Starting Jan. 15, 2025, the New Jersey Data Protection Act (the “Act”) goes into effect. If you are thinking, “Yawn, yet another state privacy law that reads like gibberish but luckily doesn’t affect my company,” you may be wrong. Do you have 100,000 New Jersey customers or visitors to your website annually? If yes, we recommend you keep reading.
Application. The Act will apply to an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing any information that is linked or reasonably linkable to an identified or identifiable person (controller) (i) conducting business in New Jersey or targeting New Jersey residents and (ii) either (a) controlling or processing personal data of at least 100,000 consumers excluding data processed solely for the purpose of completing a payment transaction or (b) controlling or processing personal data of at least 25,000 consumers and deriving any revenue or receiving any discounts from selling personal data. A revenue threshold that may have saved your company from compliance with other state privacy laws, like California, isn’t present here.
Sale or selling is broadly defined in the Act and includes “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration the controller to a third party.” For example, if you exchange personal information collected on your website for better advertising insights, then this may be considered a sale because the company is receiving valuable consideration (e.g., how many people looked at a certain product) in exchange for personal data.
A controller is “an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.” For example, if you have a commercial website, you normally collect personal data on every user who visits your website.
Action Items for Businesses That Collect Data from New Jersey Residents
Action Item No. 1: Update your external privacy policy
The Act requires controllers of New Jersey resident personal data to provide an accessible, clear and meaningful privacy notice to consumers that must include: the categories of the personal data that it processes; the purpose for processing personal data; categories of all third parties to which the controller may disclose a consumer’s personal data; categories of personal data that the controller shares with a third party; how consumers may exercise their consumer rights, including the controller’s contact information and how a consumer may appeal a controller’s decision with regard to the request; the process by which the controller notifies consumers of material changes to the notification required to be made available and the effective date of the notice; and an active email address or other online mechanism that the consumer may use to contact the controller. Controllers can begin to meet these requirements by having a privacy policy drafted and posted to their websites or in person as required.
Action: Review and update your privacy policy if needed by Jan. 15, 2024.
Action Item No. 2: Prepare to process data subject rights requests
Consumers have the right to:
- Confirm personal data collected
- Correct inaccuracies in personal data
- Delete personal data
- Obtain a copy of the personal data
- Opt out of processing of certain processing of personal data
A controller must respond to a verified consumer request within 45 days. To best field these responses, controllers can set up mechanisms to receive requests from consumers. This can include having an email listed for consumers to contact or provide consumers with a request form. Requests submitted by email may result in cryptic requests such as an email header containing only the word “delete” and controllers will need to direct internal resources to handle these requests. A request form can have mandatory fields and eliminate free text that will make capturing the request in a record format easy to track in your database. If your company has a good data map, a form can be used in automating the handling of the request.
Action: Draft a data subject access request (“DSAR”) policy for handling DSARS. Using the policy, develop the process for handling DSARS.
Action Item No. 3: Add a universal opt-out mechanism
Beginning June 15, 2025, a controller that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers to exercise the right to opt out of such processing through a user-configured universal opt-out mechanism. This is not the same as a Do Not Track signal. Instead, users can opt out of the sale and sharing of their personal information by using a browser that supports a universal opt-out mechanism, such as Global Privacy Control (“GPC”) or downloading and installing a plugin that supports a universal opt-out mechanism on their web browser. The Act requires controllers who sell personal data or collect personal data for targeted advertising to honor the mechanism setting before the user even clicks through the privacy pop-ups on the website.
The Division of Consumer Affairs in the Department of Law and Public Safety is permitted to adopt rules and regulations that detail the technical specifications for one or more universal opt-out mechanisms. We do not have insight as to when those specifications will be provided, but because states often replicate solutions from other states, it might be helpful to review how the Colorado attorney general selected a universal opt-out mechanism (see https://privacycg.github.io/gpc-spec/). The GPC is also accepted by the California Privacy Protection Agency and attorney general. It is unlikely that New Jersey will choose a specification that would not be compatible with California and Colorado.
Much of a company’s regulatory privacy obligations are not easily verified without an internal investigation. For example, a company can state that it has reasonable security measures in place. Because those security measures are internal to a company, those measures are not normally called into question unless there is an incident that leads to a publicly reported data breach. That is not the case for determining how a company honors a user’s cookie choices and the configuration of a universal opt-out mechanism. The result of the cookie choices and the configuration of the universal opt-out mechanism can be seen by viewing cookies left on the browser. If a user opts out of advertising cookies and advertising cookies are still being placed on the browser, that is proof that the user’s choice was not properly implemented. We do not have insight at this time as to what the focus of enforcement will be under this new law, but common sense tells us that this would be low-hanging fruit for the enforcement team. The New Jersey Division of Consumer Affairs is given rulemaking authority and shall have sole and exclusive authority to enforce a violation. The Act expressly states that there is no private right of action for violations.
Action: Draft a policy and procedures for the universal opt-out mechanism and then either purchase an off-the-shelf solution or develop a solution inhouse that supports the procedures.
Action Item No. 4: Conduct a risk of harm to consumers analysis
Controllers will also be required to conduct a data protection assessment before processing personal data that presents a heightened risk of harm to a consumer. Determining whether processing presents a “heightened risk” includes : the processing personal data for purposes of targeted advertising or profiling if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or physical injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns of consumers if the intrusion would be offensive to a reasonable person or other substantial injury to consumers; and selling personal data and processing sensitive data. A data protection assessment is a process where organizations analyze how data is collected, stored, used and retained, identify the risks associated with each process, and then evaluate how to reduce the risks identified.
Action: Adopt a risk assessment approach and conduct a risk assessment. Then apply the findings of the risk assessment to determine if there is a heightened risk of harm to consumers.
Processors are the controller’s service providers that follow the processing instructions provided by the controller.
Action Item No. 5: Extend protection of personal data through service provider obligations
What Processors Must Do. The Act also controls for how processors act, including requiring processors to assist the controllers to meet their obligations under the Act. The Act requires certain contract provisions to be in place and binding on both parties between processors and controllers. These include: the processing instructions to which the processor is bound, including the nature and purpose of the processing; the type of personal data subject to the processing, and the duration of the processing; at the discretion of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; the processor shall make available to the controller all information necessary to demonstrate compliance with obligations in this Act; and the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller’s designated assessor.
Action: Incorporate privacy and security contractual obligations into your company’s procurement process through the implementation of a data protection/processing agreement (“DPA”). Review current contracts and add DPAs where appropriate.
Other Unique Aspects of Law
Sensitive data as defined in the Act includes financial information that shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account.
Consumer consent is required for the processing of personal data of a consumer for targeted advertising, sale of personal data, or certain profiling if the consumer is between the ages of 13 and 17. Consent under the Act can be given by acceptance of an online written statement, but it does not include acceptance of general or broad terms or use of a similar document that combines data processing with other unrelated information.
If your organization already complies with the California Consumer Privacy Act, be aware that this Act requires affirmative opt-in consent from consumers to collect sensitive data. So, when updating or creating these policies, controllers should also prepare an explicit consent statement, if applicable, for the collection of sensitive data.
Conclusion. We have identified several action items above that may apply to your company. Depending on your company’s existing policies, procedures and infrastructure, you may already be well positioned to comply with the new law with little or no effort. For those companies that know they have work to do to comply, we recommend putting together a roadmap that identifies outstanding action items, action item milestones, action item owners and linear dependencies to be compliant on or before the Jan. 15, 2025, and July 15, 2025, deadlines.
