[author: Kate Prince]
New Jersey rang in the new year with the signing of a state privacy bill. On Jan. 16, Gov. Phil Murphy signed SB No. 322, stating he was proud that New Jersey had joined the ranks of states with consumer privacy bills.
Businesses that abide by the Connecticut Data Privacy Act and Colorado Privacy Act will find that many terms in the New Jersey bill overlap with these laws, but there are some key differences that companies will need to keep their eye on.
The New Jersey law (the Act) will go into effect Jan. 15, 2025.
Scope and Applicability
The Act will apply to “controllers that conduct business in the State or produce products or services that are targeted to the residents of the State, and that during a calendar year either:
- control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.”
Section 2.
Government entities, certain regulated entities and data, and institutions of higher education are exempt.
Privacy Notice, Disclosures and Opt-Out Requirements
Like other state privacy laws, the Act requires that a controller’s privacy notice be “reasonably accessible, clear, and meaningful.” Section 3. The notice must disclose the categories of personal data being processed, the purpose of the processing, the categories of personal data that the controller shares with third parties, the option to opt out of targeted advertising or profiling, how the controller informs consumers of material changes to the privacy notice, an email address or online mechanism that the consumer can use to contact the controller, and how consumers may exercise their consumer rights and appeal decisions. The process for a consumer to appeal a denied request must be conspicuously available and similar in process to submitting the initial request.
Notably, if an appeal is denied, the controller must provide the consumer with either an online mechanism or some other means with which to submit a complaint to the Division of Consumer Affairs.
Starting July 2025, controllers that sell personal data or process personal data for targeted advertising must honor a universal opt-out mechanism.
Timeline for Responding to Privacy Requests
Controllers must respond to requests within 45 days of receipt. An additional 45 days is allowed when reasonably necessary, provided the controller informs the consumer within the initial 45-day period and provides the reason for the delay.
Controllers must also respond within 45 days with any action taken, or not taken, in response to an appeal.
Data Protection Assessments and Contracts with Third Parties
Data protection assessments are required for the processing of personal data that has a heightened risk of harm to the consumer.
The assessment must be made available to the Office of Attorney General’s Division of Consumer Affairs upon request.
Processors must assist the controller in meeting their obligations under the Act.
Enforcement
The attorney general has exclusive authority to enforce violations. However, a cure right exists and does not sunset until July 1, 2026.
Notable Differences
- No exception for nonprofits.
- A data-level (not entity-level) HIPAA exemption, exempting PHI collected by a HIPAA covered entity or business associate.
- The director of the Division of Consumer Affairs has been authorized to promulgate rules necessary to carry out the Act. There is no timeline for this rulemaking.
Final Thoughts
While this might be the first new privacy law of 2024, it is far from the last. New Hampshire recently passed its own law, which is currently awaiting the governor’s signature. Companies will need to monitor the resulting rulemaking from the director of the Division of Consumer Affairs as they adjust their policies and procedures to comply.
[View source.]
