The NJ Data Privacy Act takes effect tomorrow.
The New Jersey Data Privacy Act is set to take effect tomorrow, January 15. The NJDPA was signed into law by Gov. Phil Murphy (D) on January 16, 2024.
The NJDPA is similar to other state privacy laws, but with some unique caveats.
Who is subject to the NJDPA?
The NJDPA applies to certain “controllers” that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey. To be covered, the controller must do one of the following during a calendar year:
(1) control or process the personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or
(2) control or process the personal data of at least 25,000 consumers, and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.
A “controller” is defined as an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
“Sale” means sharing, disclosing, or transferring personal data for monetary or other valuable consideration by the controller to a third party. “Third party” also has a specific definition and does not include processors.
The following are not considered “sales” under the law: Disclosures to processors; disclosures to third parties to provide a product or service that the consumer requested; disclosure or transfer to an affiliate; disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or disclosure or transfer of personal data to a third party as an asset, such as part of a transaction in which the third party assumes control of all or part of the controller’s assets.
Unlike some other state privacy laws, the NJDPA does not specify a revenue percentage threshold for the statute to apply.
Exemptions
The NJDPA exempts certain organizations and information from the statute. These include the following:
- Organizations regulated by the Gramm-Leach-Bliley Act.
- State-regulated insurance providers.
- Personal data collected, processed, sold, or disclosed by a consumer reporting agency as authorized by the federal Fair Credit Reporting Act and implementing regulations.
- The sale of a consumer’s personal data by the New Jersey Motor Vehicle Commission that is permitted by the federal Drivers’ Privacy Protection Act of 1994.
- Any State agency, political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision.
- Protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules established in the Health Insurance Portability and Accountability Act of 1996. It is important to note that this does not provide an exception for entities regulated by HIPAA. This exemption applies only to protected health information.
Unlike many other state privacy laws, the NJDPA does not contain an exemption for non-profits.
Consumer rights
The NJDPA grants rights and protections to consumers regarding how their personal data is collected and used, including the right to do the following:
- Confirm whether a controller processes their personal data and to access that data.
- Correct inaccuracies in personal data, taking into account the nature of the information and the purposes of processing the information.
- Delete personal data concerning the consumer.
- Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Content of privacy notice
The NJDPA will require controllers to provide privacy notices that are reasonably accessible, clear, and meaningful to consumers. The notices must disclose the following information:
- The categories of the personal data that the controller processes.
- The purpose for processing personal data.
- The categories of all third parties to which the controller may disclose a consumer’s personal data.
- The categories of personal data that the controller shares with third parties, if any.
- How consumers may exercise their rights, including the controller’s contact information and information regarding how a consumer may appeal a controller’s decision with regard to the consumer’s request.
- The process by which the controller notifies consumers of material changes to the notification required to be made available under the law, along with the effective date of the notice.
- An active email address or other online mechanism that the consumer may use to contact the controller.
If a controller sells personal data to third parties or engages in certain processing activities, it must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out. “Processing activities” includes processing personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Other controller obligations
Like many other state privacy laws, the NJDPA also requires controllers to do the following:
- Limit personal data collection to what is adequate, relevant, and reasonably necessary in relation to the purposes for data processing disclosed to the consumer.
- Take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition.
- Provide consumers with mechanisms to revoke consent, including timelines for implementing a user-selected universal opt-out mechanism when required.
- Comply with obligations related to consumer requests.
- Enter into written contracts with processors with required terms and require subcontractors to do the same.
- In some circumstances, conduct data protection assessments before processing.
Unlike many other state privacy laws, the NJDPA prohibits controllers from processing that would present a heightened risk of harm to a consumer unless the controller first conducts and documents a data protection assessment of each personal data processing activity. Activities with heightened risks include targeted advertising; profiling with certain foreseeable risks, such as unfair and deceptive treatment, among others; and selling and processing sensitive personal data.
“Sensitive personal data” includes information about a consumer’s racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which includes a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or precise geolocation data. It also includes personal data collected from a known child.
Enforcement
Although there is no private right of action under the NJDPA, the New Jersey Division of Consumer Affairs will be able to bring enforcement actions. For the next 18 months, before bringing an enforcement action, the Division of Consumer Affairs must first issue a notice to the controller if a cure is deemed possible. The law states that an enforcement action may be brought within 30 days after the controller receives notice of alleged noncompliance from the division.
Beyond New Jersey
As of January 1, new data privacy laws took effect in Delaware (Delaware Personal Privacy Act), Iowa (Iowa Consumer Data Protection Act), Nebraska (Nebraska Data Privacy Act), and New Hampshire (currently SB 255). As noted above, New Jersey’s law will take effect on Wednesday.
Later this year, data privacy laws will take effect in Tennessee (Information Protection Act, effective July 1), Minnesota (Consumer Data Privacy Act, effective July 31), and Maryland (Online Data Privacy Act, effective October 1).
And three more data privacy laws are scheduled to take effect January 1, 2026. These are the Indiana Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, and the Rhode Island Data Transparency and Privacy Protection Act.
Companies should review their privacy programs to ensure that they are in compliance with these new laws (as applicable) as well as other laws that provide consumers with personal data rights. Consumer rights may include the right to access, amend, limit, or opt out of certain uses. Companies should also ensure that they are in compliance with current versions of data privacy laws in the following states: California, Colorado, Connecticut, Florida*, Montana, Nevada**, Oregon, Texas, Utah, and Virginia.
*Florida has a “comprehensive” data privacy law, but it applies only to a limited group of controllers.
**Nevada’s privacy law, the first of its kind in the United States, requires only privacy notices and opt-out rights.
Please note that other states have data privacy laws, but the states specifically identified in this article have “comprehensive” data privacy laws, meaning that they
- Impose compliance obligations for controllers, businesses, and data owners, and their processors, service providers, and contractors, and
- Provide individuals with privacy rights, such as a right to access, amend or correct, delete, opt out, or transfer their data.
The Constangy Cyber Team assists businesses of all sizes and industries with compliance needs. If you would like additional information on how to prepare your organization for privacy compliance, including compliance with the NJDPA, please contact us at cyber@constangy.com.
Matthew Basilotto, Attorney: Matthew Basilotto is a member of the Constangy Cyber Team and is based near Warren, New Jersey. As a member of our rapid response team, Matthew assists clients in responding to a variety of cyberattacks including ransomware, business ...
Melissa Sachs, Partner: Melissa Sachs, CIPP/US, CIPP/E, is a Partner and member of the Constangy Cyber Team based in Philadelphia. With a focus in privacy law, she brings extensive experience providing both incident response and proactive compliance ...