disclosed in the past 12 months and (2) the names and contact information for the third parties that received the customer’s PII
Similar to the California law, the bill prohibits operators from discriminating against or penalizing any customer who elects to opt out of the disclosure of his or her PII. However, unlike the California law, the bill does not expressly permit the operator to charge such a consumer a different price or rate or provide a different level or quality of service to account for the fact that the operator will no longer be allowed to commercialize the data. If the California law is suspect on constitutional grounds, it is difficult to argue how this provision in the New Jersey bill does not constitute an unauthorized taking.
The panoply of disparate, overlapping, and often contradictory state privacy laws is increasingly making operating in the online space, including the digital advertising industry, complicated at best and untenable at worst. If states continue to use the flawed California law as a template for their own privacy statutes, confusion, uncertainty, and compliance costs will continue to rise.
In spite of the various benefits of federalism, there are instances where federal legislation is required. Data privacy is one such area. There are signs from the White House and the Commerce Department that the federal government may step in and create a national privacy standard. Although similar prior efforts have died on the vine, the confluence of GDPR, the Cambridge Analytica scandal, and the numerous competing state laws may compel the federal government to step in and address not only the legitimate privacy concerns of consumers, but also the business and operational realities of living in a digital, connected world.