Consumers in the Garden State now have comprehensive data privacy protections. But what does that mean for New Jerseyans?
With Gov. Phil Murphy signing Senate Bill 332 (S332/A1971), businesses and entities such as websites and online providers are required to notify consumers when they collect and disclose personal data to third parties, and they must provide customers with the ability to opt out of that collection or disclosure.
In a press release, Gov. Murphy said:
In a rapidly growing digital age, our society has become increasingly dependent on the internet to complete day-to-day tasks from shopping and working to deeply personal tasks such as managing finances and medical care. However, far too often consumer privacy is exploited without consumers knowing that their data is being shared and sold. This important legislation will help consumers reclaim control over their own personal data and allow them the choice to share information that is personal to them.
A number of states—including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia—have passed similar laws, with New Jersey joining the contingent of states passing a comprehensive data privacy act to protect consumers absent a federal law. For an overview of the major characteristics of each U.S. privacy law, check out U.S. Data Privacy Laws: A Guide to the 2024 Landscape.
Let’s dive into the new legislation that expands the U.S. consumer privacy protection landscape.
The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data. The law applies to businesses and entities who conduct business in the state or who produce products or services targeted to those who live in New Jersey.
In terms of applicability and exemptions, New Jersey’s privacy law aligns with other state laws. It applies to controllers who, during a calendar year, meet one of the following criteria:
There are a few key definitions in the law: the NJDPA defines “sale” as “sharing, disclosing, or transferring” data for money or other valuable consideration, similar to California’s law. A “controller” is an individual or legal entity that determines the purpose and means of processing personal data.
Similar to Colorado’s privacy law, it doesn’t define a specific percentage of revenue that must be derived from the sale of data, whereas other states have implemented a 25 or 50 percent threshold.
Unlike most other data privacy laws, the NJDPA doesn’t apply directly to processors—or those who process data on behalf of the controller—though they still have to comply with certain requirements when acting on behalf of a controller.
The NJDPA has a number of exemptions, including:
Notably, nonprofits are not exempt from the NJDPA. Like Connecticut, Delaware, Montana and Oregon, New Jersey’s data privacy law exempts personal data use solely for completing a payment transaction.
Under the NJDPA, consumers are granted certain rights now considered pretty standard. These include the right to:
The law is an “opt-out” model except in the instance of two subcategories: sensitive data and children’s data.
Like other consumer data privacy laws, New Jersey’s data privacy law has a separate definition of, and set of standards for, businesses or entities that process sensitive data and children’s data.
This is where the law’s model switches from opt out to opt in, as businesses must obtain opt-in consent for both data types. The data of a child (i.e., someone under the age of 13) must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA). Children’s data is also considered sensitive data under the law.
Sensitive data is defined broadly and includes a lengthy list of personal data types, including data that reveals:
It’s also important to note New Jersey’s data privacy law has an expanded definition of financial information, which includes a consumer’s account number, account log-in information, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. The CPRA includes a definition of financial information like this, but the NJDPA is the only law that classifies financial information as sensitive personal information requiring affirmative opt-in consent before it can be processed.
As has become the trend with other data privacy laws, the NJDPA requires businesses to honor universal opt-out mechanisms. These mechanisms essentially enable users to indicate their consent preferences once via a browser plugin like the Global Privacy Control rather than every time they visit a new website. Thus, businesses must be on the lookout for such signals if they want to remain in compliance.
Similar to other state laws, the New Jersey Data Privacy Act outlines a number of obligations for controllers, who must limit the collection of personal data to what is “adequate, relevant and reasonably necessary”; establish, implement and maintain administrative, technical and physical data security practices; secure data; and not process sensitive data or data of a known child without consent.
Controllers must also post a privacy notice and a link on their website that allows consumers to opt out.
The NJDPA requires controllers to conduct a data protection assessment. Notably, New Jersey’s law requires businesses to make their assessments available to the New Jersey Department of Consumer Affairs upon request, making this a key compliance task to master.
Activities that present a heightened risk and would therefore require a data protection assessment are outlined as:
Targeted advertising or profiling if it presents a “reasonably foreseeable” risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial or physical injury; physical or other intrusion upon the solitude or seclusion or the private affairs of consumers; or if it would be offensive to a reasonable person.
The sale of personal data.
Processing of sensitive data.
Whenever there’s a new law, data privacy or otherwise, business owners and others who process data should review the text with their legal counsel. It’s critical to understand your data landscape—what’s collected, where it comes from, who it’s shared with and for what reason—to determine your legal requirements.
If you’re feeling overwhelmed with information overload, Osano has many resources related to all things privacy, along with solutions to help manage compliance with the growing number of state data privacy laws.
The law goes into effect on January 15, 2025, one year after its enactment.
As with many other state-level data privacy laws, New Jersey’s Office of the Attorney General will enforce violations of the NJDPA.
The NJDPA has a 30-day cure period, which is on the shorter side for state-level data laws. The cure period also expires after an 18-month grace period in which businesses are expected to adjust (i.e., July 15, 2026).
The New Jersey data privacy law grants rulemaking authority to the Division of Consumer Affairs within the New Jersey Department of Law and Public Safety. No monetary amount is defined in the law’s text, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.
Yep, New Jersey will be among the states that require companies to honor universal opt-out signals. Businesses must recognize them within six months of the act’s effective date (i.e., July 15, 2025).