New Jersey Data Privacy Act (S332):Key Insights on the New Privacy Law

What is the New Jersey Data Privacy Act?

The New Jersey Consumer Data Privacy Bill, also known as Senate Bill 332, is the state's comprehensive data privacy act. It is similar to the consumer privacy laws of other US states, imposing similar obligations on businesses and granting comparable consumer privacy rights.

To Whom Does This Comprehensive Data Privacy Law Apply?

During a calendar year, controllers conducting business in New Jersey or producing products or services targeted at state residents are subject to the law.

• Control or process the personal data of at least 100,000 consumers, excluding data processed solely to complete a payment transaction; or
• Control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.

Exemptions include:

• Non-profits
• Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
• Health data covered under HIPAA and HITECH
• Secondary market institutions
• Insurance companies
• Personal information covered by the FCRA

What is Personal Data Under the New Jersey State Privacy Law?

Personal data is any piece of information that is linked to an individual and could be used to identify them. This definition aligns with global data protection standards, encompassing names, email addresses, IP addresses, purchase histories, and other identifiable information.

What is Sensitive Data Under This Law?

The definition of sensitive data includes:

• Personal data revealing racial or ethnic origin, religious beliefs, or mental or physical health condition, treatment, or diagnosis
• Financial information, including a consumer’s account number, account log-in, financial account, or credit/debit card number, along with any required security code, access code, or password permitting access to a consumer’s financial account
• Sex life or sexual orientation
• Citizenship or immigration status
• Status as transgender or non-binary
• Genetic or biometric data that may uniquely identify an individual
• Personal data collected from a known child
• Precise geolocation data

Sensitive data has a specific regime under New Jersey law. If you process these categories of data, you may need to obtain consent for processing and conduct a data protection impact assessment.

What Duties Do Data Controllers Have Under the New Jersey Comprehensive Privacy Law?

Businesses that collect personal data for processing must:

• Collect only the minimum amount of data necessary for processing purposes.
• Not process personal data for purposes that are neither reasonably necessary nor compatible with the purposes disclosed to the consumer unless the controller obtains the consumer’s consent.
• Implement administrative, technical, and physical data security practices.
• Collect consent for processing sensitive or children’s data and provide mechanisms for revoking consent.
• Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
• Not process a child’s personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer’s consent, where the controller has actual knowledge or willfully disregards that the consumer is at least 13 years old but younger than 17.
• Specify the express purposes for which personal data is processed.
• Conduct a data protection impact assessment where necessary.
• Ensure that they have written agreements with service providers for the processing of data.

What are the duties of service providers?

Processors must:

• Comply with the controller’s instructions for data processing.
• Assist the controller in meeting its obligations under the law.
• Take appropriate technical and organizational measures, insofar as possible, to fulfill the controller’s obligation to respond to consumer requests.
• Help the controller meet any data security requirements.
• Provide information to the controller to conduct and document any data protection assessments.
• Keep the data confidential.
• Engage subcontractors only based on a written contract requiring that the subcontractor meets the requirements imposed on the service provider.

What Should the Contracts Between Controllers and Service Providers Contain?

A written data processing agreement between the controller and the service provider must govern data processing. The contract must include at least:

• The processing instructions to which the processor is bound, including the nature and purpose of processing New Jersey residents' data.
• The type of personal data subject to processing and the duration of the processing.
• The duty of the service provider to assist the controller in proving compliance and conducting data protection impact assessments.
• The requirement for the service provider to delete all processed personal data upon the controller's request.

What is the NJCDPB Privacy Policy?

A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes, at a minimum:

• The categories of personal data that the controller processes.
• The purpose for processing personal data.
• The categories of all third parties to which the controller may disclose a consumer’s personal data.
• The categories of personal data the controller shares with third parties, if any.
• Instructions on how consumers may exercise their rights, including the controller’s contact information and how to appeal a controller’s decision regarding the consumer’s request.
• The process by which the controller notifies consumers of material changes to the notice, along with the effective date of the notice.
• An active email address or other online mechanism that consumers may use to contact the controller.

If a controller sells personal data to third parties or processes personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller must disclose such sale or processing and how consumers may exercise the right to opt out of such sale or processing. This is the required minimum, and additional information may be added.

What is the Sale of Personal Information?

The NJCDPB defines the sale of personal information as the "sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party."

The definition does not include:

• Disclosure of personal data to a processor that processes data on the controller’s behalf.
• Disclosure of personal data to a third party to provide a product or service requested by the consumer.
• Disclosure or transfer of personal data to an affiliate of the controller.
• Disclosure of personal data that the consumer has intentionally made available to the general public through mass media and has not restricted to a specific audience.
• Disclosure or transfer of personal data to a third party as part of a merger, acquisition, bankruptcy, or other transaction where the third party assumes control of part or all of the controller’s assets.

Consumers have the right to opt out of the sale of personal information upon request. If such a request is received, the law requires compliance.

What Consumer Rights Do NJ Consumers Have, and How Can They Exercise Them?

New Jersey consumers have the right to:

• Confirm whether a controller processes their personal data and access it, excluding trade secrets.
• Correct inaccuracies in their personal data.
• Delete their personal data.
• Data portability.
• Opt out of processing personal data for: Targeted advertising. The sale of personal data. Profiling in furtherance of decisions that have legal or similarly significant effects.

Controllers must establish channels for exercising consumer rights, such as email addresses, contact forms, or toll-free numbers. Under New Jersey privacy provisions, they have 45 days to respond to a request, with a possible 45-day extension if necessary.

What Is the Right to Opt-Out?

The right to opt-out allows consumers to require a controller to:

• Not sell their personal information.
• Not process their data for targeted advertising.
• Not profile them or use their data for automated decision-making.

The Division of Consumer Affairs in the Department of Law is expected to pass rules on how consumers may opt out. Businesses must honor universal opt-out mechanisms and provide an opt-out link on their websites.

Universal Opt-Out Mechanisms

Controllers are required to respect universal opt-out mechanisms, which send signals to websites indicating the consumer's wish to opt out. Controllers must honor these signals and, once technology permits, also respect opt-outs for targeted advertising.

Data Protection Impact Assessments

Data protection impact assessments (DPIAs) evaluate the benefits and risks of processing personal data, balancing these against potential risks to consumer rights. Risks should be minimized using appropriate safeguards.

Businesses must conduct a DPIA if they:

• Sell personal data.
• Process sensitive data.
• Process data for targeted advertising or profiling.

Controllers must make these assessments available to the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety when requested. These assessments are confidential and not open to public inspection. Sharing an assessment with the Division does not waive legal protections, such as attorney-client privilege.

Enforcement and Penalties: What is the Cure Period Under the New Jersey Data Protection Act?

The New Jersey Attorney General will enforce the New Jersey consumer data privacy legislation. For the first 18 months after the law's effective date, businesses may be given a 30-day cure period for violations. After this period, each violation will be subject to penalties.