Just one month into 2024 and two states have already passed comprehensive consumer data privacy bills. In New Jersey, the legislature passed and on January 16 the governor signed S. 332 (“New Jersey Act”). And in New Hampshire, the legislature passed SB 225 (“New Hampshire Act”), which currently awaits Governor Chris Sununu’s signature. New Hampshire (if SB 225 is enacted) and New Jersey will thus join California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, bringing the total count to fourteen states with comprehensive data privacy laws. The New Jersey Act will take effect January 15, 2025, and the New Hampshire Act (if enacted) will take effect January 1, 2025.
If keeping up with the seemingly endless stream of comprehensive state privacy laws feels more overwhelming than sticking with your New Year’s Resolutions, there is some good news. Both the New Jersey Act and New Hampshire Act closely model the Connecticut Data Privacy Act that took effect in 2023. Each Act, however, also includes contains nuances worth your attention.
Broad applicability, with a Twist on Familiar Exemptions in New Jersey
The New Jersey Act applies to organizations that control or process personal data of at least 100,000 New Jersey residents, excluding personal data processed solely for the purpose of completing a payment transaction or those that hold personal data on at least 25,000 individuals while generating revenue from the sale of that personal data. Notably, the New Jersey Act does not impose a minimum revenue threshold on businesses that sell personal data, and further distinguishes itself by including nonprofit organizations or institutions of higher education within its scope.
While the New Jersey Act includes many common data-level exemptions for data processed under the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA), it stands apart from other laws and does not exempt educational data subject to the Family Educational Rights and Privacy Act (FERPA). Data relating to state residents acting in a commercial or employment context, however, will be exempt.
The New Hampshire Act’s scope and applicability will be more familiar to those tracking the development of state privacy laws. If enacted, the New Hampshire Act will apply to organizations that conduct business in New Hampshire or that produce products or services that are targeted to New Hampshire residents and that during a one year period: (a) Controlled or processed personal data of at least 35,000 consumers, excluding personal data or processed solely for the purpose of completing a payment transaction; or (b) Controlled or processed personal data of at least 10,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data.
Consumer rights that generally align with non-California state privacy laws
Both acts include consumer rights that generally align with the Connecticut Data Privacy Act and those that apply under other non-California state laws. Both Acts will provide their state’s residents with right to (1) know whether an organization is processing their personal data, (2) access such personal data, (3) correct inaccuracies in their personal data, (4) delete their personal data, and (5) data portability. Additionally, New Jersey residents will have the right to opt-out of sales of personal data and profiling in furtherance of decisions that produce legal (or similar significant effects) concerning the resident, but New Hampshire residents will only have the right to opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Universal Opt-out Mechanisms
Both New Jersey and New Hampshire join the growing trend of requiring organizations to respond to universal opt-out mechanisms (“UOOMs”). The New Hampshire Act would require controllers to allow a consumer to opt out of any processing of personal data for the purposes of targeted advertising or any sale of personal data through an opt-out preference signal, which requires the consumer to make an affirmative choice to opt out of the processing of such personal data. The New Jersey Act will require the same six months after the Act takes effect.
The New Jersey Act further distinguishes itself, however, by requiring UOOMs to allow users to signal their desire to opt out of profiling when such technology exists, in addition to opt-outs for sales and targeted ads. The New Jersey Act directs the Division of Consumer Affairs in the Department of Law and Public Safety to adopt rules and regulations concerning the technical specifications for UOOMs.
Data Protection Impact Assessment Before Higher Risk Processing
The New Jersey Act requires organizations to conduct a data protection impact assessment for “processing that presents a heightened risk of harm to a consumer” before conducting such processing. The New Hampshire Act, if enacted, will also require controllers to conduct those assessments but does not specifically require those assessments to take place prior to processing. Under both acts, high-risk processing activities requiring a data protection impact assessment include targeted advertising and profiling, sales of personal data, and the processing of sensitive data.
Stricter Requirements for Children’s Data
Both the New Hampshire and New Jersey Acts create heightened protections for children’s data. Each requires opt-in consent for the processing of personal data of children between 13 and 16 for the purposes of targeted advertising or for selling personal . The New Jersey Act also requires opt-in consent for profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Both Acts require organizations that control or process personal data of children under the age of 13 to comply with the Children’s Online Privacy Protection Act (COPPA).
These heightened protections for children’s data are similar to those contained in the Delaware Privacy Act and demonstrate an increasing interest in state protection of children’s data. Understanding whether your organization processes children’s data and the associated risks should thus be top of mind for any organization going into 2024.
Rulemaking provisions
Joining the group of states whose laws contemplate the adoption of more granular and detailed implementing rules (which currently includes Colorado and California), the New Jersey Act grants broad authority to the New Jersey Director of the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate rules to effectuate the purpose of the New Jersey Act.
The New Hampshire Act also contemplates rulemaking, but of a much narrower sort: the law directs the New Hampshire Secretary of State to develop standards for privacy policies.
Both acts, therefore, will both warrant careful observation as these implementing rules emerge over the next year.
Exclusive enforcement authority for AGs, with no private right of action
Fortunately, neither the New Jersey Act nor the New Hampshire Act contains a private right of action. Both Acts reserve exclusive enforcement authority to their respective state attorneys general. The New Jersey Act allows a 30-day notice-and-cure period that sunsets in July 2026. While New Hampshire (if enacted) will allow for a 60-day notice-and-cure period for violations. The New Hampshire cure period does not sunset completely but beginning in 2026, the cure period is subject to the attorney general’s discretion.
* * * *
2023 saw five comprehensive state privacy laws take effect and three more will become effective in 2024: Oregon (July 1, 2024), Texas (July 1, 2024), and Montana (October 1, 2024). New Hampshire and New Jersey’s entry into the game signal that this trend continues apace in 2024, and that this patchwork of state privacy law will only become more intricate and complex.
