On January 16, 2024, New Jersey’s Governor signed Senate Bill (SB) 332, which establishes a consumer data privacy law for the state. New Jersey becomes the 13th state to pass a comprehensive data consumer privacy law. The law would take effect one year after its enactment, on January 15, 2025.
To whom does the law apply?
The law applies to controllers defined as an individual or legal entity that alone or jointly with others determines the purpose and means of processing personal data that do business in New Jersey or produce products or services targeted at New Jersey residents and that during a calendar year either:
- Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely to complete a payment transaction; or
- Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
Who is protected by the law?
Under the law covered consumer is defined as a person who is a resident of New Jersey acting only in an individual or household context. Like several other states, excluding California, the consumer does not include a person acting in a commercial or employment context.
What data is protected by the law?
The law will protect data that qualifies as “personal data” which is information that is linked or reasonably linkable to an identified or identifiable person. It does not include de-identified data or publicly available information.
What are the rights of consumers?
Under the law, a consumer has the following rights:
- To confirm whether a controller processes the consumer’s personal data and access such personal data.
- To correct inaccuracies in the consumer’s personal data.
- To delete personal data concerning the consumer.
- To obtain a copy of the consumer’s data.
- To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
What obligations do businesses have?
A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that shall include but may not be limited to:
- The categories of the personal data that the controller processes.
- The purpose of processing personal data.
- The categories of all third parties to which the controller may disclose a consumer’s personal data.
- The categories of personal data that the controller shares with third parties, if any
- How consumers may exercise their consumer rights.
- The process by which the controller notifies consumers of material changes to the notification.
- An active e-mail address or other online mechanism that consumers may use to contact the controller.
If the controller sells personal data to third parties or processes personal data for purposes of targeted advertising, the sale of personal data, or profiling on a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may opt out of the sale or processing.
A controller must respond to a verified consumer rights request from a consumer within 45 days of the controller’s receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary considering the complexity and number of the consumer’s requests.
How is the law enforced?
The attorney general shall have sole and exclusive authority to enforce a violation of the statute.
If you have questions about New Jersey’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.