Blog

New Jersey passes comprehensive privacy law

The bill was signed into law on January 16, becoming the first comprehensive state privacy law to pass in 2024

Alexis Kateifides
Center of Excellence Program Director
January 18, 2024

Who does the New Jersey privacy bill apply to?
Key requirements of the privacy bill in NJ
Enforcement and rulemaking
What’s next and how to prepare

Comprehensive US Privacy Law Book

Stay on top of US privacy acts and regulations with our comprehensive law book

On January 16, 2024, Senate Bill 332 was signed by New Jersey Governor Philip D. Murphy, becoming the first comprehensive state privacy law to pass in 2024 and adding to the 13 existing state laws already in place. The law will now enter into effect 365 days after enactment.

The bill was first introduced in 2022 and has seen several rounds of amendments before passing through the Assembly and Senate. The bill bears much similarity to other state privacy laws – data minimization, purpose limitation, notices, consumer rights, data protection assessments, and vendor management are all key provisions. However, the bill does have some notable differences, for example, regarding scope of applicability and rulemaking.

Who does the New Jersey privacy bill apply to?

The New Jersey privacy bill will apply to controllers that conduct business in the state of New Jersey or produce products or services that are targeted to residents of New Jersey. Covered organizations must also meet certain thresholds during a calendar year, including:

controlling or processing the personal data of at least 100,000 consumers, (excluding payment transactions);

controlling or processing the personal data of at least 25,000 consumers and deriving revenue or receiving a discount on the price of any goods or services, from the sale of personal data.

On the latter provision, while most other states include a threshold in relation to revenue, New Jersey seems to follow Colorado in this respect.

Key requirements of the privacy bill in NJ

Notice

Transparency is a key requirement of the bill and controllers will be required to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice”. Such notice must include the following information at a minimum:

The categories of the personal data processed;
The purpose for processing personal data;
The categories of the third parties that a consumer’s personal data may be disclosed to;
The categories of personal data that the controller shares with these third parties;
Information relating to how consumers may exercise their consumer rights and how to appeal a decision;
The controller’s contact information;
Details for how the controller will notify the consumer when changes are made to the notice; and
An active email address or other online mechanism that the consumer can contact the controller when required

When a controller either sells personal data to others or uses it for things like targeted advertising or profiling for decisions that have a major impact on their customers, they must clearly disclose to their customers that they are doing this. They also need to explain how customers can opt out of this selling or processing of their data.

Consumer rights

As with other states, consumers in New Jersey have several rights regarding personal data when it comes to how organizations handle it:

Right to access
Right to correction
Right to deletion
Right to data portability
Right to opt-out of the processing of personal data for:
- Targeted advertising;
- Sale of personal data; or
- Profiling for decisions that have significant impacts on you

Controllers must respond to verified requests within 45 days. This can be extended by another 45 days if needed, based on complexity or number of the consumer’s requests. However, consumers need to be informed of this extension and the reasons why. Information should be provided free of charge once per consumer in any 12-month period.

Data protection assessments

Under the bill, a controller must not carry out any processing that presents a “heightened risk of harm to a consumer” without conducting a detailed data protection assessment.

A balancing exercise between the benefits and risks of processing the personal data must be done and which should consider:

How the processing benefits the controller, consumer, others involved, and the public.
The potential risks to consumer rights, and how these risks can be minimized.
The use of de-identified data, what consumers would normally expect them to do with their data, the context in which they're processing it, and their relationship with their consumers.

As for what is defined as “heightened risk”, the bill notes the following activities would be considered high risk:

Using personal data for targeted ads or profiling that could lead to unfair treatment, financial or physical harm, invasion of privacy, or other significant injuries.
Selling personal data.
Processing sensitive data.

The bill does note that if the controller has several similar processing activities, these may be covered in a single assessment.

Enforcement and rulemaking

Cure Period

For the first 18 months after the law takes effect, if the Division of Consumer Affairs (DCA) in the Department of Law and Public Safety identifies a potential violation, they will first notify the controller if a cure to resolve the issue is deemed possible. A period of 30 days is granted to address and correct the violation. If the issue isn't resolved within this period, the DCA can then proceed with formal enforcement actions.

Similar to Colorado again, the Director of the Division of Consumer Affairs is responsible for creating rules and regulations to implement the purposes of this law. Enforcement of this law falls exclusively to the Office of the Attorney General, and the bill does not create a basis for private individuals to sue companies for violations.

What’s next and what can your organization do to prepare?

New Jersey is the next state law to formalize their privacy regulations in an ever-growing list in the United States. The bill mentions that it will go into effect 365 days after it’s signed by the Governor, giving companies time to prepare for compliance measures. Start keeping your data processes privacy compliant with the OneTrust Privacy & Data Governance Cloud. With data mapping and data governance solutions to identify where your data lives, what regulations you need to be compliant, and automating processes to ensure compliance across your organization, OneTrust helps organizations go beyond compliance with regulations around the world.

To keep track of all the current privacy regulations in the US, download our comprehensive US privacy law book today.

Your partner in trust transformation

Privacy Matters

Our privacy center makes it easy to see how
we collect and use your information.

Your privacy

When we collect your personal information, we always inform you of your rights and make it easy for you to exercise them. Where possible, we also let you manage your preferences about how much information you choose to share with us, or our partners.

Blog

New Jersey passes comprehensive privacy law

Table of contents

Comprehensive US Privacy Law Book

Who does the New Jersey privacy bill apply to?

Key requirements of the privacy bill in NJ

Notice

Consumer rights

Data protection assessments

Enforcement and rulemaking

Cure Period

What’s next and what can your organization do to prepare?

You may also like

Privacy Management

From legislation to operation: How to prepare for the new wave of US Privacy laws

Prepare your organization for the new wave of US privacy laws.

June 06, 2024

Privacy Management

Federal US privacy bill on the horizon? Exploring the draft APRA & new state privacy legislation

Join OneTrust DataGuidance and expert contributors for an overview of the Kentucky Consumer Privacy Act (KCPA), Maryland's Senate Bill 0541, and the draft American Privacy Rights Act and explore how a federal bill could shape the US privacy landscape.

April 23, 2024

Privacy Management

US state privacy laws timeline

View our timeline to understand the progression of current US state privacy laws and key dates.

April 23, 2024

Privacy Management

Spring into action! Navigating CPRA: Ensuring compliance and protecting privacy

Join us for an interactive webinar we dive into the CPRA, which will go into force on March 29th.

March 21, 2024

Privacy Management

The road to 50 states: New Jersey and New Hampshire join the US privacy landscape

oin OneTrust DataGuidance for a webinar highlighting the key requirements within the new US laws, New Jersey Senate Bill 332 and New Hampshire Senate Bill 255.

February 01, 2024

Privacy Automation

Embedding Privacy by Design through PIA Automation

Join us for a webinar on Embedding Privacy by Design through PIA Automation.

January 11, 2024

Privacy Management

Automating fulfillment of subject rights requests in the US

Learn how Privacy Rights Automation helps to fully automate privacy rights requests.

December 06, 2023

Privacy Management

December's deadline: Ensuring compliance with Utah's privacy regulation

Join us for a webinar as we explore the impending implementation of the Utah Privacy Law, set to take effect on December 31, 2023.

November 14, 2023

Privacy Management

The road to privacy compliance: A spotlight on Oregon & Delaware legislation

We explore the new Oregon and Delaware privacy laws, how they differ from other US privacy laws, and what they mean for your business.

September 14, 2023

Privacy Management

Utah Consumer Privacy Act law book

Download the Utah Consumer Privacy Act law book and have the official UCPA text at your fingertips for when the law takes effect on December 31, 2023.

September 04, 2023

Privacy Management

The road to 50 states: Delaware and Oregon join the US privacy landscape

Get in-depth analysis on two upcoming US Privacy laws, the Oregon Consumer Privacy Act (OCPA) and the Delaware Personal Data Privacy Act (DPDPA), with OneTrust DataGuidence and a panel of experts.

August 10, 2023

Privacy Management

EU-US Data Privacy Framework resource kit

Download our EU-US Data Privacy Framework resource kit to better understand the new aggreement for cross-border personal data transfers and how to educate your stakeholders.

July 20, 2023

Privacy & Data Governance

US privacy resource kit

Download our US privacy resource kit designed to access a range of materials to help you understand how the US privacy landscape is evolving.

July 13, 2023

Privacy Management

Now in effect: Colorado and Connecticut privacy laws

In this free webinar, our privacy experts delve into the new Colorado and Connecticut privacy laws and how they differ from other US state regulations.

July 12, 2023

Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Consent & Preferences

Navigating Google's new CMP requirements

Adapt to Google's June 2023 CMP requirements with this infographic and confidently engage your audience while staying compliant.

June 20, 2023

Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.