New Jersey Passes Data Privacy Act
Key Takeaways: New Jersey became the thirteenth state to enact a comprehensive consumer privacy law, with an effective date in early 2025. The New Jersey Data Privacy Act is fairly consistent with the existing consumer privacy laws in Connecticut and Virginia, with some key differences in its defined terms and the scope of consumer rights provided.
On January 16, 2024, New Jersey became the thirteenth state to adopt a comprehensive data privacy law. The New Jersey Data Privacy Act (the “NJDPA”) introduces distinctive privacy provisions that require careful consideration for businesses aiming to ensure compliance. The NJDPA will take effect on January 16, 2025.
Applicability and Scope
The NJDPA defines the “controller” as an individual, or legal entity, that alone or jointly with others determines the purpose and means of processing personal data. The NJDPA applies to controllers that conduct business in the state of New Jersey or produce products or services that target residents of the state and meet either of the following criteria: a) control or process data of at least 100,000 New Jersey consumers; or b) control or process the personal data of at least 25,000 New Jersey consumers and such control results in revenue or receipt of a discount on the price of any goods or services from the sale of the data. Notably, the NJDPA does not include a revenue threshold for controllers for the law to apply. Like all other state laws except for the California Consumer Privacy Act, “consumer” does not include employees or business-to-business contacts.
The NJDPA’s applicability exemptions are narrower than those provided in other state privacy laws. While the NJDPA does include the standard exemptions for entities subject to the Gramm–Leach–Bliley Act (“GLBA”) and state related insurance companies, there is no entity-level Health Insurance Portability and Accountability Act (“HIPAA”) exemption, though personal health information subject to HIPAA is exempt. Notably, the NJDPA will apply to nonprofit organizations that meet the applicability thresholds.
The controller is required to provide a comprehensive privacy notice to consumers that encompasses the following key elements, which are generally consistent with those required by other state privacy laws: 1) the categories of the personal data the controller collects; 2) the categories of the third parties to whom the controller may disclose a consumer’s personal data; 3) the categories of personal data the controller shares with third parties; and 4) the process by which consumers can exercise their rights.
Unlike other state privacy laws, the NJDPA also requires that the privacy notice inform consumers of 1) the express purpose of the processing of the personal data; 2) the process by which the controller notifies consumers of material changes to the privacy notice, along with the effective date of the privacy notice; and 3) an active electronic mail address or other online mechanism that the consumer may utilize to contact the controller.
Requirements for Processors
Like other state privacy laws, the NJDPA requires processors to adhere to the instructions of the controller to meet their obligations under the NJDPA. Processors are obliged to assist controllers with the following duties:
- Take appropriate and organizational measures to assist the controller’s obligation to respond to consumer requests
- Assist controller with the security of processing the personal data
- Provide information to the controller to enable controller to conduct and document any data protection assessments
As detailed in the NJDPA, consumers have several rights at their disposal for protecting their personal data. Consumers have the right to:
- Confirm whether a controller processes and has access to the consumer’s personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete the consumer’s personal data;
- Obtain a copy of the consumer’s personal data in a form that would allow the consumer to transmit the data to another entity without issue;
- Opt out of the processing of the consumer’s personal data for the purposes of targeted advertising and the sale of personal data.
The controller must allow a consumer to submit requests via a third party who serves as the consumer’s authorized agent and acts on the consumer’s behalf. A controller is required to verify the identity of the consumer and verify the authorized agent’s authority to act on the consumer’s behalf.
Controllers have 45 days from the date of receipt of the request from the consumer to process a response. However, the NJDPA allows the controller the flexibility to extend the response period by an additional 45 days, taking into consideration such factors as the complexity and number of requests.
Like Colorado, Connecticut, Montana, Oregon, Delaware, and Texas, the NJDPA requires the controller to honor consumer requests sent through universal opt-out mechanisms. Specifically, consumers may use universal opt-out mechanisms to opt out of targeted advertising or the sale of their data. Controllers are given six months after the effective date of the NJDPA to implement processes to recognize universal opt-out mechanisms. The NJDPA also allows the Division of Consumer Affairs in the Department of Law and Safety to adopt rules and regulations that detail the technical specifications for one or more universal opt-out mechanisms, and further guidance on this subject is expected.
Opt-In Consent for Processing of Sensitive Data
The NJDPA is the first state privacy law to include financial information as a category of sensitive data. Sensitive data under the NJDPA consists of the following: data on racial or ethnic origin; religious beliefs; mental or physical health conditions, treatment or diagnosis; financial information (e.g., account number and the required passcode or PIN); sex life or sexual orientation; citizenship or immigration status; status as transgender or nonbinary; genetic or biometric data that may be used for unique identification; personal data about a child (under the age of 13); and precise geolocation (within a radius of 1,750 feet). The definition of biometric data is broader than that found in other state laws and includes physical and behavioral characteristics, as well as data generated by “technical processing” or “analysis”.
Opt-in consent from the consumer (or from a parent, in the case of a known child under the age of 13) is required in order to process sensitive data.
Data Protection Assessments
Controllers will be required to conduct data protection assessments before engaging in the following processing activities: processing personal data for targeted advertising; selling personal data; processing personal data for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms; or processing sensitive data. The controller must weigh the benefits of the processing to the controller, consumer, and public against the harms and potential mitigating measures. Impact assessments conducted in accordance with other state privacy laws will be sufficient under the NJDPA as well.
The Office of the Attorney General will be solely and exclusively authorized to enforce a violation of the NJDPA. During the first 18 months that the NJDPA is in effect, the New Jersey Attorney General may provide businesses with a 30-day notice and cure period for purported violations. A business that violates the NJDPA may be subject to fines of up to $10,000 per violation. The NJDPA does not include a private right of action.
Koley Jessen will continue to monitor developments related to New Jersey’s new data privacy law and advise as updates become available. If you have inquiries regarding your business’s compliance with the law or the necessary steps to take, please reach out to one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area for expert assistance.
*Special thanks to Data Privacy & Cybersecurity Support Specialist Briseyda Garcia-Ticas for her contributions to this article.