With a vibrant population of more than 9 million, New Jersey is a crucial market for most global businesses operating in the USA. On the 16th of January, the New Jersey governor signed Bill SB 332 into law, “An Act concerning commercial Internet websites, online services, consumers, and personally identifiable information” (The New Jersey Data Privacy Act).

This new law made the Garden State the 14th US state to enact a comprehensive data privacy law. From requiring businesses to obtain consent before processing personal data to having a transparent privacy policy, the New Jersey Data Privacy Act imposes various obligations on businesses.

Keep reading to learn what they are and how to operate without legal risks in New Jersey.

What is the New Jersey Data Privacy Act?

After the New Jersey legislature passed Senate Bill 332, the New Jersey Governor signed the New Jersey Consumer Privacy Law into law on the 16th of January 2024. The new Law will come into force one year later, on 16th January 2025, giving businesses sufficient time to understand the requirements and build a compliance program.

The new Law regulates the collection, processing, and use of personal information of New Jersey residents acting in an individual or household capacity. For instance, if your website or web/app platform is accessible to New Jersey consumers and they submit details such as their names, email addresses, and credit card details to contact you or purchase services, the new Act is likely to apply to you.

The new Act applies to businesses that satisfy certain thresholds. If you fulfill one of the following thresholds, you will have to comply with the new Law:

  • Process the personal data of at least 100,000 New Jersey residents, excluding personal data processed solely to complete a payment transaction, or 

  • Process the personal data of at least 25,000 New Jersey residents and derive revenue from the sale of personal data.

As you can infer from these thresholds, your revenue is not a defining criterion when it comes to applicability. If your processing activities exceed these thresholds, you will be subject to the new Law regardless of your revenue.

What are the exemptions to the NJDPA?

Even when you exceed the thresholds specified above, you may still be exempt from the new Law’s requirements if one of the exemptions applies to your data processing activity.

Firstly, data processed about an individual or organization acting in a commercial or employment context is not subject to the Act. Business contact information, such as business email addresses, and employee-related information, including recruitment information, are excluded from the scope of the Act.

Secondly, publicly available information and de-identified data are outside the scope of the new Act.

Thirdly, government agencies, financial institutions subject to the Gramm-Leach-Bliley Act, and protected health information under the Health Insurance Portability and Accountability Act are all exempt from the Act.

Another important point to note is that the Law does not exempt non-profit institutions and educational institutions from the scope of the Act. Therefore, these organizations may be subject to the requirements of the new Act.

Main obligations under the New Jersey Data Privacy Act

If you operate in the USA and exceed the thresholds for the Act's applicability, you must comply with the New Jersey Data Privacy Act. The key obligations you need to consider are as follows.

Displaying a comprehensive privacy notice to consumers

Without transparency on how you collect and process consumer data, consumers would not be able to exercise their rights. Therefore, the New Jersey Data Privacy Act requires that you “provide to a consumer a reasonably accessible, clear, and meaningful privacy notice.”

This privacy notice must at least include the following information about the handling of consumer data:

  • What categories of personal data you collect and use

  • Purposes for the collection and processing of personal data

  • Categories of recipients to whom you disclose personal data

  • Categories of personal data that you share with third parties

  • How consumers may contact you and how they can exercise their rights, such as their access and deletion rights

  • How you sell personal data to third parties for the purposes of targeted advertising

  • How you will notify consumers of the material changes you make to the privacy notice

Implementing a consent mechanism 

Before collecting and processing certain data types, you need to obtain consumer consent.

Firstly, you cannot collect sensitive data or data on children without prior consent from consumers. Under the Act, sensitive data includes personal data that reveals “racial or ethnic origin, religious belief, physical health condition, treatment, or diagnosis.”

Financial information such as credit card numbers, account details, and CVC codes also falls under the definition of sensitive data. In addition, biometric data, data concerning physical health conditions, sexual orientation, and data related to financial accounts are all outside the scope of the Act.

The new Act also limits the secondary use of collected data. Under the Act, you cannot process collected data for other purposes if the new purpose is “neither reasonably necessary to, nor compatible with” the original purpose.

Collecting consent can be done using a Consent Management Platform.

Complying with data subject rights 

The Act provides consumers with various data subject rights, similar to the California Consumer Privacy Act. When you receive a request from a consumer to exercise these rights, you have 45 days to respond to the request, and you can extend this deadline by 45 more days.

Under the new Act, consumers may exercise the following rights:

  1. Right to confirm processing of personal data: Consumers have the right to ask for confirmation of whether you hold and process their data.

  2. Right to access and obtain a copy of personal data: The new Act allows consumers to access their data and also to request a copy of it in a format suitable for transmission to another data controller.

  3. Right to data deletion: Consumers may submit a request to delete personal data relating to them.

  4. Right to rectification: Consumers are also entitled to make a request to correct any inaccuracies in the personal data you hold about them.

  5. Right to opt out: The New Jersey Data Privacy Act also allows consumers to opt out of the sale of their personal data, use of their personal data for targeted advertising, and processing of their data for profiling.

Implementing appropriate data security measures 

Under the new Act, businesses are responsible for designing and implementing appropriate data security measures to maintain and guarantee the confidentiality, integrity, and accessibility of personal data (source: New Jersey Legislature).

When determining the appropriate measures, businesses should consider the volume of personal data they handle and the nature of the data. For instance, sensitive data such as financial information would require more robust physical, organizational, and technical security measures.

Beyond these, one of the most important parts of the New Jersey Data Privacy Act is the obligation to offer consumers an opt-out mechanism.

Opt-out obligation under the New Jersey Data Privacy Act (NJDPA)

The New Jersey Data Privacy Act provides consumers with more control and freedom when it comes to whether a business can sell personal data or whether it can carry out targeted advertising.

Under the new Act, you must provide a mechanism for consumers to opt out of the following three data processing activities:

  • Targeted advertising

  • Sale of personal data

  • Forms of profiling with potentially significant legal effects on the consumer.

The opt-out mechanism you implement should comply with the following requirements:

  • Consumer-friendly, clearly described, and easy to use by the average consumer;

  • As consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation, and

  • Enabling the controller to accurately determine whether the consumer is a resident of New Jersey and whether the consumer has made a legitimate request to opt out of the processing of personal data for the purposes of any sale of such consumer’s personal data or targeted advertising.

An example of an opt-out mechanism could be a privacy banner that users can surface themselves, which communicates clearly about users’ rights and gives them the opportunity to fine-tune their preferences. To learn more, check out our article about consent banner formats, including opt-out.

Who enforces the New Jersey Consumer Privacy Law?

The new Act does not establish a new data protection authority. Instead, it gives the New Jersey Attorney General the exclusive authority to enforce the Act and bring enforcement action against non-compliant organizations.

There is no private right of action under the new Act.

How can Didomi help you comply with the New Jersey Data Privacy Act?

When it comes to complying with the New Jersey Data Privacy Act, obtaining valid consent from consumers, providing the right to opt out, and displaying a compliant privacy notice are the top priorities.

  • When collecting sensitive personal data, such as financial information, you must obtain consent first.

  • As a business, you must build and display a compliant privacy notice to your customers.

This is where our Global Privacy UX Solutions come into play. Our Consent Management Platform (CMP) allows you to collect consent and, most importantly, keep a record of it all. Our offering also includes privacy request management, compliance monitoring, and more.

Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you comply with the new New Jersey Consumer Privacy Law.

Frequently Asked Questions (FAQ)

When does the New Jersey Data Privacy Act come into force?

The Governor of New Jersey signed the new Act into law on 16th January 2024, and the New Jersey Data Privacy Act will be enforceable in January 2025.

Who can bring enforcement action against non-compliant organizations?

Only the Attorney General of New Jersey may bring enforcement action for non-compliance with the new Act.

What are the penalties under the New Jersey Data Privacy Act?

The first violation may result in fines of up to $10,000. Subsequent violations may be fined up to $20,000 each.

Can consumers sue organizations?

No, the Act does not provide consumers with a private right of action for non-compliance with its personal data processing requirements.

What is the deadline for responding to data subject requests from consumers?

You have 45 days to respond to a request, such as a request to access personal data. This can be extended by a further 45 days.

Is there an obligation to carry out a data protection assessment?

Yes. When there is a heightened risk of harm to consumers, the new Act requires you to conduct a data protection assessment for the specific data processing activity.