Today another state privacy law went live in New Jersey. On January 16, 2024, Governor Phil Murphy officially signed Senate Bill 332 into law, establishing the New Jersey Data Privacy Act (NJDPA). This legislation positions New Jersey as the 14th state to enact a comprehensive consumer data privacy law, reflecting a growing trend toward enhanced data protection across the United States. Soon we will be at 20 states with privacy laws and over 95 countries with data privacy laws that we need to help businesses adhere to.
Scope and Applicability of NJDPA
The NJDPA applies to businesses that either conduct operations within New Jersey or offer products or services targeted at its residents, provided they meet one of the following criteria during a calendar year:
- Process or control the personal data of at least 100,000 consumers, excluding data processed solely for completing payment transactions.
- Process or control the personal data of at least 25,000 consumers and derive revenue or receive discounts from the sale of personal data.
Notably, the Act does not set a specific revenue threshold, meaning that even businesses with substantial revenues may be exempt if they do not meet the consumer data processing criteria.
Consumer Rights
Under the NJDPA, consumers are granted several rights concerning their personal data:
- Access: The right to confirm whether a controller is processing their personal data and to access such data.
- Correction: The right to correct inaccuracies in their personal data.
- Deletion: The right to delete personal data concerning them.
- Data Portability: The right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
- Opt-Out: The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
These rights empower consumers to have greater control over their personal information and its use by businesses.
Business Obligations
Businesses subject to the NJDPA are required to:
- Provide Clear Privacy Notices: Offer consumers a reasonably accessible, clear, and meaningful privacy notice detailing the categories of personal data processed, purposes for processing, categories of third parties with whom data is shared, and how consumers can exercise their rights. Did you know that Captain Compliance provides this exact solution and can automate these requirements for ongoing compliance?
- Implement Data Protection Assessments: Conduct assessments for processing activities that present a heightened risk of harm to consumers, such as processing sensitive data or engaging in profiling.
- Adhere to Data Minimization and Purpose Limitation Principles: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes and avoid processing data for unrelated purposes without obtaining consumer consent.
- Establish Data Security Practices: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of personal data.
These obligations align with practices seen in other state privacy laws, promoting transparency and accountability in data processing activities.
Exemptions
The NJDPA provides specific exemptions, including:
- Protected Health Information: Data collected by covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).
- Financial Institutions: Entities and data subject to the Gramm-Leach-Bliley Act (GLBA).
However, the Act does not exempt non-profit organizations or institutions of higher education, marking a departure from certain other state privacy laws.
Enforcement and Effective Dates
The New Jersey Attorney General holds exclusive authority to enforce the NJDPA. The Act explicitly states that it does not provide a basis for a private right of action. Most provisions will take effect on January 15, 2025, with requirements to recognize universal opt-out mechanisms becoming effective on July 15, 2025.
Implications for Businesses
Businesses operating in New Jersey should assess their data processing activities to determine applicability under the NJDPA. Given the absence of a revenue threshold, companies of varying sizes may be subject to compliance if they meet the specified data processing criteria. It is advisable for businesses to begin implementing necessary changes to policies, procedures, and systems to align with the Act’s requirements ahead of its effective dates.
In summary, the New Jersey Data Privacy Act represents a significant step in the state’s commitment to protecting consumer privacy, aligning with a broader national movement toward comprehensive data protection legislation. While there are a lot of similarities with other state privacy laws, Jersey has its own unique attributes, and businesses should not wait to get compliant, as it’s only a matter of time before a law firm in NJ pops up filing arbitration claims like Swigart Law is doing in California, costing business owners millions of dollars.