A Primer on the New Jersey Data Privacy Act

The New Jersey Data Privacy Act (NJDPA, N.J. Stat. Section 56.8-166.4 et seq.) went into effect this past Jan. 15. Signed into law Jan. 16, 2024, the NJDPA represents New Jersey’s entry into the burgeoning field of data privacy laws, as it joins 18 other states that have passed such laws.
The NJDPA primarily affects large retailers, particularly those with substantial online operations. It also affects online advertising platforms, insurers, data brokers, and social media companies. The NJDPA clearly derives from its predecessors in the privacy field, but it also ventures beyond them in several ways.
For one, the NJDPA applies to a broader range of entities than many earlier privacy laws, including small businesses, educational institutions, and nonprofits, primarily by omitting revenue thresholds from its applicability. In addition, the NJDPA is in the minority of data privacy statutes in expressly including nonprofits, while providing no exemptions for educational institutions or for data regulated under the federal Family Educational Rights and Privacy Act. In other words, the NJDPA has fewer straightforward exceptions; even its Fair Credit Reporting Act and Health Insurance Portability and Accountability Act exceptions are narrow.
Here are the most salient provisions of the NJDPA.
How the NJDPA Regulates Data Privacy
As to be expected, at the center of the NJDPA is its definition of the terms “personal data” and “sensitive data.” The statute defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable person,” and does not include “de-identified data” or publicly available information.
The statute defines “sensitive data” as: personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or nonbinary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
It then imposes duties on controllers and processors of personal data. Controllers are individuals or legal entities “that, alone or jointly with others, determine the purpose and means of processing personal data.” A processor, on the other hand, is a “person, private entity, public entity, agency, or other entity that processes personal data on behalf of” a controller.
Complying With the NJDPA
The NJDPA applies to controllers that conduct business in the State of New Jersey and target New Jersey residents with their products or services if they control or process:
- The data of at least 100,000 N.J. consumers; or
- The data of at least 25,000 N.J. residents and derive revenue (or receive a discount) from the sale of personal data.
Controllers must give consumers a reasonably accessible, clear, and meaningful privacy notice that must include, but not be limited to:
- The categories of personal data the controller processes;
- The purpose(s) for processing that personal data;
- The categories of all third parties with whom the processor may share a consumer’s personal data;
- The categories of personal data controllers may share with third parties;
- Instructions for consumers to exercise their consumer rights, including the controller’s contact information and how a consumer may appeal a controller’s decision regarding a consumer’s request;
- The process by which the controller will notify consumers of material changes to the privacy notice along with its effective date; and
- An active email address or other online mechanism consumers may use to contact the controller.
If a controller sells the personal data of consumers to third parties or processes it for the purposes of targeted advertising, the sale of personal data, or profiling consumers, the controller must clearly and conspicuously disclose those facts as well as the manner in which a consumer may opt out. Controllers must also limit the collection of personal data to what is relevant to the purpose for which it is collected or processed. Further, controllers may not process personal data for purposes that are unnecessary for, or incompatible with, the reasons for which it is collected or processed.
Additionally, controllers may not process sensitive data without first receiving the consumer’s consent to such processing. The data of children under 13 years old cannot be processed until the controller receives consent and processes it in accordance with the Children’s Online Privacy Protection Act. If the controller has actual knowledge or willfully disregards that the consumer is at least 13 years old but younger than 17 years old, the controller may not process, without consent, the personal data of that consumer for purposes of targeted advertising, personal data sales or profiling.
Controllers must establish, implement, and maintain data security practices to protect the confidentiality, integrity, and accessibility of personal data, and to protect that data from unauthorized acquisition during both storage and use. To verify the effectiveness of the data security practices, the controller will need to conduct periodic data protection assessments that will test:
- The processing of personal data for targeted advertising;
- The processing of personal data for profiling that presents a reasonably foreseeable risk to the consumer;
- The sale of personal data;
- The processing of sensitive data; and
- Any processing activities involving personal data that present a heightened risk of harm to consumers.
When controllers enter into contracts with processors, the contracts must include instructions for processing data, the nature and purpose of processing to be performed, the type of data subject to processing, the duration of the processing, and the manner in which the processor must assist the controller.
Finally, controllers may not violate state and federal laws prohibiting discrimination against consumers, or discriminate against consumers who choose to opt out of the processing.
Processors (i.e., entities that process personal data on behalf of controllers) have more limited obligations. They must assist controllers, maintain the confidentiality of personal data, implement security measures appropriate to their risk, and establish a clear allocation of responsibilities between the processor and the controller. Finally, processors must enter into written contracts with controllers and ensure that any subcontractors they use are also subject to the same obligations.
Consumers’ Rights, Exemptions and Enforcement
The NJDPA gives consumers the following rights:
- The right to know whether a controller is processing the consumer’s personal data;
- The right to obtain access to their personal data and a copy of it in a readily transmittable form;
- The right to correct inaccuracies in their personal data;
- The right to delete their personal data; and
- The right to opt out of processing of personal data for targeted advertising, sale of personal data, or profiling.
As I alluded to at the beginning of this article, the NJDPA includes several exemptions. As a threshold matter, the statute exempts from the definition of “consumer” those people “acting in a commercial or employment context.”
Certain health information collected by an entity that is subject to the Health Insurance Portability and Accountability Act is exempt from the NJDPA’s requirements, as are financial institutions, affiliates, and data regulated by the Gramm-Leach-Bliley Act. So too are certain insurance institutions; sales of consumer data by the New Jersey Motor Vehicle Commission that are permitted by federal law; and personal data collected, processed, sold, or disclosed by a consumer reporting agency if the actions are authorized by the Fair Credit Reporting Act. State agencies and political subdivisions are exempted, as is certain clinical health research.
Finally, the New Jersey Attorney General can enforce the NJDPA with civil actions and by seeking injunctive relief under the New Jersey Consumer Fraud Act (CFA). The CFA carries penalties of up to $10,000 for the first offense and up to $20,000 for subsequent violations. However, the NJDPA provides a 30-day cure period (at least until July 2026). And, importantly, the NJDPA provides no direct private right of action under it. The New Jersey Division of Consumer Affairs will promulgate rules and regulations necessary to carry out the NJDPA.
That being said, the NJDPA states that a violation of it will constitute a violation of the CFA. The CFA does have a private right of action for which a successful plaintiff can recover treble damages, reasonable attorneys’ fees, and the fees and costs associated with filing suit. But it is too early to tell how successful consumers will be using this connection to create a back-door-type private action under the NJDPA, or bringing negligence-based claims stemming from violations of the NJDPA. It appears New Jersey is unique among other states in that while its privacy act does not have a direct private right of action, the act shares a close nexus with a state consumer fraud statute that does have one.
New Jersey Joins the Data Privacy Parade
With the NJDPA, New Jersey has stepped into the data privacy regulation world, finally offering its residents consumer privacy protections that some of its sister states have offered for years. Only time will tell how aggressive the New Jersey Attorney General will be with enforcing the NJDPA’s provisions, whether organizations that have implemented privacy compliance programs in response to other states’ data privacy laws are well-positioned to comply with the NJDPA, and how victorious consumers will be when bringing private claims against violators under alternative theories, such as through the CFA or common law negligence.