On January 8, 2024, the New Jersey Legislature passed the New Jersey Data Privacy Act (NJDPA). The bill, SB 332, will soon head to Governor Phil Murphy’s desk for signing. Assuming the bill is signed quickly, it will go into effect in early 2025.
The NJDPA largely tracks the consumer privacy laws in Connecticut and Virginia, continuing a trend among new state privacy laws. However, there are nuances in the NJDPA that make it a bit different. Businesses subject to the NJDPA will have to take steps above and beyond existing or planned compliance activities in order to comply with the new law.
Below is an overview of the key aspects of the NJDPA. You can access information about all of the state consumer laws that have been enacted by consulting our interactive state privacy law map.
WHO DOES THE NJDPA APPLY TO?
The NJDPA does not include a revenue threshold. Rather, the bill mirrors the applicability thresholds of Colorado’s consumer law. To be subject to the NJDPA, a business must do business in New Jersey or target products or services to New Jersey consumers, and either:
Control or process the personal data of 100,000 or more New Jersey consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction), or
Control or process the personal data of 25,000 or more New Jersey consumers and derive revenue or receive a discount on the price of any good or service from the sale of data.
WHO IS A “CONSUMER”?
In the NJDPA, a consumer is a natural person who is a resident of New Jersey acting in a personal context. This means that employees and business-to-business contacts are excluded.
WHAT IS “PERSONAL DATA”?
Personal data is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” It excludes, however, de-identified data and publicly available data. The limitations for de-identified data and publicly available data closely track those of Virginia (i.e., de-identification requires a public commitment to keep data de-identified, and public data encompasses both data from government files and data that is generally available through mass media sources).
WHO CAN ENFORCE?
The New Jersey attorney general has exclusive enforcement authority, and there is an express provision asserting that the NJDPA does not create any private right of action. For the first 18 months that the law is in effect, the attorney general can provide companies with 30 days’ notice and a cure period prior to commencing any enforcement actions. Violations of the NJDPA can accrue at a rate of up to $10,000 per violation.
WHO IS EXEMPT?
The NJDPA’s exemptions are significantly narrower than exemptions in other states’ laws. There are the more typical exemptions for Gramm-Leach-Bliley Act-regulated entities and state-regulated insurance companies, but otherwise the exemptions are limited. There is no Health Insurance Portability and Accountability Act-entity exemption, though personal health information itself is exempt. Personal information handled by a consumer reporting agency is also exempt, as is information used in connection with human subject research under federal law.
In addition, the NJDPA does not apply to government entities.
The NJDPA will apply to nonprofit organizations that otherwise meet the applicability thresholds.
The NJDPA does have broad exemptions for certain routine use cases such as compliance with law, preventing fraud or injury to others, and defending legal claims.
WHAT OBLIGATIONS ARE IMPOSED?
The NJDPA imposes the following obligations on data controllers, which mirror those we see in other state privacy laws:
Limit the processing of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed
Take steps to implement reasonable safeguards for the personal data within their control
Refrain from discriminating against consumers for exercising their rights and from processing personal data in violation of federal laws that prohibit discrimination
Be transparent in their reasonably accessible, clear and meaningful privacy notice
Ensure that contracts govern their relationships with processors (note: the law itself specifies the minimum provisions these contracts must contain)
WHAT CONSUMER RIGHTS ARE CREATED BY THE NJDPA?
Controllers must provide a standard set of consumer rights to New Jersey consumers:
Opt-out rights related to the sale of personal data, targeted marketing and profiling, and automated decision-making that could have significant legal effects (such as those related to housing, drinking water, credit, etc.)
Deletion rights (with respect to the data provided by or about the consumer)
Rights to know and access data held by the business
Data portability rights (limited to data the consumer previously provided)
Controllers are given the option to respond to a data portability request with a “representative summary” of the personal data held rather than the data itself
In addition, beginning six months after the NJDPA’s effective date, controllers will be required to recognize user-selected universal opt-out mechanisms as valid opt-outs from targeted advertising and the sale of personal data.
The NJDPA will frustrate some companies because it introduces yet another definition of sensitive data, mixing and matching from the definitions in Delaware, California and other states.
The definition of sensitive data includes data on racial or ethnic origin; religious beliefs; mental or physical health conditions, treatment or diagnosis; financial information (e.g., account number and the required passcode or PIN); sex life or sexual orientation; citizenship or immigration status; status as transgender or nonbinary; genetic or biometric data that may be used for unique identification; personal data about a child (under the age of 13); and precise geolocation (within a radius of 1,750 feet).
A controller may not process (which includes collecting) sensitive data without obtaining the consumer’s consent (or a parent’s consent, in the case of a known child under the age of 13).
RESPOND TO CONSUMER INQUIRIES
Controllers must respond to a consumer personal data request within 45 days of receipt of the request, with a 45-day extension available. If a consumer appeals a decision of the controller to deny a consumer request, the appeal response must be delivered within 45 days. If the appeal is denied, controllers must provide the consumer with a method for contacting the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety.
DATA PROTECTION ASSESSMENTS
Controllers will need to conduct and document privacy assessments before they engage in certain processing activities, including:
Processing personal data for targeted advertising
Selling personal data
Processing personal data for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms
Processing sensitive data (as defined above)
The required assessment must analyze the benefits of the processing to the company, consumer and public while weighing the harms and potential mitigants. The NJDPA allows for the use of impact assessments done under other state laws to count toward the requirements of the NJDPA.
WHEN DOES THE NJDPA TAKE EFFECT?
The NJDPA will take effect 365 days after it is enacted.
Creating a successful, effective and comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.
If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders.