Laws & Statutes NJ NJ-A-3929
A-3929
NJ · State · USA
NJ
USA
● Pending
New Jersey Assembly No. 3929 — An Act concerning biometric surveillance systems and supplementing P.L.1960, c.39 (C.56:8-1 et seq.)
Prohibits business entities from using biometric surveillance systems on consumers at their physical premises unless the business provides clear and conspicuous notice and uses the system for a lawful purpose. When biometric surveillance data is used to deny a consumer access to or remove a consumer from premises, the business must provide a detailed explanation of its actions and criteria. Separately prohibits the sale, lease, trade, sharing of, or profiting from biometric surveillance information obtained from consumers. Violations are unlawful practices under the New Jersey Consumer Fraud Act, enforceable by the Attorney General with a 30-day cure period for first violations. The bill would take effect on the first day of the sixth month following enactment.
Passage Likelihood
High
Chamber passed chamber of origin
Committee Passed
Majority party (No data)
Bipartisan No
Prior session None
Legislative History
2026-01-13 introduced Introduced, Referred to Assembly Consumer Affairs Committee
2026-03-19 committee passage Reported out of Assembly Committee, 2nd Reading
2026-03-23 Passed by the Assembly (56-16-1) Passed by the Assembly (56-16-1)
2026-05-04 Received in the Senate, Referred to Senate Law and Public Safety Committee Received in the Senate, Referred to Senate Law and Public Safety Committee
Mapped Requirements
S-02 Prohibited Conduct & Output Restrictions H-01 Human Oversight of Automated Decisions D-01 Automated Processing Rights & Data Controls
Official Sources
Full Text
Entry Last Reviewed
2026-05-05
AI generated
Summary

Prohibits business entities from using biometric surveillance systems on consumers at their physical premises unless the business provides clear and conspicuous notice and uses the system for a lawful purpose. When biometric surveillance data is used to deny a consumer access to or remove a consumer from premises, the business must provide a detailed explanation of its actions and criteria. Separately prohibits the sale, lease, trade, sharing of, or profiting from biometric surveillance information obtained from consumers. Violations are unlawful practices under the New Jersey Consumer Fraud Act, enforceable by the Attorney General with a 30-day cure period for first violations. The bill would take effect on the first day of the sixth month following enactment.

Enforcement & Penalties
Enforcement Authority
Enforcement is through the New Jersey Consumer Fraud Act (P.L.1960, c.39; C.56:8-1 et seq.). The Attorney General and the Division of Consumer Affairs have enforcement authority, including the power to issue cease and desist orders. The Consumer Fraud Act also provides a private right of action for aggrieved consumers. The Director of the Division of Consumer Affairs may promulgate rules and regulations to effectuate the bill's provisions. A 30-day cure period applies to first violations — upon being informed of a first violation, a business entity that demonstrates compliance within 30 days has any penalty waived.
Penalties
Violations are unlawful practices under the New Jersey Consumer Fraud Act, which provides for monetary penalties of not more than $10,000 for a first offense and not more than $20,000 for any subsequent offense. The Consumer Fraud Act also authorizes treble damages and costs to injured parties, punitive damages, and cease and desist orders. The 30-day cure provision for first violations may result in waiver of penalties if compliance is demonstrated.
Who Is Covered
"Business entity" means any natural or legal person, business corporation, professional services corporation, limited liability company, partnership, limited partnership, business trust, association, or any other legal commercial entity organized under the laws of this State or any other state or foreign jurisdiction.
What Is Covered
"Biometric surveillance system" means any computer software that performs facial recognition or other remote biometric recognition.
Compliance Obligations 4 obligations · click obligation ID to open requirement page
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Section 2(a)-(b)
Plain Language
Business entities are prohibited from using biometric surveillance systems on consumers at their physical premises unless two conditions are met: (1) the business provides clear and conspicuous notice to the consumer, and (2) the system is used for a lawful purpose. Notice can be satisfied by posting a sign at the perimeter of the surveilled area. Without both conditions, any use is an unlawful practice under the Consumer Fraud Act. This effectively creates a notice-and-lawful-purpose regime rather than an outright ban — businesses that comply with both conditions may use biometric surveillance on-premises.
Statutory Text
a. It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a business entity to use any biometric surveillance system on a consumer at the physical premises of the business entity, except as provided in subsection c. of this section. b. A business entity may use a biometric surveillance system on a consumer at the physical premises of the business entity, if: (1) the business entity provides clear and conspicuous notice to the consumer regarding its use of a biometric surveillance system; and (2) the biometric surveillance system is used for a lawful purpose. The business entity may satisfy the notice requirement of paragraph (1) of this section by posting a sign in a conspicuous location at the perimeter of any area where a biometric surveillance system is being used.
H-01 Human Oversight of Automated Decisions · H-01.1 · Deployer · Biometrics
Section 2(c)
Plain Language
When a business entity uses biometric surveillance data to deny a consumer access to its premises or to physically remove a consumer, the business must provide the consumer with a detailed explanation of the actions taken and the criteria the business used to make that determination. This is an adverse-action explanation requirement triggered specifically by access denial or removal decisions informed by biometric surveillance. The explanation must cover both what the business did and why — including the decision criteria, not merely that biometric data was used.
Statutory Text
c. If a business entity uses information obtained through a biometric surveillance system to deny a consumer access to its premises or to remove a consumer from its premises, the business entity shall provide the consumer with a detailed explanation regarding its actions and the criteria used by the business entity in making its determination.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Section 3(a)-(b)
Plain Language
Business entities are categorically prohibited from selling, leasing, trading, sharing, or otherwise profiting from any information obtained through the use of a biometric surveillance system on a consumer. There are no exceptions or consent-based carve-outs — this is a flat ban on commercialization of biometric surveillance data. Violations are unlawful practices under the Consumer Fraud Act. This prohibition applies regardless of whether the business complied with the notice requirement for using the biometric surveillance system in the first place.
Statutory Text
a. A business entity shall not sell, lease, trade, share, or otherwise profit from information obtained through the business entity's use of a biometric surveillance system on a consumer. b. A violation of this section shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.).
Other · Biometrics
Section 2(d)
Plain Language
A business entity informed of a first violation has 30 days to come into compliance with the act. If the business demonstrates compliance within that window, any Consumer Fraud Act penalty for the first violation is waived. This is a safe harbor / cure period that modifies enforcement — it creates no independent compliance obligation of its own.
Statutory Text
d. Upon being informed of a first violation, a business entity shall comply with the provisions of this act within 30 days. Upon demonstrating compliance, any penalty provided pursuant to P.L.1960, c.39 (C.56:8-1 et seq.) shall be waived.