Effective date

The New Jersey privacy law will take effect on January 15, 2025, the 365^th day following the date of enactment.

Scope and applicability

The law applies to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year either (1) control or process the personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or (2) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. Notably, the scope and applicability section does not specify a revenue percentage threshold.

Nonprofits

Unlike most of the other state comprehensive privacy laws, there is no exemption for nonprofit organizations.

Key exemptions

The New Jersey law contains many of the same exemptions found in the comprehensive privacy laws enacted by other states. For example, there are exemptions for

• Protected health information collected by a covered entity or business associate that is subject to the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services and pursuant to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.
• Financial institutions, data, or affiliates of a financial institution subject to Title V of the Gramm-Leach-Bliley Act.
• The sale of a consumer’s personal data by the New Jersey Motor Vehicle Commission under the Drivers’ Privacy Protection Act.
• Personal data collected, processed, sold, or disclosed by a consumer reporting agency as authorized by the Fair Credit Reporting Act.
• Any state agency, political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision.

The New Jersey law does not exempt data subject to the Family Education Rights and Privacy Act.

Definition of “sensitive data”

“Sensitive data” means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, including a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data. New Jersey joins California in including financial information within its definition of “sensitive data.”

Privacy policy content

The New Jersey privacy law requires privacy policies to disclose the following information:

• The categories of the personal data that the controller processes.
• The purpose for processing personal data.
• The categories of all third parties to which the controller may disclose a consumer’s personal data.
• The categories of personal data that the controller shares with third parties, if any.
• How consumers may exercise their rights, including the controller’s contact information and information regarding how a consumer may appeal a controller’s decision with regard to the consumer’s request.
• The process by which the controller notifies consumers of material changes to the notification required to be made available under the law, along with the effective date of the notice.
• An active email address or other online mechanism that the consumer may use to contact the controller.

Additionally, if a controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, it must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

Data subject rights

The law contains many of the standard data subject rights, including the following:

• The right to confirm whether a controller processes the consumer’s personal data and to access that data.
• The right to correct inaccuracies.
• The right to delete.
• The right to data portability.
• The right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

A controller that receives a verified request from a consumer to exercise his or her data subject rights must respond within 45 days of receipt. This initial 45-day period may be extended by an additional 45 days if reasonably necessary. Consumers may appeal a controller’s refusal to take action on a request, and the controller must respond to an appeal within 45 days.

Universal opt-out mechanism requirement

Controllers that process personal data for purposes of targeted advertising or the sale of personal data must recognize a consumer’s right to opt-out through a user-selected universal opt-out mechanism. This requirement is effective no later than six months after the effective date of the law. The law also allows consumers to designate an authorized agent using technology (when the technology exists) to indicate the consumer’s intent to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Data protection impact assessment requirement

Data processing that presents a heightened risk of harm to a consumer is prohibited unless the controller conducts and documents a data protection assessment. The following types of processing present a heightened risk of harm: (1) processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, financial or physical injury to consumers, a physical or other intrusion upon the solitude or seclusion of consumers, or other substantial injury to consumers; (2) selling personal data; and (3) processing sensitive data.

Rulemaking authority

The Director of the Division of Consumer Affairs in the Department of Law and Public Safety has been directed to promulgate regulations that are necessary to carry out the law. California and Colorado are the only states that have promulgated privacy regulations thus far.

Enforcement

There is no private right of action under the New Jersey law.

Cure period

Until the first day of the 18^th month after the effective date, the state Division of Consumer Affairs is required to issue a cure notice to the controller before bringing an enforcement action.

Stay on top of privacy developments

New Jersey is the first state to enact a comprehensive privacy law in 2024, but we anticipate more as the year progresses. Consumer privacy laws in Florida, Montana, Oregon, and Texas will become effective in 2024.