Understanding New Jersey's Privacy Law (SB 332)

• New Jersey is set to become the first state to pass a privacy law in 2024—with Senate Bill 332 (SB 332) getting final approval on January 8, 2024, the final day of the legislative cycle.

• New Jersey Gov. Phil Murphy has 45 days to sign the bill into law, but assuming it passes, SB 332 will become the thirteenth state privacy law in the US.

• To comply with SB 332, businesses must provide consumers with a reasonably clear privacy notice, conduct assessments on risky processing activities before they begin, and recognize universal opt-out mechanisms within six months of the law coming into effect.

• Implementing a modern, all-in-one privacy platform that encodes privacy at the code layer is one of the easiest ways to address the requirements laid out by SB 332. Read the full guide to learn more!

Understanding New Jersey’s privacy law

• Who's subject to SB 332?

• SB 332 vs. other state privacy laws

• Consumer rights under SB 332

New Jersey privacy law compliance checklist

• Determine if SB 332 applies to your business

• Create a data map

• Conduct a data protection assessment

• Implement opt-in mechanism for sensitive data collection

• Honor universal opt-out mechanisms

New Jersey’s new privacy law (SB 332) was passed through the legislature on January 8, 2024, the final day of the legislative session. The bill is still awaiting Gov. Phil Murphy’s signature, but once the Governor signs, New Jersey will be the 13th state to pass a consumer data privacy law in the US. SB 332 will go into full effect one year after its passage date.

SB 332 follows a similar framework to many existing state privacy laws, but does have a few unique provisions that will affect how companies approach compliance, mainly:

• The language around data processing assessments (DPA) indicates this step needs to occur before any processing occurs

• The provision for universal opt-out mechanisms (UOOM) includes profiling, whereas other states only include targeted advertising and sale of personal data 

• Broader definitions around biometric data and sensitive data

• Provisions for attorney general rulemaking

SB 332 will impose new data protection requirements on New Jersey businesses that process consumer data, while also giving New Jersey residents more agency over their personal data. 

Under this new privacy law, consumers have the right to access, delete, correct, and transfer their personal data. They can also opt-out of the sale of personal data for targeted advertising, profiling, and automated decision making (if it’s being used in a way that can significantly impact their life and livelihood). If a business refuses to fulfill one of these rights, New Jersey consumers may appeal that decision. 

New Jersey’s privacy law offers a 30 day discretionary cure period—though this provision will expire 18 months after the law comes into force. First time violations may receive fines of up to $10,000 per infraction, while repeat offenders may face fines of up to $20,000.

Before we dive into how New Jersey’s privacy law is different from other state privacy laws, let’s quickly cover which businesses this law applies to.

Unlike many other privacy laws in force today, SB 332 doesn’t have a revenue threshold. Rather, the law applies to companies that:

• Do business in New Jersey (NJ) or target their products/services to NJ residents AND

• Process or control personal data of 100,000+ New Jersey consumers OR 

• Process or control personal data of 25,000+ New Jersey consumers AND receive revenue or discounts from the sale of personal data

One slight nuance here is that, when looking at the 100k consumers clause, the bill's language excludes data processed or controlled only for the purpose of completing a transaction.

Like all privacy laws, SB 332 does contain a few additional exceptions. 

Though New Jersey’s new privacy law does have some exceptions, they are notably more narrow than those in other states. Exempt organizations include state-regulated insurance providers, those already regulated by the Gramm-Leach-Bliley Act, and government entities. 

Personal health data is exempt, but there’s no entity-level exception for organizations under the Health Insurance Portability and Accountability Act (HIPAA). Likewise, there’s no exemption for non-profits—a notable divergence from other state privacy laws. 

New Jersey joined Texas in the group of states whose privacy laws don’t include an applicability threshold based on revenue. Unlike Texas, however, it does contain thresholds based on consumer data collection. 

SB 332’s applicability threshold also exempts data collected or processed solely for the purpose of completing a payment transaction—an exception that is unique in the US state privacy law canon.

SB 332 defines biometric data more broadly than other state privacy laws, including data that stems from “analysis” or “technological processing.” It also explicitly mentions facial mapping, geometry, and templates, and expands the purview of this definition beyond biological traits to include behavioral and physical traits as well. 

SB 332 includes financial information in its definition of sensitive data—a notable divergence from how other states define this category. The law’s text defines financial data as including: 

“a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” 

New Jersey’s privacy law also includes mental and physical health conditions, diagnoses, treatments, and “status as transgender or non-binary” in the definition of sensitive data. 

It’s also important to note here that SB 332 requires that companies obtain opt-in consent before processing sensitive data.

New Jersey is the fifth state to include language around companies' obligation to honor universal opt-out signals, such as the Global Privacy Control. Most other state privacy laws with language around UOOMs require that they allow consumers to opt-out of targeted advertising and the sale of personal data. 

SB 332, however, includes language about UOOMs also helping consumers to opt-out of profiling—a move which some experts believe could negatively impact efforts to create a national UOOM standard.

SB 332 gives New Jersey’s attorney general rulemaking authority, meaning that office will exert significant influence on how this law is shaped, updated, and enforced. California and Colorado have similar provisions in their privacy laws—both having had a different experience with the rulemaking process. 

Colorado was able to finish the process quickly and without much hoopla. California, however, has received significant pushback from businesses, with a state court delaying enforcement for its finalized rules to give businesses more time to comply. 

No timeline has been set for New Jersey to complete the rulemaking session.

New Jersey’s new privacy law gives consumers a variety of rights and protections when it comes to how their personal data is collected and used, including: 

• The right to request access, delete, and correct their personal information

• The right to transfer their data in an easily transmissible format

• The right to opt-out of the sale of personal data for targeted advertising, automated decision making, and profiling

• The right to appeal

Though not necessarily couched in terms of a consumer right, SB 332 also requires that businesses receive opt-in consent from consumers before processing any sensitive data. It also requires businesses to get parental consent before processing the data of children age 13 or younger. 

The first step on your SB 332 compliance checklist is to determine if the law even applies to your business. Remember, New Jersey’s new privacy law applies to companies that:

• Do business in New Jersey (NJ) or target their products/services to NJ residents AND

• Process or control personal data of 100,000+ NJ consumers OR 

• Process or control personal data of 25,000+ NJ consumers AND receive revenue or discounts from the sale of personal data

If your business meets these criteria, it’s time to start working towards compliance. 

Creating a comprehensive data inventory is key to any successful privacy program. 

Otherwise known as data mapping, this process will give you the information you need to conduct a gap analysis—revealing where your organization’s data processing activities stand in relation to the provisions outlined in New Jersey’s privacy law. 

Data mapping isn’t explicitly required by SB 332 (or any other modern privacy law, except in a limited capacity by GDPR). However, it’s still a foundational step in understanding how your company collects, stores, and processes consumer data. 

A comprehensive data inventory will include:

• Where, when, and how you’re processing personal data

• Why you’re processing that data

• The categories of personal data being processed

• What, if any, sensitive personal information is being processed

Many teams start out by using a manual data mapping process, but that approach can be quite time consuming and error prone. Using automated data mapping tools like Transcend Data Inventory, Silo Discovery, Structured Discovery, and Unstructured Discovery can help save time and money, as well as support a more robust compliance stance.

Under SB 332, companies are required to conduct data protection assessments (DPA) before engaging in a risky processing activity, including:

• Selling personal data

• Automated profiling and decision making

• Targeted advertising

• Processing sensitive personal information 

Though many state privacy laws have this requirement, New Jersey’s law is slightly different in that it explicitly calls for a DPA before processing begins—stating that businesses may not: 

“conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment”

Similar to other DPA requirements, SB 332 obliges businesses to consider the benefits of the process against any potential public harms.

New Jersey’s privacy law requires that businesses obtain opt-in consent before collecting and processing sensitive data. To comply with this provision, companies will need to put a mechanism in place that enables consumers to opt-in (or not).

One of the most effective ways to manage this type of opt-in requirement is to implement a modern consent management platform.

SB 332 compels businesses to honor universal opt-out signals within 18 months of the law going into force. This provision is becoming increasingly common amongst state privacy laws, with Colorado, Montana, Texas, and California sporting similar requirements. 

Unlike those states, New Jersey expands the role of UOOM from only managing opt-outs of targeted advertising and the sale of personal data to also include opt-outs from profiling. This may prove to be a wrench in the law’s implementation, but time will tell how businesses choose to approach this requirement. 

As with managing opt-in consent for sensitive data processing, a consent management platform can be extremely helpful when working to ensure compliance. 

Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new state privacy laws like SB 332.

From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.

• New Jersey Kicks Off 2024 with New Consumer Privacy Law

• Nuances highlight New Jersey's comprehensive privacy bill

• Consumer Reports commends New Jersey Legislature for approving a comprehensive privacy bill

• Bill S332 full text