The New Jersey Data Privacy Act (NJDPA): The Basics

Written by Matt Davis, CIPM (IAPP) | February 5, 2024

Consumers in the Garden State now have comprehensive data privacy protections. But what does that mean for New Jerseyans?

With Gov. Phil Murphy signing Senate Bill 332 (S332/A1971), businesses and entities such as websites and online providers are required to notify consumers when they collect and disclose personal data to third parties, and they must provide customers with the ability to opt out of that collection or disclosure.

In a press release, Gov. Murphy said:

“In a rapidly growing digital age, our society has become increasingly dependent on the internet to complete day-to-day tasks from shopping and working to deeply personal tasks such as managing finances and medical care. However, far too often consumer privacy is exploited without consumers knowing that their data is being shared and sold. This important legislation will help consumers reclaim control over their own personal data and allow them the choice to share information that is personal to them.”

A number of states—including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia—have passed similar laws, with New Jersey joining the contingent of states passing a comprehensive data privacy act to protect consumers absent a federal law. For an overview of the major characteristics of each U.S. privacy law, check out U.S. Data Privacy Laws: A Guide to the 2024 Landscape.

Let’s dive into the new legislation that expands the U.S. consumer privacy protection landscape.

What is the NJDPA?

The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data. The law applies to businesses and entities who conduct business in the state or who produce products or services targeted to those who live in New Jersey.

NJDPA Applicability and Exemptions

In terms of applicability and exemptions, New Jersey’s privacy law aligns with other state laws. It applies to controllers who, during a calendar year, meet one of the following criteria:

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, or
  • Control or process the personal data of at least 25,000 consumers, where the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

There are a few key definitions in the law: the NJDPA defines “sale” as “sharing, disclosing, or transferring” data for money or other valuable consideration, similar to California’s law. A “controller” is an individual or legal entity that determines the purpose and means of processing personal data.

Similar to Colorado’s privacy law, it doesn’t define a specific percentage of revenue that must be derived from the sale of data, whereas other states have implemented a 25 or 50 percent threshold.

Exemptions to New Jersey’s Data Privacy Law

Unlike most other data privacy laws, the NJDPA doesn’t apply directly to processors—or those who process data on behalf of the controller—though they still have to comply with certain requirements when acting on behalf of a controller.  

The NJDPA has a number of exemptions, including:

  • Data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
  • Secondary market institutions.
  • Insurance institutions subject to certain laws.
  • The state’s Motor Vehicle Commission.
  • Personal information covered by the Fair Credit Reporting Act.

Notably, nonprofits are not exempt from the NJDPA. Like Connecticut, Delaware, Montana and Oregon, New Jersey’s data privacy law exempts personal data used solely for completing a payment transaction.

Consumer Rights Granted by New Jersey’s Data Privacy Law

Under the NJDPA, consumers are granted certain rights now considered pretty standard. These include the right to:

  • Confirm whether a controller processes personal data and access that data.
  • Correct inaccuracies in their personal data.
  • Delete personal data.
  • Obtain a copy of personal data in a portable, readily usable and transferable format.
  • Opt out of processing of personal data for targeted advertising or profiling.

The law is an “opt-out” model except in the instance of two subcategories: sensitive data and children’s data.

Sensitive Data and Children’s Data

Like other consumer data privacy laws, New Jersey’s data privacy law has a separate definition for and set of standards for businesses or entities that process sensitive data and data of children.

This is where the law’s model switches from opt out to opt in, as businesses must obtain opt-in consent for both data types. When processing the data of a child (i.e. someone under the age of 13), it must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA). Children’s data is also considered sensitive data under the law.

Sensitive data is defined broadly and includes a lengthy list of personal data types, including data that reveals:

  • Racial or ethnic origin.
  • Religious beliefs.
  • Mental or physical health condition, treatment, or diagnosis.
  • Sex life or sexual orientation.
  • Citizenship or immigration status.
  • Status as a transgender or nonbinary person.
  • Genetic or biometric data that may be processed for identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.
  • Financial information.

It’s also important to note New Jersey’s data privacy law has an expanded definition of financial information, which includes a consumer’s account number, account log-in information, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. The CPRA includes a definition of financial information like this, but the NJDPA is the only law that classifies financial information as sensitive personal information requiring affirmative opt-in consent before it can be processed.

The NJDPA and Universal Opt-Out Mechanisms

As has become the trend with other data privacy laws, the NJDPA requires businesses to honor universal opt-out mechanisms. These mechanisms essentially enable users to indicate their consent preferences once via a browser plugin like the Global Privacy Control rather than every time they visit a new website. Thus, businesses must be on the lookout for such signals if they want to remain in compliance.

Obligations of Controllers

Similar to other state laws, the New Jersey Data Privacy Act outlines a number of obligations for controllers, who must limit the collection of personal data to what is “adequate, relevant and reasonably necessary”; establish, implement and maintain administrative, technical and physical data security practices; secure data; and not process sensitive data or data of a known child without consent.

Controllers must also post a privacy notice and a link on their website that allows consumers to opt out.

Data Protection Assessments Under the NJDPA

The NJDPA requires controllers to conduct a data protection assessment. Notably, New Jersey’s law requires businesses to make their assessments available to the New Jersey Department of Consumer Affairs upon request, making this a key compliance task to master.

Activities that present a heightened risk and would therefore require a data protection assessment are outlined as:

  • Targeted advertising or profiling, if it presents a “reasonably foreseeable” risk of unfair or deceptive treatment of consumers, unlawful disparate impact on consumers, financial or physical injury, physical or other intrusion upon the solitude or seclusion or the private affairs of consumers, or if it would be offensive to a reasonable person.

  • The sale of personal data.

  • Processing of sensitive data.

What Does the NJDPA Mean for Businesses?

Whenever there’s a new law, data privacy or otherwise, business owners and others who process data should review the text with their legal counsel. It’s critical to understand your data landscape—what’s collected, where it comes from, who it’s shared with and for what reason—to determine your legal requirements.

If you’re feeling overwhelmed with information overload, Osano has many resources related to all things privacy, along with solutions to help manage compliance with the growing number of state data privacy laws.

New Jersey Data Privacy Act: Frequently Asked Questions

When does the NJDPA go into effect?

The law goes into effect on January 15, 2025, one year after its enactment.

Who enforces the New Jersey data privacy act?

As with many other state-level data privacy laws, New Jersey’s Office of the Attorney General will enforce the NJDPA.

Does New Jersey’s law provide a cure period for violations?

The NJDPA has a 30-day cure period, which is on the shorter side for state-level data laws. The cure period also expires after an 18-month grace period in which businesses are expected to adjust (i.e., July 15, 2026).

What is the penalty for violating the NJDPA?

The New Jersey data privacy law grants rulemaking authority to the Division of Consumer Affairs within the New Jersey Department of Law and Public Safety. No monetary amount is defined in the law’s text, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.

Does New Jersey’s privacy law require businesses to honor global opt-out signals?

Yep, New Jersey will be among the states that require companies to honor universal opt-out signals. Businesses must recognize them within six months of the act’s effective date (i.e., July 15, 2025).