New Jersey Passes Comprehensive Privacy Law to Lead the 2024 Wave of State Privacy Laws

On January 16, 2024, New Jersey Governor Phil Murphy signed Senate Bill (SB) 332, establishing New Jersey’s consumer data privacy law, the New Jersey Data Privacy Act (NJDPA), which will be effective January 15, 2025. This legislation makes New Jersey the first state to enact comprehensive privacy legislation in 2024, joining the ranks of 13 other states with similar laws. With legislation stalled at the federal level for the foreseeable future, the NJDPA reflects a growing national focus on strengthening consumer personal data protection at the state level.

Although the NJDPA shares many similarities with other comprehensive state privacy laws such as the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (CDPA), there are also significant differences. Therefore, compliance with existing consumer data privacy laws may not be sufficient to meet the requirements of the NJDPA, and businesses must ensure that they comply with the distinct requirements and approaches taken by each state.

Applicability and Exemptions

Criteria for Applicability

The NJDPA applies to any business (controller) that “conducts business in New Jersey or produces products or services that are targeted to residents of New Jersey,” and, during a calendar year, meets either of the following thresholds:

Notably, like Colorado’s CPA, the NJDPA does not set a threshold based on the percentage of revenue a business must derive from the sale of personal data. Most other current state privacy laws apply on that basis only if the business derives between 25% and 50% of its annual revenue from the sale of personal data. In addition, applicability under the NJDPA does not involve any form of gross revenue threshold, meaning businesses with minimal processing of personal data may not be subject to the law, even if they have high revenues.

Personal Data

The NJDPA applies to a business’s (or “controller’s”) processing of “personal data,” defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” Personal data explicitly excludes de-identified data and publicly available data.

Consumer vs. Commercial Data

Importantly, the NJDPA draws a clear line between consumer data and employment or commercial data. The NJDPA applies only to information about “consumers,” who are defined as residents of New Jersey acting only in an individual or household context. Thus, the NJDPA, like most state privacy laws except California’s CPRA, does not apply to information about individuals acting in a commercial or employment context – including as a job applicant or as a beneficiary of another individual acting in the employment context.

Exemptions

The NJDPA includes many now common exemptions, including state agencies and data regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA). However, the NJDPA does not contain an entity exemption for HIPAA-regulated entities or exempt data processed by nonprofits or institutions of higher education (or educational data subject to FERPA).

Additionally, as noted above, the NJDPA’s definition of personal data explicitly excludes de-identified and publicly available data. The approach to de-identified data in the NJDPA is similar to that of the Virginia CDPA, requiring the controller to “publicly commit” to keeping the data de-identified and to contractually obligate any recipients of the data to comply with the same. As such, businesses subject to the NJDPA may need to review and revise contracts involving the sharing of de-identified data. The NJDPA’s definition of “publicly available information” is also broader than laws like the CPRA, including not only information lawfully made available from government records but also information that the controller has a reasonable basis to believe that the consumer has lawfully made available to the general public.

Business Obligations

The NJDPA imposes several obligations on controllers of personal data. These obligations are designed to ensure that businesses handle personal data responsibly and transparently.

Transparency

Similar to other consumer data privacy laws, controllers must provide consumers with a privacy notice that is reasonably accessible, clear, and meaningful. The privacy notice must include the following information:

– Categories of personal data processed.

– Purposes for processing personal data.

– Categories of third parties with whom data is disclosed.

– How consumers can exercise their rights under the law (see Consumer Rights below).

– Methods for notifying consumers of material changes to the privacy notice.

– An active electronic contact method for inquiries.

If a controller sells personal data to third parties or processes personal data for targeted advertising or profiling purposes, the privacy notice must clearly and conspicuously disclose such sales or processing. It must also explain the method by which a consumer can opt out of such sale or processing. Controllers are prohibited from discriminating against a consumer for opting out of processing for sale, targeted advertising, or profiling.

Universal Opt-Out Mechanism

Beginning six months after the effective date of the NJDPA, any controller that processes personal data for purposes of targeted advertising, the sale of personal data, or profiling will be required to allow consumers to opt out of such processing through a user-selected universal opt-out mechanism. California and Colorado have already approved the use of the General Privacy Control (GPC) browser signal for this purpose.

Obtain Consent for Certain Processing

Controllers must obtain explicit consent (via an opt-in) before processing sensitive data. This includes financial information (including a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account); information that reveals racial or ethnic origin, religious beliefs, mental or physical health condition, treatment, or diagnosis; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or precise geolocation data.

Controllers must also obtain consent prior to processing the personal data of (i) minors under age 13 (and must process the data in accordance with the federal Children’s Online Privacy Protection Act (COPPA)); and (ii) minors ages 13-16 for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Data Protection Assessment

The NJDPA (similar to the Colorado CPA) prohibits controllers from processing data that poses a “heightened risk of harm” to consumers without first conducting and documenting a data protection assessment. The term “heightened risk of harm” is defined as: