A New Statute for New Jersey: Key Things to Know About NJ’s Privacy Law

On January 16, 2024, Governor Phil Murphy signed SB 332 into law, making New Jersey the thirteenth state to pass a comprehensive consumer privacy law. SB 332 applies to those who conduct business in New Jersey or produce a product or service targeted to New Jersey residents, and either (i) control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purposes of completing a payment transaction, or (ii) control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

The exclusion personal data used for payment transactions aligns with the privacy laws of Connecticut, Montana, and Oregon, and it is advantageous for small businesses that use financial information only for conducting sales. Additionally, like Colorado’s privacy law, there is no threshold for revenue derived from the sale of personal data, meaning that those who derive any revenue from, or receive any discount on goods and services for the sale of personal data may be subject to SB 332 if they process data on 25,000 or more New Jersey residents.

SB 332 is in line with the consumer privacy laws recently passed or effective in other states, with some distinctions. Below we outline the law’s key provisions and unique characteristics.

Effective Date: The majority of provisions under SB 332 will take effect on January 15, 2025 (see universal opt-out and cure period exceptions below).

Expanded Definitions: SB 332 has expanded some of the standard definitions that we have seen in other states’ laws for “sensitive data” and “biometric data.” It adds financial information as a category of sensitive data, and biometric data includes physical and behavioral characteristics in addition to biological characteristics. 

Consumer Rights: Like the existing privacy laws of other states, SB 332 provides consumers with the right to access, correct, and delete their personal data, as well as data portability rights and the right to opt out of the sale of their data, profiling, and targeted advertising. Consumers will also be able to appeal a business’s decisions with respect to these rights.

Universal Opt-Out Mechanism (UOOM): Beginning July 15, 2025, a business that processes personal data for targeted advertising, the sale of personal data, or profiling must honor the UOOM. This provision makes New Jersey the first in the country to require UOOMs to support the opt-out of profiling.

Minors: SB 332, like a few of the other states’ laws, requires opt-in consent from those between the ages of 13 and 16 before processing their personal data for targeted advertising, sale, or profiling.

Cure Period: From January 15, 2025, to July 1, 2026, businesses will have a 30-day cure period for violations under SB 332. 

Upcoming Regulations: New Jersey’s law provides the Director of the Division of Consumer Affairs in the Department of Law and Public Safety with rulemaking authority, so we can expect to see regulations in the coming years.

Takeaways

While SB 332’s provisions parallel the recently passed or effective privacy laws of other states, its expanded thresholds, broader definitions, and unique requirements may require businesses to take a closer look at whether they need to, and how they will, comply with the law. For those businesses who may not have been subject to other state privacy legislation but meet the threshold requirements under SB 332, it is important to begin compliance preparation well in advance of the January 15, 2025, enforcement date.

 

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.

Chloé NelsonPrivacy, New Jersey