On January 8, 2024, New Jersey’s legislature passed a comprehensive privacy bill, Senate Bill 332, on the final day of the 2023 session. If Governor Phil Murphy signs it, New Jersey will become the thirteenth state to enact a comprehensive data privacy law. While New Jersey’s law is largely similar to existing privacy laws, certain aspects set it apart, and companies should consider them as they embark on privacy compliance efforts going into the new year and beyond:

Universal Opt-Out Mechanisms (UOOMs)

New Jersey joins states like Colorado, Connecticut, and Oregon in requiring controllers to recognize UOOMs within six months of the bill’s effective date. A UOOM is a browser preference signal that allows consumers to opt out of the sale of their personal data or its use in targeted advertising across websites. The New Jersey law is unique in that it mandates that an opt-in for processing or selling personal data cannot be the UOOM’s default setting. Instead, it necessitates an explicit, affirmative action by the consumer to opt into such processing. This aspect of the law ensures a higher degree of consumer consent and agency, and is a distinctive feature compared to the approaches of some other states.

Pseudonymous Data

Unlike many state privacy laws, New Jersey’s does not exempt pseudonymous data (i.e., data that does not directly identify an individual, but can be used to deduce an individual’s identity when combined with other data). This means that pseudonymous data is fully covered under the New Jersey law. By including pseudonymous data within its scope, New Jersey takes a broader and more comprehensive approach to what constitutes “personal data,” echoing the more protective stance of states like Oregon and setting it apart from those that offer exemptions for such data.

Children’s Data Protection

Data protection for minors, especially those aged 13 to 17, is set to be an area of heavy regulatory focus nationwide in 2024. New Jersey’s law furthers this trend, specifically for minors aged 13 to 17. It requires explicit, clear, and affirmative opt-in consent for processing personal data of such minors for targeted advertising or data sales. This reflects a careful approach towards the privacy of minors and is in line with similar laws in states like Delaware and Oregon.

Data Processing Agreements

Under New Jersey’s law, controllers are required to enter into agreements with data processors, or service providers. These agreements must clearly define the scope of data processing activities and require that processors comply with privacy laws. This requirement is similar to the overarching trend among state privacy laws, emphasizing the need for formal, documented agreements between controllers and processors to maintain data privacy and security standards. Unlike the California Privacy Rights Act, however, the New Jersey law does not provide detailed guidance on the exact clauses or requirements for these agreements. It is likely that contracts that satisfy California’s requirements will work for New Jersey as well.

Other Key Provisions

The New Jersey law shares many requirements with other states, which should be familiar by now to entities in the digital space:

  • Opt-Out Rights: Consumers have the right to opt out of the sale of their personal data and its use in targeted advertising.
  • Rights to Access, Correction, and Deletion: Consumers can access, correct, or delete their personal data held by businesses.
  • Data Security Requirements: Businesses must implement reasonable security measures to protect personal data.
  • Enforcement and Penalties: The New Jersey Division of Consumer Affairs is responsible for enforcement, with provisions for penalties for non-compliance.
    • There is no private right of action.
  • Effective Date: Once signed, the law will take effect after 365 days. The governor has 45 days from January 8, 2024, to sign the law.

Takeaways

New Jersey’s consumer data privacy law represents another step forward in data protection in the United States. As part of their comprehensive privacy compliance efforts in 2024 and beyond, companies should heed the following key takeaways, which will soon apply in New Jersey and a growing number of states:

  • Implement Universal Opt-Out Mechanisms: Companies must recognize and act on universal opt-out signals from consumers regarding the sale of their personal data and its use in targeted advertising. This requires updating privacy policies and technical capabilities, often with the assistance of a privacy vendor, to ensure that websites are configured to listen for and process UOOMs.
  • Ensure Compliance for Pseudonymous Data: Businesses should treat pseudonymous data with the same level of privacy and security as personally identifiable information. This expands the scope of data protection responsibilities, requiring a comprehensive review of how such data is collected, processed, and stored.
  • Establish Comprehensive Data Processing Agreements: It’s essential for companies to have formal agreements in place with all data processors. These agreements should clearly outline the responsibilities and expectations for data processing in accordance with the new law, ensuring that both controllers and processors are aligned in their data protection practices.