As a follow up to our earlier blog, on January 16, 2024, New Jersey officially enacted its privacy law, designed to protect resident consumer personal information. The adoption of the New Jersey Data Protection Act ("New Jersey Privacy Law" or "NJDPA") makes New Jersey the 13th jurisdiction with a comprehensive state privacy law. The New Jersey Privacy Law will take effect on January 16, 2025.
New Jersey Privacy Law
The NJDPA regulates entities that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and during a calendar year either: (1) control or process the personal data of at least 100,000 consumers; or (2) control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Although similar to data protection laws in other states, New Jersey's Privacy Law broadens the definition of "sensitive personal data" to include a range of consumer financial information and consumers' status as transgender or nonbinary. The New Jersey Privacy Law grants consumers certain rights, including the right to obtain a copy of their personal data in a portable format, allowing consumers to transmit the data without hindrance. Upon receiving a consumer rights request, businesses must respond within 45 days of receipt of such request. If a business sells consumer personal data to third parties or processes personal data for the purposes of targeted advertising or profiling, the business must provide a clear and conspicuous disclosure of such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing. The business must honor the opt-out request within 15 days of receipt.
The NJDPA requires entities to obtain consumer consent in order to process "sensitive data" (e.g., race, religion, health, financial information, citizenship). The NJDPA also requires businesses to provide consumers with a privacy notice describing the categories of personal data collected, the purposes for collection, and the categories of personal data shared with third parties. Beginning July 15, 2025, businesses must allow consumers to revoke their consent to the processing of their personal data for targeted advertising, sale, or profiling through a universal opt-out mechanism.
The Office of the Attorney General is vested with sole and exclusive authority to enforce New Jersey's Privacy Law. Notably, there is no private right of action under the NJDPA. Violation of the NJDPA is punishable by penalties of up to $10,000 for first offenses and up to $20,000 for subsequent violations.
Lack of Privacy Law Uniformity Can Create Confusion
The lack of federal regulation in this space has led to a patchwork of intricate data privacy laws that differ from state to state. Because there is no uniformity among the various state data privacy laws, businesses may easily find themselves confused, which can be very costly if such confusion results in a regulatory violation. Compliance with state privacy laws will get even more difficult in the near future, given that at least 8 other states are poised to soon pass consumer data privacy legislation.
Similar Blog Posts:
West Virginia's Proposed State Privacy Law
Do Your Privacy Policy Changes Require Consumer Notice And Consent?
Newly-Passed Florida Privacy Law Bill
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
