New Jersey Consumer Data Privacy Bill S332

New Jersey becomes the 13th state to pass a comprehensive privacy bill among the US states. With the S332, New Jersey joins the other twelve US states with data protection laws.

The law was passed in January 2024. Once it receives the governor's signature, it will come into effect 365 days later. It means that enforcement would begin in early 2025. In this article, we'll get into the most important details of the law.

What is S332—the New Jersey Consumer Data Privacy Bill, NJCDPB?

The New Jersey Consumer Data Privacy Bill, also known as Senate Bill 332, is the state's comprehensive data privacy act. It is similar to the consumer privacy laws of other US states. It imposes the same obligations on businesses and grants the same consumer privacy rights.

To Whom Does the NJCDPB Apply?

The law applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of the state, and that during a calendar year either:

• Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely to complete a payment transaction; or
• Control or process the personal data of at least 25,000 consumers, and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

There are some exemptions, such as:

• Non-profits
• Financial institutions covered by the Gream-Leach-Bliley Act (GLBA)
• Health data is covered under HIPAA and HITECH.
• Secondary market institutions
• Insurance companies
• Personal information covered by the FCRA

What is personal data under the New Jersey State Privacy Law?

Personal data is any piece of information that is linkable to an individual and could identify them. This definition is aligned with any other data protection worldwide and includes everything from personal names and email addresses all the way to IP addresses, purchase history, and other information that could identify a person.

What Is Sensitive Data Under This Law?

The definition of sensitive data includes:

• Personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis;
• Financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account;
• Sex life or sexual orientation
• Citizenship or immigration status;
• Status as transgender or non-binary;
• Genetic or biometric data that may be processed to uniquely identify an individual;
• Personal data collected from a known child; or
• Precise geolocation data.

Sensitive data has a specific regime under the New Jersey law. If you process these categories of data, you may need to collect consent for the processing and conduct a data protection impact assessment.

What Duties Do Data Controllers Have Under the New Jersey Comprehensive Consumer Data Privacy Law?

Businesses that collect personal data for processing must:

1. Collect only the minimum amount of data necessary for processing purposes;
2. Not process personal data for purposes that are neither reasonably necessary nor compatible with the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
3. Implement administrative, technical, and physical data security practices;
4. Collect consent for the processing of sensitive or children's data and provide mechanisms for revoking consent;
5. Not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers;
6. Not process the personal data of a child for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer’s consent, where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age;
7. Specify the express purposes for which personal data are processed;
8. Conduct a data protection impact assessment where necessary, and
9. Ensure that they have written agreements with service providers for the processing of data.

What are the duties of service providers?

Processors must:

• Comply with the instructions of the controller for data processing.
• Assist the controller in meeting its obligations under the law.
• Take appropriate technical and organizational measures, insofar as possible, for the fulfillment of the controller's obligation to respond to consumer requests;
• Help the controller meet any data security requirements.
• Provide information to the controller to conduct and document any data protection assessments;
• Keep the data confidential, and
• Engage subcontractors only based on a written contract prescribing that the subcontractor must meet the requirements imposed on the service provider.

What Should the Contracts Between Controllers and Service Providers Contain?

A written data processing agreement between the controller and the service provider must govern the data processing. The contract must contain at least:

1. The processing instructions to which the processor is bound, including the nature and purpose of the processing;
2. The type of personal data subject to the processing and the duration of the processing;
3. The duty of the service provider to assist the controller in proving compliance and to assist in conducting data protection impact assessments;
4. The requirement for the service provider to delete all the processed personal data upon the controller's request.

What is the NJCDPB Privacy Policy?

A controller shall provide to a consumer a reasonably accessible, clear, and meaningful privacy notice that shall include, at the very minimum:

1. The categories of personal data that the controller processes;
2. The purpose for processing personal data;
3. The categories of all third parties to which the controller may disclose a consumer’s personal data;
4. The categories of personal data that the controller shares with third parties, if any;
5. How consumers may exercise their consumer rights, including the controller’s contact information, and how a consumer may appeal a controller’s decision about the consumer’s request;
6. The process by which the controller notifies consumers of material changes to the notification required to be made available under this subsection, along with the effective date of the notice; and
7. An active electronic mail address or other online mechanism that the consumer may use to contact the controller.
8. If a controller sells personal data to third parties or processes personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller must disclose such sale or processing, as well as how a consumer may exercise the right to opt out of such sale or processing.

This is the required minimum. You are free to add more information.

What is the sale of personal information?

The NJCDPB defines the sale of personal information as "sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party".

Then it proceeds to clarify that it does not include:

1. The disclosure of personal data to a processor that processes the personal data on the controller’s behalf;
2. The disclosure of personal data to a third party to provide a product or service requested by the consumer;
3. The disclosure or transfer of personal data to an affiliate of the controller;
4. The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or
5. The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Consumers have the right to opt out of the sale of personal information upon request.

What Consumer Rights Do NJ Consumers Have and How to Exercise Them?

New Jersey consumers have the right to:

1. Confirm whether a controller processes the consumer’s personal data and accesses such personal data, trade secrets excluded;
2. Correct inaccuracies in the consumer’s personal data;
3. Delete their own personal data;
4. Data portability; and
5. Opt out of the processing of personal data for:
   undefinedundefinedundefined

Controllers need to determine channels for exercising consumer rights, such as email addresses, contact forms, or toll-free numbers. Under the New Jersey privacy provisions, they have 45 days to respond to a request. The deadline could be prolonged for 45 more days if necessary.

What Is the Right to Opt-Out?

The right to opt-out means that consumers can require a controller to:

• Not sell their personal information;
• Not process their data for targeted advertising, and
• Not profile them or use their data for automated decision-making.

The Division of Consumer Affairs in the Department of Law is expected to pass rules on how consumers could opt out.

For now, we know that honoring universal opt-out mechanisms will be obligatory and that businesses should provide an opt-out link on their websites.

Universal Opt-Out Mechanisms

Controllers will be obliged to respond positively to universal opt-out mechanisms.

These tools send signals to websites that the consumer wants to exercise the right to opt out. Should the controller, receive such as request, they must honor it.

On top of opting out from the sale of data, the NJ new law also requires controllers, once the available technology allows, to respect opt out of targeted advertising as well.

Data Protection Impact Assessments

Data protection assessments are evaluations that balance the benefits and risks of processing personal data. They consider how processing can benefit the controller, consumer, and others, against any potential risks to consumer rights. These risks should be minimized by the controller using appropriate safeguards.

Businesses must, in any case, conduct a DPIA if they:

• Sell personal data;
• Process sensitive data, or
• Process data for targeted advertising or profiling.

Controllers must make these assessments available to the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety when asked. The Division can review these assessments to ensure they comply with this law and other relevant laws. These assessments are confidential and not open to public inspection. Sharing an assessment with the Division does not waive any legal protections like attorney-client privilege.

Enforcement and Penalties

The New Jersey Attorney General will enforce the provisions of the New Jersey consumer data privacy legislation. For the first 18 months following the coming into effect of this law, businesses may be given a 30-day cure period.

Upon the expiration of these 18 months, every violation will be subject to a penalty.