New Jersey’s Daniel’s Law, effective since July 20, 2023, was created as an amendment to the state’s preexisting privacy law. The law allows an authorized person or entity to request removal of “protected information from the internet or where otherwise made available” and provides for civil liability if valid requests are not complied with promptly.
This law created additional protections in response to the July 19, 2020, murder of Daniel Anderl, the son of New Jersey Federal District Court Judge Esther Salas. Daniel’s killer, a disgruntled litigant, used information accessed from the internet to stalk and attack Judge Salas and her family. In response to the incident, Daniel’s Law was initially passed to protect the disclosure of certain information of judges and other covered persons. Recent state-level amendments to the law have since expanded the field of disclosure to cover more than just internet activity and the common definition of “disclose.”
How the Law Works
New Jersey’s privacy law defines a covered person as an active or retired judicial officer, law enforcement officer, child protective services investigator, prosecutor or the immediate household relatives of any of the former. The law allows an authorized person to request, via written notice, that a covered person’s personal information, such as their home address or unpublished home telephone number, not be disclosed. The written notice must advise that the request is coming from an authorized person and that they are requesting that the entity or person cease the disclosure of the specific information.
Within 10 days of receiving the notice, the receiving party must not disclose or re-disclose on the internet, or otherwise make available, the mentioned personal information. Under the current version of the law, the time to comply with the request is extremely short, calling for nearly immediate action by the recipient.
Daniel’s Law broadly defines the term “disclose” to mean to solicit, sell, manufacture, give, provide, lend, trade, mail, deliver, transfer, post, publish, distribute, circulate, disseminate, present, exhibit, advertise or offer, and includes making available or viewable within a searchable list or database. This broad definition seems to imply nearly any collection or use of protected information, regardless of whether anyone performs a search.
If a business or person violates Daniel’s Law, the business may be held civilly liable for actual damages of not less than $1,000 per violation, punitive damages upon proof of willful or reckless disregard of the law, reasonable attorneys’ fees and costs of litigation, as well as any other preliminary and equitable relief that the court considers appropriate.
The most recent version of Daniel’s Law made the following changes:
- The removal of a prior requirement that a covered person had to receive approval from the Office of Information Privacy before providing notice
- The addition of the definition of an assignee to mean a person or entity to whom or which an authorized person has been assigned, in writing, a covered person’s right to seek protections under this law
- Amendments expanding the civil liability damages that may be available for violations of the law
Who Is Affected by Daniel’s Law?
Daniel’s Law applies to any person, business, entity or association. On its face, the current version of the law does not limit applicability to any industry, type of company or location. However, the scope of applicability has yet to be determined by the courts. The current version of the law appears to have opened the floodgates of litigation against several companies across the country. How the law is being or should be applied, the proper jurisdiction for these lawsuits and how courts will ultimately interpret the law have yet to be determined. Therefore, companies should be aware of the law and its possible implications and prepare to comply with any requests made under Daniel’s Law.
Legal Risks to Businesses
Under the revised New Jersey law, nearly all businesses nationwide face a significant potential risk. The 10-day compliance period, expansive per violation damages and fee-shifting provisions of the statute could have devastating effects on businesses.
Earlier this year, nearly 150 lawsuits were filed in New Jersey against various companies within and beyond the state borders, reaching companies as far as Florida and California. All companies must defend the cases, even those with robust opt-out procedures and privacy protection policies and in full compliance with their respective state and federal privacy requirements. These lawsuits, purportedly on behalf of nearly 20,000 covered persons, claim to have sent tens of thousands of emails to companies requesting immediate nondisclosure. These requests do not mention Daniel’s Law by name, but they provide other public law references. They were sent in a massive, coordinated email campaign sometime between Christmas and beginning of 2024.
Almost immediately following the 10-business day compliance period, cases seeking tens of millions of dollars in damages were filed in the law division of multiple counties in New Jersey state courts. While nearly 70 cases have since been removed to the New Jersey Federal District Court, about half of the first round of cases remain before the various state courts. Many out-of-state businesses now face litigation, some of which may not even be aware of the lawsuits filed against them, and many claim to have never received a nondisclosure request. Some businesses named in lawsuits do not offer the kind of online searching services typically associated with the harm the law aims to prevent, and many small businesses are surprised to learn that they are being sued under this law.
If your business uses addresses or unpublished home phone numbers of New Jersey residents in any way under the broad definition of “disclose,” you may be subject to Daniel’s Law and should be prepared to identify and respond to nondisclosure requests promptly. Given the massive litigation underway in state and federal courts, clarification on the applicability and scope of Daniel’s Law may take some time. Businesses should implement efficient and effective internal policies to identify, respond to and comply with these privacy protection requests. The current legal risks of Daniel’s Law are significant and rapidly evolving. It is important to keep track of any developments in this space that may impact your business.