New Jersey adopts comprehensive privacy legislation
New Jersey has joined roughly a dozen other states in enacting comprehensive privacy legislation. The law, Bill S332, was signed on January 16, 2024 and takes effect in January 2025.
The law applies to data controllers that do business in New Jersey or target New Jersey residents and that either (1) process the personal data of at least 100,000 New Jersey residents (excluding data processed solely to complete a payment transaction), or (2) process the personal data of at least 25,000 New Jersey residents and derive revenue from the sale of personal data.
Both “personal data” and “sensitive data” are covered by the law. Personal data is defined as non-public information that is linked or reasonably linkable to an identified or identifiable person. “Sensitive data” is “personal data” that reveals an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data; personal data collected from a known child; or precise geolocation data.
Of note, S332 does not apply to data processed under certain federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA).
Rights and obligations conferred by the law
The new law grants consumers a set of rights similar to those granted by the other states that have adopted comprehensive privacy legislation. These include the rights of:
- Confirmation: the right to confirm whether a controller processes the consumer's personal data
- Access: the right to access the consumer's personal data in the controller's possession
- Correction: the right to request correction of inaccuracies in the consumer's personal data
- Data portability: the right to obtain a copy of personal data in the controller's possession in a format that is readily transferable to another entity
- Opt-out: the right to opt out of the processing of personal data for the purposes of (a) targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
It further defines numerous obligations of covered data controllers, including:
- Privacy notice: controllers must provide consumers with a privacy notice that informs the consumer of
  - The categories of personal data processed by the controller;
  - The purpose(s) for processing personal data;
  - The categories of third parties to which personal data may be disclosed;
  - The categories of personal data that are shared with third parties (if any);
  - Methods by which consumers can exercise their rights under the Act and appeal a controller's decisions as to those rights;
  - How the controller notifies consumers of material changes to the privacy notice; and
  - An active email address or other online contact mechanism for the controller.
There are also data security requirements. Controllers must take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices that protect the confidentiality, integrity, and accessibility of personal data and secure it during both storage and use. Alongside security, the law imposes data minimization: controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which it is processed, and must specify the express purposes for which personal data are processed. Controllers must also obtain consumer consent before processing "sensitive data." Consent is defined as "a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data."
Before undertaking certain processing, a controller must conduct a data protection assessment. The law prohibits controllers from processing that presents a "heightened risk of harm" to consumers without first conducting and documenting such an assessment. Processing activities that present a "heightened risk of harm" include (a) processing personal data for targeted advertising; (b) processing personal data for profiling, if the profiling presents a risk of certain harms (including unfair treatment or discrimination, financial or physical injury, or intrusion on consumer privacy); (c) selling personal data; and (d) processing sensitive data.
Finally, consumers gain an additional opt-out mechanism for controlling their data. Controllers that conduct targeted advertising or sell personal data must allow consumers to opt out of such processing through a user-selected universal opt-out mechanism. (This requirement does not take effect until July 2025, six months after the effective date of S332. S332 also provides that the New Jersey Division of Consumer Affairs may adopt rules or regulations specifying what a compliant opt-out mechanism must look like.)
New Jersey's data privacy law does not include a private right of action for consumers. Instead, the New Jersey Office of the Attorney General has sole and exclusive authority to enforce its provisions. The law also includes a "cure provision": for the first 18 months after the law takes effect (i.e., until July 2026), the Attorney General may not bring an enforcement action against a data controller without first giving the controller notice of the alleged violation and a 30-day period to cure it, if a cure is possible. Finally, the law grants rulemaking authority to the New Jersey Division of Consumer Affairs, so implementing rules and regulations should be expected within the next 12 months.
New Jersey's comprehensive privacy legislation does not take effect until next year. Even so, S332 represents a significant overhaul of the state's privacy law landscape and will require data controllers to implement multiple new policies and procedures. New Jersey businesses that process and sell personal data, as well as out-of-state entities that target New Jersey residents, should begin preparing now so that updated, compliant procedures are in place for 2025. For reference, you can read the text of the bill and Governor Murphy's signing statement.
McDonald Hopkins' Data Privacy Team will continue tracking this legislation and provide additional updates. Please contact us to discuss the new law and its implications.