In January, New Jersey adopted a comprehensive data privacy law that will require businesses to disclose their data privacy practices and impose limitations on the collection and use of personal data relating to New Jersey residents. The legislation, which is colloquially referred to as the New Jersey Data Privacy Act (NJDPA), goes into effect on Jan. 15, 2025. Following in the legislative footsteps of states like California and Virginia, the law imposes new regulatory requirements upon businesses in the name of protecting the privacy of the state’s residents. The New Jersey Office of the Attorney General will have exclusive enforcement authority, and there is currently no private right of action available under this act.
The NJDPA applies to a wide range of businesses, both within and outside New Jersey, as long as they meet certain criteria. The NJDPA regulates the “processing” of personal data, which is broadly defined to mean any operation performed on personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of data.
The NJDPA applies to individuals, businesses, and other entities (called “controllers”) that do business in New Jersey or produce products or provide services targeted to New Jersey residents and that control or process the personal data of at least 100,000 consumers (excluding personal data processed solely for purposes of completing a payment transaction). This threshold is lowered to 25,000 consumers if the controller derives revenue or other financial benefit from the sale of personal data. A consumer is defined as a New Jersey resident acting only in an individual or household context. The NJDPA defines “sale” as “sharing, disclosing, or transferring” data for money or other valuable consideration, similar to California’s Consumer Privacy Act (CCPA). However, like Colorado’s state privacy law, it does not define a specific percentage of revenue that must be derived from the sale of data.
The NJDPA does not apply to data processing “solely for the purpose of completing a transaction,” which is intended to exempt ordinary sales processing. It also excludes from the definition of “consumer” any “person acting in a commercial or employment context,” bringing it in line with the majority of states that carve out employment data from the scope of their comprehensive privacy laws.
Further, protected health information collected by an entity subject to HIPAA is also exempt from the law, as are financial institutions, affiliates and data regulated by the Gramm-Leach-Bliley Act, certain insurance institutions and clinical health research. The act, however, does not contain an exemption for nonprofits.
The NJDPA mirrors aspects of other landmark privacy laws like the CCPA and the European Union’s General Data Protection Regulation (GDPR) but includes unique provisions tailored to New Jersey’s residents and businesses, including:
Expanded Consumer Rights: Residents can access, correct, delete, or opt out of the sale or sharing of their personal data.
Transparency Requirements: Companies must disclose what data they collect, why they collect it, and how it is used. They must provide to consumers a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data the business processes; its purpose for processing the data; the categories of all third parties to which it may disclose the personal data and which categories of data it may disclose; information on how consumers may exercise their rights and appeal the controller's decisions; the process by which the controller notifies consumers of material changes to their notice, along with the effective date of the notice; and an active email address or other online mechanism the consumer may use to contact the controller.
Data Minimization: Companies are required to limit the data they collect to only what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is processed—unless the controller obtains the consumer's consent.
Stricter Consent Rules: Companies must obtain clear and affirmative consent before processing sensitive personal information.
NJDPA applies to "personal data," which is any information that is "linked or reasonably linkable to an identified or identifiable person," and, like other states' privacy laws, excludes de-identified data and publicly available information.
The NJDPA imposes stricter requirements for the collection and processing of “sensitive data.” Sensitive data is defined under the law to include information revealing racial or ethnic origins, religious beliefs, physical health condition, treatment, or diagnosis, sexual orientation, precise geolocation, and genetic or biometric data. Notably, New Jersey’s law is distinct from data privacy laws adopted by other states in that the definition of sensitive data also includes certain financial information. For consumers aged 13 to 16 years old, the law prohibits the processing of their personal data for purposes of targeted advertising, consumer profiling, or sale of the data without affirmative consent. Information about those under the age of 13 is subject to the more stringent requirements of the federal Children’s Online Privacy Protection Act.
The NJDPA requires that, starting six months after its effective date, July 15, 2025, controllers must allow consumers to opt out of processing their personal data by using a user-selected universal opt-out mechanism (UOOM). A number of other states, including California, Connecticut, and Texas, also mandate the use of UOOMs. The law also authorizes the New Jersey Division of Consumer Affairs (DCA) to adopt rules and regulations as needed to clarify the technical specifications for UOOMs.
Additionally, controllers must maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure the data from unauthorized acquisition.
Controllers that wish to (i) sell any type of personal data, (ii) conduct certain targeted advertising or consumer profiling, or (iii) collect and use sensitive data in any way must first perform a “data protection assessment.” The data protection assessment requires the controller to identify and weigh the benefits of processing the data against the potential risks to the rights of the consumer and must account for the reasonable expectations of the consumer.
NJDPA requires controllers who receive a request from a consumer seeking to exercise these rights to respond to the consumer within 45 days, unless it is reasonably necessary to extend that time and the controller notifies the consumer of the extension within 45 days.
Controllers must also establish a process for consumers to appeal denials of their requests, within a reasonable time after communicating that denial. The appeal process must be “conspicuously available and similar to the process for submitting [initial requests].” If the controller denies an appeal, the controller must provide a way for the consumer to contact the DCA to file a complaint.
Before initiating an action, the DCA must provide notice to the controller or processor, giving 30 days to cure the noticed violation, if a cure is deemed possible. The cure provision expires 18 months after NJDPA becomes effective. The NJDPA takes effect on Jan. 15, 2025; however, the DCA is the authorized agency to take any anticipatory administrative action in advance of the effective date to implement the act. NJDPA requires the DCA to promulgate implementing rules and regulations to effectuate its purpose, which is currently underway.
With the advent of the NJDPA, New Jersey is offering its residents enhanced consumer privacy protections, and businesses that control and process personal data of New Jersey residents should take stock of their obligations under the new law.
Michael P. O’Mullan is managing partner of Riker Danzig and a member of the firm’s commercial litigation group and cybersecurity & data privacy group. Robert P. Vacchiano is counsel in Riker Danzig’s insurance and reinsurance group and cybersecurity & data privacy group. Labinot A. Berlajolli is a former deputy attorney general – affirmative civil enforcement at the New Jersey Attorney General’s Office and an associate in Riker Danzig’s commercial litigation group and cybersecurity & data privacy group.