Rules Navigator

Online privacy law could be changed forever by this NJ court decision

Image of the New Jersey Short at dusk.
Photo: Alexi Rosenfeld/Getty Images

Julie DiMauro

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

New Jersey’s privacy law is the only US one that guarantees people a payout when requests to keep information private are ignored. Will it survive judicial review?

You know that it is pretty likely your name and address can be found on the internet through a number of website services. And it can be really difficult to get those details removed.

But this could change. A multibillion-dollar privacy lawsuit in New Jersey’s Supreme Court has the potential of changing the privacy landscape for people, never mind the privacy rules in other states.

As reported by Wired, this court case, like all others, has a story behind it.

Stalked and murdered

In July 2020, a 72-year-old attorney posing as a delivery person rang the doorbell at US district judge Esther Salas’s house in North Brunswick, NJ. When the door opened, the attorney fired a gun, wounding the judge’s husband and killing her son, 20-year-old Daniel Mark Anderl.

The murderer, Salas said, had found her address online and was outraged because she hadn’t handled a case of his client fast enough. In the aftermath, Salas publicly pleaded: “We can make it hard for those who target us to track us down … We can’t just sit back and wait for another tragedy to strike.”

She wanted judges to be able to keep their home addresses private, and New Jersey lawmakers heard and answered her pleas.

Months after the murder, they unanimously enacted Daniel’s Law, which means current and former judges, cops, prosecutors, and others working in criminal justice can have their household’s address and phone numbers withheld from government records in the state.

They also can demand that the data be removed from any website, including popular tools for researching people such as Whitepages, Spokeo, Equifax, and RocketReach.

Companies that don’t comply within 10 business days have to pay a penalty of at least $1,000, which makes New Jersey’s law the only privacy statute in the US that guarantees people a court payout when requests to keep information private are ignored.

At the federal level, most companies are arguing together that the New Jersey statute violates their First Amendment right to freedom of speech, and it’s an argument that’s allowed personal information to stay online before.

That is the provision that is being put to a test in court. In a pile of lawsuits in the state, one entrepreneur named Matt Adkisson and five law firms (including well-known Boies Schiller Flexner and Morgan & Morgan) assembled about 20,000 workers, retirees and their relatives who are suing 150 companies and courting for allegedly failing to honor their requests to have their personal information removed under Daniel’s Law.

And if they are successful, Adkisson estimates this could lead to these companies paying about $8 billion in penalties.

But the main goal is this: Using this narrowly tailored NJ law to act as a catalyst to force data brokers to stop publishing sensitive data about people of all professions nationwide.

If the lawsuit fails, the data broker industry would have demonstrated it has a right under the First Amendment to publish people’s contact information. People would forever be able to be Google-searched for such private details.

“I never thought we would have such a hard time, that it would turn into such a battle,” Adkisson told Wired. “Just home address, phone number, remove it. One state. Twenty-thousand people.”

Data for sale

These websites that sell addresses or phone numbers typically get that data by buying voter or property records from governments, and user account details from companies willing to deal. This data and the ease of obtaining it is greatly helpful to services offering identity verification or targeted advertising, never mind to people looking for an old friend or investigating a crime.

But it can be used by a truly violent person with a grudge.

As Adkisson dug into the data broker industry in 2021, he read about how a law that went into effect the year before had given Californians a right to demand companies delete their personal information. So Adkisson and two cofounders launched a service they called RoundRobin (one of Adkisson’s many entrepreneurial enterprises), to help Californians do just that for a fee.

But the startup firm had no way to enforce the removals it demanded and that customers were paying for; only California’s attorney general could sue for such violations. So the data websites ignored RoundRobin, later renamed Atlas Data privacy.

Google query

Making matters more difficult is the fact that a Google query won’t get you the data held by US home-listing companies such as Zillow or Twilio; they supply data through fee-supported advanced tools that don’t pop up in those standard queries. Companies responding to Atlas would be suspicious of the requests, asking Atlas to authenticate its demands, which seems reasonable, but one even went so far as to say that “if Atlas clients wanted anonymity, they should have used an LLC to buy property instead of their own names.”

Adkisson said that one company refused to remove Atlas clients’ phone numbers and addresses from view and instead needlessly froze entire files in its system, which impeded those people from having credit checks done on their behalf, some of them to support their loan applications.

So far, the defendants that have filed motions to dismiss in state court have all been denied.

At the federal level, most companies are arguing together that the New Jersey statute violates their First Amendment right to freedom of speech, and it’s an argument that’s allowed personal information to stay online before. Federal courts have given leeway to publication of lawmakers’ contact information and actors’ birthdates, leaving doubts over whether cops and judges and their homes and phones would fare any better.

And a US Supreme Court decision in 2011 found a law in Vermont that protected doctors’ privacy unreasonably singled out for data use by drugmakers. Atlas’ foes view Daniel’s Law as similarly arbitrary because it holds New Jersey agencies to different standards than their companies when it comes to keeping data private. They also say it’s unfair that they must remove numbers that people like police officers still list on personal websites.

Others argue that the fear of fines could cause these companies to remove more data than needed or honor invalid requests, saying Atlas’s main motivation is profit.

Ruling with significant impact

A loss for Atlas and its clients could mean that anything done with personal information on the internet is protected as free expression, impeding other attempts to regulate in the digital sphere.

A win could mean more privacy regulations styled after Daniel’s Law; indeed, since early 2023, at least seven states have passed similar laws. But none of them include the monetary penalty that gets lawyers interested in pursuing enforcement.

Adkisson thinks that is why this NJ law is so important – winning there could open that door.

Right now, there are 20 US state privacy laws that have been enacted, even if a few of them don’t yet have effective compliance dates, starting with California’s most sweeping one, enacted in 2018.

The Rhode Island Data Transparency and Privacy Protection Act, the most recent bill passed in 2024, requires disclosing the list of specific third parties – as opposed to just the categories of third parties – to which a business has disclosed a consumer’s personal data upon request. It’s like Oregon and Minnesota’s comprehensive privacy laws, but it goes further to require that a business disclose the third parties to which it “may sell”
personally identifiable information.

Also this year, longer standing bills have been amended, such as the Colorado Privacy Act, which now categorizes neural data as sensitive. The Virginia Consumer Data Protection Act added new protections for children, and California made numerous amendments to the California Consumer Privacy Act, including mandating periodic cybersecurity audits and privacy risk assessments.

Each of the rules are novel but inextricably linked since they involve federal constitutional claims involving some similar provisions or legal reach. They also continue to make this author advocate for clear safeguards under US law (rather than just the patchwork of US laws we have now) that firmly outline what gets protected, by whom, and under what enforcement procedures. Stay tuned.

, , ,

You may also like