New Jersey Privacy Act: What to Expect

The last couple of years have seen a wave of state privacy law proposals across the United States. As of 2018, only California had passed a comprehensive privacy law. By 2022, the federal government and 29 states were playing the game, with even more getting in line. Among this deluge of legislation and bills is New Jersey Assembly Bill A505, titled the New Jersey Disclosure and Accountability Transparency Act, also known as the NJ DaTA. 

It is uncertain whether the New Jersey data privacy law will pass in its current version. However, it is important to note that an NJ entity that engages consumers in the five states that have already enacted state privacy legislation must comply with those state-mandated requirements. Compliance with other state laws will significantly simplify compliance with an NJ data privacy law, if and when it goes into effect.

Federal Privacy Law on the Table, But Uncertain

In Washington DC, there is a continued push on lawmakers to protect consumers’ data privacy rights on a federal level, but given the complexity of such a law, it will likely take a long time before the fog clears on political, economic, and legal grounds. New Jersey entities would be smart to prepare for the advent of new privacy and security obligations by updating data collection, processing, and storage policies to ease compliance with new laws that may come along soon.

Why Didn’t the ADPPA Pass?

The ADPPA (American Data Protection Privacy Act), which was voted out in July 2022 and has been clinging to life since, has left US consumers agitated at the stagnation of such a historic, bipartisan initiative for consumer protection. One plausible explanation for the lack of progress is that the most recent version of the ADPPA states that it would preempt any state laws that are “covered by the provisions” of the statute or its regulations. The preemption issue is at the crux of the battle for federal privacy laws, and state attorneys, including New Jersey’s, are strongly opposed to such a provision.

What Does the Proposed NJ Privacy Bill Cover?

The New Jersey privacy law includes requirements for the disclosure and processing of personally identifiable information (PII) and shares common ground with the laws that are effective in five other states.

The following is a list of the main points stated in the bill:

  • A controller that collects PII may lawfully process the personally identifiable information only if at least one of the following applies:
    • the consumer has given consent to the processing of the personally identifiable information for at least one specific purpose
    • processing is necessary for the performance of a contract in which the consumer is involved, for compliance or legal obligation, to protect the consumer’s vital interest, and other necessary provisions.
  • A controller that collects the personally identifiable information of a consumer is to notify a consumer concerning the processing of the information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
  • The processing of personally identifiable information revealing racial or ethnic origin, political opinion, religious or philosophical belief, or trade union membership, and the processing of biometric data for the purpose of uniquely identifying a person, information concerning health or a person’s sexual history or orientation is to be prohibited except in certain circumstances provided in the bill.
  • A controller that receives a verified request from a consumer concerning all disclosures of personally identifiable information is to respond to the consumer within 30 days.
  • If a controller fails to meet this timeframe, a consumer can lodge a complaint with the Office of Data Protection and Responsible Use (office) in the Division of Consumer Affairs in the Department of Law and Public Safety, established by the bill. This office will be a clearinghouse of information, a comprehensive resource for consumers, controllers, and processors, and a regulatory body concerning consumer privacy.
  • Consumers have the right to obtain by any means from the controller rectification of inaccurate personally identifiable information. Also, a consumer can request to erase or restrict the processing of personally identifiable information. A controller should then notify third parties that handle this information of the request to correct, erase, or restrict it.
  • Businesses covered by the law will need to implement appropriate technical and organizational measures to be able to demonstrate to the office that processing is performed in compliance with the bill.
  • Processing by a processor is to be governed by a contract between a processor and controller that is to include certain provisions provided in the bill.
  • In the event of a data breach resulting in the unauthorized access of personally identifiable information, the controller is to immediately and, where feasible, not later than 72 hours after the breach, in clear and plain language, notify the consumer.
  • The bill requires a controller to, prior to processing personally identifiable information, conduct a data protection impact assessment.
  • Violation of any part of the bill incurs a $10,000 fine for the first offense and a $20,000 fine for each subsequent offense.

How the ADPPA May Impact NJ Legislation

The ADPPA is similar in many respects to the laws enacted by the states but provides more robust protections for consumers in some areas. 

On July 19, 2022, New Jersey Attorney General Matthew J. Platkin signed a joint letter with nine other state attorneys general encouraging “Congress to adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights” and allowing state bodies to raise consumer protection above the standard set by the federal government. The state attorneys argued that the state level is more appropriately equipped to keep up with technology changes “that may allude federal oversight.”

Whichever way you cut it, the forecast predicts that NJ entities, as well as others, will need to update their data collection processes and better protect consumer information.

Steps to Start Implementing for NJ Privacy Law 

  1. Update privacy notices and policies to inform consumers, in plain and clear language, of what personal information is being collected, disclosed, and/or sold to other parties.
  2. Review processes for tracking and identifying data to better accommodate a consumer’s request to exercise their rights.
  3. Review contract terms with relevant third parties to comply with statutory contracting obligations.
  4. Update security practices to protect personal data.

These procedures will help protect New Jersey businesses from potential legal and regulatory fines and make the transition to new compliance obligations easier should the federal government, the New Jersey legislature, or another state establish comprehensive consumer privacy regulations.

How To Stay Informed on New Jersey Privacy Legislation?  

Centraleyes is committed to updating its readership on the status of the NJ DaTA as well as other state privacy laws that are on the horizon. There are NJ state resources on the subject as well.
