New Jersey Data Protection Act: What Businesses Need to Know | Akin Gump Strauss Hauer & Feld LLP

On January 16, 2024, New Jersey became the first state to enact a comprehensive data privacy law in the new year, with Gov. Phil Murphy (D-NJ) signing the New Jersey Privacy Act (NJPA) (SB 332) into law. The New Jersey law will go into effect on January 15, 2025.

The NJPA is similar to other state privacy laws such as the Connecticut Data Privacy Act (CTDPA) and Colorado Privacy Act (CPA), demanding more from companies then the more business-friendly Utah Consumer Privacy Act (UCPA) and Iowa Consumer Data Protection Act (ICPA).

Key Provisions

• Controller Requirements – obligations for controllers include: data minimization, data security, opt in consent for sensitive data, nondiscrimination, mechanism to revoke consent, opt in consent for child between the ages of 13 and 17, privacy notices, agreements with processors and data protection assessments.
• Processor Requirements – obligations for processors include: ensuring a duty of confidentiality for each person processing data, written contracts with subcontractors, as well as assisting controllers with consumer requests, data security and breach notification, and conducting data protection assessments.
• Individual Rights – consumer rights include: right to access, right to correct, right to delete, right to portability and right to opt out of certain processing.
• Financial Information as Sensitive Data –the definition of sensitive data includes financial information.
• Recognizing Universal Opt-Out – controllers have six months following the effective date to allow consumers to opt-out of targeted advertising via universal opt-out mechanisms.
• Protections for Children Under 17 – the law features additional opt-in consent required for certain processing of personal data for a child between the ages of 13 and 17.
• Expanded Fraud Detection Exemption – the law allows disclosure of personally identifiable information to third parties necessary to address fraud prevention and extends beyond security to include technical issues and protection of the operator’s rights or property.
• Nonprofits Not Exempt –nonprofit organizations are largely not exempt and are required to comply with the NJPA.
• Rulemaking Powers –NJPA allows empowers the Director of the Division of Consumer Affairs to issue additional rules in the future.

Who Must Comply with the NJPA?

Similar to other comprehensive state privacy laws and the European Union (EU) General Data Protection Regulation (GDPR), the NJPA applies to “controllers” and “processors.” As with the other laws, “controllers” are entities that alone or jointly with others determine the purposes and means of processing personal data, and “processors” are entities that processes that data on behalf of the controller. The NJPA applies to controllers conducting business in New Jersey or producing products or services targeted to New Jersey residents (consumers) and that during a calendar year either:

• Control or process personal data of at least 100,000 consumers (except personal data processed solely for completing transactions)
• Control or process the personal data of at least 25,000 consumers while deriving revenue, or receiving a discount on the price of any goods or services, from selling personal data.¹

The NJCDPA does not contain a minimum annual revenue threshold, meaning that relatively small businesses might find themselves subject to its provisions.

What Information Is Covered?

The NJPA applies to “personal data,” which it defines as “information that is linked or reasonably linkable to an identified or identifiable person.” The definition explicitly excludes information that is de-identified or publicly available.²

The law has an extensive definition of “sensitive data”, which includes: data revealing racial or ethnic origin, religion, mental or physical condition, treatment or diagnosis, sex life or sexual orientation, citizenship or immigration status, transgender or non-binary status, genetic or biometric data that may be processed to uniquely identify an individual, personal data of a known child and precise geolocation data. The NJPA also includes certain “financial information” in its definition of sensitive data, which includes account numbers, account log-ins, financial accounts, or credit or debit card numbers combined with any access or security code or password that would access a consumer’s financial account.³

What Are the Notable Exemptions?

As is the case for other state privacy laws, the NJPA includes both entity- and data-level exemptions, although these exemptions are generally narrower compared to most other states.

Data-Level Exemptions

The NJPA excludes data that is de-identified or publicly available (but not aggregated data). The NJPA excludes employees and business-to-business contacts from its definition of “consumer,” noting that data collected from individuals acting in “a commercial or employment context”⁴  is not covered.

The law also exempts protected health information collected by a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA)⁵;  financial data subject to the Gramm Leach Bliley Act (GLBA); certain sales of consumer personal data covered by the Driver’s Privacy Protection Act (DPPA); and personal data collected, processed, sold or disclosed in compliance with the Fair Credit Reporting Act (FCRA).⁶   There are also exemptions for personal data collected, processed or disclosed for certain research purposes.⁷

Interestingly, the NJPA’s definition of “disclosure” contains a broad fraud exemption, enabling disclosure of personally identifiable information to third parties necessary to address fraud, risk management, security issues, technical issues, protecting the operator’s rights or property, or protecting a consumer or the public from illegal activities.⁸

Entity-Level Exemptions

The NJPA exempts a number of entities, including: financial institutions and their affiliates subject to GLBA, certain insurance institutions; certain secondary market institutions,⁹  state entities and political subdivisions of the state.¹⁰

Certain entity-level exemptions common to other state privacy laws are notably absent. For example, the law does not contain an exemption for personal data governed by the Family Education Rights and Privacy Act (FERPA). While the NJPA has a data-level exemption for protected health information under HIPAA, it does not feature an entity-level exemption for HIPAA covered entities. The law also does not exempt nonprofit organizations or institutions of higher education.

What Rights Do New Jersey Consumers Have?

Similar to other state privacy laws, the NJPA provides consumer with the right to: (1) confirm whether a controller is processing personal data and to access said data (without revealing controller trade secrets); (2) the right to correct inaccuracies in the consumer’s personal data; (3) the right to delete personal data that concerns the consumer; (4) the right to obtain a portable copy of personal data (to the extent technically feasible and without revealing controller trade secrets); and (5) the right to opt out of the processing of data for purposes of targeted advertising, sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.¹¹

The NJPA explicitly requires organizations to recognize universal opt-out mechanisms. Specifically, within six months of the law’s effective date (July 15, 2025), all organizations that control or process personal data for targeted advertising, sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer must allow consumers to opt-out of such processing through user-selected universal opt-out mechanisms.¹²   The mechanism, platform or technology used for this cannot permit the manufacturer to unfairly disadvantage another controller, nor can it use a default setting that opts the consumer in unless the controller determines that the consumer selected such a default setting as their affirmative, freely given and unambiguous choice. The method must also be consumer-friendly, easy-to-use, described clearly, as consistent as possible with mechanisms that are similar or state- or federal-required, and enable the controller to accurately determine whether the consumer is a New Jersey resident and if they have made a legitimate request to opt out of the processing of personal data.¹³

Controllers have 45 days to respond to a consumer request. This deadline may be extended by an additional 45 days when reasonably necessary, so long as the consumer is informed of the reason behind the extension and provided information for all disclosures of personal data that occurred in the previous 12 months.¹⁴   The NJPA requires that controllers establish a process for consumers to appeal the refusal to take action on requests to exercise their rights.¹⁵

What Obligations Do Controllers and Processors Have?

The NJPA contains a host of obligations for both controllers and processors, similar to other state data privacy laws and the GDPR.

Controller Requirements

• Data Minimization: Controllers must limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purpose for which the data is processed.¹⁶   Controllers may not process personal data for purposes not reasonably necessary for, nor compatible with, the disclosed purpose without obtaining consumer consent.¹⁷
• Data Security: Controllers must establish and maintain reasonable administrative, technical and physical data security practices appropriate to the volume and nature of the personal data. These practices must protect the confidentiality, integrity and accessibility of personal data and secure it from unauthorized acquisition during both storage and use.¹⁸
• Sensitive Data: Controllers must acquire consumers’ opt-in consent before processing their sensitive data. For sensitive data of a known child, processing must be done in accordance with the Children’s Online Privacy Protection Act (COPPA).¹⁹
• Nondiscrimination: Controllers must not process personal data in violation of state or federal laws against unlawful discrimination against consumers.²⁰
• Revoking Consent: Controllers are required to provide consumers with a mechanism to revoke their consent to process their data. After consent is revoked, controllers must stop processing the data as soon as possible but no later than 15 days after receipt of the request.²¹
• Children Under 17: Controllers cannot process personal data of consumers for purposes of: (1) targeted advertising; (2) sale of personal data or (3) certain types of profiling without prior opt-in consent, if they have actual knowledge or willfully disregard that the consumer is a child at least 13 but under 17 years of age.²²
• Transparency and Purpose Specification: Controllers must provide clear, meaningful and reasonably accessible privacy notices that disclose: (1) the categories of personal data processed by the controller; (2) the purpose for processing; (3) the categories of third parties with whom personal data is shared; (4) the categories of personal data shared with third parties; (5) how consumers may exercise their rights under the law including how to appeal a decision regarding a consumer request; (6) the process for notifying consumers of material changes to the privacy notice along with the effective date of the notice; and (7) an email address or other online mechanism consumers can use to contact the controller.²³
• Processor Agreements: Similar to other state laws, controllers are required to enter into binding contracts with processors that, among other things, detail the nature and purpose of the processing, instructions for the processing, and the rights and obligations of both parties. Processors under this contract have several requirements, such as deleting or returning all personal data to the controller at the controller’s request at the end of the provision of services.²⁴
• Data Protection Assessments: Controllers must conduct data protection assessments for certain data processing activities that present a “heightened risk of harm” to consumers.²⁵   The NJPA specifies that the Data Privacy Act (DPA) must be conducted before engaging in any such processing activities. These activities include: (1) processing for targeted advertising or certain types of profiling; (2) selling personal data and (3) processing sensitive data.²⁶   Controllers must provide these assessments to the New Jersey Attorney General (AG) Division of Consumer Affairs in the Department of Law and Public Safety upon request.

Processor Requirements

Similar to other state laws, processors must adhere to controller instructions and assist the controller with their obligations, including: (1) responding to consumer requests; (2) data security and breach notification and (3) conducting data protection assessments.²⁷   Processors are also required to ensure each person processing the personal data is subject to a duty of confidentiality for that data, and engage with subcontractors under a written contract requiring the subcontractor to meet the processor’s obligations with respect to the personal data.²⁸

Who Enforces the Law and Issues Regulations?

The NJPA is exclusively enforced by the office of the attorney general (AG) and does not contain a private right of action. Notably, the NJPA provides a 30-day cure period where, prior to brining an enforcement action, the AG will notify controllers and grant an opportunity to cure (if a cure is deemed possible). However, this cure period is not permanent and will sunset 18 months after the law takes effect.²⁹

Additionally, the NJPA directs the Director of the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate regulations necessary to effectuate the purpose of the law.³⁰

You can learn about the other state laws in Akin’s State Data Privacy Law Series, as well as our California Consumer Privacy Act (CCPA) Report:

1. Virginia Consumer Data Protection Act: What Businesses Need to Know | Akin (akingump.com)
2. Colorado Privacy Act: What Businesses Need to Know | Akin (akingump.com)
3. Connecticut Data Privacy Act: What Businesses Need to Know | Akin (akingump.com); Businesses and Consumers Prepare as the CTDPA Takes Effect on July 1 | Akin Gump Strauss Hauer & Feld LLP
4. Utah Consumer Privacy Act: What Businesses Need to Know | Akin (akingump.com)
5. Iowa Data Protection Act: What Businesses Need to Know | Akin Gump Strauss Hauer & Feld LLP
6. Tennessee Information Protection Act: What Businesses Need to Know | Akin Gump Strauss Hauer & Feld LLP
7. Texas Data Privacy Act: What Businesses Need to Know | Akin Gump Strauss Hauer & Feld LLP
8. Indiana Data Protection Act: What Businesses Need to Know | Akin Gump Strauss Hauer & Feld LLP
9. Key Takeaways from Akin’s CCPA Litigation and Enforcement Report | Akin (akingump.com)

^{1 P.L.2023, c.266 (New Jersey).}

^{2 Id. § 1.}

^{3 Id.}

^{4 Id.}

^{5 “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and their implementing regulations (codified at 45 C.F.R. parts 160 and 164).}

^{6 Id. § 10.}

^{7 Id. § 10(h).}

^{8 Id. § 1.}

^{9 This refers to secondary market institutions identified in 15 U.S.C. § 6809(3)(D) and 12 C.F.R. §1016.3(l)(3)(iii), namely institutions chartered by Congress to engages in secondary market sales or similar transactions “or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.”}

^{10 Id. § 10.}

^{11 Id. § 7(a).}

^{12 Id. § 8(b)(1).}

^{13 Id. § 8(b)(2).}

^{14 Id. § 4(a).}

^{15 Id. § 4(f).}

^{16 Id. § 9(a)(1).}

^{17 Id. § 9(a)(2).}

^{18 Id. § 9(a)(3).}

^{19 Id. § 9(a)(4).}

^{20 Id. § 9(a)(5).}

^{21 Id. § 9(a)(6).}

^{22 Id. § 9(a)(7).}

^{23 Id. § 2(a), 3(a).} 

^{24 Id. § 13(e).}

^{25 Id. § 9(a).}

^{26 Id.}

^{27 Id. § 13(b).}

^{28 Id. § 13(c).}

^{29 Id. § 14(b).}

^{30 Id. § 16.}