New Jersey Governor Signs Comprehensive Privacy Law

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 322 ("the Act"), making New Jersey the fourteenth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware. The Act will take effect on January 16, 2025.

Most of the Act's provisions cover the same ground as prior state privacy laws that follow the Virginia model by including the typical consumer rights and privacy policy disclosures and exclusions, with these primary exceptions:

• The Director of the Division of Consumer Affairs in the Office of the Attorney General has rulemaking authority (joining only California, Colorado, and Florida) with no specific scope or timeline.
• The required Universal Opt-Out Mechanism will allow consumers to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects – which is unique among the general state privacy laws to date – in addition to opting out of targeted advertising and sales of personal information.
• Controllers must obtain opt-in consent to process personal information when the controller has actual knowledge or willfully disregards that the consumer is a child who is at least 13 years of age and younger than 17 years of age, when that processing is for the purpose of targeted advertising, data sale, or profiling.
• The definition of biometric data includes data generated by automatic or technical processing of an individual's biological, physical, or behavioral characteristics. Most states do not include physical or behavioral characteristics in their biometric data definitions, although it is not clear how much of a practical difference this will make in application. Although physical and digital photographs as well as audio and video recordings are excluded from the definition, data generated from them to identify a specific individual is included.
• The Act defines "sensitive" data to include potentially all of a consumer's financial information (to the extent it is not covered by the Gramm-Leach-Bliley Act), which is also a first among the general state privacy laws.
• Personal information processed solely for the purpose of completing a payment transaction is excluded from the personal data of 100,000 New Jersey residents needed to meet the jurisdictional threshold.

We highlight key aspects of the Act below.

Application Thresholds

The Act applies to entities that conduct business in New Jersey or produce products or services targeted to New Jersey residents and who: (1) control or process the personal data of at least 100,000 New Jersey residents, excluding from that count those residents whose data is processed solely for the purpose of completing a payment transaction (which is not a typical exclusion from a number of residents threshold); or (2) control or process the personal data of at least 25,000 New Jersey residents and derive revenue, or receive a discount (in any amount) on the price of goods or services, from the sale of personal data.

Consumer Rights

The Act provides consumers with a familiar set of rights regarding their personal data, including confirmation of processing, access, correction, deletion, and portability, and allows consumers to opt out of the processing of personal data for targeted advertising, sales of their personal data, and profiling in furtherance of decisions with legal or similarly significant effects regarding the consumer.[1] Consumers are defined as New Jersey residents acting only in an individual or household context, which is consistent with all other states but California, which includes employees.

Children's Data

Like other state privacy laws, the Act defines the personal data of consumers known to be under 13 years old as "sensitive data" and requires controllers to process such data in accordance with the Children's Online Privacy Protection Act (COPPA). Controllers are required to obtain consent from consumers who they have actual knowledge or willfully disregard are at least 13 but younger than 17 before processing such consumers' personal data for targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Information Security

Like other state privacy laws, the Act generally requires companies to maintain reasonable and appropriate data security practices but does not enumerate specific safeguards (such as encryption or multifactor authentication).

Exemptions

The Act exempts a variety of entities and types of data, including:

• Protected heath information (PHI) collected by covered entities or business associates subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and
• Any financial institution, data, or affiliate of a financial institution subject to Title V of the GLBA.[2]

Like Delaware's privacy law, the Act has no broad exemption for HIPAA-covered entities and business associates, instead exempting specific types of health data, including HIPAA-covered PHI. HIPAA-covered entities and business associates that hold some personal data that is not PHI (for example, data of employees and certain marketing-related data) will have to conduct detailed assessments of their compliance obligations under the Act based on the nature and status of the personal data they process. Unlike some other state privacy laws, the Act does not exempt personal data protected by the Family Educational Rights and Privacy Act (FERPA) or processed by non-profit organizations or educational institutions. An earlier version of the Act had an express exemption for non-profits, but the signed version does not.

Privacy Notices

Like other comprehensive state privacy laws, the Act requires controllers to provide consumers a "reasonably accessible, clear, and meaningful" privacy notice with the typical disclosures regarding categories of personal data processed, purpose for processing, categories of third parties to which the controller may disclose the personal data, categories of personal data shared with third parties, how consumers may exercise their rights and appeal adverse decisions, whether data is sold or used for targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, mechanisms to opt out, notification of material changes, and an email address or other online contact mechanism.

Processor Contracts

The Act directs controllers and processors to enter into contracts requiring processors to:

• Impose a duty of confidentiality on all individuals processing personal data;
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
• Delete or return personal data at termination of the agreement;
• Demonstrate compliance with the Act upon request;
• Cooperate with the controller's data protection assessments; and
• Use subcontractors that are subject to the same privacy requirements as processors.

Universal Opt-Out Mechanisms

The Act requires controllers to recognize universal opt-out mechanisms (UOOMs) beginning July 16, 2025. Unlike other state privacy laws, the Act requires controllers to recognize universal opt-out mechanisms regarding profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Also, unlike most other state privacy laws, the Act prohibits the use of UOOMs that are configured to opt in by default, unless the controller is able to determine that the consumer has affirmatively selected the opt-in setting and that the setting reflects the consumer's actual choice to opt in to such processing. This provision appears to turn the opt-out framework into an opt-in regime when consumers use UOOMs, and it is not consistent with the rest of the Act, which expressly requires controllers to give consumers the opportunity to opt out of these activities. This provision may complicate controllers' compliance with other state privacy laws, such as those in California and Colorado that allow consumers to opt out via an UOOM and do not prohibit opt-in settings by default. Indeed, it is hard to square this provision with another provision in the Act that requires UOOMs recognized under the Act to be "as consistent as possible with any other similar platform, technology, or mechanism" required by law.

Definition of Sensitive Data

The Act is the first state privacy law to define "sensitive data" to include potentially all of a consumer's financial information (other than data covered by the Gramm-Leach-Bliley Act). The definition includes but is not expressly limited to "a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account." The scope of financial information covered by the definition is therefore potentially quite broad because the Act does not limit the term to the subset of financial information provided by way of example or otherwise define "financial information" according to any limiting principle.[3] Because the Act requires controllers to obtain opt-in consent before processing "sensitive data," companies will need to adjust their data processing practices regarding personal financial data to ensure compliance with New Jersey law.[4]

Data Protection Assessments

The Act contains typical provisions regarding data protection assessments (DPAs), requiring controllers to conduct DPAs for the following processing activities:

• Targeted advertising;
• Sales of personal data;
• Profiling, if certain risk factors are met;
• Processing sensitive data; and
• Any processing activities that present a "heightened risk of harm."

The Act prohibits controllers from processing information subject to a DPA prior to the completion and documentation of the DPA, but it allows a single DPA to address a comparable set of processing operations that include similar activities. However, unlike other state privacy laws, the Act does not expressly allow controllers to use DPAs they have prepared to satisfy other state laws that require data protection assessments that are similar in scope and effect to the requirements of the Act.

Enforcement

The New Jersey's Office of the Attorney General (OAG) has exclusive authority to enforce the Act. Notably, the Act grants the OAG's Division of Consumer Affairs broad authority to promulgate rules necessary to carry out the purposes of the law, making New Jersey the fourth state (along with California, Colorado, and Florida) to authorize rulemaking to further the purposes of a comprehensive privacy law. The Act does not provide a timeline for the rulemaking.

No Private Right of Action

The Act expressly precludes a private right of action for violations of the law.

30-Day Cure Period with Sunset Provision

The Act requires the OAG to provide controllers notice of and 30 days to cure violations if the OAG determines that a cure is possible. However, the cure provision sunsets on July 16, 2026, eighteen months after the law's effective date.

Looking Ahead

The New Jersey law adds yet another layer of privacy compliance complexity for U.S. businesses. While businesses should be able to use their current privacy compliance programs to account for most of the Act's statutory requirements, the Act imposes several unique obligations, increasing enforcement risk. Moreover, the OAG's rulemaking authority allows for possibly additional obligations and interpretations of the Act like the rules under California's, Colorado's, and Florida's privacy laws. As a result, proper and timely privacy compliance should be prioritized for businesses that do business and target consumers in New Jersey.

DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.

This post has been republished on NYU's Compliance & Enforcement blog.