New Jersey recently became the first state to pass a comprehensive privacy law in 2024. New Jersey is the thirteenth state to pass such a law—and yet another comprehensive privacy law is making its way through New Hampshire’s legislature.
Key Provisions in New Jersey’s Privacy Law
New Jersey’s privacy law is set to take effect on January 15, 2025. Here are some of the key provisions of which business owners and executives should be aware:
1. Applicability
Entities that are subject to New Jersey’s privacy law are those that either: (i) process the personal data of at least 100,000 New Jersey residents; or, (ii) process the personal data of at least 25,000 New Jersey residents and derive revenue from selling these data. Unlike many comprehensive privacy laws already on the books, New Jersey’s law does not include a revenue threshold for applicability. As a result, entities that are not subject to other states’ privacy laws may need to address compliance in New Jersey beginning in 2025. It does contain exemptions for protected health information collected by covered entities or business associates under the Health Insurance Portability and Accountability Act (“HIPAA”).
2. Personal Data and Sensitive Data
New Jersey’s privacy law defines both “personal data” and “sensitive data,” and it applies different rules and requirements to each type of information. Under the statute, “personal data” means, “any information that is linked or reasonably linkable to an identified or identifiable person.” In contrast, “sensitive data” is a subset of personal data that includes, “data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; [and] financial information,” among personal and identifying characteristics. Understanding whether a particular piece of information constitutes personal data or sensitive data under the statute will be critical for establishing and maintaining compliance.
3. Data Protection Assessments
Entities that process “sensitive data” (including health data), sell personal data, conduct targeted advertising and engage in other activities that present “heightened risk” for consumers must conduct data protection assessments before collecting sensitive personal data from consumers. The statute includes specific requirements for conducting these assessments, including weighing “the potential risks to the rights of the consumer associated with the processing.”
4. No Private Right of Action
Similar to the laws in other states, while New Jersey’s privacy law is intended to protect consumers, it does not provide a private right of action. Instead, enforcement authority rests solely with the government. The statute gives the New Jersey Department of Law and Public Safety’s Division of Consumer Affairs the power to issue enabling regulations. The Attorney General of New Jersey currently has authority to enforce the law.
Additional Requirements
From instituting heightened protections for children’s data to implementing effective opt-out mechanisms, New Jersey’s comprehensive privacy law establishes several additional requirements as well.
