Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

LLM Firewall

Secure your GenAI applications with distributed and context-aware LLM firewalls

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

LLM Firewall

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View

LLM Firewall

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

An Overview of New Jersey Consumer Privacy Law

By Anas Baig | Reviewed By Usman Tariq

Published May 24, 2024 / Updated July 1, 2024

I. Introduction

On January 16, 2024, Governor Phil Murphy signed Senate Bill 332, commonly referred to as the New Jersey Data Privacy Act (NJDPA). This made New Jersey the first state in 2024 and the thirteenth overall to have passed a comprehensive data privacy law.

The most notable aspects of the NJDPA include its scope of applicability which is broader than other privacy laws. Moreover, the law doesn’t provide any private right of action, nor does it establish any independent regulatory authority for its enforcement.

The law will become effective on January 15, 2025.

II. Who Needs to Comply with NJDPA

A. Material Scope

The law applies to the processing of personal data of New Jersey residents, also referred to as “consumers.” Notably, unlike most of the state privacy laws passed so far, the law broadens the scope of the definition of sensitive data by including consumer financial information. However, business contact and employee data are exempted from the definition of “consumer”, thus excluding employee data from the scope of applicability.

B. Territorial Scope

NJDPA applies to controllers (businesses) operating in the state of New Jersey or providing products and services targeted to residents living in the state. It applies to controllers who, during the calendar year:

collect or process the personal data of at least 100,000 consumers, excluding data processed exclusively for payment transactions; or
collect or process the personal data of at least 25,000 consumers, where the controller derives revenue or receives a discount on any service from the sale of personal data.

Unlike other data privacy laws, such as the CPRA, NJDPA doesn’t specify any percentage of the revenue collected from the sale of personal data.

C. Exemptions

NJDPA exempts certain types of entities and data from its applications. The following entities do not fall under the scope of the law:

Any state agency, political subdivision, division, board, bureau, office, commission, or instrumentality created by a political subdivision.
Financial institutions or affiliates to such institutions that are subject to the Gramm-Leach-Bliley Act (GLBA).
The secondary market institutions identified in15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii).
Insurance institutions that are subject to P.L.1985, c.179 or any other associated insurance fraud regulation.

NJDPA does not apply to the following information and data:

Data covered under medical laws: The Protected Health Information (PHI) that is collected and processed by an entity subject to privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services (HHS) and pursuant to the Health Insurance Portability and Accountability Act (HIPAA).
Driver data: Personal data that is subject to the Driver’s Privacy Protection Act of 1994.
FCRA-related data: Personal data that is collected, processed, shared, or sold by a consumer reporting agency under the Fair Credit Reporting Act (FCRA).
Research data: Personal data that is collected, processed, or disclosed as part of research conducted in accordance with the Federal Policy for the protection of human subjects pursuant to 45 C.F.R. Part 46 or the protection of human subjects pursuant to 21 C.F.R. Parts 50 and 56

III. Definitions of Key Terms

A. Biometric Data

Any data generated by automatic or technological processing, measurements, or analysis of an individual’s biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual.

“Biometric data” shall not include any of the following:

a digital or physical photograph.
An audio or video recording.
Any data generated from a digital or physical photograph or an audio or video recording, unless such data is generated to identify a specific individual.

B. Consumer

Any person residing in New Jersey acting in an individual or household context, excluding persons acting in a commercial or employment context.

A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous, affirmative action; however, it does not include any of the following:

Acceptance of general or broad terms of use or similar document containing descriptions of personal data processing and other unrelated information.
Hovering over, muting, pausing, or closing a given piece of content.
The agreement is obtained through the use of dark patterns.

D. Dark Pattern

Dark Pattern means any of the following:

A user interface designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice.
Any other practice the Federal Trade Commission refers to as a dark pattern.

E. Personal Data

Any information linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

F. Sensitive Data

NJDPA has a broader definition of sensitive data, which includes any personal data that is used or can be used for the purpose of uniquely identifying an individual. Hence, sensitive data includes racial, ethnic, genetic, biometric, sexual orientation, citizenship, immigration status, transgender or non-binary status, and religious, physical, and mental health data. Notably, sensitive data further includes child data and a consumer’s financial information, such as account number, credit or debit card number, account log-in, and access code data, to name a few.

IV. Obligations for Organizations Under NJDPA

A. Data Minimization and Purpose Limitation

The law requires the controllers to limit the processing of the personal data of consumers to only ‘what is relevant, adequate, and reasonably necessary’ and for purposes that are communicated to the consumer at the time of collection. Controllers must obtain the consent of the consumer before using their personal data for any purposes that are either not reasonably necessary or compatible with the purposes initially communicated to the consumer.

Controllers must obtain consumers’ ‘freely given, specific, informed, and unambiguous’ consent when processing personal data that is not reasonably necessary or compatible with the purposes for which it is collected or disclosed to the consumer initially. In cases where the consumer is at least 13 years of age but younger than 17 years of age, consent must be obtained for the processing of personal data for the purpose of targeted advertising, sale of personal data, or profiling where the profiling would lead to legal or similar significant effects concerning the consumer. Controllers must further seek consent for the processing of sensitive data, and in the case of processing of personal data concerning a known child, compliance with the Children’s Online Privacy Protection Act, 1998 (COPPA) is to be ensured.

Consumers must be provided with a mechanism to revoke their consent. This mechanism must be at least as easy as the one by which the consumer provided the consent. Upon revocation of consent, controllers must cease to process the personal data of consumers as soon as possible but no later than 15 days after receiving such a request.

C. Privacy Notice Requirements

Controllers must provide the consumers with a ‘reasonably accessible, clear, and meaningful’ privacy notice. The notice may include the following information:

the categories of personal data being processed;
the purpose for processing;
the categories of third parties with which the controllers may disclose the personal data;
the categories of personal data that the controller shares with third parties;
the rights of consumers under NJDPA, along with instructions related to how consumers can exercise their rights or appeal a controller’s decision;
the mechanism through which the controller notifies the consumer of any ‘material change’ to the notification; and
an electronic mailing address or any other mechanism through which the consumer can contact the controller.

D. Data Security Requirements

Similar to many other state data privacy laws, the NJDPA provides a baseline provision for personal data protection. The law requires controllers to establish and implement adequate technical, physical, and administrative data security measures. These measures should ensure the data’s confidentiality, accessibility, and integrity against any unauthorized access while the data is stored or being used.

E. Data Protection Assessment Requirements

The law requires controllers to conduct and document a data protection assessment (DPA) before initiating any processing activity that may contain a ‘heightened risk of harm to a consumer.’ The provision further goes on to define heightened-risk activities that include:

the processing of sensitive data, the sale of personal data;
the processing of personal data for targeted advertising; or
profiling, if the profiling poses a reasonably foreseeable risk of causing unfair or deceptive treatment of, or unlawful disparate impact on consumers, financial or physical injury to consumers, or intrusion upon consumers’ solitude, seclusion, private affairs, or concerns that would be offensive to a reasonable person, or other substantial injury to consumers.

DPAs must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.

The controller must factor into the DPA the use of de-identified data, consumers' reasonable expectations, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed.

Further, a controller must make the DPA available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request. The division may evaluate the DPA for compliance with the duties contained in the law.

F. Data Processor Agreement

Controllers must enter into an agreement with the processor to ensure that the processor remains compliant with the provisions of the law. Among other things, the data processor contract should include the following:

Processing instructions based on the nature and purpose of processing.
Types of personal data that are to be processed along with the duration of processing.
Processors must ensure that the personnel processing or handling the personal data is legally bound to keep it confidential and not disclose it.
Processors may engage a subcontractor under a written contract, which requires the subcontractor to meet the processor's obligations.
Processors must ensure that appropriate measures are in place to safeguard the confidentiality, integrity, and accessibility of personal data by setting up security measures appropriate to the risks associated with data processing.
Processors must delete or return the personal data to the controller at the end of the services unless legally subject to data retention.
Processors must legally demonstrate compliance with the provisions covered under NJDPA to the controller.

G. Universal Opt-Out Mechanisms

The New Jersey data privacy law follows the pattern of other state data privacy laws and requires controllers to recognize universal opt-out mechanisms. Consumers have the right to opt out of the sale of their personal data by the controller, the use of their personal data for targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The covered controllers have until July 15, 2024, i.e., six months following the effective date, to meet the requirements. Under NJDPA, the Division of Consumer Affairs in the Department of Law and Public Safety shall adopt the rules and regulations providing details regarding one or more opt-out mechanisms concerning the sale of personal data or the processing of personal data for purposes of targeted advertising or profiling.

H. Non-Discrimination Requirement

Controllers must not process personal data in violation of the laws of New Jersey and federal laws that prohibit unlawful discrimination against consumers.

V. Data Processor Responsibilities

The NJDPA imposes a number of obligations on data processors. Processor shall:

Adhere to the instructions of the controller and assist the controller in meeting its obligations under NJDPA.
Take appropriate technical and organizational measures to fulfill the controller’s obligations to respond to consumer requests, help meet the controller’s obligations regarding the security of processing personal data, and notify the controller of a breach of the security of the system.
Provide necessary information to enable the controller to conduct and document any Data Protection Assessment (DPA).

VI. Data Subject Rights

The consumers have the following rights under the NJDPA:

A. Right of Confirm and Access

The consumer has the right to confirm whether the controller is processing the personal data of the consumer and to access the data in a manner that does not require the controller to reveal trade secrets.

B. Right of Correction

Consumers can exercise their right to request that controllers correct any inaccuracies in personal data. However, the controller must take into account the purpose of processing and the nature of the information when fulfilling this right.

C. Right of Deletion

Consumers may require controllers to delete any personal data collected on them.

D. Right of Data Portability

Consumers may request controllers to provide them with a copy of their personal data in a technically feasible and readily usable format that allows the consumer to transmit a copy of their data to any other entity without any hindrance.

E. Right of Opting Out

Consumers can exercise their right to opt out of processing activities that involve the sale of their personal data or where the processing is conducted for purposes like targeted advertising or profiling.

Consumers may designate authorized agents or representatives who can exercise their right to opt-out on their behalf. Controllers shall comply with such requests only after verifying—with commercially reasonable effort—the identity of the consumers and the authorized agent.

VII. Regulatory Authority

The Office of the Attorney General of the state of New Jersey has the exclusive authority to enforce the law. However, as mentioned earlier, the law doesn’t provide for a private right of action for consumers. The Director of the Division of Consumer Affairs will promulgate rules and regulations necessary to effectuate the law's purposes.

VIII. How Organizations Can Operationalize NJDPA

Controllers can operationalize NJDPA by considering, among others, the following practices:

Creating clear policies and procedures for data processing which is in compliance with the New Jersey data privacy law;
Gaining legal consent of the consumers and clearly communicating to them the purpose of processing and exercisable rights;
Establishing a streamlined framework to process the lawful requests of data subjects;
Giving proper training to employees for appropriate handling of personal and sensitive data; and
Implementing appropriate technical and organizational security measures to protect the integrity and confidentiality of the personal data of consumers.

IX. How Securiti Can Help

Securiti PrivacyOps, an integration of the Data Command Center, helps organizations streamline their compliance efforts with NJDPA through contextual data, AI intelligence, and unified automated controls.

Rated as a leader by the world’s top-rated independent firms, PrivacyOps leverages Data Command Graph to build a knowledge graph of all the rich metadata, security, and privacy policies, and regulatory intelligence, giving you a single-source-of-truth around your data across all systems. This deep intelligence empowers you to automate the full lifecycle of data privacy operations, including but not limited to conducting privacy impact assessments, generating ROPA, fulfilling data privacy rights, managing cookie preferences and consent, updating privacy notices, and sending breach notifications.

Request a demo to learn more.