New Jersey’s Privacy Law
The New Jersey Data Privacy Act (NJDPA) is the nation’s fourteenth comprehensive consumer privacy law. The NJDPA goes into effect January 16, 2025.
What You Need to Know About NJDPA
NJDPA applies to you if your business:
- conducts business in New Jersey or provides products or services to New Jersey residents (“consumers”), and
- controls or processes personal data during a calendar year, either:
  - of at least 100,000 individuals (except for data processed solely for completing a payment transaction), or
  - of at least 25,000 New Jersey consumers, where the business also derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
- Exempt Data: (a) PHI covered under HIPAA and processed by a covered entity or business associate, (b) consumers’ personal data held by the NJ Motor Vehicle Commission, (c) FCRA-covered data, and (d) data covered by the Common Rule.
- Exempt Entities: NJ offers only limited entity-wide exemptions, including: (a) GLBA-covered financial institutions, (b) the secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii), (c) certain insurers covered under NJ law, and (d) government agencies and divisions.
- Context: New Jersey has very few exemptions, fewer than most other states, at both the data and the entity level.
- Review and update your Privacy Notice to specify the purpose for collection of personal data.
- Review whether you process sensitive personal data, which here includes status as transgender or nonbinary. Uniquely, financial information such as account numbers, log-in credentials, or other access information is also covered. Be sure you have appropriate consent.
- Implement or update your process for receiving and responding to Individual Rights Requests (including appeals).
- Create or update Data Protection Assessments (or Privacy Impact Assessments, if completed for GDPR).
- Ensure that your vendor contracts include appropriate privacy protections.
- Update your technology so that you can recognize universal opt-out mechanisms, such as the Global Privacy Control (GPC).
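The last item in the checklist, recognizing a universal opt-out mechanism, is the one with a concrete technical shape. As an added illustration (not code from the original post or from Red Clover Advisors), the block below shows how a site can detect the Global Privacy Control signal and translate it into a processing decision. The two detection points are the ones the GPC specification defines: supporting browsers send the HTTP request header `Sec-GPC: 1` and expose `navigator.globalPrivacyControl === true`. The `processingDecision` policy object, the purpose names, and the sample requests are assumptions constructed for this example; only the exact header value `"1"` and the boolean `true` are treated as an opt-out, and a missing or malformed signal is treated as “no signal”, never as consent.

```javascript
// Added example: detect the Global Privacy Control (GPC) universal opt-out
// and apply it to the opt-out purposes the post lists (sale, targeted
// advertising, profiling). The policy shape is this example's assumption.

// Server side: `headers` is a plain object of request headers, as Node's
// http.IncomingMessage.headers exposes them (keys lower-cased). The lookup
// is made case-insensitive anyway so the helper works with other frameworks.
function gpcHeaderOptOut(headers) {
  if (!headers || typeof headers !== "object") return false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      // Some frameworks surface repeated headers as arrays; use the first.
      const v = Array.isArray(value) ? value[0] : value;
      // Per the GPC spec only the value "1" carries an opt-out preference.
      return typeof v === "string" && v.trim() === "1";
    }
  }
  return false; // header absent: no preference expressed
}

// Client side: `nav` is the browser's navigator object, injected as a
// parameter so the check can be exercised outside a browser.
function gpcNavigatorOptOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Turn the signal into a per-purpose decision. Purposes that NJDPA lets a
// consumer opt out of are withheld when GPC is present; ordinary service
// delivery is unaffected. The `reason` field is kept for the audit trail
// your rights-request process should maintain (assumed field name).
function processingDecision(headers, nav) {
  const optedOut = gpcHeaderOptOut(headers) || gpcNavigatorOptOut(nav);
  return {
    optedOut,
    sale: !optedOut,
    targetedAdvertising: !optedOut,
    profiling: !optedOut,
    serviceDelivery: true,
    reason: optedOut ? "universal opt-out (GPC) received" : "no opt-out signal",
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  {
    label: "browser with GPC enabled",
    headers: { "sec-gpc": "1", "user-agent": "example" },
    nav: { globalPrivacyControl: true },
  },
  { label: "no signal", headers: { "user-agent": "example" }, nav: {} },
  {
    label: "header present but not an opt-out",
    headers: { "Sec-GPC": "0" },
    nav: { globalPrivacyControl: false },
  },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(r.label, processingDecision(r.headers, r.nav));
}
```

The decision function is deliberately one-directional: a GPC signal can only remove purposes, and its absence restores nothing that a consumer has already opted out of through your rights-request process, so the result should be combined with any stored opt-out record rather than replace it.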
Key Components of NJDPA
New Jersey’s definition of Personal Data is relatively standard, “any information that is linked or reasonably linkable to an identified or identifiable person.” Like many other states, there is an exception for de-identified and publicly available data.
Like many of the recently enacted state privacy laws, New Jersey expands the definition of sensitive data beyond what we previously knew. It keeps the usual elements, such as:
- racial or ethnic origin;
- religious beliefs;
- mental or physical condition, treatment, or diagnosis;
- sex life or sexual orientation;
- citizenship or immigration status (introduced by several recent state laws);
- personal data about a known child;
- geolocation data that directly identifies the specific location of an individual with precision and accuracy within a radius of 1750 feet. It does not include the content of communications, or any data generated by or connected to advanced utility metering infrastructure system or equipment for use by a utility (note the addition of specific language and distance for what geolocation data is);
- genetic or biometric data (differing from other laws, NJ includes physical and behavioral characteristics, and data generated by “analysis” or “technological processing” such as facial mapping or facial geometry).
NJDPA adds:
- status as transgender or nonbinary; and
- financial information, which includes a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.
In a word: Yes!
Parental consent is required to process Personal Data about a known child (under 13) in accordance with COPPA, and data subject consent is required to sell the Personal Data of a person between the ages of 13 and 15 or use it for targeted advertising.
Under the new New Jersey privacy law, a Privacy Notice must include:
- the categories of personal data that are processed;
- the purpose for processing personal data;
- the categories of third parties with which personal data is shared;
- the categories of personal data that are shared with third parties;
- how a consumer may exercise their rights (see below) and appeal a decision not to fulfill a request;
- the controller’s contact information (not in every law);
- an active email address or other online way for a consumer to contact the company;
- the process by which the controller notifies consumers of material changes to the privacy notice, as well as the effective date of the notice (not in every law);
- a disclosure if the controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling, together with a procedure for opting out of processing for these purposes.
New Jersey follows Oregon and many other states in defining ‘sale’ to include exchange for monetary or other valuable consideration.
As in most states, including Utah, Virginia, Colorado, Connecticut, Montana, Iowa, Tennessee, and Indiana, the state Attorney General has sole enforcement authority. Under NJDPA, the Attorney General may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s); the cure period will end in July of 2026. Actions can seek injunctive relief (the company must immediately stop certain behaviors) and/or civil penalties, though the dollar amount is not yet determined.
Regulations: Notably, the law calls for the Attorney General’s Division of Consumer Affairs in the Department of Law and Public Safety to promulgate implementation regulations. New Jersey is only the third state to provide for such rulemaking.
Individual Rights
The Individual Rights created under NJDPA generally align with those provided under other state laws. If NJDPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing their personal data;
- Correct inaccuracies in personal data they provided;
- Delete personal data;
- Get a copy of certain personal data (data portability);
- Opt-out of the sale of personal data and processing for profiling and targeted advertising.
New Jersey requires that businesses respond to individual rights requests within 45 days of receipt (unless the business has been unable to authenticate a request), with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once a year. If the business declines to take a requested action, the business must notify the consumer. You should provide instructions for appeal.
As we have seen with other recent state privacy laws, including Montana, Iowa, and Tennessee, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. In New Jersey, businesses must respond to appeals within 45 days of receipt and, if denying an appeal, must provide or specify information that enables the consumer to contact the relevant government authority. In practice, communicate in the manner you already have been using with the consumer (i.e., do not communicate only via email and then send the government contact information via snail mail).
Unlike Virginia, Montana, Iowa, Tennessee, and Indiana, New Jersey does not mention pseudonymous data. Nonetheless, it does exempt de-identified data from the consumer rights.
Privacy Impact Assessments
Like many of the recent state privacy laws, including Virginia, Connecticut, Montana, Tennessee, and Indiana, NJDPA requires that regulated businesses conduct Data Protection or Privacy Impact Assessments. In a twist, the circumstances under which businesses must complete Assessments slightly depart from these other laws, with New Jersey requiring that such an assessment occur prior to processing data that presents a heightened risk of harm.
New Jersey requires assessments for activities created or generated after January 16, 2025, that present a heightened risk of harm, specifically including:
- Processing for targeted advertising;
- Processing sensitive data;
- Selling personal data;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
  - unfair or deceptive treatment or unlawful disparate impact on consumers;
  - financial or physical injury to consumers;
  - physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
  - other substantial injury.
Vendor Contracts
Like the laws of Iowa, Montana, Tennessee, Indiana, and many other states, New Jersey requires a contract that dictates what vendors must do with respect to processing personal data. Contracts must set out instructions for processing data, the nature and purpose of processing, the type of data that is subject to processing, and the duration of processing, and must specify the rights and obligations of both parties. In addition, the contract must require that the processor:
- ensure that each person who processes personal data is subject to a duty of confidentiality;
- delete or return all personal data at the controller’s direction or when it has completed the services, unless retention of the personal data is required by law;
- make available all information necessary to demonstrate the processor’s compliance with its obligations;
- make itself available for audits by the controller, or arrange for an independent auditor to review its policies and practices, and provide a report of the assessment to the controller; and
- pass along the same obligations to any subcontractor in a written contract.
Business Friendly Exceptions
Like the most recent state laws, including the laws in Colorado, Connecticut, Montana, Iowa, Tennessee, and Indiana, NJDPA specifies that it should not be construed to restrict a business’s collection, use, or retention of personal data for:
- conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- product recalls;
- identifying and repairing technical errors that impair existing or intended functionality; and
- performing internal operations.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.