Data Protection Report - Norton Rose Fulbright

You may not believe that dogs have much to do with privacy and security, but on September 20, 2021, New Jersey’s highest state court ruled that dog owners’ names and addresses were public and therefore not exempt from disclosure by a city dog licensing authority, but other information (such as dog breed and name) raised security concerns.  Bozzi v. City of Jersey City, — A.3d —- (2021) (2021 WL 4256377).


The case began when a home improvement company that installs “invisible fences” (electronic fences that emit signals to keep dogs within the fence boundaries) sought to obtain the names and addresses of dog owners in Jersey City, New Jersey, so that he could send marketing materials to them.  (Jersey City, like many cities and towns, requires that dog owners obtain a license for each dog from the city.)  The city declined to provide the information, stating that releasing the information would violate the dog owners’ “reasonable expectation of privacy.”

The Courts

The contractor sued, and won at the trial court level.  That court ruled that New Jersey’s open public records law did not include an exception for this information, and that dog owners did not have an objectively reasonable belief that the license registration information would be kept private and confidential.  The appeals court agreed, as did the New Jersey Supreme Court, by a vote of 5-2.

The key portion of the New Jersey Supreme Court’s ruling states:  “Owning a dog is, inherently, a public endeavor. Owners — and the dogs themselves — are regularly exposed to the public during daily walks, grooming sessions, and veterinarian visits.  . . .    Dog owners who continually expose their dogs to the public cannot claim that dog ownership is a private undertaking. . . .  dog owners are fully aware of the public exposure of their actions.”  Slip op. at 8.  The court also, in dicta, indicated that other information, such as the dog’s breed, name, and purpose may raise security concerns, as we will detail in the next section.

The dissent felt “there exists an objectively reasonable privacy interest in the records and that the privacy interest outweighs the need for disclosure” and would have ruled against the contractor.

Lessons Learned

Public endeavors are not private.  At least in New Jersey, dog owner names and addresses are available to anyone who asks because owning a dog is “inherently, a public endeavor.”  In other words, information that individual intentionally discloses by walking a dog is not private.  And information that is public to a dog can be public to humans:  the U.S. Supreme Court unanimously ruled that a drug-sniffing dog’s alert constituted “probable cause” for police to search a vehicle.  (Florida v. Harris, 568 U.S. 237 (2013))

What other information does the fact convey and does it increase risk to the individual if a company elects to disclose it?  In this case, the New Jersey Supreme Court pointed out that disclosing a dog’s breed could be “a risk to public safety given the high value of certain purebred dogs.”  If someone has a purebred German Shepherd or Chow, publishing that information can make the dog more likely to be targeted by thieves.  The Court also stated that disclosing the purpose of the dog, such as a law enforcement dog, “must be kept confidential for the health and safety of the owners and the dogs.”  Personal information of law enforcement officers is frequently exempt from public record disclosure to protect the health and safety of the officers and their families.  If your company elects to make collected information public, would that be exposing these individuals to a risk of physical harm?

Is the information valuable in another way, such as a security measure?  The New Jersey Supreme Court also pointed out that “the names of dogs may need to be excluded, given that many people use the names of their beloved pets as passwords or answers to important security questions.”  Focus on other uses that can be made of the data your company has collected, prior to deciding to make that data public.  Could disclosure expose the individual to a risk of financial harm or identity theft?

Do you need the information at all?  Dog toy manufacturers are now selling “stuffing-free” toys, because every dog owner knows that any stuffed toy will eventually be ripped open and the stuffing will go everywhere.  A stuffing-free toy can provide just as much fun for your dog, without the mess.  The same principle can apply to your databases:  are they stuffed with old data, which some threat actor can grab and sell on the dark web?  Instead, consider making your databases “stuffing-free” and dispose of data your company no longer needs—and perhaps save your company a $2 million fine in the next regulatory audit as well.