New Jersey’s governor has signed into law the first US state comprehensive privacy law of 2024. It will go into effect January 16, 2025. For those keeping score, that puts New Jersey after Florida, Oregon, Texas (all July 1, 2024), Montana (October 1, 2024), Delaware, and Iowa (both January 1, 2025). But, before Indiana (January 1, 2026). (Visit this post for a more detailed recap).
The requirements of the New Jersey law will feel quite familiar for those who familiar with the other US state privacy laws.Key provisions include:
- Applicability. Like all states except California, New Jersey’s privacy law will apply to consumer information and not to employees. Further, the law will apply to businesses that either (1) process personal data of at least 100,000 New Jersey residents or (2) control or process personal data of at least 25,000 consumers and receives revenue or discounted goods or services for the sale of personal data. The law contains exemptions for entities that are subject to (and comply with) GLBA. There is no entity-level exception for HIPAA regulated entities, but there is an exemption for information regulated by HIPAA (similar to the California approach).
- Sensitive information. New Jersey falls into the group of states that will require consent before processing personal information. Like other state laws, sensitive information includes racial or ethnic origin, religious beliefs, mental or physical health information, sex life or sexual orientation, citizenship or immigration status, status as transgender or non-binary, personally identifying genetic or biometric data, children’s personal data, or precise geolocation. Unlike most others, New Jersey also includes financial information in its definition of “sensitive information. Companies that process sensitive information will also have to conduct a data protection assessment.
- Consumer rights. New Jersey consumers will have a familiar slate of rights as found in other states. This includes the right to access, correct, delete, and port personal information. Consumers may designate an authorized agent to act on the consumer’s behalf. Timing for processing rights is different from the typical 45 days – New Jersey businesses must respond within 60 days. Additionally, businesses will need to comply with universal online opt-out mechanisms by July 16, 2025, six months after the law takes effect.
- Targeted advertising, sale and profiling. New Jersey residents must be given notice of, and the ability to opt out of, targeted advertising (including a universal opt-out mechanism). They must also be given the ability to opt out of the sale of their data, and of certain “profiling.” Additionally, if a business engages in these activities, they will need to conduct a data protection assessment.
- Enforcement. The New Jersey law does not contain a private right of action. The NJ Division of Consumer Affairs has discretion to allow companies it believes have violated the law an opportunity to cure. This cure provision will expire after 18 months.
What’s next? Like California and Colorado, the law provides for rulemaking by the Director of the Division of Consumer Affairs. Areas for rulemaking include specifications for universal opt-out mechanisms.
Putting it Into Practice: These state privacy laws contain provisions that while familiar, have subtle nuances. Flexibility and adaptation will be key as businesses tailor their privacy programs in light of what we anticipate to be a growing number of US privacy laws at a state level.