The last couple of years have seen a wave of state privacy law proposals across the United States. As of 2018, only California had passed a comprehensive privacy law. By late 2022, the federal government and 29 states were playing the game, with even more getting in line. Among this deluge of legislation and bills is New Jersey Senate Bill 332 (SB 332).
On January 8, 2024, New Jersey achieved a significant milestone by passing the comprehensive data protection bill, Senate Bill 332 (SB 332), marking its entry as the 13th state in the U.S. to enact legislation safeguarding consumer personal information. Governor Philip Murphy now holds a 45-day window to sign SB 332 into law, with its effective date set for one year after the date of signature.
“New Jersey has long been a leader in data privacy,” stated Brandon Pugh, CIPP/US, CIPM, R-Street Institute Policy Director for Cybersecurity and Emerging Threats. He served as a legislative counsel to the New Jersey Assembly’s minority office from 2019-2021. Pugh highlighted, “Attempts to pass a state privacy law have been years in the making, and efforts have included hearings around and movement on bills addressing a comprehensive approach, as well as a range of narrower topics such as biometrics.”
What Does the NJ Privacy Bill Cover?
The New Jersey privacy law includes requirements for the disclosure and processing of personally identifiable information (PII) and shares common ground with the laws that are effective in many other states.
Regulation Scope: Who is Affected?
The New Jersey Data Protection Act (the Act) regulates individuals or entities referred to as “controllers” or “processors” conducting business in New Jersey or offering products/services to its residents. Controllers are regulated based on these two criteria:
- Process personal data of at least 100,000 consumers (excluding data processed solely for payment transactions).
- Process personal data of at least 25,000 consumers while deriving revenue or receiving discounts from data sales.
Protected Data Types
The Act protects the personal data of New Jersey residents (“consumers”) in individual or household contexts. Notably, it broadens the scope of “sensitive personal data” by incorporating consumer financial information, transgender or nonbinary status, and other elements. Unlike other data protection laws, it excludes business contact data or personal data associated with employees residing in New Jersey.
Consumer Rights
The Act grants consumers several rights over their personal data, including the right to confirm processing, access, correct inaccuracies, delete, and obtain a portable copy of their data. Consumers can opt out of data processing for sales, targeted advertising, or profiling, and controllers must respond to verified requests within 45 days, with a possible 45-day extension.
Controller Obligations
Controllers face various obligations under the Act, such as providing consumers with clear privacy notices, limiting data collection, implementing data security practices, and conducting data protection assessments for certain data processing activities. The Act emphasizes agreements with processors, the ability for consumers to revoke consent, and the establishment of an effective mechanism for such revocation.
Universal Opt-Out Mechanism
Within six months of the Act’s effective date, controllers processing data for targeted advertising or sales must implement a user-selected universal opt-out mechanism, requiring an affirmative act by the consumer.
Enforcement: Who Oversees Compliance?
The Office of the Attorney General exclusively enforces the Act, with the Division of Consumer Affairs authorized to develop rules. There’s no provision for private civil actions, and violations can incur penalties of up to $10,000 for the first and up to $20,000 for subsequent violations. The Act includes a 30-day cure period, expiring 18 months after its effective date.
Following is a List of The Main Points Stated in the Bill:
- A controller that collects PII may lawfully process the personally identifiable information only if at least one of the following applies:
- the consumer has given consent to the processing of the for at least one specific purpose
- processing is necessary for the performance of a contract to which the consumer is involved in, for compliance or legal obligation, to protect the consumer’s vital interest, and other necessary provisions.
- A controller that collects the personally identifiable information of a consumer is to notify a consumer concerning the processing of the information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
- The processing of personally identifiable information revealing racial or ethnic origin, political opinion, religious or philosophical belief, or trade union membership, and the processing of biometric data to uniquely identify a person, information concerning health or a person’s sexual history or orientation is to be prohibited except in certain circumstances provided in the bill.
- Consumers can obtain by any means from the controller rectification of inaccurate personally identifiable information. Also, a consumer can request to erase or restrict the processing of personally identifiable information. A controller should then notify third parties that handle this information of the request to correct, erase, or restrict it.
- Businesses covered by the law will need to implement appropriate technical measures to be able to demonstrate to the office that processing is performed in compliance with the bill.
- Processing by a processor is to be governed by a contract between a processor and controller that includes certain provisions provided in the bill.
- The bill requires a controller to conduct a data protection impact assessment before processing personally identifiable information.
- Violation of any part of the bill incurs a $10,000 fine for the first offense and a $20,000 for each subsequent offense.
How Does New Jersey’s Comprehensive Data Privacy Bill Stand Out?
New Jersey’s recent passage of Senate Bill 332 (SB 332) brings a unique flavor to the landscape of comprehensive state privacy laws in the U.S., diverging from common trends observed in other states. The bill, pending approval from Governor Phil Murphy, stands out in several key aspects:
- Scope
- SB 332’s scope covers entities processing data of at least 100,000 individuals or 25,000 individuals with revenue generated from data. Data processing “solely for completing a transaction” is excluded.
- Unlike other states, there’s no specified percentage requirement for revenue to lower the coverage threshold.
- Unique Definitions and Requirements:
- The bill features a broader definition of biometric data than other state laws.
- It introduces a distinctive requirement for a general notice when using cookies, pixels, or other tracking technology.
- Universal Opt-Out Mechanisms (UOOMs):
- Unlike some states that limit UOOMs to advertising and data sales, New Jersey extends this control to include profiling activities. Users can influence how their online profiles impact critical aspects of their lives, such as financial services, housing, education, and employment.
Understanding UOOMs:
Universal Opt-Out Mechanisms (UOOMs) serve as a means for individuals to exercise control over the usage of their personal data online. These mechanisms allow users to opt out of targeted advertising, the sale of their data, and, uniquely in New Jersey, profiling activities that can significantly influence decisions with legal or similar ramifications.
New Jersey’s comprehensive data protection bill introduces innovative elements and potential challenges, contributing to the evolving landscape of state privacy laws in the United States. The diverse features set it apart from conventional state frameworks, reflecting the state’s proactive stance on data privacy issues.
Impact of NJDPA on Small Businesses
The New Jersey Data Privacy Act (NJDPA) introduces significant compliance requirements that could particularly impact small and medium-sized businesses. Unlike other state privacy laws that often include revenue thresholds, NJDPA applies based solely on the volume of personal data processed. This means that even smaller enterprises with substantial amounts of consumer data may find themselves subject to its regulations.
For small businesses, the NJDPA’s broad applicability could present both operational and financial challenges. Companies that handle a large volume of personal data but have lower revenue may not have the same resources as larger firms to meet the law’s stringent requirements. Specifically, the need for:
- Detailed privacy notices outlining data processing practices.
- Data protection assessments for activities that pose a heightened risk.
- Explicit consent mechanisms for sensitive data processing.
can impose additional burdens on small businesses. These requirements necessitate updates to privacy policies and potentially costly investments in compliance systems and employee training.
To prepare, small businesses should consider:
- Conducting thorough data audits to understand their data processing activities and identify compliance gaps.
- Investing in affordable privacy management tools to streamline compliance efforts.
- Seeking advice from legal experts on how to efficiently meet NJDPA’s requirements without overextending their resources.
Federal Privacy Law on the Table, But Uncertain
In Washington DC, there is a continued push on lawmakers to protect consumer’s data privacy rights on a federal level, but the complexity of such a law likely will take a long time before the fog is cleared on political, economic, and legal grounds. New Jersey entities would be smart to prepare for the advent of new privacy and security obligations by updating data collection, processing, and storage policies to ease compliance with new laws that may come along soon.
Why Didn’t the ADPPA Pass?
The ADPPA (American Data Protection Privacy Act) which was voted out in July, 2022 and has been clinging to life since, has left US consumers agitated at the stagnant nature of such a historic, bipartisan initiative for consumer protection. One plausible explanation for the non-progres is that the most recent version of the ADPPA states that it would preempt any state laws that are “covered by the provisions” of the statute or its regulations. The preemption issue is at the crux of the battle for federal privacy laws, and state attorneys, including New Jersey, are strongly opposed to such a provision.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
Steps to Start Implementing NJ Privacy Law
- Organizations should update their privacy notices and policies to inform consumers, in plain and clear language, of what personal information is being collected, disclosed, and/or sold to other parties
- Covered entities should review processes for tracking and identifying data to better accommodate a consumer’s request to exercise its rights
- Review contract terms with relevant third parties to comply with statutory contracting obligations
- Update security practices to protect personal data
These procedures will help protect New Jersey businesses from potential legal and regulatory fines and make the transition to new compliance obligations easier should the federal government, the New Jersey legislature, or another state establishes comprehensive consumer privacy regulations.
How To Stay Informed on New Jersey Privacy Legislation?
Centraleyes is committed to update its readership on the status of the NJ DaTA as well as other state privacy laws that are on the horizon. There are NJ state resources on the subject as well.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days