New Jersey Becomes Latest State to Enact Comprehensive State Privacy Law

Balch & Bingham LLP

On January 16, 2024, New Jersey (NJ) Governor Phil Murphy signed into law S332/A1971, making New Jersey the latest state with a comprehensive state privacy law. (This follows similar comprehensive state privacy laws in CA, CO, CT, DE, IN, IA, MT, OR, TN, TX, UT, and VA.) The law becomes effective one year after its enactment, which will be January 15, 2025. Entities subject to the law (“controllers”) will have six (6) months after the effective date to comply, and a 30-day cure period for violations will be available for eighteen (18) months after the effective date.

Some high-level notes on New Jersey’s privacy law:

A. Applicability.

Similar to many previous laws, the NJ law applies to “controllers” that: (a) conduct business in the state or produce products or services targeted to NJ residents, and that (b) meet the following additional threshold criteria. Those criteria include that the controller: (i) controls or processes the personal data of at least 100,000 NJ consumers (excluding personal data processed solely to complete a payment transaction); or (ii) controls or processes the personal data of at least 25,000 NJ consumers and derives revenue, or receives a discount on the price of any goods or services, from the “sale” of personal data. NJ’s definition of “sale” adopts the broader definition used in some other states: the disclosure or exchange of personal data to a third party “for monetary or other valuable consideration”.

Also like many states (but not California), the law only applies to consumers acting in an individual or household context, and not to individuals acting in a commercial or employment context (i.e., it does not extend to employees or the B2B context).

The final version of the law does not contain an exemption for non-profit organizations. It also contains data-level exemptions for de-identified data, “personal health information” (PHI) regulated by HIPAA, as well as an entity-level exemption for financial institutions regulated under Gramm-Leach-Bliley (GLBA), along with several other data-level and entity-level exemptions (e.g., insurance institutions, permitted sales of personal information by the state motor vehicle commission, consumer reporting agencies, etc.) seen in many other state privacy laws.

B. Obligations of Controllers.

Controllers subject to the NJ law have a number of obligations seen in other state laws:

  • Data Minimization and Purpose Specification. Controllers must limit the collection of personal information to what is “adequate, relevant and reasonably necessary” in relation to the purposes for which the data is processed, as disclosed to the consumer. Controllers must also specify the express purposes for which personal data is processed.
  • Privacy Notice. Like many other state privacy laws, controllers must provide a reasonably accessible, clear, and meaningful privacy notice including: (1) the categories of personal data processed by the controller; (2) the purposes for processing personal data; (3) the categories of third parties to whom the personal data is disclosed; (4) the categories of personal data shared with third parties; (5) how consumers may exercise their rights under the NJ law; (6) how the controller notifies consumers of material changes to the privacy notice; (7) the privacy notice’s effective date; and (8) an active email address or other online mechanism by which consumers may contact the controller.
  • Consent. Controllers must obtain consumer consent (i.e., “opt-in”) to process: (1) “sensitive data” (e.g., race, religion, health, financial information, citizenship, children’s data (must be processed in accordance with COPPA)); (2) personal data for purposes that are not reasonably necessary to or compatible with the purposes for which the data originally was processed, as disclosed to the consumer; and (3) personal data of individuals between 13 and 17 years old for the purpose of selling the data, serving targeted advertising, or “profiling” the individual (where the profiling would result in legal or similarly significant effects).
  • Data Security. Controllers must take reasonable measures (appropriate to the volume and nature of the personal data at issue) to establish, implement and maintain administrative, technical and physical safeguards to protect the confidentiality, integrity and accessibility of personal data and to secure personal data from unauthorized acquisition.
  • Data Protection Assessment. Like some states (e.g., Colorado), controllers may not process data that presents a “heightened risk of harm” to consumers without first conducting and documenting a data protection assessment. “Heightened risk of harm” is defined to include: (1) the processing of personal data for profiling or targeted advertising purposes; (2) the “sale” of personal data; (3) the processing of “sensitive data;” and (4) the processing of personal data for the purposes of “profiling,” where such profiling presents a reasonably foreseeable risk of: (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (b) financial or physical injury to consumers, (c) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person, or (d) other substantial injury to consumers.
  • Universal Opt-out Mechanisms. Also like Colorado, which recently finalized its short list of acceptable mechanisms, the law requires controllers engaged in targeted advertising or the “sale” of personal data to allow consumers to exercise the right to opt out of such processing through a user-selected universal opt-out mechanism. This requirement would be effective no later than six months following the NJ law’s effective date, and further details will be provided in forthcoming rules and regulations to be adopted by the Division of Consumer Affairs.

C. Consumer Rights.

In addition to the consent requirements above, the NJ law gives consumers the now-standard set of rights of: (1) access (as well as to confirm whether a controller processes the consumer’s personal data); (2) correction; (3) deletion; (4) data portability; and (5) opt-out of the processing of personal data for the purposes of (a) targeted advertising, (b) “sale,” and (c) “profiling” in furtherance of decisions that produce legal or similarly significant effects. Controllers will have 45 days to respond to consumer requests, with a potential 45-day extension where reasonably necessary.

D. Enforcement.

The law will be enforceable by the NJ Attorney General. There is no private right of action. The law requires the Director of the Division of Consumer Affairs to promulgate implementing rules and regulations, which shall be forthcoming. (Although the effective date is not until January 15, 2025, the Division of Consumer Affairs “may take any anticipatory administrative action in advance as shall be necessary for the implementation of this act.”)

The deadline for controllers to comply with the law’s provisions is six months after the effective date. For 18 months after the law’s effective date, controllers will have a 30-day cure period for violations. If the controller does not cure the violation(s) within that time, an enforcement action may be brought by the Attorney General.

E. Resources

While the final statutory text may not yet be publicly available, the reprint of the bill may be found here.

To see Governor Murphy’s signing statement, click here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Balch & Bingham LLP | Attorney Advertising
