Key Insights

New Jersey has become the 13th state in the United States to enact a comprehensive privacy law. With the passage of S332 in January 2024, New Jersey joins the growing list of states with robust data protection legislation. Once signed by the governor, the law will take effect one year later, meaning enforcement will begin in early 2025. 

New Jersey Data Privacy Act Overview

The New Jersey Consumer Data Privacy Bill, formally referred to as Senate Bill 332, represents a comprehensive legislative effort to safeguard consumer data privacy within the state. This act aligns closely with privacy laws enacted in other U.S. states, establishing a framework that places significant responsibilities on businesses regarding the collection, use, and protection of consumer data. It also introduces a set of robust privacy rights for consumers, enabling them to have greater control over how their personal information is handled, including rights to access, delete, and opt out of data sales or sharing.

Scope and Applicability

The law applies to controllers that conduct business in New Jersey or offer products or services to state residents and that, during a calendar year, meet either of the following thresholds:

  1. Control or process the personal data of at least 100,000 consumers, excluding data handled solely for payment transaction purposes; or
  2. Control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

Exemptions include:

  • Non-profits
  • Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
  • Health data covered under HIPAA and HITECH
  • Secondary market institutions
  • Insurance companies
  • Personal information covered by the FCRA

Personal Data Under the New Jersey State Privacy Law

Personal data refers to any information associated with an individual that can be used to identify them. This definition is consistent with international data protection standards and includes details such as names, email addresses, IP addresses, purchase records, and other identifiable information.

Sensitive Data Under the New Jersey State Privacy Law

Sensitive data includes personal data that reveals an individual’s racial or ethnic origin, religious beliefs, or mental or physical health condition, treatment, or diagnosis, as well as the following categories:

  1. Financial information, including a consumer’s account number, account log-in, financial account, or credit/debit card number, together with any required security code, access code, or password that permits access to a consumer’s financial account
  2. Sex life or sexual orientation
  3. Citizenship or immigration status
  4. Status as transgender or non-binary
  5. Genetic or biometric data that may uniquely identify an individual
  6. Personal data collected from a known child
  7. Precise geolocation data

Under New Jersey law, sensitive data is subject to specific regulations. If you handle these types of data, you may be required to obtain consent for processing and conduct a data protection impact assessment.

Controller and Processor Obligations

Businesses that collect personal data for processing must:

  1. Collect only the minimum data required to fulfill processing purposes.
  2. Not process personal data for purposes that are not reasonably necessary for, or compatible with, the purposes disclosed to the consumer, unless the controller obtains the consumer’s consent.
  3. Implement administrative, technical, and physical data security practices.
  4. Collect consent for processing sensitive or children’s data and provide mechanisms for revoking consent.
  5. Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
  6. Not process a consumer’s personal data for targeted advertising, the sale of personal data, or profiling that results in decisions with legal or similarly significant effects on the consumer without the consumer’s consent, when the controller knows or willfully disregards that the consumer is between 13 and 17 years of age.
  7. Specify the express purposes for which personal data is processed.
  8. Conduct a data protection impact assessment where necessary.
  9. Ensure that they have written agreements with service providers for the processing of data.

Processors must:

  1. Comply with the controller’s instructions for data processing.
  2. Assist the controller in meeting its obligations under the law.
  3. Take appropriate technical and organizational measures, insofar as possible, to fulfill the controller’s obligation to respond to consumer requests.
  4. Help the controller meet any data security requirements.
  5. Provide information to the controller to conduct and document any data protection assessments.
  6. Keep the data confidential.
  7. Engage subcontractors only based on a written contract requiring that the subcontractor meets the requirements imposed on the service provider.

Provisions for Contracts Between Controllers and Service Providers

A written data processing agreement between the controller and the service provider must govern data processing. The contract must include at least:

  1. The processing instructions to which the processor is bound, including the nature and purpose of processing New Jersey residents’ data.
  2. The type of personal data subject to processing and the duration of the processing.
  3. The duty of the service provider to assist the controller in proving compliance and conducting data protection impact assessments.
  4. The requirement for the service provider to delete all processed personal data upon the controller’s request.

NJCDPB Privacy Policy

A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes, at a minimum:

  1. The categories of personal data that the controller processes.
  2. The purpose for processing personal data.
  3. The categories of all third parties to which the controller may disclose a consumer’s personal data.
  4. The categories of personal data the controller shares with third parties, if any.
  5. Instructions on how consumers may exercise their rights, including the controller’s contact information and how to appeal a controller’s decision regarding the consumer’s request.
  6. The process by which the controller notifies consumers of material changes to the notice, along with the effective date of the notice.
  7. An active email address or other online mechanism that consumers may use to contact the controller.

If a controller sells personal data to third parties or processes personal data for targeted advertising, sales, or profiling that leads to decisions with legal or similarly significant impacts on a consumer, the controller must inform consumers about such activities. They must also explain how consumers can exercise their right to opt out of these sales or processing activities. This is the required minimum, and additional information may be added.

Definition of “Sale”

The NJCDPB defines the sale of personal information as the “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”

The definition does not include:

  1. Disclosure of personal data to a processor that processes data on the controller’s behalf.
  2. Disclosure of personal data to a third party to provide a product or service requested by the consumer.
  3. Disclosure or transfer of personal data to an affiliate of the controller.
  4. Disclosure of personal data that the consumer has intentionally made available to the general public through mass media and has not restricted to a specific audience.
  5. Disclosure or transfer of personal data to a third party as part of a merger, acquisition, bankruptcy, or other transaction where the third party assumes control of part or all of the controller’s assets.

Consumers have the right to opt out of the sale of personal information upon request. If such a request is received, the law requires compliance.

Consumer Rights and Requests

New Jersey consumers have the right to:

  1. Confirm whether a controller processes their personal data and access it, excluding trade secrets.
  2. Correct inaccuracies in their personal data.
  3. Delete their personal data.
  4. Data portability.
  5. Opt out of the processing of their personal data for:
     • Targeted advertising
     • The sale of personal data
     • Profiling in furtherance of decisions that have legal or similarly significant effects

Controllers must establish channels for exercising consumer rights, such as email addresses, contact forms, or toll-free numbers. Under New Jersey privacy provisions, they have 45 days to respond to a request, with a possible 45-day extension if necessary. 

What Is the Right to Opt-Out?

The right to opt-out allows consumers to require a controller to:

  1. Not sell their personal information.
  2. Not process their data for targeted advertising.
  3. Not profile them or use their data for automated decision-making.

The Division of Consumer Affairs in the Department of Law is expected to pass rules on how consumers may opt out. Businesses must honor universal opt-out mechanisms and provide an opt-out link on their websites.

Universal Opt-Out Mechanisms

Controllers are required to respect universal opt-out mechanisms, which send signals to websites indicating the consumer’s wish to opt out. Controllers must honor these signals and, once technology permits, also respect opt-outs for targeted advertising.
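The following is an added example, not code from the original post or from any New Jersey regulator, showing how a website backend can honor a universal opt-out signal on each request. The article does not name a specific signal; this example assumes the Global Privacy Control (GPC) signal, which user agents send as the request header `Sec-GPC: 1`, and a constructed consent record per consumer. The function names `gpcOptOut`, `processingDecision`, and `runSamples` are hypothetical.

```javascript
// Added example (not from the original post). Server-side handling of a
// universal opt-out signal. Assumption: the signal is Global Privacy Control,
// sent as the request header "Sec-GPC: 1". The NJ act leaves the specific
// mechanism to rules from the Division of Consumer Affairs.

// Return true when the request carries a valid opt-out signal.
// Only the value "1" is defined as an opt-out; anything else is no signal.
function gpcOptOut(headers) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const normalised = {};
  for (const [name, value] of Object.entries(headers || {})) {
    normalised[name.toLowerCase()] = Array.isArray(value) ? value[0] : value;
  }
  const raw = normalised['sec-gpc'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Decide which processing a request may be routed to, given the signal and
// the consumer's previously recorded consent (constructed model: a plain
// object with boolean flags).
function processingDecision(headers, consentRecord) {
  const optOut = gpcOptOut(headers);
  const consent = consentRecord || {};
  return {
    // Sale of personal data and targeted advertising stop when the consumer
    // signals opt-out, regardless of any earlier consent on file.
    sellPersonalData: !optOut && consent.sellPersonalData === true,
    targetedAdvertising: !optOut && consent.targetedAdvertising === true,
    // Disclosures needed to deliver the product the consumer requested are
    // not a "sale" under the act, so service delivery continues.
    serviceDelivery: true,
    // Record that the signal was honoured, for audit and DPIA evidence.
    signalHonoured: optOut,
  };
}

// Constructed sample requests: one with the signal, one without, one with an
// invalid value that must not be treated as an opt-out.
const SAMPLE_REQUESTS = [
  {
    headers: { 'Sec-GPC': '1', 'user-agent': 'constructed-sample' },
    consent: { sellPersonalData: true, targetedAdvertising: true },
  },
  {
    headers: { 'user-agent': 'constructed-sample' },
    consent: { sellPersonalData: true, targetedAdvertising: false },
  },
  {
    headers: { 'sec-gpc': '0' },
    consent: { sellPersonalData: true, targetedAdvertising: true },
  },
];

// Evaluate every sample request and return the decisions in order.
function runSamples() {
  return SAMPLE_REQUESTS.map((r) => processingDecision(r.headers, r.consent));
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The decision object is computed per request rather than once at login so that a consumer who enables the signal mid-session is honored immediately; the `signalHonoured` flag gives the controller a record to show on request.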

Data Protection Impact Assessments

Data protection impact assessments (DPIAs) evaluate the benefits and risks of processing personal data, balancing these against potential risks to consumer rights. Risks should be minimized using appropriate safeguards.

Businesses must conduct a DPIA if they:

  1. Sell personal data.
  2. Process sensitive data.
  3. Process data for targeted advertising or profiling.

Controllers are required to provide these assessments to the New Jersey Division of Consumer Affairs within the Department of Law and Public Safety upon request. These assessments remain confidential and are not accessible for public review. Sharing an assessment with the Division does not compromise legal protections, including attorney-client privilege.

Enforcement and Penalties

The New Jersey consumer data privacy law will be enforced by the New Jersey Attorney General. During the first 18 months following the law’s implementation, businesses may be granted a 30-day period to address and rectify violations. After this initial period, penalties will be imposed for each violation.