
On January 16, 2024, New Jersey Governor Phil Murphy signed Senate Bill 332 into law. Known as the New Jersey Data Privacy Law (NJDPA), it makes New Jersey the thirteenth state to enact comprehensive data privacy legislation, continuing the momentum of 2023, when several similar U.S. state privacy laws were passed. The law takes effect on January 15, 2025. Enforcement authority rests exclusively with the New Jersey Office of the Attorney General; there is no private right of action.

In this article, we will explore the specifics of NJ SB332, including its scope, impact on businesses, and more.


Understanding NJ SB332 & Its Key Components

The New Jersey Data Privacy Law (SB 332) is a comprehensive data privacy statute aimed at protecting the personal data of New Jersey residents and requiring businesses to adopt data protection measures. By setting out clear requirements, SB 332 seeks to strengthen transparency, accountability, and consumer rights. Its essential components are:

  1. Applicability Thresholds: Unlike some other U.S. state data privacy laws, New Jersey's law has no minimum revenue threshold; applicability turns on the volume of consumers whose personal data a business controls or processes (see "Who Must Comply" below).
  2. Regulatory Oversight: The law authorizes the Director of the Division of Consumer Affairs in the Department of Law and Public Safety to adopt the rules and regulations needed to implement it.
  3. Universal Opt-Out Mechanisms (UOOMs): Like several other states with comprehensive privacy laws, New Jersey requires controllers to honor a user-selected universal opt-out mechanism, an online signal through which consumers communicate their privacy preferences automatically rather than site by site.
  4. Broad Definition of Sensitive Data: New Jersey's law defines sensitive data more broadly than many other states, covering financial information, racial or ethnic origin, health condition, sexual orientation, precise geolocation data, and more.
  5. Mandatory Affirmative Consent: Controllers must obtain consent before processing sensitive data, and before processing the personal data of a consumer the controller knows is between 13 and 17 years old for targeted advertising, sale, or profiling.
  6. Controller-Processor Contracts: As in other U.S. state privacy laws, a contract between the controller and each processor is mandatory; it must set out the processing instructions, the nature and purpose of the processing, the type of data and duration of processing, and the rights and obligations of both parties.
  7. Enforcement: Like most U.S. state privacy laws, New Jersey's law provides no private right of action. Enforcement is reserved to the New Jersey Attorney General, and a notice-and-cure provision gives a controller time to remedy a violation before a formal action is brought (see "Penalties & Enforcement" below).

Who Must Comply with NJ SB332?

NJ SB332 applies to businesses that collect, use, or share the personal data of New Jersey residents. Specifically, a business is subject to NJ SB332 if it:

Conducts business in New Jersey or produces products or services targeted to New Jersey residents, and during a calendar year meets either of the following thresholds:

  • a. Controls or processes the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely to complete a payment transaction; or
  • b. Controls or processes the personal data of at least 25,000 New Jersey consumers and derives revenue, or receives a discount on the price of goods or services, from the sale of personal data.

Understanding Exemptions

The NJDPA contains several exemptions common to other state laws, such as those for state agencies and for data already regulated by HIPAA, GLBA, and FCRA. It is narrower than many of its peers in two respects: it provides no entity-level exemption for HIPAA-regulated entities (only the HIPAA-regulated data itself is exempt), and it does not exempt nonprofits or educational institutions, nor educational data covered by FERPA.

Additionally, the NJDPA excludes de-identified data and publicly available information from its definition of personal data. As under Virginia's CDPA, a controller that holds de-identified data must publicly commit to maintaining and using it only in de-identified form, must not attempt to re-identify it, and must contractually obligate any recipient to do the same. Businesses governed by the NJDPA may therefore need to reassess and amend contracts that cover the sharing of de-identified data.

Furthermore, the NJDPA's definition of "publicly available information" is broader than that of laws such as the CCPA: it covers not only information lawfully made available from government records, but also information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.

What Businesses Need to Know

NJ SB332 grants New Jersey residents rights over their personal data and requires businesses to be transparent about how that data is collected, processed, and used. The practical effect is that consumers gain greater control over their personal information, and businesses take on documented obligations for handling it.

Obligations Under NJ SB332

New Jersey's Data Privacy Law applies to "personal data," defined as any information that is linked or reasonably linkable to an identified or identifiable person. As in other U.S. state privacy laws, de-identified data and publicly available information are excluded. Controllers must provide consumers with a clear and accessible privacy notice covering the categories of personal data processed, the purposes of processing, disclosures to third parties, consumer rights, and contact information.

Controllers must:

  1. Limit Data Collection: Collect only personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer; processing for any other purpose requires consent.
  2. Maintain Security: Implement reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data.
  3. Transparency: Clearly disclose any sale of personal data and any processing for targeted advertising or profiling, and provide a way to opt out of each.
  4. Sensitive Data Handling: Obtain express consent before processing sensitive data, and before processing the personal data of a known 13- to 17-year-old for targeted advertising, sale, or profiling.
  5. Non-discrimination: Do not process personal data in a way that violates state or federal anti-discrimination laws.
  6. Consent Revocation: Provide a mechanism for withdrawing consent that is as easy as the one used to give it, and cease the processing as soon as practicable, and no later than 15 days after receiving the revocation.
  7. Data Protection Assessment: Conduct and document an assessment before processing that presents a heightened risk of harm to consumers, such as targeted advertising, sale, profiling, or processing of sensitive data.

Starting six months after the law's effective date, controllers must allow consumers to opt out of targeted advertising, sale, and profiling through a user-selected universal opt-out mechanism (UOOM). The law also directs the New Jersey Division of Consumer Affairs to establish the technical specifications such mechanisms must meet.

The law also imposes obligations on processors: they must assist the controller in meeting its obligations under the act (responding to consumer requests, securing the data, and supporting data protection assessments) and must process personal data only as set out in the contract with the controller.

Consumer Rights

New Jersey's Data Privacy Law grants consumers rights similar to those in other U.S. state privacy laws. New Jersey residents acting in an individual or household capacity (not in an employment or commercial context) have the right to:

  • Confirm and Access: Confirm whether a controller is processing their personal data and access that data.
  • Correct Data: Correct inaccuracies in their personal data.
  • Delete Data: Have their personal data deleted.
  • Data Portability: Obtain a copy of their personal data in a portable and readily usable format.
  • Opt Out: Opt out of processing for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. Consumers may designate an authorized agent to opt out on their behalf.

A controller must respond to a request within 45 days of receipt; this period may be extended once when reasonably necessary, provided the consumer is informed of the extension and the reason for it within the initial 45 days. Controllers must also establish an appeal process that is as easy to use as the request process itself. If an appeal is denied, the controller must tell the consumer how to submit a complaint to the Division of Consumer Affairs.

Compliance & Impact

With NJ SB332 among the first laws enacted this year, more state privacy laws are expected in 2024, so businesses should act now. Those already complying with laws such as California's CCPA, Colorado's CPA, or Virginia's CDPA will find much of their existing work carries over; newcomers to privacy regulation may need significant resources to catch up. To prepare for compliance and avoid future burdens, businesses should prioritize the following:

  1. Data Mapping: Inventory every processing activity, recording the data types involved, the purpose of each, where the data flows, and whether the collection is actually necessary for that purpose.
  2. Data Protection Assessments: Evaluate and document the privacy risks of any processing that presents a heightened risk to consumers, weighing those risks against the benefits of the processing.
  3. Cybersecurity Audits: Engage independent audit firms to validate the security safeguards around personal data, particularly for high-risk processing.
  4. Policy Updates: Revise internal policies and procedures to align with NJDPA requirements and obligations.
  5. Consumer Rights Processes: Build mechanisms to receive, verify, and fulfill consumer requests (and appeals) within the statutory deadlines.
  6. Clear Privacy Notice: Ensure the organization's privacy notice is easily accessible, clear, and contains every element the NJDPA requires.
  7. Third-party Relationships: Review relationships with processors and other third parties to confirm each party's role and that the required contract terms are in place.

By taking these proactive steps, businesses can navigate the evolving privacy landscape with confidence and resilience.

Privacy Notice Requirements

Organizations must furnish a privacy notice detailing the following:

  • Categories of processed personal data
  • Purpose of processing
  • Categories of third-party recipients
  • Shared personal data categories
  • Consumer rights exercise and appeal process
  • Notification method for privacy notice changes
  • Contact information for consumer inquiries

Data Protection Measures

A Data Protection Assessment (not to be confused with the NJDPA itself) is a documented analysis that weighs the benefits of a processing activity against its risks to consumers and the safeguards that mitigate them; it is a risk assessment of the processing, not a vulnerability scan of the systems. The law requires such an assessment before any processing that presents a heightened risk of harm to consumers, and the Attorney General may request a copy in the course of an investigation. Assessments should be revisited whenever the processing changes materially.

Implementation of Opt-Out Mechanisms

New Jersey requires controllers to honor universal opt-out mechanisms, and the opt-out they convey extends beyond targeted advertising and the sale of personal data to cover profiling as well, a broader scope than most other states' UOOM requirements. The Attorney General's Division of Consumer Affairs is empowered to set the technical specifications for UOOMs. A UOOM must not be the default setting, and must not be configured in a way that opts the consumer in to processing or sale, unless the consumer has expressly chosen those settings; in practice that also means the absence of a signal cannot be read as consent.
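The following is an added example of how a controller's request pipeline can honor a universal opt-out signal; it is not code from the original article or from any New Jersey guidance. It assumes the Global Privacy Control signal (the `Sec-GPC: 1` request header) is the UOOM being honored, which is an assumption: the Division of Consumer Affairs sets the actual technical specifications. The precedence rule for conflicts between a stored preference and a live signal is likewise an assumption chosen for the example.

```python
"""Honor a universal opt-out signal on an inbound HTTP request.

Added example, not from the original article. ASSUMPTION: the Global Privacy
Control (GPC) signal, carried in the `Sec-GPC` request header with the literal
value "1", is the user-selected UOOM. The NJ Division of Consumer Affairs sets
the real technical specifications, so the header name is a placeholder choice.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# The three processing activities the consumer may opt out of under the law.
OPT_OUT_SCOPES = ("targeted_advertising", "sale", "profiling")


@dataclass(frozen=True)
class OptOutDecision:
    targeted_advertising: bool
    sale: bool
    profiling: bool
    source: str  # "uoom" (live signal), "account" (stored choice) or "none"

    @property
    def any_opted_out(self) -> bool:
        return self.targeted_advertising or self.sale or self.profiling


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only when Sec-GPC is present with the exact value "1".

    Header names are case-insensitive, so match them case-folded. Any other
    value ("0", "", "true", "yes") is NOT a signal: the spec defines only "1".
    Absence of the header is not consent either; the caller must fall back to
    whatever the consumer has explicitly chosen, never to "opted in".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: Mapping[str, str],
                    stored_prefs: Optional[Mapping[str, bool]] = None) -> OptOutDecision:
    """Combine a live UOOM signal with the consumer's stored, explicit choices.

    ASSUMED precedence for this example: a valid UOOM signal opts the consumer
    out of every scope, regardless of stored preferences. With no signal, the
    stored per-scope choices apply; with neither, nothing is opted out, but the
    caller must still not treat that as affirmative consent for sensitive data.
    """
    if gpc_signal_present(headers):
        return OptOutDecision(True, True, True, source="uoom")
    prefs = dict(stored_prefs or {})
    if any(prefs.get(scope, False) for scope in OPT_OUT_SCOPES):
        return OptOutDecision(
            targeted_advertising=prefs.get("targeted_advertising", False),
            sale=prefs.get("sale", False),
            profiling=prefs.get("profiling", False),
            source="account",
        )
    return OptOutDecision(False, False, False, source="none")


def permitted_activities(decision: OptOutDecision) -> frozenset:
    """Return the subset of OPT_OUT_SCOPES the pipeline may still perform."""
    blocked = {
        scope for scope in OPT_OUT_SCOPES if getattr(decision, scope)
    }
    return frozenset(scope for scope in OPT_OUT_SCOPES if scope not in blocked)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample_requests = [
        ("browser with GPC enabled", {"Host": "example.test", "Sec-GPC": "1"}, None),
        ("no signal, stored sale opt-out", {"Host": "example.test"}, {"sale": True}),
        ("no signal, no stored choice", {"Host": "example.test"}, None),
        ("malformed signal value", {"Sec-GPC": "true"}, None),
    ]
    for label, hdrs, prefs in sample_requests:
        d = resolve_opt_out(hdrs, prefs)
        print(f"{label:32s} source={d.source:8s} allowed={sorted(permitted_activities(d))}")
```

The key design choice is that a malformed or missing signal never degrades into "opted in": the pipeline can only fall back to choices the consumer made explicitly, which mirrors the requirement that a UOOM must not default consumers into processing or sale.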

Penalties & Enforcement

For the first 18 months after the law's effective date, the Attorney General must give a controller written notice of a violation and a 30-day opportunity to cure it before bringing an enforcement action; after that window the cure period expires. A violation of NJ SB332 is treated as an unlawful practice under New Jersey's consumer fraud (unfair and deceptive acts and practices, or UDAP) law, carrying civil penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent violation.

Wrapping Up

The New Jersey Data Privacy Law (SB 332) is a significant step in protecting consumer privacy. Enacted on January 16, 2024, and effective January 15, 2025, it places New Jersey among the states with the most expansive consumer privacy regimes. SB 332 sets out clear requirements for transparency, accountability, and consumer rights, addressing applicability thresholds, exemptions, sensitive data, universal opt-out, and enforcement.

Compliance with SB 332 requires clear privacy notices, documented data protection assessments, reasonable security safeguards, and working processes for honoring consumer rights, all of which help a business avoid substantial penalties. Businesses should prioritize understanding the law's requirements, updating their policies, and being transparent with consumers. Taking these steps proactively lets a business meet its legal obligations and build consumer trust in an evolving privacy landscape.

How Can GetTerms Help?

Businesses that have already addressed the CCPA and other state privacy laws are well positioned, but they still need to account for New Jersey's particular requirements. GetTerms helps businesses prepare for data privacy compliance with the following features and services:

  • Privacy Policy Generator: Create customized Privacy Policies tailored to your business needs, designed to be easily understood by your audience.
  • Cookie Consent: Implement cookie consent widgets and comprehensive cookie policies on websites to enhance compliance with regulations like GDPR.
  • Terms of Service: Each generated policy includes a standard Terms of Service document, simplifying the establishment of website policies.
  • Acceptable Use Policy: An optional document to determine website usage policies, especially for those seeking comprehensive coverage.

GetTerms also caters to various online businesses, including mobile apps, eCommerce, SaaS/web apps, blogs, and news sites, making it a versatile tool for simplifying compliance with legal requirements. Get started today by creating an account and begin in just 5 minutes.
