Senior Content Marketing Manager II
August 20, 2024â˘8 min read
Understanding New Jerseyâs privacy law
New Jersey privacy law compliance checklist
New Jerseyâs privacy law (SB 332) was passed through the legislature on January 8, 2024, the final day of the legislative session. The law is set to go into full effect one year after its passage date on January 15, 2025.
The New Jersey Data Privacy Law (NJDPL) follows a similar framework to many existing state privacy laws, but does have a few unique provisions that will affect how companies approach compliance, mainly:
New Jersey's privacy law will impose new data protection requirements on New Jersey businesses that process consumer data, while also giving New Jersey residents more agency over their personal data.Â
Under this new privacy law, consumers have the right to access, delete, correct, and transfer their personal data. They can also opt-out of the sale of personal data for targeted advertising, profiling, and automated decision making (if itâs being used in a way that can significantly impact their life and livelihood). If a business refuses to fulfill one of these rights, New Jersey consumers may appeal that decision.Â
New Jerseyâs privacy law offers a 30 day discretionary cure periodâthough this provision will expire 18 months after the law comes into force. First time violations may receive fines of up to $10,000 per infraction, while repeat offenders may face fines of up to $20,000.
Before we dive into how New Jerseyâs privacy law is different from other state privacy laws, letâs quickly cover which businesses this law applies to.
Unlike many other privacy laws in force today, the New Jersey Data Privacy Law (NJDPL) doesnât have a revenue threshold. Rather, the law applies to companies that:
One slight nuance here is that, when looking at the 100k consumers clause, the bill's language excludes data processed or controlled only for the purpose of completing a transaction.
Like all privacy laws, the NJDPL does contain a few additional exceptions.Â
Though New Jerseyâs privacy law does have some exceptions, they are notably more narrow than those in other states. Exempt organizations include state-regulated insurance providers, those already regulated by the Gramm-Leach-Bliley Act, and government entities.Â
Personal health data is exempt, but thereâs no entity-level exception for organizations under the Health Insurance Portability and Accountability Act (HIPAA). Likewise, thereâs no exemption for non-profitsâa notable divergence from other state privacy laws.Â
New Jersey joined Texas in the group of states whose privacy laws donât include an applicability threshold based on revenue. Unlike Texas, however, it does contain thresholds based on consumer data collection.Â
The NJDPL's applicability threshold also exempts data collected or processed solely for the purpose of completing a payment transactionâan exception that is unique in the US state privacy law canon.
New Jersey's privacy law defines biometric data more broadly than other state privacy laws, including data that stems from âanalysisâ or âtechnological processing.â It also explicitly mentions facial mapping, geometry, and templates, and expands the purview of this definition beyond biological traits to include behavioral and physical traits as well.Â
The NJDPL includes financial information in its definition of sensitive dataâa notable divergence from how other states define this category. The lawâs text defines financial data as including:Â
âa consumerâs account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumerâs financial account.âÂ
New Jerseyâs privacy law also includes mental and physical health conditions, diagnoses, treatments, and âstatus as transgender or non-binaryâ in the definition of sensitive data.Â
Itâs also important to note here that the NJPL requires that companies obtain opt-in consent before processing sensitive data.
New Jersey is the fifth state to include language around companies' obligation to honor universal opt-out signals, such as the Global Privacy Control. Most other state privacy laws with language around UOOMs require that they allow consumers to opt-out of targeted advertising and the sale of personal data.Â
The law does, however, include language about UOOMs also helping consumers to opt-out of profilingâa move which some experts believe could negatively impact efforts to create a national UOOM standard.
The NJDPL gives New Jerseyâs attorney general rulemaking authority, meaning that office will exert significant influence on how this law is shaped, updated, and enforced. California and Colorado have similar provisions in their privacy lawsâboth having had a different experience with the rulemaking process.Â
Colorado was able to finish the process quickly and without much hoopla. California, however, has received significant pushback from businesses, with a state court delaying enforcement for its finalized rules to give businesses more time to comply.Â
No timeline has been set for New Jersey to complete the rulemaking session.
New Jerseyâs new privacy law gives consumers a variety of rights and protections when it comes to how their personal data is collected and used, including:Â
Though not necessarily couched in terms of a consumer rights, New Jersey's privacy law also requires that businesses receive opt-in consent from consumers before processing any sensitive data. It also requires businesses to get parental consent before processing the data of children age 13 or younger.Â
The first step on your New Jersey privacy law compliance checklist is to determine if the law even applies to your business. Remember, the NJDPL applies to companies that:
If your business meets these criteria, itâs time to start working towards compliance.Â
Creating a comprehensive data inventory is key to any successful privacy program.Â
Otherwise known as data mapping, this process will give you the information you need to conduct a gap analysisârevealing where your organizationâs data processing activities stand in relation to the provisions outlined in New Jerseyâs privacy law.Â
Data mapping isnât explicitly required by New Jersey's privacy law (or any other modern privacy law, except in a limited capacity by GDPR). However, itâs still a foundational step in understanding how your company collects, stores, and processes consumer data.Â
A comprehensive data inventory will include:
Many teams start out by using a manual data mapping process, but that approach can be quite time consuming and error prone. Using automated data mapping tools like Transcend Data Inventory, Silo Discovery, Structured Discovery, and Unstructured Discovery can help save time and money, as well as support a more robust compliance stance.
Under the NJDPL, companies are required to conduct data protection assessments (DPA) before engaging in a risky processing activity, including:
Though many state privacy laws have this requirement, New Jerseyâs law is slightly different in that it explicitly calls for a DPA before processing beginsâstating that businesses may not:Â
âconduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessmentâ
Similar to other DPA requirements, New Jersey's privacy law obliges businesses to consider the benefits of the process against any potential public harms.
New Jerseyâs privacy law requires that businesses obtain opt-in consent before collecting and processing sensitive data. To comply with this provision, companies will need to put a mechanism in place that enables consumers to opt-in (or not).
One of the most effective ways to manage this type of opt-in requirement is to implement a modern consent management platform.
The NJPL compels businesses to honor universal opt-out signals within 6 months of the law going into force. This provision is becoming increasingly common amongst state privacy laws, with Colorado, Montana, Texas, and California sporting similar requirements.Â
Unlike those states, New Jersey expands the role of UOOM from only managing opt-outs of targeted advertising and the sale of personal data to also include opt-outs from profiling. This may prove to be a wrench in the lawâs implementation, but time will tell how businesses choose to approach this requirement.Â
As with managing opt-in consent for sensitive data processing, a consent management platform can be extremely helpful when working to ensure compliance.
Limit your collection of personal data to what is necessary for the purposes you've disclosed. Implement data minimization and purpose limitation principles. Additionally, make sure to obtain explicit consent for collecting sensitive data or any data that goes beyond what is necessary for your stated purposes.
Ensure your privacy notices are clear, accessible, and comprehensive. Include details such as the categories of personal data processed, the purposes for processing, the third parties with whom data is shared, and how consumers can exercise their rights. Provide your contact information, details on the appeals process, and a method for notifying consumers of material changes to your privacy practices.
Transcend is an all-in-one platform for modern privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facingâincluding getting you ready for new state privacy laws like SB 332.
From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.
Senior Content Marketing Manager II