On January 16, 2024, New Jersey became the thirteenth US state to enact a comprehensive privacy law, bringing it in line with other states. The law focuses on data privacy by empowering consumers and imposing obligations on businesses. This article provides a roadmap of the New Jersey Data Privacy Act, which includes consumer rights, controller obligations, privacy notice requirements, and a compliance checklist.
Official text: Senate Bill 332
Enforcement date: Jan 15, 2025
What is the New Jersey Data Privacy Act (NJDPA)?
The New Jersey governor signed the state privacy bill on January 16, 2024, representing a major step toward data privacy in the United States. The law requires businesses to recognize global opt-out signals, provide privacy notices, and have a vigilant approach to sensitive data processing.
New Jersey’s privacy law is similar to other privacy laws in the United States, such as Colorado’s. However, certain differences set it apart. One notable difference is that it includes certain financial information in its definition of sensitive data. Additionally, the law does not automatically exempt non-profit organizations from its scope of applicability.
Furthermore, NJDPA emphasizes privacy-by-default principles such as data minimization and purpose limitation. Non-compliance with the law may result in penalties of up to $10,000 for the first violation and up to $20,000 for subsequent violations.
Who does NJDPA apply to?
New Jersey’s privacy law, like any other privacy law, prioritizes the privacy of its residents and applies to entities that have control over the handling of individuals’ personal data. If you’re unsure whether the law applies to your business, we can help you find out.
The law applies to controllers who conduct business in New Jersey or target their products/services to New Jersey residents and meet any of the following requirements in a year:
- Controls/processes the personal data of at least 100,000 consumers (except for completing payment transactions).
- Controls/processes the personal data of at least 25,000 consumers and receives a discount/revenue from the sale of such personal data.
A consumer is a New Jersey resident who acts in a personal or household context but not in a commercial or employment context.
What are the exemptions under NJDPA?
The law carves out exemptions at both data and entity levels. Just like most US privacy laws, the protected health information covered by HIPAA is exempted. Other common exemptions are the data covered by the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act, etc.
Apart from the data level exemptions, New Jersey privacy law also exempts certain entities such as those covered under the GLBA, state or political subdivisions, and secondary market institutions mentioned under 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii).
What is personal data under NJDPA?
Personal data is any information that is linked or reasonably linkable to an identified individual. Some common examples include home addresses, contact numbers, cookie IDs, etc. However, it does not include publicly available and de-identified information.
A piece of information is publicly available if made available by government records, widely distributed media, or the consumer himself, provided that it is meant for the general public and not for a specific audience. De-identified information is incapable of being linked to the individual or his device provided there are no attempts to re-identify it.
What is sensitive data under NJDPA?
Sensitive data is personal data whose compromise can cause great harm to the individual.
The data that reveal the following are sensitive under the law:
- Racial or ethnic origin
- Religious beliefs
- Mental/physical health condition, treatment, or diagnosis
- Financial information, including:
  - account number
  - log-in credentials
  - financial account, credit card, or debit card number combined with a security code, access code, or password
- Sex-life or sexual orientation
- Citizenship or immigration status
- Status as transgender or non-binary
- Genetic/biometric data
- Personal data of a known child
- Precise geo-location data
What are the privacy notice requirements under NJDPA?
A privacy notice must contain the following elements:
- Categories of personal data processed by the controller
- The specific purposes for processing
- Categories of third parties to which the personal data may be disclosed
- The categories of personal data shared with third parties
- The process for exercising consumer rights including the contact information and the process for appealing against the controller’s decision
- The process of notifying consumers about any changes made to the notice along with its effective date
- An active email address or other online mechanism through which consumers can contact the controller
- If the controller sells personal data or uses it for targeted advertising or profiling, it must be disclosed in the notice along with the method to opt out.
What are the consent requirements under NJDPA?
Well-defined consent requirements under the New Jersey privacy law enable consumers to have control over their personal data. Imagine it as a green light. Controllers like businesses cannot use personal data for certain purposes unless they obtain consent from individuals. For instance, before processing sensitive data, prior consent is necessary.
Valid consent is an informed, affirmative action given freely, unambiguously, and specifically. Therefore, merely hovering over or closing a piece of content, or accepting a general description of terms, may not constitute consent.
In simpler terms, if you think consent obtained using dark patterns is valid under the law, you may lose millions of dollars and your customer’s trust. Therefore, for a hassle-free compliance strategy, you may consider using consent management platforms such as CookieYes.
In the subsequent sections, we will learn more about the circumstances under which consumer consent is mandatory.
Obligations of businesses under the New Jersey Data Privacy Act (NJDPA)
The NJDPA imposes the following obligations on controllers, who must take steps to ensure adherence:
Data minimization
Restrict the collection of personal data to what is reasonably required and adequate for the disclosed purpose of collection.
Purpose limitation
The privacy-by-design principles emphasize limiting the processing of personal data to the original purpose of collection.
Consent
Even though New Jersey privacy law follows an opt-out model, consent is an integral part. Businesses cannot process sensitive data without the prior consent of the consumer.
The processing of personal data of children requires parental consent for those under 13 years of age. Furthermore, consumer consent is necessary to process the personal data of children between 13 and 17 years of age for targeted advertising, profiling, or sale of personal data.
Businesses should also provide an effective and convenient method to revoke consent, and must stop processing the personal data within 15 days of revocation.
Non-discrimination
The law expressly prohibits businesses from discriminating against consumers for exercising their opt-out rights. This means businesses must not raise the price, lower the quality, or deny the product or service. However, the New Jersey privacy law does not prohibit businesses from offering discounts, loyalty programs, or incentives in exchange for the sale of personal data that consumers have not opted out of, provided the consumers have been notified of their rights.
Businesses must also refrain from processing personal data in violation of federal and state laws against unlawful discrimination.
Data Protection Impact Assessments
Do not process personal data that presents a heightened risk of harm to consumers without conducting data protection impact assessments. Heightened risks include the processing of personal data for purposes like targeted advertising or profiling if they may cause substantial injury to the consumers such as financial injury, unfair treatment, etc. Other instances include the processing of sensitive data and the sale of personal data.
DPIAs must weigh the potential benefits of the processing against its risks, and the resulting document must be kept confidential.
Consumer request mechanisms
Provide a convenient request mechanism for your consumers, such as a designated toll-free number, email address, or website. Do not require them to create a new account to submit a request. Also, establish a mechanism for appealing the controller's decision on a consumer request.
Response to consumer requests
Respond promptly to consumer requests, at the latest within 45 days of receipt. Where necessary due to the complexity or volume of requests, businesses may extend the response period by another 45 days after promptly notifying the consumer.
You must also provide the requested information free of charge once every 12 months. The response period for appeals under the New Jersey privacy law is 45 days.
Transparency
Provide a clear and conspicuous privacy notice to consumers including all the specific details such as the categories of personal data collected, the purpose of collection, consumer rights and how to exercise them, etc.
Global opt-outs
Consumers have the right to designate an authorized agent to exercise their opt-out rights, including through technology that sends an opt-out signal on their behalf. Businesses must therefore recognize global opt-out signals within 6 months after the law takes effect.
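The consent and opt-out rules from the Consent and Global opt-outs sections above, encoded as one decision function. This is an added example, not code from the article or from CookieYes; it assumes the global signal arrives as the Global Privacy Control request header `Sec-GPC: 1` (the article does not name the signal) and treats it as an opt-out from targeted advertising and sale, the purposes that signal expresses. The `Consumer` record and purpose names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Purposes the law lets adult consumers opt out of (opt-out model).
OPT_OUT_PURPOSES = {"targeted_advertising", "profiling", "sale"}
# Purposes the Global Privacy Control signal expresses (assumption, see lead-in).
GPC_PURPOSES = {"targeted_advertising", "sale"}


@dataclass
class Consumer:
    """Constructed per-consumer consent record kept by the controller."""
    age: int
    consents: set = field(default_factory=set)          # affirmative consents
    parental_consents: set = field(default_factory=set) # for known children < 13
    opted_out: set = field(default_factory=set)         # opt-outs via request/agent


def gpc_signal_present(headers: dict) -> bool:
    """True when the request carries the Sec-GPC: 1 opt-out signal."""
    return headers.get("Sec-GPC", "").strip() == "1"


def may_process(consumer: Consumer, purpose: str, sensitive: bool = False,
                headers: Optional[dict] = None) -> bool:
    """Return True only if processing for `purpose` is permitted for this consumer."""
    headers = headers or {}
    # Known child under 13: every purpose needs parental consent.
    if consumer.age < 13:
        return purpose in consumer.parental_consents
    # Sensitive data needs prior affirmative consent regardless of purpose.
    if sensitive and purpose not in consumer.consents:
        return False
    if purpose in OPT_OUT_PURPOSES:
        # Teens 13-17: these purposes are consent-based, not opt-out-based.
        if consumer.age <= 17 and purpose not in consumer.consents:
            return False
        # Honour a stored opt-out (direct request or authorized agent).
        if purpose in consumer.opted_out:
            return False
        # Honour the global opt-out signal for the purposes it covers.
        if purpose in GPC_PURPOSES and gpc_signal_present(headers):
            return False
    return True
```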
Security measures
Implement reasonable and proportionate security measures to protect the confidentiality of personal data under your control. Such measures include encryption, regular backups, and a formal security policy.
Contractual relationship
Enter into contracts with processors and third parties and ensure their compliance with the NJDPA. The contract must set out the rights and obligations of each party, the nature and duration of the processing, and similar terms.
What are the rights of consumers under the New Jersey Data Privacy Act?
The rights guaranteed to consumers under NJDPA are similar to most US privacy laws and include the following:
Right to confirm: Consumers can confirm whether a business is processing their personal data and they can also access the data.
Right to correct: The law allows consumers to correct any inaccuracies in their personal data handled by controllers such as businesses.
Right to delete: Consumers can request controllers to delete their personal data.
Right to obtain: Consumers also have the right to obtain a copy of their personal data handled by businesses in a portable and technically feasible manner.
Right to opt-out: As we already know, the New Jersey privacy law follows an opt-out model and allows consumers to opt out of targeted advertising, profiling, and the sale of personal data.
Enforcement and penalties under NJDPA
Exclusive enforcement authority for the New Jersey privacy law vests with the state Attorney General.
The act provides a 30-day cure period that sunsets 18 months after the enforcement date. If a business cures the violation within that period, enforcement action may not follow. Otherwise, any breach of the law is treated as a violation of the Consumer Fraud Act, with fines of up to $10,000 for the first violation and up to $20,000 for subsequent violations.
There is no private right of action under the act.
New Jersey Data Privacy Act (NJDPA) compliance checklist
- Minimize the collection of personal data to what is required for the specific purpose
- Practice purpose limitation and process personal data only for the purposes for which it was collected
- Obtain consent for processing personal data and children’s personal data
- Obtain consent before using teenagers’ personal data (13-17 years) for targeted advertising, profiling, and sale
- Establish convenient methods to receive consumer requests
- Do not retaliate against consumers for exercising consumer rights
- Respond to consumer requests promptly
- Provide a clear and conspicuous privacy policy/notice to consumers
- Recognize global opt-out signals
- Have a contractual relationship with processors and third parties involved in the processing of personal data
- Implement reasonable and proportionate security measures
- Conduct data protection impact assessments
California CCPA Vs New Jersey NJDPA [Infographic]
FAQ on New Jersey Data Privacy Act (NJDPA)
The New Jersey Data Privacy Act allows individuals to manage their personal information. The implementation of the legislation will commence on January 15, 2025. NJDPA contains provisions for consumer rights and controller obligations. Businesses would have to obtain consent from consumers for certain purposes and also provide a clear and conspicuous privacy policy/privacy notice.
Being compliant with privacy laws like NJDPA can be laborious, especially when creating privacy policies or managing consent. In that case, consent management solutions like CookieYes can help your hassle-free compliance by implementing cookie consent solutions and creating free privacy policies for your online platforms.
The law provides for a cure period of 30 days which sunsets 18 months after the enforcement of NJDPA on Jan 15, 2025.