On January 16, 2024, New Jersey became the 13th state to adopt a comprehensive data privacy law when Governor Phil Murphy signed into law Senate Bill 332, the New Jersey Data Privacy Act (“NJDPA”). P.L.2023, c.266. The law requires businesses to disclose information about the personal data that they collect and imposes certain restrictions on the collection and use of that data.
The Scope of the New Jersey Data Privacy Act
The NJDPA regulates the “processing” of personal data, which is broadly defined to mean any operation performed on personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of data.
The NJDPA applies to individuals, businesses, and other entities (called “controllers”) that do business in New Jersey or produce products or provide services targeted to New Jersey residents and that control or process the personal data of at least 100,000 consumers (excluding personal data processed solely for purposes of completing a payment transaction). This threshold is lowered to 25,000 consumers if the controller derives revenue or other financial benefit from the sale of personal data.
Data and Entity Exemptions
Notwithstanding its broad scope, the law exempts from its scope certain types of entities, data, and data processing.
The NJDPA does not apply to data processing “solely for the purpose of completing a transaction.” It also excludes from the definition of “consumer” any “person acting in a commercial or employment context,” bringing it in line with the majority of states that carve out employment data from the scope of their comprehensive privacy laws.
Protected health information collected by an entity subject to HIPAA is also exempt from the law, as are financial institutions, affiliates, and data regulated by the Gramm-Leach-Bliley Act, certain insurance institutions, and clinical health research.
Privacy Notice Requirement
The NJDPA requires a controller to provide a privacy notice to consumers with information about the personal data that the controller processes and the purposes of the processing of data.
The law requires that the controller limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is collected. In order for a controller to process data for purposes beyond those previously disclosed, the controller must obtain the consumer’s consent.
The notice must indicate the categories of third parties to which personal data may be disclosed and the types of data disclosed, and how consumers may exercise their rights under the NJDPA.
Additionally, the notice must disclose information about the sale of any personal data, use of personal data for targeted advertising, and consumer profiling. The notice is also required to identify a means for the consumer to opt out of such sale or processing.
Finally, the controller must include in the notice an email address or other online mechanism that can be used to contact the controller.
The NJDPA provides consumers with rights concerning personal data in the possession of controllers, including the following:
Universal Opt-Out Mechanism (UOOM)
The NJDPA requires controllers that process personal data for the purposes of targeted advertising or sale to enable consumers to opt out of such processing through a Universal Opt-Out Mechanism (“UOOM”). A UOOM provides consumers with a method, such as a global privacy control built into a web browser or mobile device, by which they can automatically exercise their opt-out rights with all controllers without having to make an affirmative opt-out request with each controller.
Treatment of Sensitive Data and Data About Consumers Under 17 Years of Age
The NJDPA imposes stricter requirements for the collection and processing of “sensitive data.” Sensitive data is defined under the law to include information revealing racial or ethnic origins, religious beliefs, physical health condition, treatment, or diagnosis, sexual orientation, precise geolocation, and genetic or biometric data. Notably, New Jersey’s law is distinct from data privacy laws adopted by other states in that the definition of sensitive data also includes certain financial information.
For consumers aged 13 to 16 years old, the law prohibits the processing of their personal data for purposes of targeted advertising, consumer profiling, or sale of the data without affirmative consent. Information about those under the age of 13 is subject to the more stringent requirements of the federal Children’s Online Privacy Protection Act.
Data Security and Data Processing Assessments
In addition to the above, controllers must maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure the data from unauthorized acquisition.
Controllers that wish to (i) sell any type of personal data, (ii) conduct certain targeted advertising or consumer profiling, or (iii) collect and use sensitive data in any way must first perform a “data protection assessment.” The data protection assessment requires the controller to identify and weigh the benefits of processing the data against the potential risks to the rights of the consumer and must account for the reasonable expectations of the consumer.
Service Provider Oversight
The NJDPA also regulates entities known as “processors” that process personal data on behalf of controllers. Processors are required to assist controllers in complying with the requirements of the NJDPA, to maintain confidentiality with respect to personal data, and to enter into written contracts with their subcontractors that ensure compliance with the new law. Those contracts must specify:
Enforcement and Effective Date
The NJDPA provides for the Department of Law and Public Safety to adopt rules and regulations to effectuate the law, and the State Attorney General’s Office has exclusive authority to enforce the law.
Late amendments drew questions as to whether the NJDPA provides for a private right of action. The Governor, in his signing statement, was clear:
[N]othing in this bill expressly establishes such a private right of action, and the provision as amended states that the bill shall not be “construed as providing the basis for . . . a private right of action for violations of [the bill].” Moreover, while this bill does not create a private right of action under this law or under any other law, it should not be construed to supersede or otherwise impact other laws that include a provision creating a private right of action separate and apart from this bill.
The NJDPA takes effect on January 15, 2025; however, the Division of Consumer Affairs in the Department of Law and Public Safety is authorized to take any anticipatory administrative action in advance of the effective date to implement the act.
We will be monitoring this new law, any implementing regulations, or any new legislation amending the NJDPA closely. If you have any questions, please contact one of the following authors or any other attorney in Riker Danzig’s Cyber Security & Data Privacy practice.
The other twelve states include California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.
GOVERNOR’S STATEMENT UPON SIGNING SENATE BILL NO. 332 (Sixth Reprint) (January 16, 2024).