On January 16, New Jersey Governor Phil Murphy signed the New Jersey Data Privacy Act into law, making New Jersey the 14th state to adopt a comprehensive consumer data privacy law. According to the new legislation, companies subject to this law will have to adjust their compliance programs to satisfy the new requirements.
The New Jersey Data Privacy Act applies only to entities based on certain geographic and processing requirements. It leverages Colorado’s privacy law standard for the sale of personal data. Furthermore, the law exempts personal data used solely for completing payments from its applicability threshold.
Similar to other state privacy laws, the New Jersey law provides residents with comprehensive privacy protections and new rights regarding their personal data. However, the law notably provides narrower exemptions. One key feature of this law is its applicability to nonprofits and public higher education institutions, something found only in a few other states like Colorado, Oregon, and Delaware.
Another notable aspect of the NJDPA is its expanded definition of sensitive data, including financial information. The law requires controllers to obtain prior consent to process and collect sensitive data. The NJDPA also places distinct limitations on the processing of personal data of consumers between 13 and 16 years of age for targeted advertising, the sale of their data, or for profiling purposes without the consumer’s consent.
The Act also mandates covered companies to conduct and document a data protection assessment of data processing activities that present a heightened risk to consumers. The law also requires the disclosure of certain details in a privacy notice provided to consumers, as seen in Oregon and Delaware’s laws.
The New Jersey law grants the director of the Division of Consumer Affairs in the Department of Law and Public Safety rulemaking powers. It also provides companies with a period to rectify any violations after receiving notice.
The law is scheduled to become effective on January 15, 2025, giving entities almost a year to prepare for compliance.