New Jersey Privacy Law Passes

The New Jersey legislature passed Senate Bill 332 in early January, making the Garden State the first to pass a consumer data privacy law in 2024. Governor Phil Murphy signed the law on January 16, 2024, meaning it will go into effect on the same date in 2025.

Here is a breakdown of the key elements of the New Jersey privacy law and the areas where the law varies from other laws already on the books.

Applicability

The New Jersey privacy law will apply to organizations that meet the following criteria:

• Control or process the personal data of 100,000 or more New Jersey consumers (excluding data used solely to complete a payment transaction)
• Control or process the personal data of 25,000 or more New Jersey consumers and derive revenue or receive a discount on the price of any good or service from the sale of data.

Unlike most existing state privacy laws, this law does not have a revenue threshold. Further, the law will apply to nonprofits that meet the applicability thresholds.

New Jersey’s law does not provide an entity exemption for organizations subject to HIPAA but does provide an exemption for data covered under HIPAA. It exempts data and entities governed by the GLBA.

Consumer Rights

• Confirm whether a controller processes the consumer’s personal data and access to personal data
• Correct inaccuracies in their data
• Delete personal data
• Obtain a copy of the personal data held by the controller
• Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling

Business Obligations:

• Limit collection and processing of personal data to what is adequate, relevant and reasonably necessary to the purposes for which the data was processed
• Gain the consumer’s consent before collecting or processing data. Parental consent is required for children under 13.
• Within six months of the law’s effective date, controllers must honor universal opt-out signals sent for targeted advertising, the sale of data, AND profiling
• Implement reasonable safeguards to protect the personal data within their control
• Cannot discriminate against a consumer for exercising any of the consumer rights
• Provide a reasonably accessible, clear, and meaningful privacy notice that includes:
  • The categories of personal data the controller processes
  • The purpose for processing personal data
  • The categories of all third parties to which the controller may disclose a consumer’s data
  • The categories of personal data that the controller shares with 11 third parties
  • How consumers may exercise their consumer rights
• Ensure contracts control relationships with their processors (note: The law itself details the minimum necessary provisions of these contracts)

Businesses have 45 days to respond to consumer requests. A 45-day extension is available based on the complexity of the request.

Sensitive Data

The New Jersey privacy law also has a unique Sensitive Data definition that includes financial data. In the law, Sensitive Data is defined as:

“Personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.”

Data Protection Assessments

Controllers must conduct and document a data protection assessment before conducting the following activities:

• Processing personal data for purposes of targeted advertising
• Selling personal data
• Processing personal data

To learn more about conducting data protection assessments (or data privacy impact assessments) listen to this episode of our CompliancePointers podcast and check our Overcoming Today’s Biggest Privacy Challenges webinar.

Enforcement

The Attorney General has the sole authority to enforce a violation. New Jersey’s law does not have a private right of action. During the first 18 months the law is in effect, there will be a 30-day right-to-cure period.

CompliancePoint has a team of experienced privacy professionals available to help your organization establish and maintain compliance with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more.