New Jersey law under consideration
2023 was a record year, with lawmakers in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas passing comprehensive data privacy laws, joining California, Colorado, Connecticut, Utah, and Virginia. Lawmakers in New Hampshire (New Hampshire Privacy Act, SB 255-FN), New Jersey (New Jersey Privacy Act, SB 332), and Kentucky (HB 15) have already passed comprehensive privacy laws, and 2024 is on pace to outpace the record year of 2023.
This post provides the details and information you and your business need to know about the New Jersey Privacy Act (NJPA) signed into law by Governor Phil Murphy. A discussion of New Hampshire privacy laws can be found here.
Applicability criteria
The NJPA's applicability standards mirror the data privacy laws of Virginia and New Hampshire. The NJPA applies to businesses or individuals that produce products or services targeted to New Jersey residents and that do either of the following: (i) control or process the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or (ii) control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of goods or services, from the sale of personal data.
As used in the NJPA, the term “consumer” means an individual residing in New Jersey and does not include an individual acting in a commercial or employment context. This distinction continues to be the primary approach taken by each state, with the exception of California.
Notably, like the Colorado law, the NJPA does not set a threshold for the percentage of revenue that a company must derive from the sale of personal data. Most other current state privacy laws typically apply only if a company derives a significant portion of its annual revenue from the sale of personal data. Additionally, applicability under the NJPA does not include any form of general revenue threshold. This means that small businesses that process the personal data of large numbers of New Jersey consumers, or that derive revenue from the sale of New Jersey consumers' personal data, may be subject to this law.
Exemptions
NJPA does not apply to:
- New Jersey government agencies (or political subdivisions of New Jersey);
- Financial institutions and their affiliates, or data, subject to the federal GLBA;
- Covered entities or business associates subject to certain rules under HIPAA;
- Certain secondary market institutions;
- Certain research data or employment-related information; and
- Information governed by federal laws such as HIPAA, the Driver's Privacy Protection Act, and the Fair Credit Reporting Act.
Notably, the NJPA does not include an entity-level exemption for HIPAA-regulated entities, nor does it exempt data processed by nonprofit organizations or institutions of higher education (or educational data subject to FERPA).
The NJPA also requires businesses to obtain consent before knowingly processing the personal data of minors between the ages of 13 and 17 for targeted advertising, marketing, or profiling.
Consumer rights
Consumers who are residents of New Jersey may exercise the following rights under the NJPA:
- The right to confirm whether their personal data is being processed (unless such confirmation or access would require the controller to reveal trade secrets);
- The right to access their personal data;
- The right to correct inaccuracies in their personal data;
- The right to delete their personal data;
- The right to personal data portability; and
- The right to opt out of the processing of their personal data for the purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Business obligations to consumers
The NJPA is very similar to New Hampshire's new law enacted this year and to the business-friendly law enacted in Virginia two years ago. Below are some of the compliance obligations that will apply to covered businesses going forward.
- Respond to a consumer's request under the NJPA without undue delay, but not later than 45 days after receipt of the request (which may be extended by an additional 45 days where reasonably necessary, so long as the controller notifies the consumer of the extension and of its intent to provide the requested information);
- Provide the requested information to the consumer free of charge once every 12 months;
- Use commercially reasonable efforts to authenticate the consumer's request; and
- Establish a process for consumers to appeal a refusal to act on a consumer request.
Notice to consumers
- Businesses must provide consumers with a privacy notice that is “reasonably accessible, clear, and meaningful,” including, but not limited to:
  - The categories of personal data processed by the business;
  - The purposes for processing personal data;
  - How consumers can exercise their consumer rights, including contact information for the controller and how consumers can appeal a controller's decision regarding a consumer request;
  - The categories of personal data that the business may share with third parties;
  - The categories of third parties with which the business shares personal data;
  - The process by which the business notifies consumers of material changes to the notice required to be published under this subsection, along with the effective date of the notice; and
  - An active email address or other online mechanism that consumers may use to contact the business.
- Companies must “clearly and conspicuously” disclose the sale of personal data or the processing of personal data for targeted advertising (and how to opt out of such sale or processing).
- Businesses must establish (and describe in their privacy notice) one or more secure and reliable means for consumers to submit requests to exercise their consumer rights, including:
  - A clear and conspicuous link on the business's website (or other prominently accessible location) that allows consumers to opt out of targeted advertising or the sale of their personal data; and
  - By no later than July 15, 2025, a means for consumers to opt out of the processing of their personal data for targeted advertising purposes or the sale of such personal data.
Other business obligations
What to do:
- Conduct and document a data protection impact assessment for processing that presents an “increased risk of harm” to consumers, such as targeted advertising, the processing of sensitive data, the sale of personal data, or profiling where the profiling presents a reasonably foreseeable risk of deceptive treatment of, or undue influence on, a consumer; economic or physical harm to a consumer; or an intrusion upon a reasonable consumer's “solitude or seclusion or private affairs or concerns.” Businesses must provide these assessments to the New Jersey Department of Law and Public Safety, Division of Consumer Affairs upon request.
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is processed.
- Process personal data only for the purposes disclosed to the consumer, or for purposes compatible with those disclosed, unless you have the consumer's consent (note that aggregate data is excluded from the definition of personal data).
- Establish, implement, and maintain data security practices.
And what not to do:
- Do not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
- Do not discriminate against consumers for exercising their consumer rights, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level or quality of goods or services.
- Do not process sensitive data about a consumer without the consumer's consent or, in the case of sensitive data about a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act.
“Sensitive data” means personal data that reveals racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, including a consumer's account number, account login, financial account, or credit or debit card number in combination with any required security code, access code, or password that would permit access to the consumer's financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
Impact on vendors/data processors
Under the NJPA, vendors that act as data processors take on direct duties, such as complying with the data controller's instructions, assisting the controller with its own compliance obligations, assisting the controller with data protection impact assessments, and flowing down the necessary obligations to their subcontractors.
The NJPA also includes certain requirements that must be included in data processing agreements between data controllers and data processors.
Private right of action
Similar to the comprehensive data privacy laws in place in most other states (other than California's limited private right of action with respect to data breaches), the NJPA does not provide for a private right of action. The NJPA is enforced exclusively by the Attorney General's Office and provides for a 30-day cure period, during which the AG must notify the controller and provide an opportunity to cure before taking any enforcement action (where a cure is deemed possible). However, this cure period is not permanent and will end 18 months after the law takes effect.
The Commissioner of Consumer Affairs has rulemaking authority to issue additional regulations in the future.
Fines and penalties
Although the NJPA itself does not provide for civil penalties, the AG may pursue a violation of the NJPA as a violation of the New Jersey Consumer Fraud Act, which carries fines of up to $10,000 for a first violation and up to $20,000 for each subsequent violation.
Effective date of NJPA
January 15, 2025.