Ahead of the January 15 effective date of the New Jersey Data Privacy Law (S332), the Garden State’s Division of Consumer Affairs Cyber Fraud Unit released FAQs for regulated businesses. The 24 questions provide an overview of the law, explaining definitions, consumer rights, and business obligations, with some notable details for businesses.

• New Children's Privacy Standard? The FAQs state that “in New Jersey, when a controller knows or should know that a consumer is between the ages of 13 and 16, the controller must get the consumer’s consent before processing the consumer’s personal data.” This is a broader consent requirement than that of the statute, which states that “a controller shall not process the personal data of a consumer for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer’s consent, under circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age.” Although nonbinding, the FAQs may reveal the Division of Consumer Affairs’ approach to children’s privacy, given the FAQ's constructive knowledge standard (“should know”) as compared to the statute’s higher actual knowledge or willful disregard standard.
• Rulemaking Incoming. New Jersey joins California and Colorado as the only states to delegate rulemaking authority (New Hampshire had limited authority, but it was removed via amendment during the 2024 legislative session). Since S332’s signing, there has been no indication as to when, or if, the Division of Consumer Affairs would begin the process. Here, it acknowledges that “regulations will be forthcoming in 2025,” giving businesses one more set of rules to watch for in a busy year.
• Sensitive Financial Information. The FAQs reiterate New Jersey’s unique definition of sensitive data, which includes “financial information,” or “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access.” Only the California Consumer Privacy Act also considers certain financial information sensitive. S332 exempts entities subject to the Gramm-Leach-Bliley Act, but will impose new obligations — including obtaining opt-in consent for processing and completing data protection assessments — on other businesses collecting or processing financial information.