How To Add GetTerms’ Policies To Your Website
On January 16, 2024, New Jersey Governor Phil Murphy signed Senate Bill 332, known as the “New Jersey Data Privacy Law,” into law, placing New Jersey among the thirteen states to implement comprehensive data privacy legislation. This milestone follows the momentum of 2023, when several similar U.S. data privacy laws were enacted. Effective January 15, 2025, the New Jersey Data Privacy Law grants exclusive enforcement authority to the New Jersey Office of the Attorney General, excluding private legal actions.
In this article, we will explore the specifics of NJ SB332, including its scope, impact on businesses, and more.
New Jersey Data Privacy Law (SB 332) stands as a comprehensive data privacy law, aimed at protecting the personal information of its residents and compelling businesses to adopt data protection measures. By establishing clear guidelines and requirements, SB 332 seeks to bolster transparency, accountability, and consumer rights. Here are some essential components of NJ SB 332:
NJ SB332 applies to businesses engaging in the collection, use, or sharing of personal information from New Jersey residents. Specifically, a business falls under the jurisdiction of NJ SB332 if it:
Operates within New Jersey or provides goods/services to New Jersey residents, and within a calendar year meets either of the following:
While the NJDPA offers several common exemptions, such as those for state agencies and data regulated by HIPAA, GLBA, and FCRA, it lacks an entity exemption for HIPAA-regulated entities or exempt data processed by nonprofits or educational institutions (including educational data under FERPA).
Additionally, the NJDPA explicitly excludes de-identified and publicly available data from its definition of personal data. In line with Virginia’s CDPA, handling de-identified data under the NJDPA requires controllers to publicly commit to maintaining its de-identified status and to ensure recipients also comply. Consequently, businesses governed by the NJDPA may need to reassess and adjust contracts about the sharing of de-identified data.
Furthermore, the NJDPA’s definition of “publicly available information” extends beyond laws like the CCPA, encompassing data not only lawfully accessible from government records but also information reasonably believed by the controller to be lawfully available to the public.
NJ SB332 places a strong emphasis on safeguarding the privacy of NJ residents. The law grants individuals rights over their personal data while mandating transparency from businesses regarding data collection, processing, and usage. With these heightened privacy measures, consumers gain greater control over their personal information.
New Jersey’s Data Privacy Law applies to “personal data,” defined as any information linked or reasonably linkable to an identified or identifiable person. Similar to other US State Data Privacy Laws, it excludes de-identified data and publicly available information. The law mandates controllers to provide consumers with a clear and accessible privacy notice, including details on the categories of personal data processed, its purpose, third-party disclosures, consumer rights, and contact information.
Controllers must:
Starting six months after its effective date, controllers must allow consumers to opt out of data processing through a user-selected universal opt-out mechanism (UOOM). The law also empowers the New Jersey Division of Consumer Affairs to establish technical specifications for UOOMs.
Additionally, the law imposes obligations on processors, requiring them to collaborate with controllers to fulfill obligations under the act and adhere to privacy provisions outlined in contracts between controllers and processors.
New Jersey’s Data Privacy Law grants consumers rights similar to other US State Data Privacy Laws. Individuals residing in New Jersey, in a personal or household capacity, have the right to:
Upon receiving a request, controllers must respond within 45 days, unless an extension is necessary and communicated to the consumer. They must also establish an appeal process, similar to the initial request procedure. If denied, consumers can contact the Division of Consumer Affairs to file a complaint.
With NJ SB332 leading the charge, more privacy laws are expected in 2024. This means businesses must act now to comply. For those already following laws like California’s CCPA, Colorado’s CPA, or Virginia’s CDPA, efforts may overlap. But newcomers to privacy rules may need significant resources to catch up. To prepare for compliance and avoid future burdens, businesses should prioritize the following:
By taking these proactive steps, businesses can navigate the evolving privacy landscape with confidence and resilience.
Organizations must furnish a privacy notice detailing the following:
Businesses must conduct routine Data Protection Assessments (DPA) to swiftly identify and rectify vulnerabilities. The law mandates a DPA for processing data posing a heightened risk to consumers, subject to review by the New Jersey Attorney General.
New Jersey advocates for Universal Opt-Out Mechanisms, extending beyond targeted advertising and personal data sales to encompass user profiling—a unique inclusion among state laws. The Attorney General’s Division of Consumer Affairs is empowered to set technical specifications for UOOMs. Additionally, UOOMs must not default to opting consumers in for processing or sale of personal data unless the consumer expressly chooses such settings.
An 18-month grace period follows the bill’s effective date, during which the Attorney General will issue guidelines on data rights requests, verification, assessments, and opt-out mechanisms. Violating NJ SB332 constitutes a breach of New Jersey’s Unfair Deceptive Acts and Practices (UDAP), potentially incurring fines of up to $10,000 for initial violations and $20,000 for subsequent infractions.
The New Jersey Data Privacy Law (SB 332) represents a significant step in protecting consumer privacy. Enacted on January 16, 2024, and enforceable from January 15, 2025, it positions New Jersey as a leader in data protection. SB 332 provides clear guidelines for transparency, accountability, and consumer rights, addressing key areas such as controller definitions, exemptions, and enforcement mechanisms.
Compliance with SB 332 is crucial for businesses, requiring clear privacy notices, strengthened data protection measures, and respect for consumer rights to avoid substantial penalties. As businesses explore SB 332, understanding its requirements, updating policies, and fostering transparency are essential priorities. By taking proactive measures, businesses can comply with legal mandates and build consumer trust in an evolving privacy landscape.
Businesses that have already tackled CCPA and other state privacy laws are well-positioned for compliance, yet they still need to address New Jersey’s unique consumer privacy regulations. GetTerms assists businesses in preparing for data privacy compliance and offers the following features and services:
GetTerms also caters to various online businesses, including mobile apps, eCommerce, SaaS/web apps, blogs, and news sites, making it a versatile tool for simplifying compliance with legal requirements. Get started today by creating an account and begin in just 5 minutes.