On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 332 (the "New Jersey Data Privacy Law") making New Jersey the thirteenth state to adopt comprehensive data privacy legislation. This signing continues the unprecedented momentum seen in 2023 with the enactment of several other U.S. state data privacy laws that have taken or will take effect. The New Jersey Data Privacy Law will take effect on January 15, 2025. The New Jersey Office of the Attorney General will have exclusive enforcement authority, and there is no private right of action available under this act. In this latest in our series of articles on US State Data Privacy Laws, we have summarized below the key components of New Jersey's Data Privacy Law.
Who does New Jersey's Data Privacy Law apply to?
New Jersey's Data Privacy Law imposes obligations on "controllers" – individuals or legal entities that determine the purpose and means of processing personal information – who conduct business in New Jersey or produce products or services targeted to residents of New Jersey and also, within the calendar year:
- Control or process personal data of at least 100,000 New Jersey consumers; or
- Control or process personal data of 25,000 New Jersey consumers and derive revenue (or receive discounts) from the sale of personal data.
What rights does New Jersey's Data Privacy Law give to consumers?
New Jersey's Data Privacy Law gives consumers rights that are largely consistent with other US State Data Privacy Laws. Consumers (New Jersey residents acting only in an individual or household context) may:
- Confirm whether a controller accesses and processes their personal data;
- Correct inaccuracies in their personal data;
- Delete their personal data;
- Obtain a copy of their personal data held by the controller in a readily usable format (i.e., data portability); and
- Opt out of processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling. Consumers may also designate an authorized agent to exercise their right to opt out on their behalf.
New Jersey's Data Privacy Law requires controllers who receive a request from a consumer seeking to exercise these rights to respond to the consumer within 45 days, unless it is reasonably necessary to extend that time and the controller notifies the consumer of the extension within 45 days.
Controllers must also establish a process for consumers to appeal denials of their requests, within a reasonable time after communicating that denial. The appeal process must be "conspicuously available and similar to the process for submitting [initial requests]." If the controller denies an appeal, the controller must provide a way for the consumer to contact the Division of Consumer Affairs in the Department of Law and Public Safety to lodge a complaint.
What obligations does New Jersey's Data Privacy Law impose on controllers and processors?
New Jersey's Data Privacy Law applies to "personal data," which is any information that is "linked or reasonably linkable to an identified or identifiable person," and, like other US State Data Privacy Laws, excludes de-identified data and publicly available information.
The law requires controllers to provide consumers a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data the controller processes; its purpose for processing the data; the categories of all third parties to which it may disclose the personal data and which categories of data it may disclose; information on how consumers may exercise their rights and appeal the controller's decisions; the process by which the controller notifies consumers of material changes to the notice, along with the effective date of the notice; and an active email address or other online mechanism the consumer may use to contact the controller.
Controllers must also:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes with which the data is processed – unless the controller obtains the consumer's consent;
- Establish and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure it from unauthorized access;
- Clearly disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising or profiling, and provide a clear method for consumers to opt out;
- Not process "sensitive data" without the consumer's express consent, or in the case of a known child, in accordance with the Children's Online Privacy Protection Act. Sensitive data is defined as personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition or treatment; sex life or sexual orientation; financial information, including account access details; citizenship or immigration status; transgender or non-binary status; genetic or biometric data that could identify an individual; data collected from a known child; and geolocation data;
- Not process personal data for targeted advertising, sale, or profiling without express consent, where the controller knows, or willfully disregards, that the consumer is at least 13 years old but younger than 17 years old;
- Process data in a non-discriminatory manner as defined under state and federal law;
- Provide a mechanism for a consumer to revoke consent to process personal data that is at least as easy as the mechanism for them to have given consent, and to cease processing the data within 15 days of revocation of consent; and
- Conduct a data protection impact assessment on the processing of personal data that presents a heightened risk of harm to the consumer, including targeted advertising, processing sensitive data, selling personal data, or processing for profiling, if the profiling presents an unreasonably foreseeable risk of unfair or deceptive treatment or disparate impact on consumers, financial or physical injury to consumers, or an intrusion offensive to a reasonable consumer upon their "solitude or seclusion, or the private affairs, or concerns."
New Jersey's Data Privacy Law requires that, starting six months after its effective date, July 15, 2025, controllers must allow consumers to opt out of processing their personal data by using a user-selected universal opt-out mechanism ("UOOM"). A number of other states, including California, Connecticut, and Texas, also mandate the use of UOOMs. The law also authorizes the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety to adopt rules and regulations as needed to clarify the technical specifications for UOOMs.
New Jersey's Data Privacy Law also imposes requirements on "processors" (a person or entity who processes personal data on behalf of a controller). Processors must cooperate with the controller to comply with its obligations under the act, including its obligations regarding consumer rights requests and security of data processing. New Jersey's Data Privacy Law requires that processing be governed by a contract between the controller and processor that outlines relevant privacy provisions set forth under the act.
Key Aspects of New Jersey's Data Privacy Law
- Definition of a Controller. Unlike some other US State Data Privacy Laws, New Jersey's Data Privacy Law does not provide for a minimum amount or percentage of revenue to be derived from the sale of personal data in order for the law to apply.
- Department of Law and Public Safety Rulemaking. The act empowers the Director of the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate rules and regulations necessary to implement its provisions.
- Mandated Use of UOOMs. Like a number of other states that have passed comprehensive data privacy laws, New Jersey has opted to require controllers to allow consumers to communicate their privacy preferences automatically, through the use of online UOOMs.
- Definition of Sensitive Data. New Jersey's Data Privacy Law's definition of sensitive data is broader than that of many other states, adding financial information, including a consumer's account number, account log-in, credit or debit card number, together with any code or password that would allow access to the account. Other categories of sensitive information are racial or ethnic origin; immigration or citizenship status; religious beliefs; mental or physical health condition, treatment, or diagnosis; sex life or sexual orientation; transgender or non-binary status; precise geolocation data; personal data collected from a known child; and genetic or biometric data.
- Obtaining Affirmative Consent. New Jersey's Data Privacy Law requires controllers to first obtain consent before processing consumers' sensitive data as well as before knowingly processing the personal data of minors between the ages of 13-17 for targeted advertising, sale, or profiling.
- Processing Agreement Required between Controllers and Processors. Like certain other US State Data Privacy Laws, New Jersey's Data Privacy Law requires controllers to enter into contracts with data processors governing the processor's data processing procedures. Contracts under New Jersey's Data Privacy Law must set forth clear instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. The law also requires processors to delete or return personal data upon the controller's request.
- Attorney General Investigations and Enforcement. Like most of the US State Data Privacy Laws, New Jersey's Data Privacy Law does not provide for a private right of action. The New Jersey Attorney General may conduct enforcement actions under the state's Consumer Fraud Act. Before initiating an action, the Division of Consumer Affairs in the Department of Law and Public Safety must provide notice to the controller or processor, giving it 30 days to cure the violation identified in the notice, if a cure is deemed possible. The cure provision expires 18 months after New Jersey's Data Privacy Law takes effect.
White & Case's Data, Privacy and Cybersecurity team will continue to provide updates on this law and any related rules and regulations. Please reference our US Data Privacy Guide for general steps to take to comply with US State Data Privacy Laws.
© 2024 White & Case LLP