A-3929
NJ · State · USA
● Passed
New Jersey Assembly No. 3929 — An Act concerning biometric surveillance systems and supplementing P.L.1960, c.39 (C.56:8-1 et seq.)
Summary

Prohibits business entities from using biometric surveillance systems (facial recognition or other remote biometric recognition) on consumers at their physical premises unless they provide clear and conspicuous notice and the system is used for a lawful purpose. When biometric surveillance data is used to deny a consumer access to or remove them from premises, a detailed explanation of the criteria and determination must be provided. Prohibits business entities from selling, leasing, trading, sharing, or otherwise profiting from biometric surveillance data obtained from consumers. Violations are unlawful practices under the New Jersey Consumer Fraud Act, enforceable by the Attorney General and through private action, with penalties up to $10,000 for a first offense and $20,000 for subsequent offenses, plus treble damages for injured parties. A 30-day cure period applies to first violations.

Enforcement & Penalties
Enforcement Authority
Enforcement by the Division of Consumer Affairs and the Attorney General under the New Jersey Consumer Fraud Act (P.L.1960, c.39; C.56:8-1 et seq.). The Attorney General may issue cease and desist orders. A private right of action exists under the Consumer Fraud Act for persons who suffer ascertainable loss. Upon being informed of a first violation, the business entity has a 30-day cure period to demonstrate compliance; if it does so, penalties for that first violation are waived.
Penalties
Violations are unlawful practices under the New Jersey Consumer Fraud Act. Monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for any subsequent offense. The Attorney General may issue cease and desist orders and assess punitive damages. Injured parties may recover treble damages and costs. First-violation penalties are waived if the business entity demonstrates compliance within 30 days of being informed of the violation.
Who Is Covered
"Business entity" means any natural or legal person, business corporation, professional services corporation, limited liability company, partnership, limited partnership, business trust, association, or any other legal commercial entity organized under the laws of this State or any other state or foreign jurisdiction.
What Is Covered
"Biometric surveillance system" means any computer software that performs facial recognition or other remote biometric recognition.
Compliance Obligations (3 obligations)
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Section 2(a)-(b)
Plain Language
Business entities are prohibited from using biometric surveillance systems on consumers at their physical premises unless two conditions are met: (1) clear and conspicuous notice is provided to the consumer, and (2) the system is used for a lawful purpose. Notice may be satisfied by posting a sign at the perimeter of the surveilled area. Note that the definition of facial recognition is broad — it covers not only identification but also logging facial, head, or body characteristics to infer emotion, associations, activities, or location. If either condition is not met, use of the system is an unlawful practice under the Consumer Fraud Act. A 30-day cure period applies to first violations (see Section 2(d)).
Statutory Text
a. It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a business entity to use any biometric surveillance system on a consumer at the physical premises of the business entity, except as provided in subsection c. of this section. b. A business entity may use a biometric surveillance system on a consumer at the physical premises of the business entity, if: (1) the business entity provides clear and conspicuous notice to the consumer regarding its use of a biometric surveillance system; and (2) the biometric surveillance system is used for a lawful purpose. The business entity may satisfy the notice requirement of paragraph (1) of this section by posting a sign in a conspicuous location at the perimeter of any area where a biometric surveillance system is being used.
H-01 Human Oversight of Automated Decisions · H-01.1 · Deployer · Biometrics
Section 2(c)
Plain Language
When a business entity uses biometric surveillance data to deny a consumer premises access or to remove them, it must provide the consumer with a detailed explanation of both the actions taken and the criteria used to reach that determination. This is an adverse-action explanation obligation — it is triggered only when biometric data leads to a tangible exclusion decision, not merely by operating the system. The explanation must be detailed, not generic.
Statutory Text
c. If a business entity uses information obtained through a biometric surveillance system to deny a consumer access to its premises or to remove a consumer from its premises, the business entity shall provide the consumer with a detailed explanation regarding its actions and the criteria used by the business entity in making its determination.
D-01 Automated Processing Rights & Data Controls · Deployer · Biometrics
Section 3(a)-(b)
Plain Language
Business entities are categorically prohibited from selling, leasing, trading, sharing, or otherwise profiting from any information obtained by using a biometric surveillance system on consumers. There is no consent exception — the prohibition is absolute. This effectively treats biometric surveillance data as non-commercializable. Violations are independent unlawful practices under the Consumer Fraud Act, separate from the notice-and-use requirements in Section 2.
Statutory Text
a. A business entity shall not sell, lease, trade, share, or otherwise profit from information obtained through the business entity's use of a biometric surveillance system on a consumer. b. A violation of this section shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.).