WeVote

Bill

Bill

S 4016

Concerns social media privacy and data management for children and establishes New Jersey Children's Data Protection Commission.

2026-2027 Regular Session Introduced by Joe Vitale

Establishes strict privacy protections for minors on social media in New Jersey, requiring risk assessments, default high privacy, and a new Children’s Data Protection Commission t

Introduced in the Senate, Referred to Senate Health, Human Services and Senior Citizens Committee
0
WeVote Research Nonpartisan
Bill Summary · S 4016

Summary of Bill S 4016 (Session 222) – New Jersey

Purpose and intent

  • Establishes social media privacy and data management standards for children (under 18) and creates the New Jersey Children’s Data Protection Commission.
  • Aims to protect children’s privacy online, require risk assessments for platforms likely to be accessed by children, and provide oversight and guidance to balance safety with privacy rights.

Key definitions (for clarity)

  • Child/Children: individuals under 18.
  • Data Protection Impact Assessment (DPIA): a systematic risk review of how a social media platform handles children's data.
  • Likely to be accessed by children: indicators include directed content toward kids, significant child audience, child-targeted ads, child-friendly design, or internal evidence that a large child audience exists.
  • Online service/product/feature: excludes broadband/telecom services and physical product delivery.
  • Personal information: broad set of data about a child, including identifiers, contact info, geolocation, content like photos or videos, and any data that can be tied to a child across services.
  • Profiling: automated processing used to evaluate or predict aspects of a person.
  • Social media platform: public/semi-public services that allow profiles, connections, and user-generated content, with explicit caveats about certain messaging services not alone constituting a platform.

Main provisions

1) DPIA and pre-launch requirements (for each new service/feature likely to be accessed by children)

  • Before offering to New Jersey residents, platforms must:
    • Complete a DPIA and keep records for as long as children may access it.
    • Document risks to children’s health and well-being and create a plan to mitigate them before access.
    • Estimate age appropriateness for child users based on risk or apply child protections to all users.
    • Set default privacy settings for children at a high privacy level unless a compelling in-child-interest reason exists to deviate.
    • Provide clear, age-appropriate privacy information, terms, and standards.
    • If monitoring/tracking is available, give an obvious signal when being monitored to the child.
    • Enforce platform terms and provide accessible tools for exercising privacy rights and reporting concerns.

2) DPIA content and frequency

  • DPIAs must cover:
    • Purpose and use of children’s data, and risk of material detriment.
    • Design risks to safety, health, and well-being, including harmful content, contact, conduct, exploitation, and harmful algorithms.
    • Use of targeted advertising and design features that increase usage by children (e.g., autoplay, rewards, notifications).
    • Scope and purpose of collecting/processing children’s personal information.
  • Platforms must review all DPIAs at least every two years.

3) Confidentiality and enforcement

  • DPIAs submitted to the Attorney General are confidential and not public records, with privilege protections preserved where applicable.

4) Prohibitions on practices harming children

  • Prohibits using a child’s information in ways that are materially detrimental to health or well-being.
  • Defaults and profiling: default profiling is restricted; profiling may be allowed only with safeguards and either necessity for service or a compelling interest in the child’s best interests.
  • Restrictions on collecting/selling/sharing/retaining unnecessary data about children.
  • Geolocation: strict limits on collecting/sharing geolocation by default; if collected, it must be strictly necessary and disclosed to the user.

5) Civil penalties and enforcement

  • Violations may lead to injunctions and civil penalties:
    • Up to $2,500 per affected child for negligent violations.
    • Up to $7,500 per affected child for intentional violations.
  • Penalties awarded via civil action by the Attorney General; funds offset AG costs.
  • There is a cure option: if a platform corrects violations within 90 days and provides a written cure statement, penalties for cured violations may be avoided.
  • The bill does not establish a private right of action.

New Jersey Children’s Data Protection Commission

  • Created within the Division of Consumer Affairs, Department of Law and Public Safety.
  • Composition: nine members with expertise in child privacy, health (physical and mental), computer science, and children’s rights.
    • 3 appointed by Governor, 3 by Senate President, 3 by Speaker of the Assembly.
  • Terms: three-year terms (initial appointments staggered for 1–3 years).
  • Functions:
    • Gather input from academics, consumer groups, and businesses.
    • Make recommendations on best practices to identify child-accessible services, prioritize child welfare in privacy design, ensure proportionate and minimally invasive privacy measures, assess risks, and publish clear privacy information suitable for children.
    • Advise on leveraging the Division of Consumer Affairs for long-term policy development.
  • Organization: initial organizational meeting within 30 days after appointments; elections of chair and vice-chair at that meeting.
  • Compensation: members serve without compensation but may be reimbursed for travel/expenses.
  • Staffing: the division will provide staff support and the commission may use state resources as needed.
  • Reporting: must prepare a findings and recommendations report within six months of organizational meeting and annually thereafter.

Effective date

  • The act becomes effective on the first day of the thirtieth month after enactment (i.e., a long lead time before full effect).

Impact overview

  • Affects social media platforms with services likely to be accessed by children operating in New Jersey.
  • Introduces mandatory risk assessments, privacy-by-default practices for minors, stricter data collection/sharing limits, and enhanced transparency.
  • Establishes a governance body to oversee, study, and propose further child-centered privacy practices and policies.
  • Provides a framework for enforcement through the Attorney General with civil penalties and an eventual regulatory regime, while not creating a private right of action for individuals.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.