On January 15, 2023, New Jersey’s governor signed S332/A1971, making it the fourteenth state with a comprehensive consumer privacy law (yes, we count Florida in the tally!). The law takes effect on January 15, 2025, or 365 days after signing, which slots New Jersey in after Iowa’s law (taking effect January 1, 2025) and before Tennessee’s law (taking effect July 1, 2025).
The substantive requirements of the New Jersey law are not a major departure from the majority of existing state privacy laws, so businesses’ current compliance efforts will go a long way in following New Jersey’s requirements for privacy policies, consumer rights, opt-out mechanisms, data protection impact assessments (“DPIAs”), and contracts with processors, for example. However, New Jersey’s law has several noteworthy features, including its definition of sensitive data, grant of rulemaking authority to the New Jersey Attorney General, and ambiguity concerning a private right of action.
Scope & Applicability
The New Jersey law applies to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents (“consumers”), and that during a calendar year either control or process the personal data of at least:
- 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- 25,000 consumers and the controller derives revenue from the sale of personal data.
Like many other states, the New Jersey law exempts certain data and entities subject to federal laws, such as protected health information collected by a covered entity or business associate subject to HIPAA, as well as any financial institution, affiliate of a financial institution, or data that is subject to Title V of the GLBA.
The New Jersey law does not exempt data under the Family Educational Rights and Privacy Act’s (FERPA) purview, nor does the New Jersey law provide exemptions for data processed by non-profit and educational institutions.
Obligations
The New Jersey law has familiar obligations for privacy policies, consumer rights, information security, contracts with processors, obtaining consent to process sensitive data, and DPIAs.
However, the new law has several notable, uncommon differences:
- Expanded definition of “sensitive data”: Like California’s law, New Jersey’s definition of “sensitive data” includes a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. And, like Oregon and Delaware, sensitive data also includes transgender or non-binary status.
- Opt-in requirements for children’s data: Covered controllers must obtain consent from consumers between the ages of 13 and 16 before processing their data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- Expanded use of universal opt-out mechanisms (UOOMs): In addition to recognizing UOOM opt-outs for targeted advertising and sales of personal data, controllers must recognize UOOM opt-outs of profiling in furtherance of decisions that produce legal or similarly significant effects, which no other state currently requires.
- Limited right to non-discrimination: Whereas most states prohibit controllers from discriminating against consumers for exercising their rights under privacy laws, the New Jersey law only prohibits discrimination against a consumer if the consumer chooses to opt out of sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- Expanded deletion right: When controllers obtain data about a consumer from a source other than the consumer, controllers are required to delete that data upon a consumer request. By comparison, several other states only require controllers to stop processing that data, unless there is a statutory exception.
Rulemaking Authority
New Jersey’s privacy law also requires the Director of the Division of Consumer Affairs in the Department of Law and Public Safety (i.e., the New Jersey Attorney General) to issue regulations to effectuate the law. Currently, only California’s and Colorado’s privacy laws allow for similar rulemaking. While New Jersey’s privacy law does not specify a timeline for such rulemaking, we expect that forthcoming regulations will impose additional obligations, beyond the statutory requirements, on covered entities. Indeed, California and Colorado have demonstrated that regulations can be comprehensive and require dedicated compliance efforts, so covered controllers will need to stay up to date on regulatory developments.
Private Right of Action Ambiguity
Lastly, there remains some ambiguity regarding whether New Jersey’s privacy law allows for a private right of action. While one section explicitly provides that the New Jersey Attorney General shall retain exclusive authority to enforce the law and that nothing in the law shall be construed as providing the basis for a private right of action, another section provides that controllers’ violations constitute an unlawful practice under New Jersey’s Consumer Fraud Act, which provides for a private right of action.
In Governor Murphy’s signing statement, he noted that late amendments to the law removed language that would have precluded a private right of action under any other law, and that nothing in this bill “expressly” establishes such a private right of action. However, given the ambiguity, we expect that plaintiffs’ lawyers will test this theory.