Consumer privacy protection must have been tops on the New Jersey legislature’s list of New Year’s resolutions. The year was just two weeks old and New Jersey became the first State in 2024 to enact a comprehensive privacy law and is now one of over a dozen states to have its own comprehensive privacy law (together, the “Privacy States”). New Jersey Governor Phil Murphy wrote in a recent press release that he is proud New Jersey is better protecting its residents with Senate Bill 332/A1971 (the “Law”). This comprehensive law aims to protect consumer privacy by creating strict requirements for how applicable companies may use and collect personal data from New Jersey consumers and provides such consumers with rights of access, modification and deletion of their personal data.
Key Definitions:
The defined terms used in the Law (§1 of the Law) are essential to understanding its scope and obligations, and should look familiar from the laws of the other Privacy States. Some key definitions for New Jersey consumers and businesses to understand are the following:
- Biometric data means data generated by automatic or technological processing, measurements, or analysis of an individual’s biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. “Biometric data” shall not include: a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
- Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” shall not include: acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.
- Consumer means an identified person who is a resident of New Jersey acting only in an individual or household context. "Consumer" shall not include a person acting in a commercial or employment context.
- De-identified data means: data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (1) takes reasonable measures to ensure that the data cannot be associated with an individual, (2) publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data, and (3) contractually obligates any recipients of the information to comply with the requirements of this paragraph.
- Personal data means any information that is linked or reasonably linkable to an identified or identifiable person. “Personal data” shall not include de-identified data or publicly available information.
- Sale means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. “Sale” shall not include: The disclosure of personal data to a processor that processes the personal data on the controller’s behalf; The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer; The disclosure or transfer of personal data to an affiliate of the controller; The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
- Sensitive data means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
- Targeted advertising means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” shall not include: advertisements based on activities within a controller’s own internet websites or online applications; advertisements based on the context of a consumer’s current search query, visit to an internet website or online application; advertisements directed to a consumer in response to the consumer’s request for information or feedback; or processing personal data solely to measure or report advertising frequency, performance, or reach.
Applicability of the Law (§2 of the Law)
Not all businesses that collect personal information will be impacted by the Law. Instead, New Jersey’s Law will apply only to certain controllers that conduct business in New Jersey or target New Jersey residents with their products or services. Additionally, during a calendar year, a controller must either:
- control or process the personal data for at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction (the “Processing Threshold”); or
- control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data (the “Sale Threshold”).
Unlike California, the Law does not include a revenue threshold and instead may apply to any business, no matter what its gross annual revenue may be, provided that the above requirements are met. Additionally, while the Processing Threshold is similar to the processing threshold of a majority of the Privacy States, the Law’s Sale Threshold does not include a minimum revenue from such sale of personal data, which is unlike the majority of the Privacy States. Controllers should also note that “consumer” only includes persons acting in an individual or household context and, unlike California (but akin to the other Privacy States), does not include employees or contractors. Finally, like California, the definition of “sale” (included above) is broad and includes the sharing, disclosure or transfer of personal data for non-monetary valuable consideration, but is subject to a number of exclusions.
Controller Obligations (§3 of the Law)
Transparency is an important aspect of the Law. The Law requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. Such notice shall provide consumers with, among other things, information regarding what personal data will be processed by the controller, why the controller is processing such personal data, categories of third parties with whom the controller may share the consumer’s personal data, the types of personal data that may be shared with such third parties, as well as methods for consumers to contact the controller and exercise the consumer’s rights regarding their personal data.
Additionally, a controller is subject to additional requirements if the controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of certain decisions which may have legal or similarly significant repercussions on the consumer. For example, the controller must clearly and conspicuously disclose to the consumer any such sale or processing and provide the consumer with a clear manner to opt out of such sale or processing. If a consumer chooses to opt out of processing that may have legal or similarly significant repercussions concerning the consumer, the controller is explicitly prohibited from discriminating against such consumer (§5 of the Law). However, such controller, within certain parameters, shall still be permitted to offer discounts and other incentives to consumers in exchange for the sale of the consumer’s personal data.
The Law also restricts which data may be processed by controllers. For example, controllers shall not process a consumer’s sensitive data without obtaining such consumer’s consent (§9(a)(4) of the Law). Notably, where other Privacy States such as California and Colorado only refer to a consumer’s sex life or sexual orientation, New Jersey includes within its definition of sensitive data a consumer’s “status as transgender or nonbinary.” Additionally, controllers must conduct a data protection assessment, and keep documentation regarding such assessment, before conducting any processing that presents a heightened risk of harm to a consumer (§9(b) of the Law).
Consumer Rights (§7 of the Law)
The laundry list of consumer rights under the Law is similar to those found in the other Privacy States and New Jersey has not added anything unusual. Under the Law, consumers may take an active role in controlling how their personal data is used and by whom. Consumers may review, correct and delete their personal data as well as obtain a portable and readily usable copy of their personal data held by a controller. Consumers also may opt out of the processing of their personal data for the purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that may have legal or similarly significant effects concerning the consumer. Controllers must send a response to a consumer within 45 days following the controller’s receipt of a verified request from the consumer (subject to certain permitted extensions) (§4 of the Law).
Enforcement Authority
New Jersey Governor Phil Murphy explicitly clarified that the Law does not include a private right of action. Instead, like the majority of Privacy States, the Law may only be enforced by the Office of the Attorney General (§16 of the Law).
While there are some deviations from the privacy laws in the other Privacy States, the overall structure of the Law is relatively consistent with other Privacy States regarding the obligations on those controlling and processing personal data and the rights of the consumers. Even though the Law will not go into effect until January 15, 2025, companies should use that time to fully understand the finer details in this comprehensive privacy law.