Laws & Statutes NJ NJ-AB-3929
AB-3929
NJ · State · USA
NJ
USA
● Passed
Proposed Effective Date
2026-01-01
New Jersey Assembly Bill No. 3929 — An Act concerning biometric surveillance systems and supplementing P.L.1960, c.39 (C.56:8-1 et seq.)
Prohibits business entities from using biometric surveillance systems (facial recognition or other remote biometric recognition software) on consumers at their physical premises unless they provide clear and conspicuous notice and use the system for a lawful purpose. When biometric surveillance data is used to deny or remove a consumer from premises, the business must provide a detailed explanation of its actions and criteria. The bill also prohibits selling, leasing, trading, sharing, or profiting from biometric surveillance data obtained from consumers. Violations are unlawful practices under the New Jersey Consumer Fraud Act, enforceable by the Attorney General and through private suits, with penalties up to $10,000/$20,000 and treble damages for injured parties. A 30-day cure period applies to first violations.
Mapped Requirements
D-01 Automated Processing Rights & Data Controls H-01 Human Oversight of Automated Decisions
Official Sources
Full Text
Entry Last Reviewed
2026-03-27
AI generated
Summary

Prohibits business entities from using biometric surveillance systems (facial recognition or other remote biometric recognition software) on consumers at their physical premises unless they provide clear and conspicuous notice and use the system for a lawful purpose. When biometric surveillance data is used to deny or remove a consumer from premises, the business must provide a detailed explanation of its actions and criteria. The bill also prohibits selling, leasing, trading, sharing, or profiting from biometric surveillance data obtained from consumers. Violations are unlawful practices under the New Jersey Consumer Fraud Act, enforceable by the Attorney General and through private suits, with penalties up to $10,000/$20,000 and treble damages for injured parties. A 30-day cure period applies to first violations.

Enforcement & Penalties
Enforcement Authority
Enforcement by the Division of Consumer Affairs and the Attorney General under the New Jersey Consumer Fraud Act (P.L.1960, c.39; C.56:8-1 et seq.). The Attorney General may issue cease and desist orders and assess penalties. Private right of action is available under the Consumer Fraud Act for any person who suffers an ascertainable loss. Upon being informed of a first violation, a business entity has a 30-day cure period; if compliance is demonstrated, any penalty for the first violation is waived. The Director of the Division of Consumer Affairs may promulgate rules and regulations to effectuate the act.
Penalties
Violations are unlawful practices under the New Jersey Consumer Fraud Act. Civil penalties of up to $10,000 for a first offense and up to $20,000 for subsequent offenses. The Attorney General may issue cease and desist orders. Injured parties may recover treble damages and costs. Punitive damages may be assessed. First-violation penalties are waived if the business entity demonstrates compliance within 30 days of being informed of the violation.
Who Is Covered
"Business entity" means any natural or legal person, business corporation, professional services corporation, limited liability company, partnership, limited partnership, business trust, association, or any other legal commercial entity organized under the laws of this State or any other state or foreign jurisdiction.
What Is Covered
"Biometric surveillance system" means any computer software that performs facial recognition or other remote biometric recognition.
Compliance Obligations 3 obligations · click obligation ID to open requirement page
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Section 2(a)-(b)
Plain Language
Business entities are categorically prohibited from using biometric surveillance systems on consumers at their physical premises unless two conditions are met: (1) the business provides clear and conspicuous notice, which can be satisfied by posting a sign at the perimeter of the surveilled area, and (2) the system is used for a lawful purpose. This is a notice-and-lawful-purpose framework rather than an opt-in consent requirement — unlike Illinois BIPA, which requires written informed consent before any biometric identifier collection, New Jersey permits use with posted signage notice alone. The definition of facial recognition is notably broad, covering not only identification but also emotion inference, association tracking, and location inference from face, head, or body characteristics.
Statutory Text
a. It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a business entity to use any biometric surveillance system on a consumer at the physical premises of the business entity, except as provided in subsection c. of this section. b. A business entity may use a biometric surveillance system on a consumer at the physical premises of the business entity, if: (1) the business entity provides clear and conspicuous notice to the consumer regarding its use of a biometric surveillance system; and (2) the biometric surveillance system is used for a lawful purpose. The business entity may satisfy the notice requirement of paragraph (1) of this section by posting a sign in a conspicuous location at the perimeter of any area where a biometric surveillance system is being used.
H-01 Human Oversight of Automated Decisions · H-01.1 · Deployer · Biometrics
Section 2(c)
Plain Language
When a business entity uses biometric surveillance data to make an adverse decision about a consumer — specifically denying access to or removing the consumer from the business premises — the business must provide that consumer with a detailed explanation of the actions taken and the criteria the system applied. This is an adverse-action explanation requirement triggered only when biometric data drives a denial or removal decision. The statute requires the explanation to be 'detailed' and to cover both the actions and the criteria, which is more demanding than a generic notice that biometric data was used. The bill does not specify the format or timing of the explanation.
Statutory Text
c. If a business entity uses information obtained through a biometric surveillance system to deny a consumer access to its premises or to remove a consumer from its premises, the business entity shall provide the consumer with a detailed explanation regarding its actions and the criteria used by the business entity in making its determination.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Section 3(a)-(b)
Plain Language
Business entities are categorically prohibited from selling, leasing, trading, sharing, or otherwise profiting from any information obtained through biometric surveillance of consumers. This is a blanket prohibition on secondary use and monetization of biometric surveillance data — there is no consent exception. Unlike the notice-and-lawful-purpose framework in Section 2 that permits use with posted signage, this data commercialization prohibition is absolute. This is comparable to Illinois BIPA's prohibition on profiting from biometric identifiers, though BIPA structures it as a consent requirement rather than an outright ban.
Statutory Text
a. A business entity shall not sell, lease, trade, share, or otherwise profit from information obtained through the business entity's use of a biometric surveillance system on a consumer. b. A violation of this section shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.).