A flood of class action lawsuits have been filed against companies alleging violations of New Jersey's Daniel's Law. The statute – enacted after the son of a New Jersey federal judge was fatally shot by a disgruntled lawyer – is designed to protect judicial officials, law enforcement officers, child protective investigators and their immediate family members (described in the statute as "covered persons") from the unauthorized disclosure of certain personal information. Over the past few days, plaintiffs' attorneys have filed more than 100 complaints in New Jersey state court on behalf of covered persons, asserting that the defendant companies failed to fulfill nondisclosure requests made by the plaintiffs. Defendants in these cases have received up to 20,000 nondisclosure requests from allegedly covered persons (who ostensibly have assigned their claims to "Atlas Data Privacy Corporation," a named plaintiff).
Under the New Jersey law, companies that disclose on the internet or "otherwise make available" the home addresses or unpublished telephone numbers of covered persons are required to cease making such disclosures within 10 business days after receiving notice from a covered person or their authorized agent. Although the law originally gave courts discretion in awarding actual damages or $1,000 in liquidated damages, under a 2023 amendment, New Jersey courts are required to award "actual damages, but not less than liquidated damages computed at the rate of $1,000 for each violation" of the law. The plaintiffs in these suits are seeking substantial damages – the greater of actual damages or $1,000 in statutory liquidated damages per violation per defendant – as well as punitive damages for alleged willful or reckless violation of the law and attorney fees. As such, potential exposure (assuming 20,000 violations – one per covered person) is at least $20 million plus punitive damages and attorney fees.
If your company has received nondisclosure requests (like the one below), we recommend the following steps that can help you ascertain and mitigate your risk:
- Look for deletion requests related to Daniel's Law. The plaintiffs have largely been using the same template language. Here is a sample:
- Entities receiving these requests have 10 business days to satisfy them after receiving notice from the covered person or their agent. As such, if you are still within the 10-business day time-frame, we recommend taking steps to locate the covered person making the request and delete their information from your systems (and any systems of third-party service providers with whom you work).Ideally, you also would want to ensure that the covered person's home address and/or unpublished telephone number is no longer made available on or through your services, such as deleting the data or suppressing these data fields within your systems to the extent technically feasible.
- Continue to monitor for Daniel's Law requests on a going-forward basis and respond to such requests within 10 business days.
If you think your company stores and/or makes available data about covered persons, please reach out to a member of the c/d/p team to discuss.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
