New Jersey Consumer Privacy Bill Passed by Legislature
At the end of the 2023 legislative session, New Jersey lawmakers approved a comprehensive privacy bill, Senate Bill 332. The bill, which underwent revisions in December 2023, received quick approval from both the Senate and Assembly on January 8, 2024.
The bill introduces key terms like "sale," "controller," and "processor," aligning with similar concepts in other U.S. state privacy laws. It grants rule-making authority to the attorney general and addresses children's privacy in line with the Children's Online Privacy Protection Rule.
The key takeaways include the following:
- The law applies “to controllers that conduct business in the State or produce products or services that are targeted to residents of the State, and that during a calendar year either: a. control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or b. control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.”
- Exemptions include protected health information covered by HIPAA, financial institutions, or personal data that is collected, processed, or disclosed as part of research, among others.
- It defines ‘personal data’ as “information that is linked or reasonably linkable to an identified or identifiable person” and ‘sensitive data’ as “personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.”
- Under New Jersey’s privacy bill, ‘sale’ of personal data means “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”
- Controller obligations include purpose limitation, security of the personal data within their control, transparency, displaying a privacy notice, and ensuring that any data processing done on their behalf by a data processor is governed by a contract.
- Consumer privacy rights are as follows: to know, to access, to correct, to delete, to obtain a copy of the data held by the controller, and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Consumer requests have to receive an answer within 45 days, and where a consumer submits repetitive requests, controllers can charge a reasonable fee starting with the second request submitted within a 12-month period.
- Controllers have to recognize UOOMs (universal opt-out mechanisms), a requirement that will be effective 6 months from the effective date of the privacy law, and they will have to allow consumers to opt out of the processing of personal data for the purposes mentioned above.
- The enforcing authority is the Attorney General, who will allow for a 30-day cure period before imposing penalties, which can reach up to $10,000 per violation.
Now, the New Jersey privacy bill awaits Governor Phil Murphy's approval within a 45-day period. If approved, it will take effect one year after being enacted.