Lucky Number 13: New Jersey Enacts Comprehensive Privacy Law
January 22, 2024
On January 16, 2024, New Jersey’s Governor signed Senate Bill 332 (the “Act”), enacting a comprehensive privacy law for the State of New Jersey. After a slew of state comprehensive privacy laws enacted in 2023, New Jersey continues this trend by becoming the thirteenth state to do so. The Act will take effect on January 15, 2025, and has many similarities to the other state comprehensive privacy laws, while also maintaining some distinctions.
The Act applies to persons or entities conducting business in New Jersey or producing products or services that are targeted to residents of New Jersey and that, during a calendar year, either:
- control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Notably, unlike many other privacy laws, the Act does not have a minimum threshold for the amount of revenue a business must derive from the sale of personal data in order to be subject to the law. The Act applies to non-profit organizations and institutions of higher education that meet the Act’s applicability thresholds. Other state comprehensive privacy laws vary on whether they apply to non-profits, with states recently trending towards including them.
Additionally, the Act does not apply to certain entities, such as governmental entities and financial institutions governed by the Gramm-Leach-Bliley Act, and certain types of information, such as protected health information under HIPAA and personal data processed by a consumer reporting agency under the Fair Credit Reporting Act.
Like the vast majority of the state comprehensive privacy laws, the Act narrowly defines “consumer” to mean an individual who is a New Jersey resident acting only in an individual or household context. As a result, employee personal data and business contact personal data fall outside the scope of the Act.
The Act regulates such consumers’ “personal data,” in addition to a special category of personal data known as “sensitive data,” which it defines as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, treatment, or diagnosis; (ii) a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; (iii) sex life or sexual orientation; (iv) citizenship status or immigration status; (v) status as transgender or non-binary; (vi) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; (vii) personal data of a known child (i.e., an individual under thirteen); or (viii) precise geolocation data. The Act’s definition of “sensitive data” is broader than most other state privacy laws, in part because it includes certain types of financial information. This is particularly important because the Act requires controllers to obtain consent from consumers before processing sensitive data.
Under the Act, the “sale of personal data” means the exchange of personal data for monetary consideration or other valuable consideration by the controller to a third party, which aligns with the definitions in the state comprehensive privacy laws in California, Connecticut, Colorado, Delaware, Montana, Florida, Texas, and Oregon. The Act also provides broad exceptions to the definition of “sale” that are similar to exceptions in other state comprehensive privacy laws and should cover many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller or to a third party or affiliate for the purpose of providing a product or service requested by a consumer.
In general, the compliance obligations found in the Act are substantially similar to those found in the other state comprehensive privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data on their behalf. Further, like the privacy laws in Colorado, Connecticut, Delaware, Florida, Indiana, Montana, Tennessee, Texas, Virginia, and Oregon, the Act requires controllers to conduct and document data protection assessments of any processing activities that involve personal data used in targeted advertising, the sale of personal data, the processing of sensitive data, or, in certain instances, profiling.
Consumer Rights and Requests
The Act also aligns with other state comprehensive privacy laws in that it grants consumers rights regarding their personal data. Specifically, the Act grants consumers the right to make requests to (1) confirm whether a controller is processing the consumer’s personal data and access such personal data; (2) correct inaccuracies in their personal data; (3) delete their personal data; (4) obtain a copy of their personal data; and (5) opt out of the processing of their personal data for targeted advertising, the sale of personal data, or certain types of profiling.
When a consumer requests to exercise these rights, the Act grants a controller 45 days to respond, which may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the consumer’s requests. Additionally, the Act requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 45 days to respond to an appeal. The state comprehensive privacy laws in California and Utah do not contain a right to appeal.
Enforcement & Rulemaking Authority
Similar to other state comprehensive privacy laws, the Act has no private right of action. Rather, the New Jersey Attorney General’s Office has exclusive enforcement authority. For the first 18 months the Act is in effect, the Division of Consumer Affairs must issue a notice and grant a controller a 30-day cure period before any enforcement action is taken, as long as a cure is possible. The Act does not extend this cure period beyond the first 18 months following the effective date. Unlike other state comprehensive privacy laws, however, the Act does not contain its own penalty amounts, but violations of the Act are considered unlawful practices under the New Jersey Consumer Fraud Act.
The Act requires the Division of Consumer Affairs to issue rules and regulations to effectuate the Act’s purposes. To date, only California and Colorado have passed comprehensive privacy laws providing for such rulemaking authority.
It appears that 2024 is picking up where 2023 left off with respect to the passage of state comprehensive privacy laws. It is important to remember that, while these laws contain many similarities, they are not uniform. Developing and maintaining compliance efforts with the state comprehensive privacy laws is important for all covered businesses. Businesses, whether for-profit or non-profit, that have not been subject to such laws in the past should become familiar with applicable state comprehensive privacy laws and develop compliance policies and procedures.
If you would like assistance with, or have any questions about, complying with the Act or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.