New Jersey’s Consumer Data Privacy Statute – What You Need to Know
On January 16, 2024, Governor Murphy signed S332 into law, making New Jersey the 13th state to enact legislation designed to protect the personal data of its residents. The law will become effective next year, on January 15, 2025, and imposes various obligations on a person or entity (designated as either a “controller” or a “processor”) that collects, discloses, processes, or sells the personal data of New Jersey consumers. The statute establishes various rights for New Jersey residents with respect to their own personal data and also provides consumers with the ability to opt out of disclosure and sale of their personal data in certain circumstances. Finally, the Division of Consumer Affairs has the authority to develop rules and regulations necessary to effectuate the purposes of the statute, and the Attorney General has sole and exclusive enforcement authority.
The scope of S332 as signed by the Governor was expanded significantly from prior versions. As late as December 17, 2023, the bill applied only to a person or entity that operated “any service provided over the Internet that collects and maintains personally identifiable information from a consumer.” The law enacted less than one month later, however, is not limited to data collected over the internet; it applies to all “personal data” regardless of how the controller obtains it – i.e., online, in person, electronically, in hard copy, etc. Our recent analysis of the proposed legislation, written before it was adopted by the Legislature and signed by the Governor, is here; it includes comments that are reflected in the final version signed into law.
As a threshold matter, the law applies to persons and entities that conduct business in New Jersey or produce products or services targeting New Jersey residents and, during a calendar year, control or process the personal data of either: (1) 100,000 or more New Jersey consumers (excluding personal data processed solely for completing a payment transaction); or (2) at least 25,000 New Jersey consumers (and the person or entity derives a financial benefit from the sale of personal data). The definition of “consumer” specifically excludes “a person acting in a commercial or employment context,” which would appear to exempt all data of employees and business contacts from the scope of the statute.
If the threshold is met, S332 governs the collection, processing, disclosure, and sale of a New Jersey resident’s “personal data,” which is defined as “any information that is linked or reasonably linkable to an identified or identifiable person.” The statute also includes requirements that apply to “sensitive data,” which it defines more broadly than other states’ statutes do: in addition to the categories typically treated as sensitive personal data (racial or ethnic origin, religious beliefs, mental or physical condition, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, and precise geolocation data), it includes a range of consumer financial information and status as transgender or non-binary.
Among the rights granted to New Jersey consumers by S332 are rights to:
- confirm whether a controller is processing their personal data and access that data (a controller being “an individual, or legal entity that, alone or jointly with others determines the purpose and means for processing personal data”)
- correct inaccuracies
- delete personal data
- obtain a copy of personal data in a portable and readily usable format
- opt out of processing for purposes of: (a) targeted advertising; (b) the sale of personal data; or (c) profiling for certain decision-making relating to that consumer.
A controller must respond to a verified consumer rights request within 45 days of receipt, with the possibility of a 45-day extension. Note that opt-out requests, unlike the other consumer rights requests, are not required to be authenticated by a controller; however, an opt-out request may be denied if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.
The law also imposes various obligations on a controller, including for example, the following:
- providing to the consumer a reasonably accessible, clear, and meaningful privacy notice that includes: (a) the categories of personal data processed; (b) the purpose for processing; (c) the categories of third parties to which personal data may be disclosed or shared; (d) the way to exercise a consumer right provided by the statute; and (e) an active e-mail address or other online mechanism to contact the controller
- limiting the collection of personal data to what is adequate, relevant, and reasonably necessary
- obtaining the consumer’s consent prior to processing sensitive data
- processing the personal data of a known child in accordance with the Children’s Online Privacy Protection Act (COPPA)
- implementing and maintaining reasonable administrative, physical, and technical data security practices to safeguard personal data
- providing an effective mechanism for a consumer to revoke their consent, and terminating the processing of that personal data no later than 15 days after receipt of the request
- conducting and documenting data protection assessments, specifically for targeted advertising, profiling, selling personal data, and processing sensitive data, in the event that processing personal data presents a “heightened risk” of harm to a consumer
- ensuring that agreements with processors (such as service providers and vendors) include appropriate data protection requirements and obligations.
In addition, S332 requires a controller to allow consumers to exercise the right to opt out of any targeted advertising or the sale of personal data through a user-selected universal opt-out mechanism. This must be implemented by a controller no later than July 15, 2025 (six months after the effective date), and the Division of Consumer Affairs may adopt regulations that detail the technical specifications for one or more universal opt-out mechanisms.
S332 (like many other state data privacy statutes) exempts several types of entities and data classifications from its scope of application, including: (1) any state agency or political subdivision; (2) financial and market institutions regulated by the Gramm-Leach-Bliley Act; (3) protected health information governed by HIPAA and HITECH; (4) sales of personal data by the New Jersey Motor Vehicle Commission (as permitted by the federal Driver’s Privacy Protection Act); and (5) certain research conducted in accordance with federal policy. The law does not provide an exemption for nonprofit institutions that meet the compliance thresholds, which is also a change from prior versions of the legislation.
Finally, the statute specifically states that the New Jersey Attorney General has the “sole and exclusive authority” to enforce the provisions and requirements of S332, and further states that nothing in the statute “shall be construed as providing the basis for, or subject to, a private right of action.”
Although the effective date of this legislation is nearly a year away, all persons and entities that collect or process personal data of New Jersey residents should start developing a plan for compliance, including:
- specifically identifying the personal data actually collected and processed, and determining where that data is located and who has access to it
- reviewing and updating any existing data privacy and protection programs to incorporate compliance measures that meet the unique requirements and obligations of the New Jersey statute
- reviewing contracts with service providers and vendors to ensure that selection and contracting include the necessary representations and commitments with respect to vendor access, use, and processing of personal data on behalf of the organization
- identifying and implementing the process to be used for accepting, responding to, and completing consumer rights requests consistent with statutory requirements.