New Jersey lawmakers just passed a bill that would create the state’s first consumer data privacy legal framework, providing consumers with more control over their personal information and requiring businesses to make significant changes to their data practices. Governor Phil Murphy now has 45 days to act on the bill after the state Senate and Assembly passed the final version on January 8. What are the 9 things NJ businesses should consider as we prepare for this significant new compliance obligation?

1. Will SB 332 apply to your business?

SB 332 applies to entities considered to be “data controllers” under the statute. These are companies that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and that during a calendar year either:

• control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
• control or process the personal data of at least 25,000 consumers and the business derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

2. Does SB 332 apply to employment or business-to-business entities?

As with most other states’ data privacy laws, SB 332 would not apply to employment or business to business data. The definition of “consumer” specifically excludes persons acting in a commercial or employment context, which would also eliminate job applicants from coverage under the law.  

3. How does SB 332 define “Personal Data”?

“Personal data” is any information that is linked or reasonably linkable to an identified or identifiable person. It does not include de-identified data or publicly available information.

4. What rights does SB 332 grant consumers?

Under SB 332, consumers will have certain rights to:

• confirm whether a business processes the consumer’s personal data and accesses such personal data (without requiring a business to provide the data in a manner that would reveal its trade secrets);
• correct inaccuracies in the consumer’s personal data, taking into account the nature of the information and the purposes of the processing of the information;
• delete personal data concerning the consumer;
• obtain a copy of the consumer’s personal data held by the business in a portable and readily usable format that allows the consumer to transmit the data to another entity (again, without requiring a business to provide the data in a manner that would reveal its trade secrets); and
• opt out of the processing of personal data for the purposes of (a) targeted advertising; (b) the sale of personal data; or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

5. Under SB 332, what type of privacy notice is required?

Businesses will need to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that shall include:

• the categories of the personal data that the business processes;
• the purpose for processing personal data;
• the categories of all third parties to which the business may disclose a consumer’s personal data;
• the categories of personal data that the business shares with third parties;
• how consumers may exercise their consumer rights, including the business’ contact information and how a consumer may appeal a business’ decision with regard to the consumer’s request;
• the process by which the business notifies consumers of material changes to the notification required to be made available pursuant to this subsection, along with the effective date of the notice; and
• an active electronic mail address or other online mechanism that the consumer may use to contact the business.

Additionally, if a business sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, this needs to be disclosed. The business needs to clearly and conspicuously disclose the sale or processing in a manner in which a consumer may exercise the right to opt out of either practice.

6. How does SB 332 compare to other states’ consumer privacy laws?

Although it conforms to most states’ treatment of employment and business-to-business entities, SB 332 differs from some other state laws as well. Notable comparators include:

• As noted above, the law will not apply to employment situations, unlike California’s broad requirements.
• The attorney general will have authority to create regulations related to the law, a model shared so far only with California and Colorado.
• The date for opt-in consent requirements on children is higher than the COPPA-standard 13 years of age. Similar to California, New Jersey will set the age at 16.
• The law will expressly require businesses to include the use of cookies/pixels and other tracking technology in its notice to consumers. This is similar to California but differs from some other states’ laws (such as Colorado and Virginia) which don’t specifically mention cookies.
• Businesses must conduct and document data privacy assessments prior to engaging in certain processing activities under the new law, contrary to most other states.
• Unlike a number of other consumer privacy laws, the law will apply to nonprofits that otherwise meet applicability standards (like Colorado’s privacy law).
• New Jersey’s law contains a 30-day right to cure that expires 18 months after the effective date. This is similar to the Virginia and Oregon laws (which also have 30-day cure periods), but not quite as long as Connecticut and Delaware (which have a 60-day cure periods).
• The law provides exemptions for regulated entities that are both similar to and different than those in other states. Like California and Colorado, it does not contain an entity-level exemption for HIPAA-covered entities or business associates, although it does exclude protected health information collected by such entities. On the other hand, following the trend elsewhere, both financial institutions and data subject to the GLBA are exempt from SB 332’s requirements.

7. How would SB 332 be enforced?

SB 332 grants exclusive authority to enforce its provisions to the Attorney General. Potential penalties include penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations. If there is any good news, it’s that there is no private right of action that would allow consumers to file claims against businesses in court.

8. What’s next?

If Governor Murphy approves or takes no action within 45 days, SB 332 will take effect one year after its enactment date.

9. What should businesses do to prepare for compliance?

If your business will be subject to SB 332, your next steps may include:

• Assessing your organization’s current data collection and privacy practices;
• Conducting an inventory of data that your organization has historically collected about consumers;
• Considering the types of data that your organization will likely collect about consumers in the future;
• Identifying the information that your organization collects about minors;
• Developing policies and procedures for responding to consumer requests; and
• Working with data privacy counsel to ensure that your organization is in compliance with SB 332.