An Overview of New Jersey Consumer Privacy Law

I. Introduction

On January 16, 2024, Governor Phil Murphy signed Senate Bill 332, commonly referred to as the New Jersey Data Privacy Act (NJDPA). This made New Jersey the first state in 2024 and the thirteenth overall to have passed a comprehensive data privacy law.

The most notable aspects of the NJDPA include its scope of applicability which is broader than other privacy laws. Moreover, the law doesn’t provide any private right of action, nor does it establish any independent regulatory authority for its enforcement.

The law is in effect as of January 15, 2025.

II. Who Needs to Comply with NJDPA

A. Material Scope

The law applies to the processing of personal data of New Jersey residents, also referred to as “consumers.” Notably, unlike most of the state privacy laws passed so far, the law broadens the scope of the definition of sensitive data by including consumer financial information. However, business contact and employee data are exempted from the definition of “consumer”, thus excluding employee data from the scope of applicability.

B. Territorial Scope

NJDPA applies to controllers (businesses) operating in the state of New Jersey or providing products and services targeted to residents living in the state. It applies to controllers who, during the calendar year:

• collect or process the personal data of at least 100,000 consumers, excluding data processed exclusively for payment transactions; or
• collect or process the personal data of at least 25,000 consumers, where the controller derives revenue or receives a discount on any service from the sale of personal data.

Unlike other data privacy laws, such as the CPRA, NJDPA doesn’t specify any percentage of the revenue collected from the sale of personal data.

C. Exemptions

NJDPA exempts certain types of entities and data from its applications. The following entities do not fall under the scope of the law:

• Any state agency, political subdivision, division, board, bureau, office, commission, or instrumentality created by a political subdivision.
• Financial institutions or affiliates to such institutions that are subject to the Gramm-Leach-Bliley Act (GLBA).
• The secondary market institutions identified in15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii).
• Insurance institutions that are subject to P.L.1985, c.179 or any other associated insurance fraud regulation.

NJDPA does not apply to the following information and data:

• Data covered under medical laws: The Protected Health Information (PHI) that is collected and processed by an entity subject to privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services (HHS) and pursuant to the Health Insurance Portability and Accountability Act (HIPAA).
• Driver data: Personal data that is subject to the Driver’s Privacy Protection Act of 1994.
• FCRA-related data: Personal data that is collected, processed, shared, or sold by a consumer reporting agency under the Fair Credit Reporting Act (FCRA).
• Research data: Personal data that is collected, processed, or disclosed as part of research conducted in accordance with the Federal Policy for the protection of human subjects pursuant to 45 C.F.R. Part 46 or the protection of human subjects pursuant to 21 C.F.R. Parts 50 and 56

III. Definitions of Key Terms

A. Biometric Data

Any data generated by automatic or technological processing, measurements, or analysis of an individual’s biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual.

“Biometric data” shall not include any of the following:

• a digital or physical photograph.
• An audio or video recording.
• Any data generated from a digital or physical photograph or an audio or video recording, unless such data is generated to identify a specific individual.

B. Consumer

Any person residing in New Jersey acting in an individual or household context, excluding persons acting in a commercial or employment context.

C. Consent

A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous, affirmative action; however, it does not include any of the following:

• Acceptance of general or broad terms of use or similar document containing descriptions of personal data processing and other unrelated information.
• Hovering over, muting, pausing, or closing a given piece of content.
• The agreement is obtained through the use of dark patterns.

D. Dark Pattern

Dark Pattern means any of the following:

• A user interface designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice.
• Any other practice the Federal Trade Commission refers to as a dark pattern.

E. Personal Data

Any information linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

F. Sensitive Data

NJDPA has a broader definition of sensitive data, which includes any personal data that is used or can be used for the purpose of uniquely identifying an individual. Hence, sensitive data includes racial, ethnic, genetic, biometric, sexual orientation, citizenship, immigration status, transgender or non-binary status, and religious, physical, and mental health data. Notably, sensitive data further includes child data and a consumer’s financial information, such as account number, credit or debit card number, account log-in, and access code data, to name a few.

IV. Obligations for Organizations Under NJDPA

A. Data Minimization and Purpose Limitation

The law requires the controllers to limit the processing of the personal data of consumers to only ‘what is relevant, adequate, and reasonably necessary’ and for purposes that are communicated to the consumer at the time of collection. Controllers must obtain the consent of the consumer before using their personal data for any purposes that are either not reasonably necessary or compatible with the purposes initially communicated to the consumer.

B. Consent Requirements

Controllers must obtain consumers’ ‘freely given, specific, informed, and unambiguous’ consent when processing personal data that is not reasonably necessary or compatible with the purposes for which it is collected or disclosed to the consumer initially. In cases where the consumer is at least 13 years of age but younger than 17 years of age, consent must be obtained for the processing of personal data for the purpose of targeted advertising, sale of personal data, or profiling where the profiling would lead to legal or similar significant effects concerning the consumer. Controllers must further seek consent for the processing of sensitive data, and in the case of processing of personal data concerning a known child, compliance with the Children’s Online Privacy Protection Act, 1998 (COPPA) is to be ensured.

Consumers must be provided with a mechanism to revoke their consent. This mechanism must be at least as easy as the one by which the consumer provided the consent. Upon revocation of consent, controllers must cease to process the personal data of consumers as soon as possible but no later than 15 days after receiving such a request.

C. Privacy Notice Requirements

Controllers must provide the consumers with a ‘reasonably accessible, clear, and meaningful’ privacy notice. The notice may include the following information:

• the categories of personal data being processed;
• the purpose for processing;
• the categories of third parties with which the controllers may disclose the personal data;
• the categories of personal data that the controller shares with third parties;
• the rights of consumers under NJDPA, along with instructions related to how consumers can exercise their rights or appeal a controller’s decision;
• the mechanism through which the controller notifies the consumer of any ‘material change’ to the notification; and
• an electronic mailing address or any other mechanism through which the consumer can contact the controller.

D. Data Security Requirements

Similar to many other state data privacy laws, the NJDPA provides a baseline provision for personal data protection. The law requires controllers to establish and implement adequate technical, physical, and administrative data security measures. These measures should ensure the data’s confidentiality, accessibility, and integrity against any unauthorized access while the data is stored or being used.

E. Data Protection Assessment Requirements

The law requires controllers to conduct and document a data protection assessment (DPA) before initiating any processing activity that may contain a ‘heightened risk of harm to a consumer.’ The provision further goes on to define heightened-risk activities that include:

1. the processing of sensitive data, the sale of personal data;
2. the processing of personal data for targeted advertising; or
3. profiling, if the profiling poses a reasonably foreseeable risk of causing unfair or deceptive treatment of, or unlawful disparate impact on consumers, financial or physical injury to consumers, or intrusion upon consumers’ solitude, seclusion, private affairs, or concerns that would be offensive to a reasonable person, or other substantial injury to consumers.

DPAs must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.

The controller must factor into the DPA the use of de-identified data, consumers' reasonable expectations, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed.

Further, a controller must make the DPA available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request. The division may evaluate the DPA for compliance with the duties contained in the law.

F. Data Processor Agreement

Controllers must enter into an agreement with the processor to ensure that the processor remains compliant with the provisions of the law. Among other things, the data processor contract should include the following:

• Processing instructions based on the nature and purpose of processing.
• Types of personal data that are to be processed along with the duration of processing.
• Processors must ensure that the personnel processing or handling the personal data is legally bound to keep it confidential and not disclose it.
• Processors may engage a subcontractor under a written contract, which requires the subcontractor to meet the processor's obligations.
• Processors must ensure that appropriate measures are in place to safeguard the confidentiality, integrity, and accessibility of personal data by setting up security measures appropriate to the risks associated with data processing.
• Processors must delete or return the personal data to the controller at the end of the services unless legally subject to data retention.
• Processors must legally demonstrate compliance with the provisions covered under NJDPA to the controller.

G. Universal Opt-Out Mechanisms

The New Jersey data privacy law follows the pattern of other state data privacy laws and requires controllers to recognize universal opt-out mechanisms. Consumers have the right to opt out of the sale of their personal data by the controller, the use of their personal data for targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The covered controllers had have until July 15, 2024, i.e., six months following the effective date, to meet the requirements. Under NJDPA, the Division of Consumer Affairs in the Department of Law and Public Safety shall adopt the rules and regulations providing details regarding one or more opt-out mechanisms concerning the sale of personal data or the processing of personal data for purposes of targeted advertising or profiling.

H. Non-Discrimination Requirement

Controllers must not process personal data in violation of the laws of New Jersey and federal laws that prohibit unlawful discrimination against consumers.

V.  Data Processor Responsibilities

The NJDPA imposes a number of obligations on data processors. Processor shall:

• Adhere to the instructions of the controller and assist the controller in meeting its obligations under NJDPA.
• Take appropriate technical and organizational measures to fulfill the controller’s obligations to respond to consumer requests, help meet the controller’s obligations regarding the security of processing personal data, and notify the controller of a breach of the security of the system.
• Provide necessary information to enable the controller to conduct and document any Data Protection Assessment (DPA).

VI. Data Subject Rights

The consumers have the following rights under the NJDPA:

A. Right of Confirm and Access

The consumer has the right to confirm whether the controller is processing the personal data of the consumer and to access the data in a manner that does not require the controller to reveal trade secrets.

B. Right of Correction

Consumers can exercise their right to request that controllers correct any inaccuracies in personal data. However, the controller must take into account the purpose of processing and the nature of the information when fulfilling this right.

C. Right of Deletion

Consumers may require controllers to delete any personal data collected on them.

D. Right of Data Portability

Consumers may request controllers to provide them with a copy of their personal data in a technically feasible and readily usable format that allows the consumer to transmit a copy of their data to any other entity without any hindrance.

E. Right of Opting Out

Consumers can exercise their right to opt out of processing activities that involve the sale of their personal data or where the processing is conducted for purposes like targeted advertising or profiling.

Consumers may designate authorized agents or representatives who can exercise their right to opt-out on their behalf. Controllers shall comply with such requests only after verifying—with commercially reasonable effort—the identity of the consumers and the authorized agent.

VII. Regulatory Authority

The Office of the Attorney General of the state of New Jersey has the exclusive authority to enforce the law. However, as mentioned earlier, the law doesn’t provide for a private right of action for consumers. The Director of the Division of Consumer Affairs will promulgate rules and regulations necessary to effectuate the law's purposes.

VIII. How Organizations Can Operationalize NJDPA

Controllers can operationalize NJDPA by considering, among others, the following practices:

• Creating clear policies and procedures for data processing which is in compliance with the New Jersey data privacy law;
• Gaining legal consent of the consumers and clearly communicating to them the purpose of processing and exercisable rights;
• Establishing a streamlined framework to process the lawful requests of data subjects;
• Giving proper training to employees for appropriate handling of personal and sensitive data; and
• Implementing appropriate technical and organizational security measures to protect the integrity and confidentiality of the personal data of consumers.

IX. How Securiti Can Help

Securiti PrivacyOps, an integration of the Data Command Center, helps organizations streamline their compliance efforts with NJDPA through contextual data, AI intelligence, and unified automated controls.

Rated as a leader by the world’s top-rated independent firms, PrivacyOps leverages Data Command Graph to build a knowledge graph of all the rich metadata, security, and privacy policies, and regulatory intelligence, giving you a single-source-of-truth around your data across all systems. This deep intelligence empowers you to automate the full lifecycle of data privacy operations, including but not limited to conducting privacy impact assessments, generating ROPA, fulfilling data privacy rights, managing cookie preferences and consent, updating privacy notices, and sending breach notifications.

Request a demo to learn more.