New Jersey on Verge of Enacting Data Privacy Law
Editor's Note: New Jersey Gov. Phil Murphy signed the privacy legislation on Jan. 16.
New Jersey lawmakers just passed a bill that would create the state’s first consumer data privacy legal framework, providing consumers with more control over their personal information and requiring businesses to make significant changes to their data practices.
Gov. Phil Murphy now has until Feb. 22 to approve or veto the bill.
1. Will the legislation apply to your business?
SB 332 applies to entities considered to be “data controllers.” These are companies that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and that either:
- Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- Control or process the personal data of at least 25,000 consumers, and the business derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
2. Does the legislation apply to employment or business-to-business entities?
As with most other states’ data privacy laws, Senate Bill 332 would not apply to employment or business-to-business data. The definition of “consumer” specifically excludes people acting in a commercial or employment context, which would also eliminate job applicants from coverage under the law.
3. How does the legislation define personal data?
Personal data is any information that is linked or reasonably linkable to an identifiable person. It does not include de-identified data or publicly available information.
4. What rights does the legislation grant consumers?
Under Senate Bill 332, consumers will have certain rights to:
- Confirm whether a business processes the consumer’s personal data and accesses personal data.
- Correct inaccuracies in the consumer’s personal data.
- Delete personal data concerning the consumer.
- Obtain a copy of the consumer’s personal data held by the business in a portable and readily usable format that allows the consumer to transmit the data to another entity.
- Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
5. What type of privacy notice is required?
Businesses will need to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that shall include:
- The categories of the personal data that the business processes.
- The purpose for processing personal data.
- The categories of all third parties to which the business may disclose a consumer’s personal data.
- The categories of personal data that the business shares with third parties.
- How consumers may exercise their consumer rights, including the business’ contact information and how a consumer may appeal a business’ decision with regard to the consumer’s request.
- The process by which the business notifies consumers of material changes to the notification, along with the effective date of the notice.
- An active electronic mail address or other online mechanism that the consumer may use to contact the business.
Additionally, if a business sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, this needs to be disclosed. The business needs to clearly and conspicuously disclose the sale or processing in a manner in which a consumer may exercise the right to opt out of either practice.
6. How does the legislation compare to other states’ consumer privacy laws?
Although it conforms to most states’ treatment of employment and business-to-business entities, Senate Bill 332 differs from some other state laws. Notable comparators include:
- The law will not apply to employment situations, unlike California’s broad requirements.
- The state Attorney General will have authority to create regulations related to the law, a model shared only with California and Colorado.
- The age for opt-in consent requirements on children is higher than the Children’s Online Privacy Protection Act’s standard of 13 years of age. Similar to California, New Jersey will set the age at 16.
- The law will expressly require businesses to include the use of cookies/pixels and other tracking technology in their notices to consumers. This is similar to California, but differs from some other states’ laws that don’t specifically mention cookies.
- Businesses must conduct and document data privacy assessments prior to engaging in certain processing activities under the New Jersey bill, contrary to most other states.
- Unlike a number of other state laws, the New Jersey bill would apply to nonprofits that otherwise meet applicability standards (like Colorado’s privacy law).
- New Jersey’s legislation contains a 30-day right to cure that expires 18 months after the effective date. This is similar to the Virginia and Oregon laws, but not quite as long as those of Connecticut and Delaware, which have 60-day cure periods.
- The New Jersey bill provides exemptions for regulated entities. Like California and Colorado, it does not contain an entity-level exemption for HIPAA-covered entities or business associates, although it does exclude protected health information collected by such entities. Following the trend elsewhere, both financial institutions and data subject to the GLBA are exempt from Senate Bill 332’s requirements.
7. How would the legislation be enforced?
Senate Bill 332 grants exclusive authority to enforce its provisions to the state Attorney General. Potential penalties include fines of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations. If there is any good news, it’s that there is no private right of action allowing consumers to file claims against businesses.
If the governor approves it, Senate Bill 332 will take effect one year after its enactment date.
8. What should businesses do to prepare for compliance?
If your business will be subject to Senate Bill 332, your next steps may include:
- Assessing your organization’s current data collection and privacy practices.
- Conducting an inventory of data that your organization has historically collected about consumers.
- Considering the types of data that your organization will likely collect about consumers in the future.
- Identifying the information that your organization collects about minors.
- Developing policies and procedures for responding to consumer requests.
- Working with data privacy counsel to ensure that your organization is in compliance with Senate Bill 332.
Risa Boerner and Annie Ziesing are attorneys with Fisher Phillips in Philadelphia and New York City. © 2023. All rights reserved. Reprinted with permission.