New Jersey Data Privacy Act

What you need to know about the NJDPA:

To Whom Does NJDPA Apply?

NJDPA applies to entities that:

  1. Conduct business or provide products or services to residents of New Jersey (consumers), and 
  2. Annually control or process the PI of either:
    1. 100,000 unique residents, excluding personal information used solely for completing payment transactions; or
    2. 25,000 unique residents and derive revenue, or receive a discount on the price of any goods or services, from the sale of PI.

When Does NJDPA NOT Apply?

Exempt Entities: NJ offers limited entity-level exemptions, including:

  • State government entities;
  • GLBA-covered entities;
  • The secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii); and
  • Certain insurers.

Exempt Data: NJ also offers limited data-level exemptions, including:

  • PHI covered under HIPAA and processed by a covered entity or business associate;
  • Data covered by the Driver’s Privacy Protection Act;
  • Various forms of credit data regulated by the Fair Credit Reporting Act;
  • Data covered by the Common Rule.

Exempt Use Cases:

The NJDPA does not apply to individuals acting in an employment or commercial (B2B) context.

In addition, NJ specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of NJDPA

What Constitutes Personal Information?

The NJDPA covers “personal data,” also called personal information or PI, which New Jersey defines as “any information that is linked or reasonably linkable to an identified or identifiable person.”

The definition exempts de-identified data and information made publicly available by government records, the media, or the consumer.

What Constitutes Sensitive PI?

New Jersey’s definition of sensitive PI consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical condition, treatment, or diagnosis;
  • Sex life or sexual orientation;
  • Citizenship or immigration status;
  • PI about a known child;
  • Precise geolocation data;
  • Genetic or biometric data processed for identification purposes;
    • Notably, NJ’s definition of biometric data includes physical and behavioral characteristics, and data generated by “analysis” or “technological processing” such as facial mapping or facial geometry.
  • Status as transgender or nonbinary; and
  • Financial account login credentials, financial account, debit card, or credit card number in combination with any required security or access code, or password.

Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, New Jersey requires it to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with the NJDPA.

New Jersey is one of the few states that does not exempt pseudonymous data from privacy rights requests. The practical consequences of this are not yet clear.

Is Consent Needed to Process Sensitive Data?

In a word: YES!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13), in accordance with COPPA, and before processing PI of a minor aged 13 through 16 for the purposes of targeted advertising, sale, or profiling in furtherance of decisions with significant effects.

Consent is also required for secondary use of information that is neither necessary for nor compatible with the purpose of collection and has not been disclosed to the consumer in a notice.

What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • Categories of PI processed;
  • Business purpose for processing PI;
  • Categories of PI shared with third parties;
  • Categories of third parties with which PI is shared;
  • Methods for a consumer to exercise their privacy rights (see below) and appeal a rights decision;
  • Controller’s contact information (not in every law);
  • An active email address or other online way for a consumer to contact the company;
  • Description of the sale of PI, targeted advertising and/or profiling activities, including a procedure for opting out of the sale or processing;
  • The process by which the controller notifies consumers of material changes to their privacy notice; and
  • The effective date of the notice.

What Constitutes Sale of PI?

New Jersey defines “sale” to include exchange for monetary or other valuable consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger.

How Will the NJDPA Be Enforced?

The New Jersey Attorney General (AG) has sole enforcement authority. Under NJDPA, the AG may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s); the cure period will end in July of 2026. Penalties may include injunctive relief (the company must immediately stop certain behaviors) and/or fines; however, the amount is yet to be determined.

Notably, the law calls for the Attorney General’s Division of Consumer Affairs in the Department of Law and Public Safety to promulgate implementation regulations. New Jersey is only the third state to provide for such rulemaking.

Data Privacy is Just Good Business