On January 16, 2024, New Jersey Governor Phil Murphy signed the New Jersey Data Protection Act, making New Jersey the 13th state to enact a comprehensive state privacy law. The law imposes broad obligations on businesses and nonprofit organizations that collect and use the personal data of New Jersey residents, including requirements to notify consumers about the collection and disclosure of their personal data.
Following the examples of California and Colorado, whose data privacy laws require the promulgation of implementing regulations, the law gives the Director of the Division of Consumer Affairs in the Department of Law and Public Safety the authority to adopt rules and regulations necessary to accomplish the purposes of the law. The law takes effect on January 16, 2025.
Applicability
This law applies to businesses that do business in New Jersey or produce products or services intended for New Jersey residents. Specifically, the law applies to controllers that process the personal data of more than 100,000 consumers each year, excluding data processed solely for the purpose of completing payment transactions.
Alternatively, the law applies to organizations that meet the “sales threshold,” meaning that the organization controls or processes the personal data of at least 25,000 consumers and derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
Although these applicability thresholds are fairly standard, organizations must remain vigilant about how they handle information collected through cookies, pixels, and similar tracking technologies. The use of cookies can potentially (and sometimes inadvertently) bring an organization within the sales threshold. Specifically, the term “sale” is broadly defined to mean “the sharing, disclosure, or transfer by a controller of personal data to a third party for monetary or other valuable consideration.”
This definition is similar to the one used in the California Consumer Privacy Act. As we know from the California Attorney General’s enforcement actions, a company that transfers, discloses, or makes available consumers’ personal data to third parties through online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for money or other valuable consideration (including analytics services or free or discounted services), meets the definition of “sale.” See People of the State of California v. Sephora USA, Inc., Final Judgment and Permanent Injunction.
Under the law, “controller” means the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data. Because the definition contains no exemption for nonprofits, the law applies to nonprofit organizations, distinguishing it from most other comprehensive consumer privacy laws but following in the footsteps of Colorado, Delaware, and Oregon. With respect to covered data, the Act regulates practices concerning personal data, that is, any information that is linked or reasonably linkable to an identified or identifiable individual. De-identified data and publicly available information are outside the scope of the law.
Controller duties
The law imposes several obligations on controllers. First, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Additionally, the controller’s data handling practices and processing purposes must be disclosed to consumers in a privacy notice, as explained below. Controllers are also obligated to establish, implement, and maintain administrative, technical, and physical data security practices.
The law specifies that this obligation extends to protecting personal data from unauthorized access both during storage and during use. Controllers should also assess whether their security practices are appropriate to the volume and nature of the personal data they process. What counts as appropriate security practices may be addressed in future implementing regulations.
As a general rule, processing of sensitive data is not permitted unless the controller first obtains consent. Consent must be expressed as a clear affirmative act signifying the consumer’s freely given, specific, informed, and unambiguous agreement to the processing of personal data about the consumer. Importantly, acceptance of general or broad terms of use does not satisfy the consent requirement, nor does consent obtained through the use of “dark patterns.”
In other words, in contrast to the California Consumer Privacy Act, for example, this law requires an opt-in for the processing of sensitive data. The definition of sensitive data is similar to that in other state laws, but includes broader categories of financial information as well as status as transgender or non-binary. Personal data collected from a known child falls within the definition of sensitive data and must be processed in accordance with the Children’s Online Privacy Protection Act.
Controllers also have an obligation to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. The notice must include, but is not limited to:
- Categories of personal data processed by the controller
- Purpose of processing personal data
- All categories of third parties to which the controller may disclose the consumer’s personal data
- Categories of personal data that the controller shares with third parties
- How individuals can exercise their consumer rights
- The process by which the controller notifies consumers of material changes to the privacy notice, along with the effective date of the notice
- An active email address or other online mechanism that consumers may use to contact the controller
Like the privacy laws of several other states, this law requires controllers to enter into written contracts with processors that handle personal data on their behalf. These agreements govern the processing, and the law sets out a list of specific terms that such data processing agreements must address.
The law also requires controllers to conduct a data protection assessment before undertaking processing that presents a heightened risk of harm to consumers. These requirements are similar to the California Privacy Protection Agency’s draft regulations released in December 2023.
Essentially, a risk assessment (California’s term for a data protection assessment) requires a company to build a robust inventory of its processing activities and then weigh the benefits of that processing against the potential risks it poses to personal privacy. The law cites targeted advertising, profiling, the sale of personal data, and the processing of sensitive data as examples of processing that presents a heightened risk.
Consumer rights
The law grants consumers rights similar to those under other state privacy laws. An individual has the right to (1) confirm whether a controller is processing the consumer’s personal data, (2) correct inaccuracies, (3) delete personal data, (4) obtain a portable copy of the data, and (5) opt out of the processing of personal data for purposes of sale, targeted advertising, or profiling. Additionally, the law creates certain opt-in requirements for minors: a controller may not process a consumer’s personal data for purposes of targeted advertising, sale, or profiling without the consumer’s consent if the controller knows or willfully disregards that the consumer is at least 13 but younger than 17 years of age.
The law has additional requirements regarding how consumers opt out. Entities covered by the law that engage in targeted advertising or the sale of personal data must honor opt-out requests delivered through a universal opt-out mechanism (UOOM). A UOOM allows a user to signal to all websites at once a preference not to be tracked on the Internet.
The obligation to honor UOOM signals begins six months after the law’s effective date. In particular, default settings may not be used to opt consumers out of the processing or sale of their personal data unless the controller determines that the consumer has selected such default settings and that the selection clearly represents the consumer’s affirmative, freely given, and unambiguous choice. This provision is notable because opt-in consent is not required to process non-online personal data for marketing purposes, yet appears to be required for online data.
Enforcement
The New Jersey Division of Consumer Affairs within the Department of Law and Public Safety has authority to enforce the law. There is a 30-day cure period, which sunsets 18 months after the effective date. The law declares that a violation of its provisions is an “unlawful practice and a violation of P.L. 1960, c. 39 (C.56:8-1 et seq.)” (the New Jersey Consumer Fraud Act). A first violation carries a maximum penalty of $10,000, and each subsequent violation carries a maximum penalty of $20,000. Notably, the law creates no private right of action.
Conclusion
Organizations located elsewhere in the United States that are already familiar with similar data privacy laws will need to update their compliance programs to meet New Jersey’s specific requirements. For some New Jersey-based organizations, this new law may be the first time they have had to consider establishing a comprehensive consumer privacy program. Businesses potentially subject to the New Jersey Data Protection Act should carefully review their information practices, draft privacy policies, and develop comprehensive internal compliance programs. Controllers subject to the law should also watch for, and prepare for, the implementing regulations to be issued by the Director of the Division of Consumer Affairs in the Department of Law and Public Safety.
Farmer is a partner in Wilson Elser’s New York Metro office. She is one of the leaders of the firm’s Consumer Privacy practice and a member of the firm’s Intellectual Property and Technology practice. She advises clients on emerging legal issues in the technology field, including internet law, non-fungible tokens, artificial intelligence, and blockchain technology.
Axberger, a recent law school graduate, is a co-author of this article.