Earlier this month New Jersey became the thirteenth state to pass a comprehensive privacy law aimed at protecting residents’ personal information and starting a new round of comprehensive state privacy laws providing such safeguards in lieu of a federal privacy law. Following a number of starts, stalls, and amendments throughout 2022 and 2023, the law was finalized on the last day of the 2023 legislative session and was signed by Governor Phil Murphy on January 16, 2024. The law will go into effect in January 2025.

Applicability

The New Jersey law applies to businesses that operate in the State or produce products or services that are targeted to residents of the State, and that during a calendar year, either:

(a) control or process the personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completely a payment transaction – a nuanced difference from other state privacy laws); or

(b) control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

Of note, the law does not apply to protected health information collected by a covered entity or business associate subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  It also does not apply to financial institutions, data, or affiliates of financial institutions that are subject to the requirements of the Gramm-Leach-Bliley Act (“GLBA”).

Comparison to Other State Privacy Laws

Like other state privacy laws, the New Jersey law requires businesses to provide customers with notice of the collection and disclosure of personal information to third parties and to provide them with a number of privacy rights, including the ability to opt-out of the collection or disclosure of their personal information. The right to opt-out of processing must be available to consumers through a user-selected universal opt-out mechanism.

The New Jersey law also includes a definition for “sensitive personal information”.  However, the definition specifically includes financial information about the individual, which includes “…a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”  The law also requires data protection assessments that “…identify and weigh the benefits that may flow, directly or indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.”

Notice Requirements

Businesses that meet the threshold applicability for the New Jersey law and collect “personally identifiable information” of a consumer online must provide notice that includes:  (1) the categories of the personally identifiable information collected; (2) the categories of all third parties to which the business may disclose personally identifiable information; (3) whether a third party may collect personally identifiable information; (4) a description of the process for an individuals to review or request changes to any personally identifiable information; (5) the effective date of the notice (as well as details regarding how consumers will be made aware of any material updates to the notice); and (6) designated request addresses for the business.  The business shall provide a toll-free number, email address or both means by which consumers can make requests regarding their personally identifiable information.

Consumer Rights

Consumers shall have the right to confirm whether the business processes their personal data and accesses such personal data (and obtain a copy of such personal data in a portable and readily-usable format); correct inaccuracies in their personal data; delete personal data; and opt out of the processing of personal data for the purposes of (1) targeted advertising; (2) the sale of personal data; or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Businesses have 60 days in which to provide a response to a consumer’s verified request.

Preparing for Enforcement

As with the other state privacy, businesses operating in New Jersey have some time to ensure compliance requirements are implemented and will likely already have many of the requirements in place. The law is to take effect 365 days following the date of enactment. For 18 months following the effective date, the Division of Consumer Affairs in the Department of Law and Public Safety may allow a cure period of 30 days after receiving notice of an alleged noncompliance.  The Office of the Attorney General shall have sole and exclusive authority to enforce any violations and there is no private right of action. The Attorney General is also responsible for providing regulations for implementation – mirroring both California and Colorado.

Businesses that must meet all of the individual state privacy laws should continue to refine their processes for updating privacy policies, handling data subject requests, and updating data processing agreements.

Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws like this one. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.