[co-author: Victoria Okraszewski]
On Jan. 16, 2024, the New Jersey Governor signed the New Jersey Data Privacy Act (the Act) into law, making New Jersey the 13th state to adopt a broad consumer protection law. While the Act follows the suit of many other comprehensive privacy laws, it is more expansive in many regards, particularly concerning its threshold for applicability, broader definitions than other state privacy laws, inclusion of required opt-out mechanisms and expansive child privacy protections. The law will take effect in January, 2025. Some of the most important aspects of the law are detailed below.
Organizations Covered
The Act will apply to entities and individuals that conduct business in New Jersey or produce products or services that are targeted to New Jersey consumers, and that during the preceding calendar year either:
- Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- Control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.
Notably, similar to Colorado and Texas, the law does not include a revenue threshold.
Definitions
“Consumer” is broadly defined by the Act as a New Jersey resident acting in an individual, job seeking or household context. Unlike the CCPA and GDPR, this definition does not apply to individuals acting in the employment context.
Adding more nuance, the Act expands the definition of "sensitive data" beyond many other consumer privacy laws to include financial information. This information includes consumer’s account number, account log-in credentials, financial account, or credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account. This inclusion is significant, as the Act requires covered entities to obtain consent prior to processing and collecting sensitive data.
Consumer Rights
The Act grants New Jersey consumers broad rights concerning their personal data, which are similar to the consumer rights found under many of the other state consumer privacy laws. These consumer privacy rights include the right to know and access personal data, correct inaccuracies in the consumer’s personal data, delete personal data, obtain a copy of the data and opt out of the processing of personal data for (a) targeted advertising, (b) the sale of personal data or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Other Requirements for Covered Entities.
Covered entities are required to publish a privacy notice that must contain certain information regarding an entity’s collection, use, disclosure and retention practice. Further, following in the footsteps of Colorado, Connecticut, Montana, Oregon, Delaware and Texas, the Act requires covered entities to recognize Universal Opt-Out Methods (UOOMs) within six months of the Act’s effective date. These UOOMs apply to targeted advertising and the sale of personal data. UOOMs are a mechanism by which consumers can exercise their right to “opt out” of a platform processing their personal data for certain purposes by sending a signal indicating the consumer’s opt out preferences.
In addition, the Act requires covered entities to conduct data protection assessments if there is a heightened risk of harm before conducting such processing. Activities that may have such heightened risk including certain targeted advertising practices, sale of personal data or processing sensitive information.
Children’s Data
The Act specifically prohibits the processing the personal data of consumers between the ages of 13 and 17 for certain activities, such as targeted advertising, without proper consent. This provision applies if the covered entity has actual knowledge or willfully disregards that the consumer is in this age group. This provision is similar to provisions regarding children’s data in Delaware and Oregon privacy laws. However, New Jersey takes it a step further by including an affirmative opt-in consent requirement and provides protection for individuals in a larger age range. Such expansive requirements around children’s data demonstrate legislatures increased focused on children’s privacy.
Exemptions
The exemptions included in the Act are much narrower than those in other privacy laws. Notably, the Act applies to nonprofit organizations that meet the threshold requirements detailed above. Additionally, the Act does not provide exemptions for institutions of higher education nor any exemption for information subject to the Family Educational Rights and Privacy Act (FERPA).
The Act exempts certain types of data and entities, such as personal health information as defined under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach Bliley Act (GLBA) financial institutions and some state agencies.
Enforcement
The Act does not contain any private right of action for consumers and will be exclusively enforced by the New Jersey Attorney General. Covered entities will have a 30-day cure period to remedy violations of the law for the first 18 months the law is effective. Similar to California, the Act also requires the Division of Consumer Affairs to issue regulations to effectuate the intent of the Act.
While there is much overlap between the Act and other consumer privacy laws, there are also notable differences that will affect covered entities’ compliance obligations. Therefore, during the period between the enactment and effective date, businesses subject to the Act should begin to assess current data collection and processing activities as well as any internal and public-facing policies.
[View source.]
