On 16 January 2024 the Governor of New Jersey signed into law the state’s Data Privacy Act (the “Act“), marking its entry as the 13^th state in the US to enact a comprehensive legislation safeguarding consumer personal information.

The new Act will enter into force one year after its enactment – on 16 January 2025.

Scope of Application

The Act applies to controllers conducting business in New Jersey or targeting New Jersey residents and:

• Controlling or processing personal data of at least 100,000 consumers (1.07% of state’s 9.3 million population), excluding data processed solely for the purpose of completing a payment transaction; or

• Controlling or processing personal data of at least 25,000 consumers and deriving any revenue or receiving any discounts from selling personal data.

Business-to-business contacts or employees’ information are excluded from the Act’s applicability. So are state entities and certain entities and data subject to federal laws such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. De-identified information and publicly available information – defined as information that was “lawfully made available from federal, State, or local government records, or widely-distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience” – are also excluded from the Act.

Controller Obligations

Similarly to other US state privacy laws, the Act requires controllers to provide a detailed privacy notice, that includes information regarding data processing purposes, third-party disclosures, consumer rights and how to exercise them, and more.

Unlike other state privacy laws, the new Act specifically requires the privacy notice to indicate the process by which the controller notifies consumers of material changes to the notice, the effective date of the notice, and an email address or other electronic mechanism, for contacting the controller.

Data processing assessments are required before processing for activities posing “heightened risk”, such as targeted advertising, profiling, selling personal data, and processing sensitive data.

Processing personal data by a processor shall be governed by a binding contract, which must include certain provisions set forth in the Act.

Consumer Rights

The Act offers an extensive list of consumer rights in their personal information, including the right to access it, deletion, portability, correction, non-discrimination, and a right to revoke consent. Consumers can request to exercise their rights with a response time of 45 days (extendable by another 45 days for justified reasons).

Consumers have also the right to opt-out of targeted advertising, sale of personal data, and profiling activities that has a legal or similar effect such as the denial of financial service, education enrollment, employment, health care services and more. For children between 13-16 years, as well as certain processing of sensitive personal data, opt-in rather than opt-out is required. Interestingly, the definition of “sensitive information” under the Act was expanded to include consumers’ financial data as well as a status as transgender or non-binary.

Universal opt-out mechanisms (UOOMs) are tools or systems designed to allow consumers to easily opt-out of certain data practices across multiple platforms or services. According to the new Act, within 6 months of the effective date of the Act (i.e., 16 July 2025), controllers must recognize UOOMs for opting out of targeted advertising and sale of personal data.

Enforcement

New Jersey’s data protection Act will be enforced by the NJ Attorney General, with a 30-day cure period for controllers found to be in violation of the Act in the first 18 month (i.e. until July 16, 2026). There is no private right of action, and the Attorney General retains exclusive enforcement authority.

Interestingly, the Act provides the Division of Consumer Affairs with authority to promulgate rules and regulations necessary to effectuate the purpose of the Act. The only two other states providing such rulemaking authority are California and Colorado.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regimes in New Jersey. Feel free to contact us if you have any questions regarding the new Act ‎and its practical implications.