United States: New Jersey Adopts Comprehensive Data Privacy Law Imposing New Obligations On Businesses

On January 16, 2024, New Jersey became the 13th state to adopt a comprehensive data privacy law when Governor Phil Murphy signed into law Senate Bill 332, the New Jersey Data Privacy Act (“NJDPA”).[1] P.L.2023, c.266. The law requires businesses to disclose information about the personal data that they collect and imposes certain restrictions on the collection and use of that data.

The Scope of the New Jersey Data Privacy Act

The NJDPA regulates the “processing” of personal data, which is broadly defined to mean any operation performed on personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of data.

The NJDPA applies to individuals, businesses, and other entities (called “controllers”) that do business in New Jersey or produce products or provide services targeted to New Jersey residents and that control or process the personal data of at least 100,000 consumers (excluding personal data processed solely for purposes of completing a payment transaction). This threshold is lowered to 25,000 consumers if the controller derives revenue or other financial benefit from the sale of personal data.

Data and Entity Exemptions

Notwithstanding its broad scope, the law exempts from its scope certain types of entities, data, and data processing.

The NJDPA does not apply to data processing “solely for the purpose of completing a transaction.” It also excludes from the definition of “consumer” any “person acting in a commercial or employment context,” bringing it in line with the majority of states that carve out employment data from the scope of their comprehensive privacy laws.

Protected health information collected by an entity subject to HIPAA is also exempt from the law, as are financial institutions, affiliates and data regulated by the Gramm-Leach-Bliley Act, certain insurance institutions and clinical health research.

Privacy Notice Requirement

The NJDPA requires a controller to provide a privacy notice to consumers with information about the personal data that the controller processes and the purposes of the processing of data.

The law requires that the controller limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is collected. In order for a controller to process data for purposes beyond those previously disclosed, the controller must obtain the consumer's consent.

The notice must indicate the categories of third parties to which personal data may be disclosed and the types of data disclosed, and how consumers may exercise their rights under the NJDPA.

Additionally, the notice must disclose information about the sale of any personal data, use of personal data for targeted advertising, and consumer profiling. The notice is also required to identify a means for the consumer to opt out of such sale or processing.

Finally, the controller must include in the notice an email address or other online mechanism that can be used to contact the controller.

Consumer Rights

The NJDPA provides consumers with rights concerning personal data in the possession of controllers, including the following:

• Right to Know  – Consumers have a right to know whether a controller processes their personal data.
• Right to Access  – Consumers have a right to access the personal data that a controller has collected about them and to obtain a copy of the data in a portable and readily usable format.
• Right to Correct  – Consumers have a right to correct inaccuracies in the data held by a controller.
• Right to Delete  – Consumers have a right to request that a controller delete personal data concerning the consumer.
• Right to Opt-Out  – Consumers have a right to opt out of the processing of their personal data for the purposes of targeted advertising, consumer profiling, or the sale of their personal data.

Universal Opt-Out Mechanism (UOOM)

The NJDPA requires controllers that process personal data for the purposes of targeted advertising or sale to enable consumers to opt out of such processing through a Universal Opt-Out Mechanism (“UOOM”). A UOOM provides consumers with a method, such as a global privacy control built into a web browser or mobile device, by which they can automatically exercise their opt-out rights with all controllers without having to make an affirmative opt-out request with each controller.

Treatment of Sensitive Data and Data About Consumers Under 17 Years of Age

The NJDPA imposes stricter requirements for the collection and processing of “sensitive data.” Sensitive data is defined under the law to include information revealing racial or ethnic origins, religious beliefs, physical health condition, treatment, or diagnosis, sexual orientation, precise geolocation, and genetic or biometric data. Notably, New Jersey's law is distinct from data privacy laws adopted by other states in that the definition of sensitive data also includes certain financial information.

For consumers aged 13 to 16 years old, the law prohibits the processing of their personal data for purposes of targeted advertising, consumer profiling, or sale of the data without affirmative consent. Information about those under the age of 13 is subject to the more stringent requirements of the federal Children's Online Privacy Protection Act.

Data Security and Data Processing Assessments

In addition to the above, controllers must maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure the data from unauthorized acquisition.

Controllers that wish to (i) sell any type of personal data, (ii) conduct certain targeted advertising or consumer profiling, or (iii) collect and use sensitive data in any way must first perform a “data protection assessment.” The data protection assessment requires the controller to identify and weigh the benefits of processing the data against the potential risks to the rights of the consumer and must account for the reasonable expectations of the consumer.

Service Provider Oversight

The NJDPA also regulates entities known as “processors” that process personal data on behalf of controllers. Processors are required to assist controllers in complying with the requirements of the NJDPA, to maintain confidentiality with respect to personal data, and enter into written contracts with their subcontractors that ensure compliance with the new law. Those contracts must specify:

• The nature and purpose of the processing,
• Types of personal data subject to processing and the duration of the processing,
• Measures taken to maintain data security,
• Right of the controller to request return or deletion of all personal data, and
• The obligation of the processor to provide the controller with information confirming compliance with the obligations of the NJDPA.

Enforcement and Effective Date

The NJDPA provides for the Department of Law and Public Safety to adopt rules and regulations to effectuate the law, and the State Attorney General's Office has exclusive authority to enforce the law.

Late amendments drew questions as to whether the NJDPA provides for a private right of action. The Governor, in his signing statement, was clear:

The NJDPA takes effect on January 15, 2025; however, the Division of Consumer Affairs in the Department of Law and Public Safety is authorized to take any anticipatory administrative action in advance of the effective date to implement the act.

Footnotes

1. The other twelve states include California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia,

2. GOVERNOR'S STATEMENT UPON SIGNING SENATE BILL NO. 332 (Sixth Reprint) (January 16, 2024).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.