Garden State consumers now have comprehensive data privacy protections. But what does that mean for New Jerseyans?
Gov. Phil Murphy signed Senate Bill 332 (S332/A1971), which requires businesses and entities such as websites and online providers to notify consumers when they collect and disclose personal data to third parties, and to give consumers a way to opt out of that collection or disclosure.
In a press release, Governor Murphy said:
In the rapidly growing digital age, our society has become increasingly dependent on the Internet to complete everyday tasks, from shopping and working to highly personal tasks such as financial management and medical care. But too often, consumer privacy is exploited without the consumer knowing that their data is being shared and sold. This important legislation will help consumers regain control over their personal data and give them choices about sharing information that is personal to them.
New Jersey joins a growing number of states, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, that have passed comprehensive data privacy laws to protect consumers where no federal law exists. For an overview of the key features of each U.S. privacy law, see U.S. Data Privacy Laws: A Guide to the 2024 Landscape.
Let’s take a closer look at the new law that expands the landscape of consumer privacy protections in the United States.
What is NJDPA?
The New Jersey Data Protection Act (NJDPA) is a data privacy law that puts New Jersey residents in control of their personal data and sets out certain rights and obligations for those who control and process consumer data. The law applies to businesses and organizations that do business in the state or produce products or services aimed at New Jersey residents.
NJDPA Applicability and Exemptions
New Jersey’s privacy law is consistent with other state laws in terms of applicability and exemptions. It applies to controllers who meet any of the following criteria during the calendar year:
- Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing payment transactions; or
- Control or process the personal data of at least 25,000 consumers, where the controller earns revenue from the sale of personal data or receives discounts on the prices of goods and services.
The law has several important definitions. The NJDPA defines “sale” as “sharing, disclosing, or transferring” data for monetary or other valuable consideration, similar to California law. A “controller” is the natural or legal person who determines the purposes and means of processing personal data.
Similar to Colorado’s privacy law, it does not define a specific percentage of revenue that must be derived from the sale of data, although other states have introduced thresholds of 25 or 50 percent.
New Jersey Data Privacy Law Exemptions
Unlike most other data privacy laws, the NJDPA does not apply directly to processors (those who process data on behalf of a controller), but it does impose certain requirements that processors must follow when acting on behalf of a controller.
The NJDPA has many exemptions, including:
- Data covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
- Secondary market institutions.
- Insurance institutions subject to specific laws.
- State Motor Vehicle Commission.
- Personal information subject to the Fair Credit Reporting Act.
Notably, nonprofit organizations are not exempt from the NJDPA. Like Connecticut, Delaware, Montana, and Oregon, New Jersey’s data privacy law exempts the use of personal data solely to complete payment transactions.
Consumer Rights Granted by New Jersey Data Privacy Law
Under the NJDPA, consumers are afforded certain rights that are currently considered fairly standard. These include the rights to:
- Confirm whether the controller processes your personal data and access that data.
- Correct any inaccuracies in your personal data.
- Delete personal data.
- Obtain a copy of your personal data in a portable, readily available and transferable format.
- Opt out of processing of your personal data for targeted advertising and profiling.
The law is an “opt-out” model, with the exception of two subcategories: sensitive data and children’s data.
Sensitive data and children’s data
Like other consumer data privacy laws, New Jersey’s data privacy law has a separate definition and set of standards for businesses or entities that process sensitive data or children’s data.
This is where the legal model switches from opt-out to opt-in, as companies must obtain opt-in consent for both data types. Controllers that process data from children (under 13) must do so in accordance with the Children’s Online Privacy Protection Act (COPPA). Children’s data is also considered sensitive data under the law.
Sensitive data is broadly defined and includes a long list of types of personal data, including data that reveals:
- Racial or ethnic origin.
- Religious beliefs.
- Mental or physical health condition, treatment, or diagnosis.
- Sex life or sexual orientation.
- Citizenship or immigration status.
- Status as a transgender or non-binary person.
- Genetic or biometric data that can be used to identify an individual.
- Personal data collected from known children.
- Precise geolocation data.
- Financial information.
It is also important to note that New Jersey’s data privacy law expands the definition of financial information to include a consumer’s account number, account login information, financial account, or credit or debit card number in combination with any required security code, access code, or password that allows access to the consumer’s financial account. Although the CPRA includes a definition of such financial information, the NJDPA is the only law that classifies financial information as sensitive personal information that requires affirmative opt-in consent before processing.
NJDPA and universal opt-out mechanism
In line with the trend in other data privacy laws, the NJDPA requires companies to honor universal opt-out mechanisms. These mechanisms allow users to indicate their consent preferences once, via a browser plug-in such as Global Privacy Control, rather than every time they visit a new website. Companies must therefore pay attention to such signals if they want to be compliant.
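The following added example (not part of the original article) shows how a server could read the Global Privacy Control request header, `Sec-GPC: 1`, and combine it with the opt-out and opt-in models described above. The function names, field names, and the choice to apply the signal to both targeted advertising and profiling are assumptions of this example.

```javascript
// Added example. Purposes come from the opt-out right listed on this page;
// all function and field names are hypothetical.
const OPT_OUT_PURPOSES = ["targeted_advertising", "profiling"];

// True only when the request carries the Global Privacy Control header
// with its single defined value, "1". Header names are case-insensitive.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Decide which processing is allowed for one request.
// consumer.optedOut: purposes the consumer opted out of directly.
// consumer.sensitiveOptIn: true only after affirmative consent.
function allowedProcessing(headers, consumer) {
  const gpc = hasGpcSignal(headers);
  const optedOut = new Set(consumer.optedOut || []);
  const decision = { gpcSignal: gpc };
  for (const purpose of OPT_OUT_PURPOSES) {
    // Opt-out model: allowed by default, blocked by the signal or a stored opt-out.
    decision[purpose] = !gpc && !optedOut.has(purpose);
  }
  // Opt-in model: sensitive and children's data stay blocked without consent,
  // whatever the signal says.
  decision.sensitive_data = consumer.sensitiveOptIn === true;
  return decision;
}

// Constructed sample requests (not real traffic).
const samples = [
  [{ "Sec-GPC": "1" }, { optedOut: [], sensitiveOptIn: true }],
  [{ "user-agent": "x" }, { optedOut: ["profiling"], sensitiveOptIn: false }],
];
for (const [headers, consumer] of samples) {
  console.log(JSON.stringify(allowedProcessing(headers, consumer)));
}
```

A missing header or any value other than `1` is treated as no signal, so the stored per-consumer preferences still apply.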
Controller duties
The New Jersey Data Privacy Act, like other state laws, outlines a number of obligations for controllers. Controllers must limit the collection of personal data to what is “appropriate, relevant, and reasonably necessary”; establish, implement, and maintain administrative, technical, and physical data security practices to secure data; and not process sensitive data or data of known children without their consent.
Controllers are also required to post a privacy notice and an opt-out link on their websites.
Data protection assessment under NJDPA
The NJDPA requires controllers to conduct data protection assessments. Specifically, New Jersey law requires companies to provide evaluation results to the New Jersey Department of Consumer Affairs upon request, making this an important compliance challenge to master.
The following is an overview of activities that pose increased risk and require a data protection assessment.
- Targeted advertising or profiling that presents a “foreseeable” risk of “unreasonable consequences” such as unfair or deceptive treatment of, or unlawful disparate impact on, the consumer; economic or physical injury to the consumer; or physical or other intrusion upon the consumer’s solitude or seclusion, or private affairs, that would be offensive to a reasonable person.
- Sale of personal data.
- Processing of sensitive data.
What does the NJDPA mean for businesses?
Whenever new legislation, such as data privacy, is enacted, business owners and others who process data should review its provisions with their legal advisors. To determine legal requirements, it’s important to understand the context of your data: what is collected, where it comes from, and with whom it is shared and why.
If you’re feeling overwhelmed by information overload, Osano has many resources related to all things privacy, as well as solutions for managing compliance with a growing number of state data privacy laws.
New Jersey Data Privacy Law: Frequently Asked Questions
When does the NJDPA go into effect?
This law will come into effect on January 15, 2025, one year after its enactment.
Who enforces New Jersey’s data privacy laws?
As with many other state-level data privacy laws, the New Jersey Attorney General’s Office will be responsible for enforcing violations of the NJDPA.
Does New Jersey law provide a cure period for violations?
The NJDPA has a 30-day cure period, which is on the short side for state-level data laws. This cure period will end after an 18-month grace period (i.e., July 15, 2026) during which businesses are expected to adjust.
What are the penalties for violating the NJDPA?
New Jersey’s Data Privacy Act provides rulemaking authority to the Division of Consumer Affairs within the New Jersey Department of Law and Public Safety. Although no amount is defined in the statute, a violation of the NJDPA constitutes a violation of the New Jersey Consumer Fraud Act, which can result in fines of up to $10,000 for a first violation and up to $20,000 for subsequent violations.
Does New Jersey’s privacy law require companies to honor global opt-out signals?
Yes, New Jersey will be among the states that will require businesses to honor universal opt-out signals. Companies must recognize them within six months of the law’s effective date (i.e. July 15, 2025).