New Jersey took a giant leap in pursuit of protecting consumers with the passage of the New Jersey Data Privacy Act (NJDPA), set to become effective January 15, 2025. The NJDPA is a comprehensive privacy law aimed at protecting the personal information of New Jersey residents. In an era where personal data is increasingly vulnerable to exploitation and misuse, states across the country are taking measures to safeguard the privacy of their residents. Once the new law is implemented, many businesses both inside and outside of New Jersey will be required to notify New Jersey consumers about the collection and disclosure of those consumers’ personal data and abide by other privacy-related requirements.
Does the NJDPA Apply to You?
The NJDPA protects New Jersey residents only when they act in an individual or household context. It does not apply to New Jersey residents acting in a commercial or employment context. Moreover, for the NJDPA to be applicable, the entity must be a “controller,” i.e., an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. The NJDPA defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable person. The definition includes “sensitive data” of consumers that reveals, among various items, certain immutable characteristics such as race and sexual orientation, biometric data such as biological, physical, or behavioral characteristics, and financial information. Personal data explicitly excludes de-identified data and publicly available data. Notably, the new law does not apply to certain companies such as state-regulated insurance providers, financial institutions or businesses already regulated by the Gramm-Leach-Bliley Act, and certain governmental entities.
A business that is not otherwise exempt from the NJDPA must also conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and, during a calendar year, meet either one of the following thresholds for the law to apply:
- Controls or processes the personal data of 100,000 or more New Jersey consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction, or
- Controls or processes the personal data of 25,000 or more New Jersey consumers and derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.
Key Provisions of the NJDPA:
Some important provisions of the NJDPA to keep in mind include the following:
- An Expansive Definition of Personal Information: Personal data is broadly defined, encompassing not only traditional identifiers like email addresses but also more contemporary data such as biometric information, online identifiers, citizenship, and precise geolocation data.
- Consumer Rights and Control: New Jersey consumers are given greater control over their personal data. Such individuals or households now have the right to know whether a controller processes and accesses the consumer’s personal data, what information is being collected about the consumer, how the collected information is being used, and to whom it is being disclosed. This transparency ensures that consumers can make informed decisions about sharing their data with businesses. The consumer also has the right to correct inaccuracies, delete personal data concerning the consumer, and obtain a copy of the consumer’s personal data being held.
- Opt-Out Mechanism: An opt-out mechanism allows consumers to refuse processing of their personal data for purposes of (a) targeted advertising; (b) the sale of personal data; or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. This opt-out feature ensures that individuals have the autonomy to decide who has access to their personal data.
- Opt-in Requirements: Controllers must obtain consent to process the sensitive data of consumers and any personal data concerning a known child to the extent required under the federal Children’s Online Privacy Protection Act (COPPA).
- Enhanced Data Security Requirements: Applicable business entities managing personal information are now obligated to implement reasonable security measures and to set and maintain administrative, technical, and physical data security practices to protect against unauthorized access, disclosure, and destruction of data.
- Consumer Non-Discrimination Feature: Businesses are prohibited from treating consumers who exercise their privacy rights differently from those consumers who do not exercise such rights. This feature of the law ensures that consumers opting for enhanced privacy protection are not penalized with inferior service or higher prices.
Impact on Affected Businesses:
While the NJDPA places additional responsibilities on businesses to protect consumer privacy, it also fosters a culture of accountability. Companies must adapt their data handling practices to comply with the new law in order to avoid potential legal and financial consequences. Below are some steps that companies can take to move toward compliance:
- Update Privacy Notices and Policies: Companies subject to the NJDPA are required to provide a privacy notice that describes the categories of personal data being processed, the purpose of processing, the categories of third parties to which personal data is disclosed, the categories of personal data shared with third parties, how consumers may exercise their rights and appeal a data rights request decision, how the company notifies consumers of material changes to the privacy notice, and to provide an email address or other online contact such as a web form or portal that the consumer may use to contact the business.
- Risk Assessments: Companies must conduct regular data protection assessments to identify and address vulnerabilities. The NJDPA explicitly requires such assessments when processing data that presents a heightened risk of harm to consumers. Such assessments must be on hand and ready to be presented to the New Jersey Attorney General upon request.
- Universal Opt-Out Mechanisms: The NJDPA prohibits a business from opting consumers in by default to the processing of personal data collected through such consumers’ interactions with the business for purposes of targeted advertising or sale of personal data. The consumer needs to be offered an affirmative option and an unambiguous choice to opt into or out of any processing of the consumer’s personal data. The NJDPA supports universal opt-out mechanisms for targeted advertising and consumer personal data sales. In addition, the new law broadens opt-outs to include user profiling, which is notably a first among state laws.
- Enforcement and Penalties: To ensure compliance, the NJDPA empowers the New Jersey Attorney General's office to enforce the law. Non-compliance can result in significant penalties, providing a strong incentive for businesses to adhere to the new privacy standards. The penalties serve as a deterrent, reinforcing the importance of prioritizing consumer privacy in today's data-driven landscape. A violation of the new law permits the NJ Attorney General to impose financial penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations. There is a 30-day right for businesses to cure violations.
Conclusion:
The NJDPA marks a significant milestone in New Jersey’s consumer privacy. The new law places additional responsibilities on companies collecting personal data while conducting business in New Jersey in an effort to protect New Jersey residents in an increasingly interconnected and data-centric world. Companies that come under the new law should consider updating their privacy policies, engage in regular independent data privacy assessments and risk assessments, ensure their privacy notice is compliant with the requirements of the new law, and review third-party data processor contracts to see if revisions are required. The NJDPA joins an ever-growing, state-enacted patchwork of privacy laws. Therefore, businesses should initiate steps to ensure compliance in order to avoid potential financial and business-related pitfalls.