New Jersey Gov. Phil Murphy on Jan. 16 signed into law Senate Bill 332, making New Jersey the 13th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon and Delaware. The law will go into effect Jan. 16, 2025.
The Act applies to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year either:
- control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
Exemptions include, but are not limited to:
- A financial institution, data, or affiliate of a financial institution that is subject to the Gramm-Leach-Bliley Act and its implementing rules;
- Protected health information collected under the Health Insurance Portability and Accountability Act of 1996;
- Personal data collected, processed, sold, or disclosed by a consumer reporting agency as authorized by the Fair Credit Reporting Act.
Consumers have the right to:
- Confirm a controller’s processing of their personal data;
- Correct inaccuracies in their personal data;
- Delete their personal data;
- Obtain a copy of their personal data held by the controller;
- Opt out of the processing of their personal data if the processing is for the purpose of targeted advertising, sale of their personal data, or certain profiling.
A controller may not process sensitive data concerning a consumer without first obtaining the consumer’s consent, or, in the case of the processing of personal data concerning a known child, without processing such data in accordance with the Children’s Online Privacy Protection Act.
“Sensitive data” means personal data revealing:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical health condition, treatment, or diagnosis;
- Financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account;
- Sex life or sexual orientation;
- Citizenship or immigration status;
- Status as transgender or non-binary;
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
- Personal data collected from a known child; or
- Precise geolocation data.
A contract between a controller and processor must clearly set forth:
- The processing instructions to which the processor is bound, including the nature and purpose of the processing;
- The type of personal data subject to the processing, and the duration of the processing;
- That the processor ensures each person processing the personal data is subject to a duty of confidentiality;
- That any subcontractor engaged by the processor is subject to the same contractual obligations as between the controller and the processor;
- That the controller and processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- That the processor deletes or returns all personal data to the controller as requested at the end of the provision of services;
- That the processor makes available to the controller all information necessary to demonstrate compliance; and
- That the processor allows for, and contributes to, reasonable assessments and inspections by the controller.
DATA PROTECTION ASSESSMENTS
A controller must conduct a data protection assessment for processing that presents a heightened risk of harm to a consumer, including:
- Processing personal data for the purposes of targeted advertising or certain profiling;
- Selling personal data;
- Processing sensitive data.
The Act does not create a private right of action. A violation that is not cured within 30 days of notice is an unlawful practice under N.J. Stat. § 56:8-1, et seq., and the Attorney General may seek injunctive relief, costs, and penalties of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense.
The Attorney General, through the Division of Consumer Affairs, is charged with promulgating rules and regulations.
This legislation, which was introduced in 2022, is a good example of legislators listening to stakeholders and making appropriate changes in response. The bill was amended six times, with the next-to-last amendment gutting the bill and replacing it with provisions akin to those in laws adopted by most other states, which will be a relief to those incorporating the requirements into a compliance program. For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.