New Jersey Passes Comprehensive Privacy Law to Lead the 2024 Wave of State Privacy Laws
On January 16, 2024, New Jersey Governor Phil Murphy signed Senate Bill (SB) 332, establishing New Jersey’s consumer data privacy law, the New Jersey Data Privacy Act (NJDPA), which will be effective January 15, 2025. This legislation marks New Jersey as the first state to implement comprehensive privacy legislation in 2024, joining the ranks of 13 other states with similar laws. With legislation stalled at the federal level for the foreseeable future, the NJDPA symbolizes a growing national focus on strengthening consumer personal data protection at the state level.
Although the NJDPA shares many similarities with other comprehensive state privacy laws such as the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (CDPA), there are also significant differences. Therefore, compliance with existing consumer data privacy laws may not be sufficient to meet the requirements of the NJDPA, and businesses must ensure that they comply with the distinct requirements and approaches taken by each state.
Applicability and Exemptions
Criteria for Applicability
The NJDPA applies to any business (controller) that “conducts business in New Jersey or produces products or services that are targeted to residents of New Jersey,” and, during a calendar year, meets either of the following thresholds:
- Controls or processes the personal data of 100,000 or more New Jersey consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction), or
- Controls or processes the personal data of 25,000 or more New Jersey consumers and derives revenue or receives a discount on the price of any good or service from the sale of personal data.
Notably, like Colorado’s CPA, the NJDPA does not provide a revenue threshold for the percentage of revenue a business must derive from the sale of data. Most other current state privacy laws generally apply only if the business derives between 25% and 50% of annual revenue from the sale of personal data. In addition, applicability under the NJDPA does not involve any form of a revenue threshold, meaning businesses with minimal processing of personal data may not be subject to the law, even if they have high revenues.
Personal Data
The NJDPA applies to a business’s (or “controller’s”) processing of “personal data,” defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” Personal data explicitly excludes de-identified data and publicly available data.
Consumer vs. Commercial Data
Importantly, the NJDPA draws a clear line between consumer data and employment or commercial data. The NJDPA applies only to information about “consumers,” who are defined as residents of New Jersey acting only in an individual or household context. Thus, the NJDPA, like most state privacy laws except California’s CPRA, does not apply to information about individuals acting in a commercial or employment context, including as a job applicant or as a beneficiary of another individual acting in the employment context.
Exemptions
The NJDPA includes many now common exemptions, including state agencies and data regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA). However, the NJDPA does not contain an entity exemption for HIPAA-regulated entities or exempt data processed by nonprofits or institutions of higher education (or educational data subject to FERPA).
Additionally, as noted above, the NJDPA’s definition of personal data explicitly excludes de-identified and publicly available data. The approach to de-identified data in the NJDPA is similar to that of the Virginia CDPA, requiring the controller to “publicly commit” to keeping the data de-identified and to contractually obligate any recipients of the data to comply with the same. As such, businesses subject to the NJDPA may need to review and revise contracts involving the sharing of de-identified data. The NJDPA’s definition of “publicly available information” is also broader than laws like the CPRA, including not only information lawfully made available from government records but also information that the controller has a reasonable basis to believe that the consumer has lawfully made available to the general public.
Business Obligations
The NJDPA imposes several obligations on controllers of personal data. These obligations are designed to ensure that businesses handle personal data responsibly and transparently.
Transparency
Similar to other consumer data privacy laws, controllers must provide consumers with a privacy notice that is reasonably accessible, clear, and meaningful. The privacy notice must include the following information:
- Categories of personal data processed.
- Purposes for processing personal data.
- Categories of third parties with whom data is disclosed.
- How consumers can exercise their rights under the law (see Consumer Rights below).
- Methods for notifying consumers of material changes to the privacy notice.
- An active electronic contact method for inquiries.
If a controller sells personal data to third parties or processes personal data for targeted advertising or profiling purposes, the privacy notice must clearly and conspicuously disclose such sales or processing. It must also explain the method by which a consumer can opt out of such sale or processing. Controllers are prohibited from discriminating against a consumer for opting out of the processing for sale, targeted advertising, or profiling.
Universal Opt-Out Mechanism
Beginning six months after the effective date of the NJDPA, any controller that processes personal data for purposes of targeted advertising, the sale of personal data, or profiling will be required to allow consumers to opt out of such processing through a user-selected universal opt-out mechanism. California and Colorado have already approved the use of the General Privacy Control (GPC) browser signal for this purpose.
Obtain Consent for Certain Processing
Controllers must obtain explicit consent (via an opt-in) before processing sensitive data. This includes financial information (including a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account); information that reveals racial or ethnic origin, religious beliefs, mental or physical health condition, treatment, or diagnosis; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or precise geolocation data.
Controllers must also obtain consent prior to processing the personal data of (i) minors under age 13 (and must process the data in accordance with the federal Children’s Online Privacy Protection Act (COPPA)); and (ii) minors ages 13-16 for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Data Protection Assessment
The NJDPA (similar to the Colorado CPA) prohibits controllers from processing data that poses a “heightened risk of harm” to consumers without first conducting and documenting a data protection assessment. The term “heightened risk of harm” is defined as:
- Processing personal data for profiling or targeted advertising purposes
- The “sale” of personal data
- Processing “sensitive data”
- Processing personal data for profiling if such profiling presents a reasonably foreseeable risk of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers
  - Financial or physical injury to consumers
  - A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person
  - Other substantial injury to consumers.
Contracts with Processors
Similar to other consumer data privacy laws, controllers must enter into contracts containing certain terms and conditions with processors that meet the obligations of the NJDPA.
Consumer Rights
Similar to other consumer data privacy laws, the NJDPA grants consumers the right to confirm whether a business is processing their personal data and to access their personal data, correct any inaccuracies in their personal data, have personal data deleted, and obtain their personal data in a portable format twice per year. Consumers have the right to opt out of the processing of their personal data for the purposes of (a) targeted advertising, (b) the sale of personal data, or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
Controllers are required to respond within 45 days of receipt of a consumer rights request, with an additional 45-day extension permitted under certain circumstances. Controllers are also required to respond and provide the requested information free of charge up to once per year but may charge for additional requests within a 12-month period.
Enforcement
The NJDPA does not allow for a private right of action for consumers. Instead, like many other state consumer data privacy laws, the NJDPA will be enforced exclusively by the NJ Attorney General. For the first 18 months after the law’s effective date, controllers will have a 30-day cure period to remedy any violations. If the controller fails to cure a violation within that time, an enforcement action may be brought by the Attorney General.
The Division of Consumer Affairs may pass regulations to effectuate the NJDPA.
Fines
The NJDPA does not specify any statutory fines. However, a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to US$10,000 for the initial violation and up to US$20,000 for subsequent violations.
Impact to Businesses
The NJDPA is the first of many laws anticipated to join the growing patchwork of sector-specific and state-specific privacy laws in 2024. Therefore, it is crucial for organizations that may be subject to the new laws to take proactive steps to ensure they are working toward compliance. For organizations that are already in or are currently working towards compliance with consumer data privacy laws already in effect such as California’s CPRA, Colorado’s CPA, or the Virginia CDPA, there will likely be significant overlap in those efforts and the policies and procedures adopted pursuant to those laws. However, organizations that have not been subject to other similar privacy laws will likely need to expend significant resources to ensure compliance. As such, organizations should prioritize the following activities to ensure compliance and ease the burden of compliance in the future:
- Undertake a data mapping exercise to understand the types of data the organization processes and maintains, the purposes for which the data is used, and whether all data is needed.
- Perform a privacy impact assessment.
- Begin engagements with independent cybersecurity audit firms for “heightened risk of harm” processing.
- Update policies and procedures to comply with the new requirements and obligations of the NJDPA.
- Start developing business processes to allow consumers to exercise their new rights.
- Ensure the organization has a reasonably accessible, clear, and meaningful privacy notice that is compliant with the requirements of the NJDPA.
- Review business relationships with third-party data processors to understand the role of each party and potential requirements.
For more information about the New Jersey Data Privacy Act and its requirements, or for assistance with compliance, please contact either of the authors or any of the Partners or Senior Counsel in Foley’s Cybersecurity and Data Privacy area of focus.