New Jersey Data Privacy Act
The New Jersey Data Privacy Act (NJDPA) is the nation’s fourteenth comprehensive consumer privacy law and most closely follows the Washington Privacy Act model. The law provides for the creation of supporting regulations, and includes unique aspects in its definitions and in its consent obligations for children, as well as limited exemptions. The NJDPA effective date is January 16, 2025.
What you need to know about the NJDPA:
NJDPA applies to entities that:
- Conduct business or provide products or services to residents of New Jersey (consumers), and
- Annually control or process the PI of either:
- 100,000 unique residents, excluding personal information used solely for completing payment transactions; or
- 25,000 unique residents, where the entity derives revenue, or receives a discount on the price of any goods or services, from the sale of PI.
Exempt Entities: NJ offers limited entity-level exemptions, including:
- State government entities;
- GLBA-covered entities;
- The secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii); and
- Certain insurers.
Exempt Data: NJ also offers limited data-level exemptions, including:
- PHI covered under HIPAA and processed by a covered entity or business associate;
- Data covered by the Driver’s Privacy Protection Act;
- Various forms of credit data regulated by the Fair Credit Reporting Act; and
- Data covered by the Common Rule.
Exempt Use Cases:
The NJDPA does not apply to individuals acting in an employment or commercial (B2B) context.
In addition, NJ specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality; and
- Performing internal operations.
Key Components of NJDPA
The NJDPA covers “personal data,” also called personal information or PI, which New Jersey defines as “any information that is linked or reasonably linkable to an identified or identifiable person.”
The definition excludes de-identified data and publicly available information, meaning information lawfully made available through government records, widely distributed media, or by the consumer.
New Jersey’s definition of sensitive PI consists of:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical condition, treatment, or diagnosis;
- Sex life or sexual orientation;
- Citizenship or immigration status;
- PI about a known child;
- Precise geolocation data;
- Genetic or biometric data processed for identification purposes;
- Notably, NJ’s definition of biometric data includes both physical and behavioral characteristics, and extends to data generated by “analysis” or “technological processing” of those characteristics, such as facial mapping or facial geometry.
- Status as transgender or nonbinary; and
- Financial account login credentials, financial account, debit card, or credit card number in combination with any required security or access code, or password.
Where a controller processes de-identified data, New Jersey requires it to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with the NJDPA.
New Jersey is one of the few states that does not exempt pseudonymous data from privacy rights requests. The practical consequences of this are not yet clear.
Is consent required? In a word: YES!
Parental consent is required to process PI about a known child (under 13), in accordance with COPPA. Separately, the consumer’s own consent is required before processing the PI of a minor the controller knows to be age 13 through 16 for the purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Consent is also required for any secondary use of PI that is neither necessary for, nor compatible with, the purpose for which it was collected and that has not been disclosed to the consumer.
A privacy notice must include:
- Categories of PI processed;
- Business purpose for processing PI;
- Categories of PI shared with third parties;
- Categories of third parties with which PI is shared;
- Methods for a consumer to exercise their privacy rights (see below) and appeal a rights decision;
- The controller’s contact information (a requirement not found in every state law);
- An active email address or other online mechanism a consumer can use to contact the controller;
- Description of the sale of PI, targeted advertising and/or profiling activities, including a procedure for opting out of the sale or processing;
- The process by which the controller notifies consumers of material changes to their privacy notice; and
- The effective date of the notice.
New Jersey defines “sale” to include exchange for monetary or other valuable consideration.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger.
The New Jersey Attorney General (AG) has sole enforcement authority. Under the NJDPA, the AG may bring an enforcement action after providing 30 days’ notice and an opportunity for the business to cure the alleged violation(s); this right to cure sunsets in July 2026. Penalties may include injunctive relief (the company must immediately stop certain behaviors) and/or fines; the fine amounts have not yet been determined.
Notably, the law calls for the Attorney General’s Division of Consumer Affairs in the Department of Law and Public Safety to promulgate implementation regulations. New Jersey is only the third state to provide for such rulemaking.
Privacy Rights
The privacy rights created under NJDPA generally align with those provided under other state laws. If NJDPA applies to your business, you must provide the following privacy rights to consumers:
- Right to know whether a business is processing your PI;
- Right to access PI;
- Right to correct inaccuracies in PI;
- Right to delete PI about them;
- Right to obtain a copy of PI (data portability); and
- Right to opt out of the sale of PI, processing for targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
New Jersey requires that businesses respond to individual rights requests within 45 days of receipt, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once per consumer per year. Businesses may deny a rights request in certain circumstances, including an inability to verify the identity of the requestor. When a business denies a request, it must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.
Universal Opt Out
New Jersey requires that controllers recognize universal opt-out signals. A universal opt-out mechanism, such as Global Privacy Control (GPC), is a technical standard that lets a user automatically communicate a privacy preference, such as opting out of the sale of their PI, to every website they visit through their web browser or another technology, rather than opting out site by site.
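To make the universal opt-out concrete, the following is an added example (not code from the original article or from Red Clover Advisors) of how a web backend recognizes the Global Privacy Control signal. Under the GPC specification a conforming browser sends the request header `Sec-GPC: 1` (the in-page equivalent is `navigator.globalPrivacyControl`), and a site may announce support at `/.well-known/gpc.json`. The function names, the preference model, and the sample requests are assumptions constructed for this example.

```javascript
// Added example: server-side recognition of the Global Privacy Control (GPC)
// signal. Only the header "Sec-GPC: 1" is a signal under the GPC spec; the
// function names, preference model and sample requests below are constructed
// for this example and are not taken from the statute or the original article.

// Purposes the GPC signal opts the consumer out of (assumed mapping).
const OPT_OUT_PURPOSES = ["sale", "targeted_advertising"];

// Returns true only for the exact value "1". HTTP header names are
// case-insensitive, so normalise before comparing; any other value is ignored.
function gpcOptOutRequested(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Merge the browser signal with the consumer's stored choice (or null).
// The signal can only add opt-outs; it never removes an opt-out the consumer
// made explicitly through the site's own controls.
function resolvePreferences(headers, stored) {
  const optOut = new Set(stored ? stored.optOut : []);
  let source = stored ? "stored" : "default";
  if (gpcOptOutRequested(headers)) {
    for (const purpose of OPT_OUT_PURPOSES) optOut.add(purpose);
    source = stored ? "stored+gpc" : "gpc";
  }
  return { optOut: [...optOut].sort(), source };
}

// Gate a processing purpose (e.g. handing an identifier to an ad partner)
// on the resolved preferences for this request.
function mayProcess(purpose, headers, stored) {
  return !resolvePreferences(headers, stored).optOut.includes(purpose);
}

// Response body for GET /.well-known/gpc.json, the spec's support declaration.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests showing the cases a backend must distinguish.
const samples = [
  { name: "gpc browser", headers: { "Sec-GPC": "1", "User-Agent": "x" } },
  { name: "lowercased by proxy", headers: { "sec-gpc": "1" } },
  { name: "non-signal value", headers: { "Sec-GPC": "0" } },
  { name: "no header", headers: {} },
];
for (const s of samples) {
  console.log(s.name, resolvePreferences(s.headers, null));
}
```

The check is deliberately strict: a missing header or any value other than `1` is not an opt-out, while the header is honored regardless of case because proxies and frameworks routinely lowercase header names. Keeping the stored explicit opt-outs and only adding to them avoids the failure mode where a browser without GPC silently re-enables processing the consumer had already opted out of.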
Privacy Impact Assessments
NJDPA requires that regulated businesses conduct data protection or privacy impact assessments. Uniquely, New Jersey specifies that such an assessment must occur prior to processing data that presents a heightened risk of harm.
New Jersey requires assessments for activities created or generated after January 16, 2025, that present a heightened risk of harm, specifically including:
- Processing for targeted advertising;
- Processing sensitive data;
- Selling PI;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
- Unfair or deceptive treatment or unlawful disparate impact on consumers;
- Financial, or physical injury to consumers;
- Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
- Other substantial injury.
Vendor Contracts
NJDPA requires that organizations have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:
- Instructions for processing PI;
- The nature and purpose of processing;
- Type of data that is subject to processing;
- The duration of processing;
- A duty of confidentiality for individuals who process the PI;
- Security obligations;
- Obligation to delete or return all PI at the controller’s direction or once the services are complete, unless retention of the PI is required by law;
- Obligation to make available all information necessary to demonstrate the vendor’s compliance with its obligations;
- Cooperation with audits by the controller or an independent auditor; and
- Flow-down of the same obligations to any subcontractor through a written contract.
Data Minimization
New Jersey limits the collection of PI “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” Where processing is not necessary or compatible with the purpose for collection, organizations must obtain consumers’ consent for the processing.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.