New Jersey Passes Consumer Data Privacy Bill
The New Jersey legislature passed the New Jersey Data Privacy Act (“NJDPA”) in Senate Bill 332. With the signing of this bill by the governor, New Jersey becomes the first state in 2024 to enact a consumer data privacy law. It will become effective on January 16, 2025.
The NJDPA, as with the laws of a few other states, does not contain a revenue threshold. It applies to businesses (“Controllers”) that annually control or process the personal data of at least 100,000 consumers, excluding personal data processed solely to complete a payment transaction; or that control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data. It does not cover consumers acting in a commercial or employment context. One important change from other consumer data privacy laws is that the law will apply to nonprofit organizations that meet the applicability thresholds referenced above.
Another unique difference in the NJDPA is that two new disclosures are required in the online privacy policy: a description of the process by which the controller will notify consumers of material changes to the privacy policy, and an active email address or other online mechanism that consumers may use to contact the controller.
The Act requires the New Jersey Department of Law and Public Safety’s Division of Consumer Affairs to issue rules and regulations related to the Act. We await those additional rules and regulations as with Colorado and California. We will update you once the final rules and regulations are released.
Below is a brief list of Controller requirements:
- Privacy Notice. Controllers shall provide consumers a privacy notice with the following information:
  - Categories of the personal data that the controller processes;
  - Purposes of processing personal data;
  - Categories of all third parties to which the controller may disclose a consumer’s personal data;
  - Categories of personal data that the controller shares with third parties, if any;
  - How consumers may exercise their consumer rights;
  - Process by which the controller notifies consumers of material changes to the notification;
  - An active email address or other online mechanism that consumers may use to contact the controller; and
  - If the controller sells personal data to third parties or processes personal data for purposes of targeted advertising, the sale of personal data, or profiling on a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may opt out of the sale or processing.
- Processor Agreements. Controllers must have a contract with their processors that clearly sets forth instructions for data processing activities on behalf of the Controller in order to avoid classification of sale to service providers.
- Sensitive Data. There is a unique definition of sensitive data, and a controller may not process or collect sensitive data without obtaining the consumer’s consent (or a parent’s consent, in the case of a known child under the age of 13).
- Data Protection Assessments. The NJDPA will require controllers to conduct assessments before they engage in certain processing activities.
- Universal Opt-Out Mechanisms. Beginning six months after the effective date, the NJDPA will require controllers to recognize user-selected universal opt-out mechanisms for opting out of targeted advertising and the sale of data.
The NJDPA gives New Jersey residents the following rights:
- Confirm processing,
- Access personal data being processed,
- Correct inaccuracies in the consumer’s personal data,
- Delete personal data concerning the consumer,
- Obtain a copy of the consumer’s data (or a “representative summary”),
- Appeal right, and
- Opt-out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Enforcement authority is vested exclusively with the Attorney General. There is a 30-day cure notice available for 18 months after the law comes into effect. The fines can be up to $10,000 per violation. There is no private right of action for consumers.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
