On January 8, 2024, the New Jersey Assembly and Senate passed Senate Bill 332 (S. 332, or the “Act”), and it was signed into law by Governor Phil Murphy on January 16. This makes New Jersey the first state to enact a comprehensive privacy law in 2024 (as we have previously written, the New Hampshire House passed a comprehensive privacy bill on January 4 that is currently awaiting Senate concurrence) and the 13th state overall with a comprehensive privacy law on the books. The law will go into effect 365 days from its enactment date (which will be January 15, 2025), and is notable in applying to nonprofit entities, provided that they meet the Act’s applicability thresholds.
The New Jersey law largely adheres to the framework we have seen in many recently enacted state comprehensive privacy laws (as opposed to California’s more prescriptive framework). Most notably, it does not include a private right of action or establish a privacy-specific regulatory entity. That said, the Act does include some unique provisions. For example, the Act is likely to apply more broadly than some other states’ privacy laws: it lacks some of the exemptions seen in other states’ laws (including, as noted above, for nonprofit entities), does not include any specific revenue thresholds in its applicability provisions, and features a broader definition of “sensitive data” (which reaches certain types of financial information). The Act also includes provisions that companies’ privacy compliance teams should be aware of, particularly with regard to data protection assessments and opt-out preference signals. Finally, the Act empowers the New Jersey Department of Law and Public Safety’s Division of Consumer Affairs to issue regulations related to the Act.
In this post, we summarize notable provisions of the New Jersey bill and highlight key takeaways for companies looking to understand how this bill will affect their privacy compliance obligations. To stay up to date on the latest state privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
KEY TAKEAWAYS
- Broader Applicability and Narrower Exemptions. The Act applies to entities that do business in New Jersey or target products or services to New Jersey residents and, in a calendar year, (1) process the personal data of at least 100,000 New Jersey residents or (2) process the personal data of at least 25,000 New Jersey residents and derive revenue, or receive a discount on goods or services, from the sale of personal data. Notably, unlike many state comprehensive privacy laws, the New Jersey law does not impose any revenue thresholds (e.g., a requirement that a controller derive a specific percentage of revenue from personal data sales or generate a certain amount of total revenue). Further, while the Act does include many of the standard comprehensive privacy law exemptions for data processed pursuant to federal statutes like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA), it omits certain other common exemptions, such as those for educational data subject to the Family Educational Rights and Privacy Act (FERPA) and for data processed by nonprofits or institutions of higher education.
- Financial Information as Sensitive Data. The New Jersey law is notable in including “financial information” as a form of sensitive data, defined as “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” This definition is similar to that used in the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA). Like many state comprehensive privacy laws, the New Jersey law requires companies to obtain consent from consumers before processing sensitive data.
- Data Protection Assessments. The Act requires companies to conduct a data protection assessment before undertaking any “processing that presents a heightened risk of harm to a consumer.” Activities presenting such heightened risk include certain forms of targeted advertising and profiling, sales of personal data, and processing of sensitive data.
- Opt-Out Preference Signals. The Act requires controllers to recognize requests to opt-out of processing of personal data for purposes of targeted advertising or sale of personal data sent via opt-out preference signals (which the Act refers to as “universal opt-out mechanism[s]”), beginning six months after the Act takes effect. The Act further grants the Division of Consumer Affairs authority to promulgate regulations detailing the technical specifications of those mechanisms.
- Heightened Protections for Children’s Data. The Act prohibits a controller from processing the personal data of a consumer for the purposes of targeted advertising, sale of personal data, or certain types of profiling without the consumer’s consent where the controller has actual knowledge, or willfully disregards, that the consumer is 13 to 16 years old. Personal data collected from a known child is separately classified as sensitive data, so its processing requires consent under the sensitive data provisions.
- No Private Right of Action. The Act does not contain a private right of action. Instead, the New Jersey Attorney General retains exclusive enforcement authority.
- Rulemaking Authority. The Act requires the Division of Consumer Affairs to issue rules and regulations to effectuate the Act’s purposes. To date, only California and Colorado have passed comprehensive privacy laws providing for such rulemaking authority.
- Effective Date. The Act will take effect 365 days after its enactment.
KEY PROVISIONS
- Key Definitions:
- Consumer: The Act defines “consumer” to mean “a resident of [New Jersey] acting only in an individual or household context” and specifically states that “a person acting in a commercial or employment context” is not a “consumer” for purposes of the Act.
- Sale: The Act defines “sale” to mean “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” The definition therefore reaches exchanges for “other valuable consideration,” not only monetary payment.
- Sensitive data: The Act defines “sensitive data” as “personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.” The inclusion of financial information is the notable departure from most other states’ definitions.
- Applicability Thresholds: The Act applies to controllers that conduct business in New Jersey or produce products or services targeted to New Jersey residents and during a calendar year: (1) control or process the personal data of at least 100,000 New Jersey residents (“excluding personal data processed solely for the purpose of completing a payment transaction”); or (2) control or process the personal data of at least 25,000 New Jersey residents and derive revenue or receive a discount on goods or services from the sale of personal data.
- Exemptions: The Act includes exemptions for certain types of entities and data categories, including health information under HIPAA; financial institutions and data subject to the GLBA; certain insurance institutions; certain personal data covered by the Driver’s Privacy Protection Act; personal data governed by FCRA; and state entities and political subdivisions of the state.
- Notably, the Act does not exempt nonprofit organizations or institutions of higher education. Further, the Act does not exempt data governed by several federal regimes that other states’ laws commonly exempt, such as personal data governed by FERPA.
- Privacy Notice: The Act requires controllers to provide consumers with a privacy notice that includes: (1) categories of personal data processed by the controller; (2) purposes for processing personal data; (3) categories of third parties to which personal data is disclosed; (4) categories of personal data that are shared with third parties (if any); (5) how consumers can exercise their rights under the Act and appeal a controller’s decisions as to exercises of such rights; (6) how the controller notifies consumers of material changes to the privacy notice; and (7) an active email address or other online contact mechanism for the controller. Additionally, a controller that processes personal data for purposes of targeted advertising, sale of personal data, or profiling must clearly and conspicuously disclose such processing and the method by which consumers can opt-out of such processing.
- Consumer Data Rights: The Act creates individual rights for consumers, including the right to confirm whether a controller is processing personal data and to access that data; the right to correct inaccuracies; the right to delete personal data; the right to obtain a portable copy of personal data; and the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Opt-Out Preference Signals: Beginning no later than six months following the Act’s effective date, a controller that processes personal data for purposes of targeted advertising or the sale of personal data must allow consumers “to exercise the right to opt-out of such processing through a user-selected universal opt-out mechanism.” Further, the Act grants the Division of Consumer Affairs authority to promulgate rules and regulations detailing the technical specifications for universal opt-out mechanisms.
- Notably, the Act also states that a consumer may “designate an authorized agent using technology … that allows the consumer to indicate the consumer’s intent to opt-out of the collection and processing for the purpose of any sale of data or for the purpose of targeted advertising or, when such technology exists, for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” The reference to “technology” means that an authorized agent need not be a natural person. The Act then states that controllers must comply with opt-out requests received through such authorized agents.
- Opt-In for Sensitive Data Processing: The Act prohibits controllers from processing sensitive data “without first obtaining the consumer’s consent.”
- Privacy by Design: The Act incorporates privacy by design principles, such as purpose limitation and reasonable security practices.
- Children’s Privacy: The Act prohibits controllers from processing personal data for purposes of targeted advertising, sale of personal data, or certain types of profiling without a consumer’s consent where the controller has actual knowledge, or willfully disregards, that the consumer is 13 to 16 years old.
- Data Protection Assessments: The Act requires that controllers not conduct processing activities that present a heightened risk of harm to a consumer without first conducting a data protection assessment in relation to such processing activity.
- “Heightened risk” activities include (1) processing information for targeted advertising or profiling “if the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial or physical injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers”; (2) selling personal data; and (3) processing sensitive data.
- Processor Duties: The Act imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.
- Enforcement: Only the New Jersey Attorney General may enforce the Act. Violations of the Act are considered unlawful practices under the New Jersey Consumer Fraud Act (P.L.1960, c.39 (C.56:8-1 et seq.)). Further, the Act grants the Division of Consumer Affairs rulemaking authority.
- Cure Period: During the first 18 months following the effective date, the Division of Consumer Affairs must issue a notice and grant a controller a 30-day cure period before any enforcement action is taken, provided the Division determines that a cure is possible. The cure period is not available after those first 18 months.
- Effective Date: The Act will go into effect 365 days following its date of enactment, i.e., on January 15, 2025.