On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 332, marking a significant milestone for the state as it becomes the 13th in the United States to implement a comprehensive consumer data privacy law.
The legislation is set to take effect on January 16, 2025, and is designed to regulate the processing of personal data by controllers conducting business in New Jersey or targeting New Jersey residents.
Overview of Key Provisions
The law applies to controllers processing the personal data of at least 100,000 consumers or 25,000 consumers with revenue derived from the sale of personal data.
Exemptions include financial institutions under the Gramm-Leach-Bliley Act, protected health information under HIPAA, and personal data processed by consumer reporting agencies authorized by the Fair Credit Reporting Act.
2. Consumer Rights
Consumers have various rights, including the right to confirm, correct, delete, and obtain a copy of their personal data.
Opt-out rights for targeted advertising, sale of personal data, or certain profiling are also provided.
3. Sensitive Data
Controllers must obtain consumer consent before processing sensitive data, covering categories such as racial or ethnic origin, religious beliefs, health information, financial data, sexual orientation, and more.
4. Contract Requirements
Contracts between controllers and processors must outline processing instructions, data types, duration, confidentiality obligations, security measures, and provisions for data return or deletion.
5. Data Protection Assessments
Controllers must conduct data protection assessments for processing with heightened risk, including targeted advertising, selling personal data, and processing sensitive data.
The law does not create a private right of action. The Attorney General can seek injunctive relief, costs, and penalties for violations, with escalating fines for subsequent offenses.
The Attorney General, through the Division of Consumer Affairs, is responsible for promulgating rules and regulations.
This legislation, introduced in 2022, underwent significant amendments, reflecting a responsive approach to stakeholder input. The final law aligns with provisions found in laws adopted by other states, providing relief to entities incorporating these requirements into their compliance programs.
With the enactment of Senate Bill 332, New Jersey joins the ranks of states taking proactive measures to enhance consumer data privacy. Organizations operating in or targeting New Jersey should promptly review and adapt their data processing practices to ensure compliance with the new law, which will come into effect on January 16, 2025.