New Jersey became the 13th U.S. state to give its consumers a set of comprehensive data privacy protections when Senate Bill 332 was signed into law by state Governor Phil Murphy on January 16, 2024.
The state’s data privacy legislation addresses consumers’ concerns about businesses collecting, disclosing and selling their personal data by requiring owners of business websites to transparently disclose these activities and honor opt-out requests.
The New Jersey Consumer Privacy Act is enforceable from January 15, 2025, and covered entities have six months, to mid-July 2025, to ensure they honor opt-out requests signaled via universal opt-out mechanisms.
Key dates: New Jersey Consumer Data Privacy Act
- January 11, 2022 – New Jersey Senators Troy Singleton, Richard Codey, Raj Mukherji, Daniel Benson and Paul Moriarty introduce Senate Bill 332: “An Act concerning online services, consumers and personal data”, which “requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.” The Bill is referred to the Senate Commerce Committee;
- August 8, 2022 – New Jersey Senate adopts an amendment to SB332 proposed by Senator Troy Singleton: “This floor amendment provides that nothing in the bill is subject to, or to be construed as providing the basis for, a private right of action for a violation of the bill or any other law”;
- November 21, 2022 – Amendments to SB332 are reviewed by New Jersey senators, such as changing the definition of “consumer” to include individuals acting within a job-seeking context, clarifying methods for consumer rights requests and including third parties that track or collect information about consumers’ use of commercial websites in the definition of “operator”;
- December 19, 2022 – New Jersey Senate adopts several amendments to the text of SB332, most of which remove the amendments proposed in November 2022;
- February 2, 2023 – New Jersey senators pass Senate Bill 332 with a vote of 27–11;
- December 21, 2023 – New Jersey Senate adopts floor amendments in the equivalent Assembly Bill 1971 proposed by Assemblyman Raj Mukherji, which revise some definitions and clarify several requirements, including that “a consumer’s option to opt-out applies to the sale of data or targeted advertising,” and “a controller is not required to authenticate an opt-out request”;
- January 8, 2024 – New Jersey Assemblymen accept Senate Bill 332 substituting the equivalent Assembly bill (A1971) and pass SB 332 with a vote of 46–27;
- January 16, 2024 – State Governor Phil Murphy signs into law SB332/A1971, New Jersey’s legislation protecting consumer data. In a press release he says: “In a rapidly growing digital age, our society has become increasingly dependent on the internet to complete day-to-day tasks from shopping and working to deeply personal tasks such as managing finances and medical care. However, far too often consumer privacy is exploited without consumers knowing that their data is being shared and sold. This important legislation will help consumers reclaim control over their own personal data, and allow them the choice to share information that is personal to them”;
- January 15, 2025 – New Jersey’s comprehensive consumer data privacy legislation goes into effect;
- Mid-July 2025 – Within six months from the New Jersey Consumer Privacy Act being effective, covered entities must honor consumers’ right to signal their opt-out rights (via universal opt-out mechanisms) to prevent their personal data from being sold or used for targeted advertising.
New Jersey Consumer Data Privacy Act: Consumer rights
A ‘consumer’ is defined in the New Jersey Consumer Privacy Act as “an identified person who is a resident of this state acting only in an individual or household context”. The definition excludes “a person acting in a commercial or employment context.”
The Act focuses on ‘personally identifiable information’ to set out consumers’ privacy rights. It defines ‘personal data’ as “any information that is linked or reasonably linkable to an identified or identifiable person” and excludes de-identified or publicly available information about a citizen of New Jersey from the definition. Personally identifiable information is defined in the same way.
New Jersey’s citizens now have the following consumer privacy rights:
- Right to confirm / right to know whether a controller processes their personal data, and to gain access to it, with a caveat that controllers are not required to “provide the data to the consumer in a manner that would reveal the controller’s trade secret”;
- Right to correct inaccuracies in their personal data held by a controller, “taking into account the nature of the information and the purposes of the processing of the information”;
- Right to delete their personal data
Note: this right also covers personal information the controller has lawfully obtained from a third party other than the consumer. In these cases, the controller must delete the consumer’s personal data when requested by them, keep a record of the consumer’s deletion request including the minimum data needed to ensure the consumer’s data remains deleted from the controller’s records, and ensure the consumer’s personal information is not used for any other purpose.
- Right to data portability / obtain a copy of their personal data held by a controller in a “readily usable format that allows the consumer to transmit the data to another entity without hindrance.” Again, this right includes the caveat about controllers not being required to “provide the data to the consumer in a manner that would reveal the controller’s trade secrets”;
- Right to opt-out of the processing of their personal data for the purposes of targeted advertising, sale or profiling (when that profiling is “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer”);
- Right to designate an authorized agent to exercise opt-out requests on the consumer’s behalf, including via a user-selected universal opt-out mechanism (such as Global Privacy Control) designed to signal opt-out preferences;
- Right not to have sensitive personal data processed by a controller, without first providing consent to the controller. In the case of a known child, controllers must process personal data in compliance with the Children’s Online Privacy Protection Act 1998 (COPPA).
Sensitive data under New Jersey Privacy Law
The New Jersey Consumer Privacy Act defines ‘sensitive data’ as personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition, treatment or diagnosis
- Financial information – which includes “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account”
- Sex life or sexual orientation
- Citizenship or immigration status
- Status as transgender or non-binary
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data within 1750 feet (Note: this definition excludes communications and other data generated by or connected to “advanced utility metering infrastructure systems or equipment for use by a utility”).
Covered entities under New Jersey consumer privacy law
New Jersey’s consumer data privacy legislation applies to any controller who:
- Conducts business in New Jersey
or
- Produces products or services that are targeted to residents of New Jersey.
and
During a calendar year either:
- Controls or processes the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction
or
- Controls or processes the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
The Act defines ‘sale’ as “the exchange of personally identifiable information for monetary consideration by the operator to a third party for purposes of licensing or selling personally identifiable information at the third party’s discretion to additional third parties.”
Note: As the New Jersey Consumer Privacy Act does not mention a revenue threshold, it applies to any small business or nonprofit organization which processes the personal data of enough consumers to pass the above thresholds.
Unlike several other U.S. states’ data privacy and protection laws, New Jersey’s privacy law does not exempt institutions of higher education or data subject to the federal Family Educational Rights and Privacy Act.
Exempted entities and data under New Jersey Consumer Privacy Act
The requirements of New Jersey’s data privacy law do not apply to:
- Protected health information collected by a covered entity or business associate subject to the privacy, security and breach notification rules under Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health Act (HITECH);
- Financial institutions or their affiliates subject to Title V of the federal Gramm-Leach-Bliley Act; and secondary market institutions identified in the privacy subchapters of the Gramm-Leach-Bliley Act as well as regulations under 12 C.F.R. s.1016 (Privacy of Consumer Financial Information Regulation);
- Insurance institutions subject to New Jersey legislation on information sharing related to insurance fraud including P.L.1985, c.179 (C.17:23A-1 et seq.);
- The sale of a consumer’s personally identifiable information by the New Jersey Motor Vehicle Commission permitted by the federal Driver’s Privacy Protection Act;
- Personally identifiable information collected, processed, sold or disclosed by a consumer reporting agency subject to the federal Fair Credit Reporting Act;
- Any New Jersey State agency (“any political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision”) or
- Personal data that is collected, processed or disclosed as part of research conducted in accordance with the Federal Policy for the protection of human subjects pursuant to 45 C.F.R. Part 46 or the protection of human subjects pursuant to 21 CFR 50 and 21 CFR 56.
New Jersey SB332 privacy law compliance
Under the New Jersey Consumer Privacy Act controllers must meet the following requirements:
- Specify the express purposes for processing personal data (see New Jersey Privacy Notice Requirements below);
- Limit the collection of personal data to what is adequate, relevant and reasonably necessary to the purposes disclosed to the consumer; and if a controller wants to process data for any other purpose, they must first get consent from the consumer;
- Take reasonable measures to establish, implement and maintain administrative, technical and physical data security practices “to protect the confidentiality, integrity and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. The data security practices shall be appropriate to the volume and nature of the personal data at issue”;
- Not process sensitive personal information of a consumer without first obtaining the consumer’s consent, or in the case of personal data concerning a child, without processing the personal data in accordance with COPPA;
- Not process the personal information of a consumer aged 13–17 without their consent for the purposes of targeted advertising, sale or profiling – such processing is prohibited without consent if the controller has “actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age”;
- Not process personal data in violation of New Jersey state laws and federal laws that prohibit unlawful discrimination against consumers;
- Provide an effective mechanism for consumers to revoke their consent, and when consent is revoked by a consumer, stop processing their personal data as soon as practicable within 15 days of receiving the request – the mechanism for consumers to revoke their consent must be at least as easy to use as the mechanism they used to give consent in the first place; and
- Conduct and document a data protection assessment for processes that present a heightened risk of harm to the consumer – these assessments must be compliant with a controller’s duties under the New Jersey Consumer Privacy Act and other laws, and be made available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request.
Any processor engaged by a controller must enter a binding contract with the controller, adhere to the controller’s instructions and meet compliance obligations under the New Jersey Privacy Act, such as security and confidentiality requirements.
New Jersey privacy notice requirements
Controllers must provide consumers in New Jersey a reasonably accessible, clear and meaningful privacy notice that includes:
- Categories of personal data the controller processes;
- Purpose for processing personal data;
- Categories of all third parties which may have personal data disclosed to them by the controller;
- Categories of personal data the controller shares with third parties (if any);
- Information on how consumers may exercise their consumer rights under New Jersey’s privacy law, including contact information for the controller and instructions on how consumers may appeal the controller’s decision on their consumer rights requests;
- Process for notifying consumers of material changes to the privacy notice, along with effective date;
- Method consumers can use to contact the controller, such as an active email address or other online mechanism;
- Conspicuous disclosure if the controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, sale or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; and
- Conspicuous instructions on how a consumer can exercise their right to opt-out from the sale or processing of their personal data.
Responding to New Jersey consumer rights requests
Controllers have 45 days to respond to an authenticated consumer privacy rights request with a decision. Controllers may extend this deadline by 45 days, provided they notify the consumer in the first 45 days about their reasons for needing the extra time.
If a controller cannot authenticate a consumer rights request, they must notify the consumer that they cannot initiate action until they receive additional information from the consumer needed to authenticate the consumer and the rights request.
Controllers do not need to authenticate opt-out requests but may deny them “if the controller has a good faith, reasonable and documented belief that such request is fraudulent,” though they must notify the consumer of their decision and provide an explanation.
Consumers can make one rights request in any 12-month period and not be charged by a controller.
If a controller decides a consumer rights request is unfounded or excessive, the controller can either decline to act on the request or charge a reasonable fee to the consumer to cover related administration costs of complying with the request.
In both scenarios, the controller must prove the request is unfounded or excessive. When refusing to act on a consumer request the controller must:
- Notify the consumer within 45 days from receipt of the request
- Explain the reason for inaction, and
- Provide instructions on how the consumer may appeal the decision.
Controllers cannot discriminate against New Jersey consumers for exercising their privacy rights under the Act.
New Jersey privacy law enforcement
The state Attorney General has exclusive authority to enforce violations of the New Jersey Consumer Privacy Act. Consumers do not have a private right of action.
The Director of the Division of Consumer Affairs in the Department of Law and Public Safety has the authority to make rules and regulations pursuant to the Administrative Procedure Act necessary to effect the purposes of the privacy law.
In the first 18 months of the Privacy Act being in effect, controllers alleged to be in violation must, if a cure is deemed possible, be issued a notice by the Division of Consumer Affairs, which gives the controller 30 days to cure the violation before an enforcement action can be brought against them. After this sunset period, enforcement action can begin immediately.
The scale of penalties is not mentioned in the text of the New Jersey Consumer Privacy Act.