On January 16, 2024, New Jersey became the fourteenth state to enact comprehensive privacy legislation after the passage of the New Jersey Data Privacy Act (“NJDPA”), adding to the growing national focus on consumer personal data protections, albeit at the state level. 

The NJDPA largely adopts the framework of consumer data privacy laws previously enacted in other states, and generally shares key definitions, business obligations, and core consumer rights governing the collection, use, and transfer of consumer data. However, the NJDPA deviates from the other state privacy laws in a few notable ways, as discussed below.

Nonprofits and Other Notable Exemptions. We have recently surveyed how each state privacy law addresses nonprofit and political organizations within its respective framework. Joining a growing minority of states (Colorado, Oregon, and Delaware), New Jersey does not broadly exempt nonprofit organizations.

In addition, notably absent from the NJDPA is an entity-level exemption for covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”). The law does contain, however, data-specific exemptions for personal health information subject to HIPAA. 

On the other hand, the NJDPA does contain both enterprise-level and data-specific exceptions for financial institutions and information subject to the Gramm-Leach-Bliley Act (“GLBA”).

Otherwise, the NJDPA contains familiar multi-tier jurisdictional thresholds, and will apply to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year meet any of the following criteria: (1) control or process the personal data of at least 100,000 New Jersey consumers; or (2) control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

Special Treatment of Sensitive Data. The NJDPA is generally in line with the majority of the state privacy laws concerning the requirement for prior consumer consent before a company can process sensitive personal data. However, the definition of sensitive personal data has a broader scope than otherwise found in other state laws, and includes, among other elements, a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. In this regard, the NJDPA borrows certain elements of sensitive personal information as defined under the GLBA.

Enforcement and Penalties. There is no private right of action under the NJDPA - California remains the only state whose privacy laws allow consumers to bring lawsuits for alleged violations. In a departure from other state privacy laws, the NJDPA does not specify any statutory fines. Instead, a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which separately provides for fines of up to US$10,000 for the initial violation and up to US$20,000 for subsequent violations. 

Next Steps

The NJDPA will take effect on January 15, 2025, while potential new comprehensive privacy laws continue to simmer in a handful of other states.