New Jersey's Privacy Law Explained: What Businesses Need to Know

By Morgan Sullivan

Senior Content Marketing Manager II

August 20, 2024


At a glance

  • On January 16, 2024, New Jersey Governor Phil Murphy signed Senate Bill 332 into law, making New Jersey the thirteenth state to adopt comprehensive data privacy legislation in the U.S.
  • Set to take effect on January 15, 2025, this new law continues the momentum of 2023’s wave of state privacy regulations.
  • To comply with SB 332, businesses must provide consumers with a reasonably clear privacy notice, conduct assessments on risky processing activities before they begin, and recognize universal opt-out mechanisms within six months of the law coming into effect.
  • Implementing a modern, all-in-one privacy platform that encodes privacy at the code layer is one of the easiest ways to address the requirements laid out by SB 332. Read the full guide to learn more!

Table of contents

Understanding New Jersey’s privacy law

New Jersey privacy law compliance checklist

Understanding New Jersey’s privacy law

New Jersey’s privacy law (SB 332) was passed through the legislature on January 8, 2024, the final day of the legislative session. The law is set to go into full effect one year after its passage date on January 15, 2025.

The New Jersey Data Privacy Law (NJDPL) follows a similar framework to many existing state privacy laws, but does have a few unique provisions that will affect how companies approach compliance, mainly:

  • The language around data protection assessments (DPA) indicates that an assessment must be completed before any processing begins
  • The provision for universal opt-out mechanisms (UOOM) includes profiling, whereas other states only cover targeted advertising and the sale of personal data
  • Broader definitions of biometric data and sensitive data
  • Provisions for attorney general rulemaking

New Jersey's privacy law will impose new data protection requirements on New Jersey businesses that process consumer data, while also giving New Jersey residents more agency over their personal data. 

Under this new privacy law, consumers have the right to access, delete, correct, and transfer their personal data. They can also opt out of the sale of personal data for targeted advertising, profiling, and automated decision making (where it is used in a way that can significantly affect their life and livelihood). If a business refuses to fulfill one of these rights, New Jersey consumers may appeal that decision.

New Jersey’s privacy law offers a 30-day discretionary cure period, though this provision will expire 18 months after the law comes into force. First-time violations may receive fines of up to $10,000 per infraction, while repeat offenders may face fines of up to $20,000.

Before we dive into how New Jersey’s privacy law is different from other state privacy laws, let’s quickly cover which businesses this law applies to.

Who's subject to New Jersey's privacy law?

Unlike many other privacy laws in force today, the New Jersey Data Privacy Law (NJDPL) doesn’t have a revenue threshold. Rather, the law applies to companies that:

  • Do business in New Jersey (NJ) or target their products/services to NJ residents, AND
  • Process or control the personal data of 100,000+ New Jersey consumers, OR
  • Process or control the personal data of 25,000+ New Jersey consumers AND receive revenue or discounts from the sale of personal data

One slight nuance here is that, when looking at the 100k consumers clause, the bill's language excludes data processed or controlled only for the purpose of completing a transaction.

Like all privacy laws, the NJDPL does contain a few additional exceptions. 

Exemptions

Though New Jersey’s privacy law does have some exceptions, they are notably narrower than those in other states. Exempt organizations include state-regulated insurance providers, entities already regulated by the Gramm-Leach-Bliley Act, and government entities.

Personal health data is exempt, but there’s no entity-level exception for organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). Likewise, there’s no exemption for non-profits, a notable divergence from other state privacy laws.

New Jersey's privacy law vs. other state privacy laws

Applicability threshold

New Jersey joined Texas in the group of states whose privacy laws don’t include an applicability threshold based on revenue. Unlike Texas, however, it does contain thresholds based on consumer data collection. 

The NJDPL's applicability threshold also exempts data collected or processed solely for the purpose of completing a payment transaction—an exception that is unique in the US state privacy law canon.

Biometric data definition

New Jersey's privacy law defines biometric data more broadly than other state privacy laws, including data that stems from “analysis” or “technological processing.” It also explicitly mentions facial mapping, geometry, and templates, and expands the purview of this definition beyond biological traits to include behavioral and physical traits as well. 

Sensitive data definition

The NJDPL includes financial information in its definition of sensitive data—a notable divergence from how other states define this category. The law’s text defines financial data as including: 

“a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” 

New Jersey’s privacy law also includes mental and physical health conditions, diagnoses, treatments, and “status as transgender or non-binary” in the definition of sensitive data. 

It’s also important to note here that the NJDPL requires companies to obtain opt-in consent before processing sensitive data.

Expanded role for universal opt-out mechanisms

New Jersey is the fifth state to include language around companies' obligation to honor universal opt-out signals, such as the Global Privacy Control. Most other state privacy laws with language around UOOMs require only that they allow consumers to opt out of targeted advertising and the sale of personal data.

The law does, however, include language about UOOMs also helping consumers to opt-out of profiling—a move which some experts believe could negatively impact efforts to create a national UOOM standard.

Attorney General rulemaking

The NJDPL gives New Jersey’s attorney general rulemaking authority, meaning that office will exert significant influence on how this law is shaped, updated, and enforced. California and Colorado have similar provisions in their privacy laws, though each has had a different experience with the rulemaking process.

Colorado was able to finish the process quickly and without much hoopla. California, however, has received significant pushback from businesses, with a state court delaying enforcement for its finalized rules to give businesses more time to comply. 

No timeline has been set for New Jersey to complete the rulemaking process.

Consumer rights provided by New Jersey's privacy law

New Jersey’s new privacy law gives consumers a variety of rights and protections when it comes to how their personal data is collected and used, including: 

  • The right to access, delete, and correct their personal data
  • The right to transfer their data in an easily transmissible format
  • The right to opt out of the sale of personal data for targeted advertising, automated decision making, and profiling
  • The right to appeal

Though not necessarily couched in terms of consumer rights, New Jersey's privacy law also requires that businesses obtain opt-in consent from consumers before processing any sensitive data. It also requires businesses to get parental consent before processing the data of children age 13 or younger.

New Jersey privacy law compliance checklist

1. Determine if the NJDPL applies to your business

The first step on your New Jersey privacy law compliance checklist is to determine if the law even applies to your business. Remember, the NJDPL applies to companies that:

  • Do business in New Jersey (NJ) or target their products/services to NJ residents, AND
  • Process or control the personal data of 100,000+ NJ consumers, OR
  • Process or control the personal data of 25,000+ NJ consumers AND receive revenue or discounts from the sale of personal data

If your business meets these criteria, it’s time to start working towards compliance. 

2. Create a data map

Creating a comprehensive data inventory is key to any successful privacy program. 

Otherwise known as data mapping, this process will give you the information you need to conduct a gap analysis—revealing where your organization’s data processing activities stand in relation to the provisions outlined in New Jersey’s privacy law. 

Data mapping isn’t explicitly required by New Jersey's privacy law (or any other modern privacy law, except in a limited capacity by GDPR). However, it’s still a foundational step in understanding how your company collects, stores, and processes consumer data. 

A comprehensive data inventory will include:

  • Where, when, and how you’re processing personal data
  • Why you’re processing that data
  • The categories of personal data being processed
  • What, if any, sensitive personal information is being processed

Many teams start out by using a manual data mapping process, but that approach can be quite time consuming and error prone. Using automated data mapping tools like Transcend Data Inventory, Silo Discovery, Structured Discovery, and Unstructured Discovery can help save time and money, as well as support a more robust compliance stance.

3. Conduct data protection assessments

Under the NJDPL, companies are required to conduct data protection assessments (DPA) before engaging in a risky processing activity, including:

  • Selling personal data
  • Automated profiling and decision making
  • Targeted advertising
  • Processing sensitive personal information 

Though many state privacy laws have this requirement, New Jersey’s law is slightly different in that it explicitly calls for a DPA before processing begins—stating that businesses may not: 

“conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment”

Similar to other DPA requirements, New Jersey's privacy law obliges businesses to weigh the benefits of the processing activity against any potential public harms.

4. Implement an opt-in mechanism for sensitive data collection

New Jersey’s privacy law requires that businesses obtain opt-in consent before collecting and processing sensitive data. To comply with this provision, companies will need to put a mechanism in place that enables consumers to opt-in (or not).

One of the most effective ways to manage this type of opt-in requirement is to implement a modern consent management platform.

5. Honor universal opt-outs

The NJDPL compels businesses to honor universal opt-out signals within six months of the law going into force. This provision is becoming increasingly common amongst state privacy laws, with Colorado, Montana, Texas, and California sporting similar requirements.

Unlike those states, New Jersey expands the role of UOOMs from managing only opt-outs of targeted advertising and the sale of personal data to also covering opt-outs from profiling. This may prove to be a wrench in the law’s implementation, but time will tell how businesses choose to approach this requirement.

As with managing opt-in consent for sensitive data processing, a consent management platform can be extremely helpful when working to ensure compliance.

6. Limit data collection and processing to what’s strictly necessary

Limit your collection of personal data to what is necessary for the purposes you've disclosed. Implement data minimization and purpose limitation principles. Additionally, make sure to obtain explicit consent for collecting sensitive data or any data that goes beyond what is necessary for your stated purposes.

7. Update privacy notices

Ensure your privacy notices are clear, accessible, and comprehensive. Include details such as the categories of personal data processed, the purposes for processing, the third parties with whom data is shared, and how consumers can exercise their rights. Provide your contact information, details on the appeals process, and a method for notifying consumers of material changes to your privacy practices.


About Transcend

Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new state privacy laws like SB 332.

From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.

