[co-author: Vertis McMillan]

New Jersey has become the first state to enact a comprehensive consumer privacy law in 2024. The New Jersey Data Privacy Act will take effect January 15, 2025.

The law draws inspiration from the comprehensive state consumer privacy laws that have come before it, but leaves its mark with:

• A Broader Scope of Applicability: Including applying to small businesses, nonprofits and educational institutions.
• Narrower / More Ambiguous Exceptions: Including a less clear B2B and employee data exception, a narrower Fair Credit Reporting Act (FCRA) exception and a narrower Health Insurance Portability and Accountability Act (HIPAA) exception.
• Financial Information as Sensitive Data: Including a potentially broad definition of “financial information” as “sensitive data.”
• Child-Focused Privacy Provisions: Including classifying personal data of children under 13 as “sensitive data” subject to consent requirements and imposing separate consent requirements for selling personal data of children under 17 or processing their personal data for targeted advertising / profiling purposes.

Otherwise the New Jersey law largely tracks similar comprehensive state consumer privacy laws.

Who is required to comply?
What information is protected?
What obligations do controllers have?
What obligations do processors have?
What rights does the law grant consumers?
How is the law enforced?

Who is required to comply?

Controllers and Processors

The New Jersey Data Privacy Act applies to controllers that conduct business in New Jersey or produce products or services that target New Jersey residents if the companies:

• Control or process the data of at least 100,000 New Jersey consumers; or
• Control or process the personal data of at least 25,000 New Jersey consumers and derive revenue (or receive a discount on the price of any goods or services) from the sale or personal data.

Most obligations the law imposes apply to controllers (i.e., entities that determine the purpose and means of processing personal data). The law also imposes obligations on processors (i.e., the entities processing personal data solely on behalf of the controllers) either by contract or by direct application of the statute.

Small Businesses, Nonprofits and Educational Institutions

Following the trend of other comprehensive state consumer privacy laws, the New Jersey law does not have a specified revenue threshold for its scope of applicability. That means small companies that process sufficient personal data will be subject to the law.

In addition, New Jersey is one of the few states to apply its comprehensive consumer privacy law to nonprofit organizations.

Lastly, the New Jersey law does not exempt institutions of higher education or data regulated by the federal Family Educational Rights and Privacy Act, which are relatively common under the other comprehensive state consumer privacy laws.

Other Statutory Exemptions

The New Jersey privacy law incorporates an exception for business-to-business and employee-related data through its definition of “consumer” (i.e., it does not include a person acting in a commercial or employment context). Yet the law stops short of incorporating a broader / clearer B2B / employee data exception like those found in the other comprehensive state consumer privacy laws. This invites ambiguity as to whether the exceptions should be read as broadly as those in the other statutes.

In addition, the law incorporates exceptions common to comprehensive state consumer privacy laws, including exceptions for:

• New Jersey government entities.
• Financial institutions subject to the Gramm-Leach-Bliley Act.
• Data collected, processed, sold or disclosed by a consumer reporting agency pursuant to the FCRA (this exception is written somewhat more narrowly than exceptions in other states).
• Protected health information collected by a covered entity or business associate subject to HIPAA. (This exception does not extend broadly to personal data processed by a HIPAA covered entity).

The law also contains a number of additional limitations on the authority of the New Jersey privacy law that are beyond the scope of this article.

What information is protected?

Personal Data

The New Jersey Data Privacy Act protects “Personal Data,” which is defined broadly to mean information that is linked or reasonably linkable to a person.

Sensitive Data

The law delineates “Sensitive Data” as a separate category of personal data that includes:

• Personal data revealing racial or ethnic origin.
• Religious beliefs.
• Mental or physical health condition, treatment or diagnosis.
• Sex life or sexual orientation.
• Citizenship or immigration status.
• Status as transgender or non-binary.
• Genetic or biometric data.
• Personal data collected from a child the company knows is under 13.
• Precise geolocation data.

The law also defines “Sensitive Data” to include financial information such as “a consumer’s account number, account log-in, financial account, or credit or debit card number” along with other information that would permit access to a consumer’s financial account. Construed narrowly, this would align New Jersey’s definition of sensitive data with California’s definition of “sensitive personal information” when it comes to financial accounts. However, ambiguity in the way the term “financial information” is incorporated into the definition of “sensitive data” invites uncertainty regarding whether other types of financial information may qualify as sensitive data under the law.

De-identified Data and Publicly Available Information

Like the other comprehensive state consumer privacy laws, the one in New Jersey excludes de-identified data and publicly available information from the definition of Personal Data.

What obligations do controllers have?

The New Jersey privacy law requires controllers to:

• Privacy Notice: Provide consumers with a reasonably accessible, clear and meaningful privacy notice about the controller’s privacy practices and consumer’s rights.
• Data Minimization: Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purpose for which such data is processed, as disclosed to the consumer.
• Purpose Limitation: Not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent, or an exception applies.
• Sensitive Data Restriction: Not process sensitive data concerning a consumer without first obtaining the consumer’s consent.
• Children’s Data Restriction:
  • Not process data about a child under 13 without obtaining consent and otherwise processing such data in accordance with COPPA.
  • Not process personal data of a consumer for purposes of targeted advertising, personal data sales or profiling in furtherance of decisions that produce legal or similarly significant effects without the consumer’s consent, under circumstances where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years old but younger than 17 years old.
• Reasonable Security: Establish, implement and maintain administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition.
• Data Protection Assessments: Conduct data protection assessments for:
  • The processing of personal data for purposes of targeted advertising.
  • The processing of personal data for purposes of profiling that presents a reasonably foreseeable risk to the consumer.
  • The sale of personal data.
  • The processing of sensitive data.
  • Any processing activities involving personal data that present a heightened risk of harm to consumers.
• Processor Contracts: Enter into a contract with any processor that includes instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the manner in which the processor must assist the controller.
• No Discrimination:
  • Not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
  • Not discriminate against a consumer if the consumer chooses to opt out of the processing.

What obligations do processors have?

The New Jersey privacy law requires processors to (among other things):

• Assist Controllers: Adhere to the instructions of the controller and help the controller meet its obligations under the law.
• Confidentiality: Ensure each person processing personal data is subject to a duty of confidentiality.
• Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Establish a clear allocation of the responsibilities between the processor and the controller for implementation.
• Contract Obligations: Enter into the necessary contract with the controller and ensure each subcontractor is subject to a written contract that requires the subcontractor to meet the obligations of the processor with respect to personal data.

What rights does the law grant consumers?

The new law provides the following rights:

• Right to Know: To confirm whether a controller processes the consumer’s personal data.
• Right to Access / Portability: To obtain access to the consumer’s personal data and a copy of the data in a readily transmittable form.
• Right to Correction: To correct inaccuracies in the consumer’s personal data.
• Right to Deletion: To delete the consumer’s personal data.
• Right to Opt Out: To opt out of processing personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

In line with a growing trend among comprehensive state consumer privacy laws, the New Jersey Data Privacy Act will require controllers to receive and effectuate user-selected universal opt-out mechanisms (starting July 15, 2025) and provide consumers the right to appeal decisions.

How is the law enforced?

The New Jersey Attorney General will enforce the privacy law through civil actions and injunctive relief under New Jersey’s Consumer Fraud Act, which carries penalties of up to $10,000 for the first and up to $20,000 for subsequent violations. However, the Act provides a 30-day cure period for any violation (until July 15, 2026), and there is no private right of action.

Conclusion

New Jersey’s privacy law follows the framework set by proceeding comprehensive state consumer privacy laws. However, it applies to a broader range of organizations and adds ambiguity / nuance to common obligations. The law grants the Division of Consumer Affairs rulemaking authority to issue rules and regulations to effectuate its purposes, so we may get clarity on the less precise provisions before it takes effect. However, companies that have implemented privacy programs to address other comprehensive state consumer privacy laws should be in good shape to extend their programs to address the New Jersey law, too.