What is New Jersey's Daniel's Law? Requirements and Risks
4 days ago
3 min read
1
8
0
Too often in the news, we hear about targeted attacks on people in politics and law enforcement.
The Minnesota assassin who killed two lawmakers got their home addresses from people search sites.
A similar incident happened in New Jersey when a vengeful criminal targeted a NJ Superior Court Judge and killed his son Daniel Berman.
Lawmakers responded by making one of the strictest data privacy laws in the country. With a Private Right of Action, Daniel's law has also become one of the most litigated laws in the country.
Here, we'll break down the tragic history behind the law, what the requirements are to keep in compliance, and an explanation of the lawsuits happening for violators.
The Tragic History Behind Daniel's Law
Daniel's Law was initiated in response to a heartbreaking event. In 2018, the son of New Jersey Superior Court Judge Glenn Berman was murdered in a violent attack that shocked the community. This tragedy not only devastated the Berman family but raised serious concerns about the safety of those serving in public positions.
After this incident, New Jersey's legislators took action. They passed Daniel's Law in 2020, which is specifically designed to safeguard the personal information of judges, prosecutors, law enforcement officers, and their immediate family members.
By restricting access to their addresses, phone numbers, and other identifying details, the law aims to prevent similar tragedies and enhance the safety of these public servants.
Requirements under Daniel's Law
The simple version is:
Companies that get a Daniel's Law request to delete the data of a public official have to remove that individuals data and stop selling/sharing their data.
Under Daniel's Law, an "Authorized Person" (like judges, prosecutors, law enforcement officers, and their immediate family members) can request the deletion of their personal data from public databases and opt-out of the sale/sharing of data by private companies.
This includes names, addresses, email addresses, phone numbers, and any other identifying information that could put them or their families at risk.
For public agencies: Authorized People must submit a request to the relevant government agency including the official's full name, position, and the reasons justifying the removal of their information.
For private companies: Authorized People have been known to submit requests to removed remove their data via email or any other method for submitting Data Subject Requests the company supports in their Privacy Policy.
How Daniel's Law Differs from Other Privacy Laws
Most data privacy laws in the US allow 30-45 days to process and respond to a data deletion or opt-out request.
Daniel's Law allows only 10 days.
As if that wasn't challenging enough - Daniel's Law grants a Private Right of Action so people and their lawyers can sue you directly without waiting for a government enforcer to get involved!
Current State of Litigation
One organization - Atlas Data Privacy Corporation (“Atlas”) - has filed over 150 lawsuits against various companies on behalf of over 19,000 covered persons in the span of about 1 year.
Atlas sends 10s of 1,000s of emails at once from @AtlasMail.com - if you fail to fulfill the requests in the allotted 10 days, and there is proof of it (like public facing profiles) - there is a very real risk of litigation.
Tips for Companies to Protect Themselves
For being such a strict law with high consequences - Daniel's Law got shockingly little press and many businesses find themselves out of compliance without realizing it.
Here's a few things you can do to prepare for an onslaught of opt-out emails.
Organize your Data Subject Requests: Keeping requests organized in a Privacy@ email inbox instead of a generic Support@ will save you a lot of headache in the long run.
Have a Process: You gotta know what you're going to do when you get 10,000 emails to delete. How do you organize, manage, execute. Document your process.
Make Deletions Automatic: Time is of the essence. If you've got data of Authorized People, you should build an "easy button" to delete a user record in your database(s).
Check your public data: Your risk is especially high if there's evidence you didn't delete an Authorized Person. If data is publicly accessible or purchasable, make sure your deletions get pushed to the public websites a$ap.
Automate Your Privacy Inbox: Unless you love copying and pasting names and email addresses out of emails, a tool to automatically extract and process the requests in your Privacy Inbox will go a long way.
Who is Superset?
Superset is a tech platform that specializes in Data Broker compliance.
We help Data Brokers stay on top on compliance with DROP, State Registrations, Privacy Inbox Management, and more.
Still have questions?
Reach out! I'm around to answer any questions and love talking privacy & compliance :)
Zane Witherspoon, CIPP/US
CEO - Superset
