Signed into law at the beginning of 2024, the statute colloquially known as the New Jersey Data Protection Act (NJDPA), N.J. Stat. § 56:8-166.4 et seq., takes effect on January 15, 2025, making New Jersey the nineteenth state with a comprehensive data privacy law. Businesses affected typically include large retailers with significant online presences, online advertising platforms, social media companies, insurers, and data brokers. These businesses may want to focus now on identifying their New Jersey consumers to ensure compliance, because the law's cure period expires on July 15, 2025.
Quick Hits
- The NJDPA goes into effect on January 15, 2025, with its cure provision sunsetting six months later, on July 15, 2025.
- The NJDPA’s “sensitive data” definition encompasses more than is typical in comparable laws.
- The NJDPA applies to non-profit organizations and institutions of higher education in addition to for-profit businesses.
Scope
The NJDPA applies to entities (for-profit or not) that:
- conduct business in New Jersey OR produce products or provide services targeted to New Jersey residents; and
- control or process the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Distinct Features
The NJDPA is distinct from other comprehensive data privacy laws in several ways, including the following:
- Its definition of “sensitive data” is much broader than comparable state laws.
- It provides rulemaking authority to a state agency—the Division of Consumer Affairs.
- It has no gross-revenue threshold: under the 25,000-consumer prong, any revenue (or price discount) from the sale of personal data suffices, rather than a set percentage of gross revenue.
- It excludes entities that control or process personal information for the sole purpose of completing payment transactions from its threshold.
- It does not explicitly exclude nonprofit entities or institutions of higher education from its application.
- Controllers must honor universal opt-out mechanisms (UOOMs) through which consumers opt out of targeted advertising and the sale of their personal data.
Whose Data?
The NJDPA protects the personal data of New Jersey “consumers,” defined as follows:
“Consumer” means an identified person who is a resident of [New Jersey] acting only in an individual or household context. “Consumer” shall not include a person acting in a commercial or employment context.
Children’s data is protected: the NJDPA does not exempt personal data merely because it is also subject to the Children’s Online Privacy Protection Act (COPPA) or the Family Educational Rights and Privacy Act (FERPA).
Employees and applicants are not “consumers” under the NJDPA (in contrast to California, which covers workforce data), but employers are not completely excluded from the NJDPA: companies that are otherwise subject to the law, as set forth above, also face heightened standards for their employees’ personal data. Such companies may want legal counsel to examine their notices, data security practices, and documented purposes for processing data before the January 15, 2025 effective date.
Other exemptions include public-sector entities, financial institutions governed by the Gramm-Leach-Bliley Act (GLBA), and certain categories of information, such as protected health information under the Health Insurance Portability and Accountability Act (HIPAA), driver information covered by the Driver’s Privacy Protection Act (DPPA), and personal data processed by a consumer reporting agency under the Fair Credit Reporting Act (FCRA). (Note that the Consumer Financial Protection Bureau has also issued new guidance that an employer’s use of third-party algorithmic scores and electronic-monitoring reports in employment decisions is subject to the FCRA.)
Key Requirements
Under the NJDPA, covered businesses are required to:
- Absent the consumer’s consent, limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose for which the data is processed;
- Implement reasonable data security practices;
- Provide privacy notices with a “reasonably accessible, clear, and meaningful” explanation of:
  - Categories of personal data processed;
  - Purposes for processing personal data;
  - Categories of third parties to which the consumer’s personal data may be disclosed;
  - Categories of personal data shared with third parties, if any;
  - Instructions on how consumers can exercise their data privacy rights;
  - Contact information for the controller (business);
  - Process for notifying consumers of material changes to the privacy notice;
- Honor consumer requests to confirm processing, access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects, generally within 45 days of receipt;
- Conduct data protection assessments for processing that presents a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, the processing of sensitive data, and profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment;
- Secure opt-in consent for processing purposes not reasonably necessary to or compatible with the disclosed purposes, and for the processing of sensitive data, including children’s personal data;
- Enter into contracts with data processors governing the processor’s data processing procedures; and
- Keep records of data protection assessments.
Penalties for Noncompliance
The NJDPA does not create a private right of action, nor does it set specific penalty amounts for violations of its provisions. Instead, a violation of the NJDPA is an unlawful practice under the New Jersey Consumer Fraud Act, which provides civil penalties that escalate with the number of violations:
- First violation: no greater than $2,500
- Second violation: no greater than $5,000
- Third violation: no greater than $10,000
- Fourth and subsequent violations: no greater than $20,000
Because the Division of Consumer Affairs is entrusted with enforcement, violators of the NJDPA may also be required to pay the division’s investigative costs and attorneys’ fees under the Consumer Fraud Act.
Enforcement authority over the NJDPA rests solely with New Jersey’s Office of the Attorney General (AG), which heads the Department of Law and Public Safety; the Division of Consumer Affairs sits within that department.
For the first six months after the NJDPA takes effect, through July 15, 2025, the Division of Consumer Affairs must notify a controller or processor of a violation and allow thirty days to cure it, if a cure is deemed possible; after July 15, 2025, this cure provision sunsets. The director of the Division of Consumer Affairs has the authority to promulgate regulations necessary to effectuate the purpose of the law. Consumers who believe their rights have been violated and that the controller has not taken appropriate action may complain directly to the Division of Consumer Affairs.
Comparison to Existing Comprehensive Data Privacy Laws
As of the publication date of this article, nineteen states have enacted comprehensive privacy legislation; the comparisons that follow show how the NJDPA’s specific provisions and broader scope of applicability set it apart. Those states are:
- California
- Colorado
- Connecticut
- Delaware
- Indiana
- Iowa
- Montana
- Oregon
- Tennessee
- Texas
- Utah
- Virginia
Passed in 2024:
- Kentucky
- Maryland
- Minnesota
- Nebraska
- New Hampshire
- New Jersey
- Rhode Island
California. Among existing data privacy laws, California stands out with its private right of action (limited to certain data breaches). New Jersey shares an uncommon feature with California, however: both grant a state agency authority to issue additional rules. Besides California, only Colorado authorizes rulemaking under its comprehensive consumer privacy law. (Note: Technically, so does Florida with its Digital Bill of Rights, but its inclusion in any list of comprehensive data privacy laws is, at best, debatable. Also, technically, so does New Hampshire, but its rulemaking provisions are limited to establishing privacy notice requirements.)
Connecticut and Delaware. The NJDPA may be unique among state privacy laws in that its “sensitive data” definition includes a significant portion of a consumer’s financial information not covered by the Gramm-Leach-Bliley Act. Compared to Connecticut and Delaware, New Jersey also has a lower threshold for applicability: its 25,000-consumer prong does not require that a minimum share of gross revenue come from the sale of personal data.
New York. While New Jersey is often compared to New York, this time New York will have to compare itself to New Jersey, as New York lacks an enacted comprehensive data privacy law. The Office of the New York State Attorney General did publish guidance in August 2024 applying existing consumer protection laws to website privacy controls and recommending caution in implementing them, and New York City has enacted legislation aimed at automated decision-making tools in hiring. New York thus joins states like Florida, Maine, Michigan, Nevada, Vermont, and Washington in adopting narrower consumer privacy guidance or laws rather than comprehensive data privacy legislation.
Pennsylvania. Similarly, Pennsylvania has active legislation (HB 1201) but had not passed comprehensive consumer data privacy legislation as of the publication date of this article. Pennsylvania did amend its data breach notification law, with the amendments taking effect on September 26, 2024. Other nearby states with active legislation are Massachusetts (S.25 / H.83), Michigan (SB 659), and Ohio (HB 345).