



Learn everything about NJ's new privacy law S332: scope, requirements, consumer rights, and compliance deadlines. Essential guide for businesses handling NJ residents' data.
New Jersey is the 13th US state to pass a comprehensive privacy bill. With S332, it joins the other US states that have data protection laws.
The law was passed in January 2024. It will take effect 365 days after it receives the governor's signature, which means it will start being enforced in early 2025. In this article, we'll dive into the most important details of the law.
The New Jersey Consumer Data Privacy Bill, also known as Senate Bill 332, is the state's comprehensive data privacy act. It is similar to the consumer privacy laws of other US states, imposing similar obligations on businesses and granting comparable consumer privacy rights.
During a calendar year, controllers conducting business in New Jersey or producing products or services targeted at state residents are subject to the law.
Exemptions include:
Personal data is any piece of information that is linked to an individual and could be used to identify them. This definition aligns with global data protection standards, encompassing names, email addresses, IP addresses, purchase histories, and other identifiable information.
The definition of sensitive data includes:
Sensitive data has a specific regime under New Jersey law. If you process these categories of data, you may need to obtain consent for processing and conduct a data protection impact assessment.
Businesses that collect personal data for processing must:
Processors must:
A written data processing agreement between the controller and the service provider must govern data processing. The contract must include at least:
A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes, at a minimum:
If a controller sells personal data to third parties or processes personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller must disclose such sale or processing and how consumers may exercise the right to opt out of such sale or processing. This is the required minimum, and additional information may be added.
The NJCDPB defines the sale of personal information as the "sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party."
The definition does not include:
Consumers have the right to opt out of the sale of their personal information upon request. When a controller receives such a request, the law requires it to comply.
New Jersey consumers have the right to:
Controllers must establish channels for exercising consumer rights, such as email addresses, contact forms, or toll-free numbers. Under New Jersey privacy provisions, they have 45 days to respond to a request, with a possible 45-day extension if necessary.
The right to opt-out allows consumers to require a controller to:
The Division of Consumer Affairs in the Department of Law is expected to pass rules on how consumers may opt out. Businesses must honor universal opt-out mechanisms and provide an opt-out link on their websites.
Controllers are required to respect universal opt-out mechanisms, which send signals to websites indicating the consumer's wish to opt out. Controllers must honor these signals and, once technology permits, also respect opt-outs for targeted advertising.
Data protection impact assessments (DPIAs) weigh the benefits of processing personal data against the potential risks to consumer rights. Risks should be minimized using appropriate safeguards.
Businesses must conduct a DPIA if they:
Controllers must make these assessments available to the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety when requested. These assessments are confidential and not open to public inspection. Sharing an assessment with the Division does not waive legal protections, such as attorney-client privilege.
Enforcement and Penalties: What is the Cure Period Under the New Jersey Data Protection Act?
The New Jersey Attorney General will enforce the New Jersey consumer data privacy legislation. For the first 18 months after the law's effective date, businesses may be given a 30-day cure period for violations. After this period, each violation will be subject to penalties.