Clifford Chance

Talking Tech

The New Jersey Data Privacy Law: An Overview

Data Privacy 14 February 2024

On January 16, 2024, New Jersey governor Phil Murphy signed the New Jersey Data Protection Act (New Jersey Data Privacy Act or NJDPA), making the Garden State the fourteenth state in the U.S. to enact comprehensive data privacy legislation (together with the NJDPA, the State Data Privacy Laws).  The NJDPA is also notably the first law enacted in 2024, carrying last year's privacy law momentum—when eight states passed their own privacy laws—into the new year.  The NJDPA will take effect on January 15, 2025 (365 days following Governor Murphy's signature).  This briefing summarizes key provisions of the NJDPA.

Scope and Applicability

The NJDPA applies to businesses (referred to as "controllers") that conduct business in the state or produce products or services targeted to residents that meet either of two thresholds in a calendar year:

  • Control or process the personal data of at least 100,000 consumers (NJ residents), excluding personal data processed solely for the purpose of completing a payment transaction
  • Control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

While this scope language looks similar in form to that of the laws that preceded the NJDPA, there are a few aspects of the statute worth noting.  First, the statute contains the payment transaction processing exception (also found in Connecticut's, Oregon's, and Montana's comprehensive state data privacy laws), which will exempt some small businesses operating primarily as brick-and-mortar stores that do not otherwise collect personal information.  On the other hand, the law's revenue-deriving threshold is one of the broadest yet, applying to controllers that derive any revenue from the sale of personal data.  Every other State Data Privacy Law with a revenue-deriving threshold (so far) sets a specific minimum proportion of revenue (e.g., 50% for California; 20% for Delaware, etc.).  The NJDPA's threshold also broadly defines revenue-deriving to include receiving a discount on the price of goods or services, drawing parallels to one of the more surprising aspects of California's wave-making 2022 Sephora settlement.

The NJDPA also includes exemptions in line with most other State Data Privacy Laws, such as for government agencies and information or data covered by other laws, including the federal Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA).  In keeping with the majority of other State Data Privacy Laws, the NJDPA explicitly states that it does not apply to personal information collected from residents in the context of employment or business-to-business transactions.  The law does, however, apply to non-profits that meet the thresholds, bringing New Jersey into the minority of states whose privacy law applies to such entities.

Controller and Processor Obligations

The NJDPA, like most other State Data Privacy Laws, contains a regulatory framework aligned to the European Union's General Data Protection Regulation, distinguishing roles and responsibilities between controllers and processors. The NJDPA defines a "controller" as a person that, alone or jointly with others, determines the purpose and means of processing personal data and a "processor" as a person who processes personal data on behalf of a controller.

Most of the primary privacy responsibilities fall on controllers.  The law requires controllers to provide consumers a reasonably accessible, clear, and meaningful privacy notice which, among other things, discloses:

  • The categories of personal information collected and the purpose for such collection
  • The categories of third parties to which the operator may disclose a consumer's personal data
  • The categories of personal information shared with third parties
  • Third-party collection of personal data across different online services
  • A description of the process for consumer rights requests, and the request methods to use
  • The process by which the controller notifies consumers of material changes to the notice.

Like other State Data Privacy Laws, the NJDPA also places limits and obligations on the personal data processing activities of controllers, including by mandating that:

  • Personal data collection and processing is limited to what is reasonably necessary for the purposes disclosed (or consented to by the consumer)
  • Reasonable administrative, technical, and physical measures are put in place to protect the personal data
  • Controllers permit consumers to revoke consent for processing
  • Consent is collected before processing sensitive data or data of a child
  • Consent is collected before processing personal data of children for targeted advertising, sales, or profiling.

Additionally, the law requires controllers to perform a data protection assessment before undertaking any data processing that presents a heightened risk of harm to a consumer, including processing for targeted advertising or sales, or processing of sensitive data (see below for a definition of sensitive data).  This requirement is similar to those found in the majority of other State Data Privacy Laws.

The NJDPA also puts in place requirements for processors who process personal data to provide services to controllers.  These include:

  • Requiring processors to abide by the instructions of a controller and assist controllers in meeting their obligations under the NJDPA
  • Requiring controllers and processors to have contractual agreements in place that set out their respective obligations
  • Requiring processors to put certain controls in place, including ensuring that employees are subject to a duty of confidentiality and having written contractual provisions in place with subcontractors.

Consumer Rights and Requests

The NJDPA provides a variety of individual consumer rights that align with those found in most other State Data Privacy Laws. The law provides consumers with the right to:

  • Confirm processing (right to know)
  • Correct inaccuracies
  • Request deletion of personal data
  • Obtain a portable copy of personal data (data portability)
  • Opt out of processing for targeted advertising, sale, or profiling.

As mentioned above, the NJDPA also specifically restricts processing of sensitive data, requiring controllers to obtain consent before doing so—in effect creating an "opt-in" regime similar to that found in the majority of other State Data Privacy Laws.  While the law's categorization of certain data as "sensitive" is not new, there are some nuances unique to the state's definition.  The Act defines sensitive data to include personal data revealing:

  • racial or ethnic origin
  • religious beliefs
  • mental or physical health condition, treatment, or diagnosis
  • financial information, including a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required code or password permitting access to the consumer's financial account
  • sex life or sexual orientation
  • citizenship or immigration status
  • status as transgender or non-binary
  • genetic or biometric data processed for the purpose of uniquely identifying a consumer
  • personal data collected from a known child
  • precise geolocation data (within 1,750 feet).

The categorization of financial information as sensitive is of particular note.  Data breach notification laws often focus on this data given its potential for consumer harm if it falls into the wrong hands, but thus far New Jersey is the only state whose privacy law defines such data as sensitive—and thus requires opt-in consent for processing it.

Children's data must be processed in accordance with the Children's Online Privacy Protection Act (COPPA), which requires consent from parents or guardians.

Controllers are not permitted to discriminate against consumers for making rights requests (although this does not restrict offering of discounts, loyalty programs, or other incentives that are reasonably related to the value of the personal data, provided the controller clearly discloses this practice).

Under the NJDPA, controllers must respond to verified requests within forty-five (45) days of receipt, with an additional forty-five (45) day extension available if reasonably necessary for complex or numerous requests.  

Right to Appeal

Like with most other State Data Privacy Laws, the NJDPA requires controllers to have a process in place that allows consumers to appeal a controller's response.  If the controller denies a consumer's request to exercise a privacy right, the controller must explain the justification for the denial and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests.  Within forty-five (45) days of receipt of an appeal request, a controller must inform the consumer of any action taken or not taken in response to the appeal.  If the appeal is denied, the controller must provide the consumer with an online mechanism or other method through which the consumer may contact the New Jersey Department of Law and Public Safety to submit a complaint.  

Definition of "Sale"

The NJDPA defines the "sale" of personal data as "sharing, disclosing, or transferring" for "monetary or other valuable consideration."  The NJDPA also provides exceptions to the "sale" of personal data in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:

  • To a processor that processes personal data on behalf of the controller
  • To a third party for purposes of providing a product or service requested by the consumer
  • To the controller's affiliates
  • That the consumer intentionally made available to the general public and did not restrict to a specific audience
  • To a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or similar transaction. 

One interesting note is that the definition of "sale" does not reference receiving a discount on the price of goods or services.  However, as discussed above, the law's applicability provision explicitly includes receiving a discount when describing what it considers to be revenue generated by the sale of personal data.  This may suggest that the legislature intended for such an exchange to be considered a "sale" for the purpose of the law.  It will be interesting to see how this plays out once enforcement begins. 

As noted above, controllers must provide consumers with the ability to opt out of the sale of their personal data.  As in Connecticut and Colorado, controllers must provide an opt-out method that honors a user-selected universal opt-out mechanism beginning six (6) months after the NJDPA's effective date.  Such an opt-out method may not unfairly disadvantage another controller, must be consumer-friendly and easy to use, and may not use a default setting (i.e., the opt-out mechanism must require that the consumer make an affirmative, freely given, and unambiguous choice to opt out).

Definition of "Targeted Advertising"

The NJDPA defines "targeted advertising" in the same way as other State Data Privacy Laws: "displaying advertisements to a consumer where the advertisement is based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests."  The definition expressly excludes certain activities such as advertisements based on:

  • Activities within a controller's own web sites or online applications
  • The context of a consumer's current search query or visit to a web site or online application
  • The consumer's request for information or feedback
  • Processing that measures or reports the performance, reach, or frequency of an advertisement.

The NJDPA imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.

De-identified and Pseudonymous Data

Like other State Data Privacy Laws, the NJDPA includes a definition for "de-identified data" that is not covered by the law and expressly excluded from "personal data."  Data is "de-identified" if it cannot reasonably be used to infer information about or otherwise be linked to an identified or identifiable individual, or a device linked to such an individual.  This definition is slightly broader than the definition in some other State Data Privacy Laws, which do not reference inferences or devices—although it is not yet clear what effect this will have.  The definition also requires that controllers have certain protections in place to ensure that de-identified data remains de-identified, including contractual obligations and public commitments not to re-identify such data.

More notably, unlike many other State Data Privacy Laws, the NJDPA does not include a definition of "pseudonymous" data, meaning that data that qualifies for certain exemptions under other State Data Privacy Laws by virtue of being pseudonymized will not enjoy similar exemptions under the NJDPA (unless such data also qualifies as de-identified). 

Enforcement and Penalties

The NJDPA will be enforced by the government, with a transitional period during which controllers will have a cure period for alleged violations.  Like its predecessors, the NJDPA does not provide for a private right of action for violations.  Rather, the New Jersey Attorney General's office will enforce the NJDPA, with the Division of Consumer Affairs in the Department of Law and Public Safety having responsibilities for promulgating rules and regulations to implement the statute.  Notably, the law contains a thirty (30) day cure provision, meaning that controllers must receive notice of an alleged violation and be provided thirty (30) days to cure such violation before an enforcement action can commence.  This cure provision sunsets on the first day of the 18th month following the NJDPA's effective date (i.e., July 1, 2026).  The law does not expressly define statutory penalty amounts; rather, violations of the NJDPA are treated as a violation of the state consumer protection statute.