On January 16, 2024, New Jersey became the thirteenth state to enact a comprehensive data privacy law, named the New Jersey Data Privacy Act (the “NJDPA”).

The NJDPA, which will take effect on January 15, 2025, includes some provisions that are different from other data privacy laws, thereby requiring entities that fall within its scope to examine their compliance obligations with respect to those provisions.

Applicability and Scope

  • Unlike California and Utah, but similar to most other state comprehensive data privacy laws, the NJDPA does not have a revenue threshold.
  • The NJDPA applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and that during a calendar year either: (1) control or process the personal data of at least 100,000 New Jersey residents, excluding personal data processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of at least 25,000 New Jersey residents and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
  • The NJDPA will apply to nonprofit organizations that meet the applicability thresholds.
  • Unlike California, but similar to most other state comprehensive data privacy laws, the NJDPA does not apply to employees or business-to-business contacts.
  • The NJDPA contains data-level exemptions for de-identified data, personal health information (PHI) regulated by HIPAA, an entity-level exemption for financial institutions regulated under Gramm-Leach-Bliley (GLBA), and some exemptions seen in other state data privacy laws.  However, the NJDPA does not include certain other common exemptions, such as those for educational data subject to the Family Educational Rights and Privacy Act (FERPA), or data processed by nonprofit institutions.

Privacy Policy for Controllers

  • Similar to other data privacy laws, the NJDPA requires the controller to provide an accessible, clear, and meaningful privacy notice that outlines various categories of information regarding the controller’s data collection, use and disclosure practices, as well as rights that New Jersey residents can exercise.
  • Interestingly, the NJDPA also requires that the privacy policy provide:
    • The express purpose for the processing of the personal data; and
    • The process by which the controller notifies consumers of material changes to the privacy notice.  Most states with comprehensive data privacy laws do not have this express requirement.

Processors

  • Processing by a processor must be governed by a contract between the controller and the processor.
  • Among other things, processors are required to adhere to the instructions of the controller and assist the controller in meeting its obligations.

Consumer Rights.

  • Similar to other laws, New Jersey residents have various rights.  Subject to certain exceptions, they include:
    • Confirming whether a controller processes and has access to the consumer’s personal data;
    • Correcting inaccuracies in the consumer’s personal data;
    • Deleting the consumer’s personal data;
    • Obtaining a copy of the consumer’s personal data; and
    • Opting out of the processing of the consumer’s personal data for the purposes of targeted advertising, sale of personal data or profiling.
  • After a short grace period, the NJDPA allows consumers to use universal opt-out mechanisms to exercise their opt out rights.

Sensitive Personal Data

The NJDPA requires that a controller not process sensitive data (e.g., race, religion, health, financial information, citizenship and children’s data) concerning a consumer without first obtaining the consumer’s consent.  In the case of the processing of personal data concerning a known child, the controller must process such data in accordance with the federal Children’s Online Privacy Protection Act.

Data Protection Assessments

  • The NJDPA prohibits the processing of personal data that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment.
  • Heightened risk of harm includes processing personal data for targeted advertising, selling personal data and processing personal data for profiling.

Enforcement

  • The Office of the Attorney General will have sole and exclusive authority to enforce a violation of the NJDPA.
  • Importantly, there is no private right of action available to consumers.