New Jersey - Data Protection Overview

January 2024

1. Governing Texts

On January 16, 2024, the Governor of New Jersey signed the Act concerning commercial Internet websites, online services, consumers, and personally identifiable information ('the Act'). The Act gives the New Jersey Office of the Attorney General ('AG') sole and exclusive authority to enforce its provisions.

The Act takes effect on the 365th day following the date of enactment, except that the Director of the Division of Consumer Affairs may take any anticipatory administrative action in advance as necessary for its implementation.

1.1. Key acts, regulations, directives, bills

  • the Act

1.2. Guidelines

The AG has not issued any guidelines on the Act.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Act applies to controllers that during a calendar year either:

  • control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  • control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

However, the Act clarifies that it does not apply to, amongst others:

  • protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the US Department of Health and Human Services ('HHS'), established pursuant to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA');
  • a financial institution, or an affiliate of a financial institution, subject to the Gramm-Leach-Bliley Act of 1999 ('GLBA');
  • an insurance institution;
  • the sale of a consumer's personally identifiable information by the New Jersey Motor Vehicle Commission that is permitted by the Driver's Privacy Protection Act of 1994;
  • personally identifiable information collected, processed, sold, or disclosed by a consumer reporting agency, if the collection, processing, sale, or disclosure of the personally identifiable information is limited by the Fair Credit Reporting Act of 1970 ('FCRA');
  • any State agency, any political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision; or
  • personal data that is collected, processed, or disclosed, as part of research.

2.2. Territorial scope

The Act applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey.

2.3. Material scope

The Act applies to the control or processing of personal data. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable person. This does not include de-identified data or publicly available information.

The following information is also exempt from the scope of the Act in certain circumstances:

  • protected health information;
  • financial institution data;
  • personal data collected, processed, sold, or disclosed by a consumer reporting agency; and
  • personal data collected, processed, or disclosed, as part of research.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AG is the regulator for the Act.

3.2. Main powers, duties and responsibilities

The Office of the AG has sole and exclusive authority to enforce the provisions of the Act.

The Director of the Division of Consumer Affairs in the Department of Law and Public Safety ('the Division of Consumer Affairs') must promulgate the rules and regulations necessary to effectuate the purposes of the Act.

The Division of Consumer Affairs may also adopt rules and regulations that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data.

4. Key Definitions

Data controller: Is defined as an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.

Data processor: Is defined as a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.

Personal data: Is defined as any information that is linked or reasonably linkable to an identified or identifiable person. This does not include de-identified data or publicly available information.

Sensitive data: Is defined as personal data revealing:

  • racial or ethnic origin;
  • religious beliefs;
  • mental or physical health condition, treatment, or diagnosis;
  • financial information, which includes a consumer's account number, account log-in, financial account, or credit or debit card number in combination with any required security code, access code, or password that would permit access to a consumer's financial account;
  • sex life or sexual orientation;
  • citizenship or immigration status;
  • status as transgender or non-binary;
  • genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
  • personal data collected from a known child; or
  • precise geolocation data.

Health data: Is not specifically defined under the Act but may fall under the definition of 'sensitive data' above.

Biometric data: Is defined as data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. Biometric data does not include:

  • digital or physical photographs;
  • audio or video recordings;
  • any data generated from a digital or physical photograph or an audio or video recording, unless such data is generated to identify a specific individual.

Pseudonymization: Is not defined under the Act. However, de-identified data is defined as data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:

  • takes reasonable measures to ensure that the data cannot be associated with an individual;
  • publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data; and
  • contractually obligates any recipients of the information to comply with the requirements of this paragraph.

5. Legal Bases

5.1. Consent

'Consent', pursuant to the Act, is defined as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action.

Consent does not include:

  • acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • hovering over, muting, pausing, or closing a given piece of content; or
  • agreement obtained through the use of dark patterns.

Controllers must not process sensitive data concerning a consumer without first obtaining the consumer's consent or, in the case of a known child, without processing such data in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA'). In addition, where a controller has actual knowledge, or willfully disregards, that a consumer is at least 13 years of age but younger than 17 years of age, the controller must not process that consumer's personal data for purposes of targeted advertising, the sale of the consumer's personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer without the consumer's consent.

Controllers must also not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.

In line with the above, controllers must also provide an effective mechanism for consumers to revoke consent in a way that is at least as easy as the mechanism by which the consumer provided the consumer's consent. Controllers must then cease to process the data as soon as practicable, but not later than 15 days after receipt of the request.

5.2. Contract with the data subject

The Act does not specifically provide that personal data can be processed for the performance of a contract with a data subject.

However, the Act outlines that nothing may restrict the ability of a controller or processor to:

  • provide a product or service specifically requested by a consumer;
  • perform a contract to which a consumer is a party, including fulfilling the terms of a written warranty; and
  • take steps at the request of a consumer before entering into a contract.

Similarly, the Act provides that the obligations it imposes on controllers and processors do not restrict their ability to collect, use, or retain data for internal use to perform internal operations that are reasonably aligned with the expectations of the consumer, are reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

5.3. Legal obligations

The Act does not specifically provide that personal data can be processed based on legal obligations.

However, the Act does provide that nothing may restrict the ability of a controller or processor to:

  • comply with federal or State law or regulations;
  • comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, State, municipal or other governmental authorities;
  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, State or municipal ordinances or regulations; and
  • investigate, establish, exercise, prepare for, or defend legal claims.

5.4. Interests of the data subject

The Act does not specifically provide that personal data can be processed based on the interests of data subjects.

However, the Act does provide that nothing may restrict the ability of a controller or processor to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis.

5.5. Public interest

The Act does not specifically provide that personal data can be processed based on the public interest.

However, the Act does provide that nothing may restrict the ability of a controller or processor to process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is:

  • subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
  • under the responsibility of a professional subject to confidentiality obligations under federal, State, or local law.

In addition, the Act provides that its requirements do not restrict a controller's or processor's ability to engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or a similar independent oversight entity, that determines:

  • whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • whether the expected benefits of the research outweigh the privacy risks; and
  • whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with the research, including any risks associated with re-identification.

5.6. Legitimate interests of the data controller

The Act does not expressly provide that personal data can be processed based on the legitimate interest of the data controller.

However, the Act does provide that its requirements do not restrict a controller's or processor's ability to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; to preserve the integrity or security of systems; or to investigate, report, or prosecute those responsible for any such action.

Likewise, the Act provides that the requirements imposed on controllers and processors under the Act must not restrict their ability to collect, use, or retain data for internal use to:

  • conduct internal research to develop, improve, or repair products, services, or technology;
  • effectuate a product recall; or
  • identify and repair technical errors that impair existing or intended functionality.

5.7. Legal bases in other instances

The Act provides that its requirements do not restrict a controller or processor's ability to assist another controller, processor, or third party with any obligations under the Act.

Data controllers or processors are not required to comply with the provisions of the Act if doing so would violate evidentiary privilege. The Act also stipulates that nothing under its requirements shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of New Jersey as part of a privileged communication.

6. Principles

The Act outlines the following principles for the processing of personal data:

Data minimization: limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer.

Purpose limitation: not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent. In addition, controllers must specify the express purposes for which personal data is processed.

Confidentiality and integrity: taking reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, and to secure personal data during both storage and use from unauthorized acquisition. Data security practices must be appropriate to the volume and nature of the personal data at issue.

7. Controller and Processor Obligations

7.1. Data processing notification

The Act does not specifically provide for data processing notification.

7.2. Data transfers

The Act does not specifically address cross-border data transfers.

However, 'sale' is defined as the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. 'Sale' does not include:

  • the disclosure of personal data to a processor that processes the personal data on the controller's behalf;
  • the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or
  • the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

7.3. Data processing records

The Act does not explicitly provide for data processing records.

7.4. Data protection impact assessment

Controllers must not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment ('DPA'). A DPA is required for each processing activity involving personal data acquired on or after the Act's effective date that presents a heightened risk of harm to a consumer.

A DPA must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by the safeguards the controller may employ.

Controllers must factor into DPAs:

  • the use of de-identified data;
  • the reasonable expectations of consumers; and
  • the relationship between the controller and the consumer whose personal data will be processed.

The Act provides that 'heightened risk' includes:

  • processing personal data for purposes of targeted advertising, or for profiling if the profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial or physical injury to consumers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers;
  • selling personal data; and
  • processing sensitive data.

DPAs must be made available to the Division of Consumer Affairs on request.

Notably, a single DPA may address a comparable set of processing operations that includes similar activities.

7.5. Data protection officer appointment

The Act does not expressly address data protection officer appointments.

7.6. Data breach notification

The Act does not provide for breach notification requirements.

However, pursuant to §56:8-163 of the N.J. Stat. Ann., a business conducting business in New Jersey or a public entity that maintains computer records that include personal information must disclose any breach of security of those computerized records (N.J. Stat. Ann. §56:8-163(a)).

7.7. Data retention

The Act does not expressly address data retention.

7.8. Children's data

The Act does not itself define 'child' but provides that the term has the same meaning as under COPPA, which treats a child as an individual younger than 13 years of age. The Act stipulates that controllers must not process the personal data of a known child without processing such data in accordance with COPPA.

In addition, personal data collected from a known child is a category of 'sensitive data'. Therefore, personal data collected from an individual the controller knows to be under 13 years of age must be processed in accordance with the requirements for sensitive data.

7.9. Special categories of personal data

Controllers must not process sensitive data concerning a consumer without first obtaining the consumer's consent or, in the case of a known child, without processing such data in accordance with COPPA.

7.10. Controller and processor contracts

Processors under the Act must adhere to the instructions of the controller and assist the controller in meeting its obligations.

Taking into account the nature of processing and the information available to the processor, the processor must assist the controller by:

  • taking appropriate technical and organizational measures for the fulfilment of the controller's obligation to respond to consumer requests to exercise their rights;
  • helping to meet obligations relating to the security of processing of personal data and in relation to the notification of a breach of the security of the system; and
  • providing information to the controller necessary to enable the controller to conduct and document any DPAs.

Taking into account the context of processing, the controller and processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

The processing by a processor must be governed by a contract between the controller and processor, setting forth:

  • the processing instructions to which the processor is bound, including the nature and purpose of the processing;
  • the type of personal data subject to the processing and the duration of the processing;
  • the requirements imposed on the processor under the Act; and
  • requirements that:
    • at the discretion of the controller, the processor deletes or returns all personal data to the controller as requested at the end of the provision of services, unless retention of personal data is required by law;
    • processors make available to the controller, all information necessary to demonstrate compliance with obligations under the Act; and
    • processors allow, and contribute to, reasonable assessments and inspections by the controller or controller's designated assessor. Processors may, with the controller's consent, arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligation under the Act, using an appropriate and accepted control standard or framework for the assessment. Processors must provide a copy of the assessment to the controller on request.

Notwithstanding the instructions of a controller, processors must also:

  • ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
  • engage a subcontractor pursuant to a written contract in accordance with the contractual requirements for engaging a processor above, that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

Determining whether a person is acting as a controller or processor with respect to specific processing of data is a fact-based determination dependent upon the context in which personal data is to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, shall be deemed a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, they shall be deemed a controller with respect to the processing.

8. Data Subject Rights

Response time

Controllers that receive a verified request from a consumer must respond within 45 days of receipt of the request. Controllers may extend the response period by 45 additional days where reasonably necessary, considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of the extension, and the reason for it, within the initial 45-day response period. Controllers must provide the information for all disclosures of personal data that occurred in the prior 120 months.

Information provided in response to a consumer request must be provided by a controller, free of charge, once per consumer during any 12-month period. Where requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

Authentication

If a controller is unable to authenticate a request to exercise any of the rights provided under the Act using commercially reasonable efforts, the controller will not be required to comply with a request to initiate an action but must provide notice to the consumer that they are unable to authenticate the request to exercise such right(s) until the consumer provides additional information reasonably necessary to authenticate the consumer and their request to exercise such right(s).

Similarly, controllers may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. Where a controller denies an opt-out request because the controller believes the request is fraudulent, the controller must send a notice to the person who made such request disclosing that the controller believes the request is fraudulent, why such controller believes this, and that the controller does not have to comply with the request.

Declining requests and appeals

When a controller declines to take action regarding the consumer's request, the controller must inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

Controllers must establish a process for consumers to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 45 days after receipt of an appeal, controllers must inform consumers, in writing, of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, controllers must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Division of Consumer Affairs to submit a complaint.

8.1. Right to be informed

Data controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice including:

  • the categories of the personal data that the controller processes;
  • the purpose for processing personal data;
  • the categories of all third parties to which the controller may disclose a consumer's personal data;
  • the categories of personal data that the controller shares with third parties, if any;
  • how consumers may exercise their consumer rights, including the controller's contact information and how a consumer may appeal a controller's decision with regard to the consumer's request;
  • the process by which the controller notifies consumers of material changes to the notification required to be made available in the privacy notice, along with the effective date of the notice; and
  • an active email address or other online mechanism that the consumer may use to contact the controller.

If controllers provide personal data to third parties or process personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing.

8.2. Right to access

Consumer rights under the Act include the right to confirm whether a controller is processing the consumer's personal data and access the personal data, provided nothing would require the controller to reveal a trade secret.

8.3. Right to rectification

Consumers under the Act also have the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of processing.

8.4. Right to erasure

Consumers under the Act also have the right to delete personal data concerning the consumer.

Controllers that have obtained personal data about a consumer from a source other than the consumer must, in order to comply with a request to delete such personal data, retain a record of the deletion request and the minimum data necessary to ensure the consumer's personal data remains deleted from the controller's records, and must not use the retained information for any other purpose.

8.5. Right to object/opt-out

Consumers under the Act have the right to opt out of the processing of personal data for the purposes of:

  • targeted advertising;
  • the sale of personal data, except where an exception applies; or
  • profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Consumers may designate another person to serve as their authorized agent and act on their behalf to opt out of the processing and sale of the consumer's personal data. Consumers may also designate an authorized agent using technology, including a link to an internet website, an internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the collection and processing of personal data for the purpose of any sale of data or for the purpose of targeted advertising or, when such technology exists, for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Controllers must comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

Beginning not later than six months following the effective date of the Act, a controller that processes personal data for the purposes of targeted advertising or the sale of personal data must allow consumers to exercise the right to opt out of such processing through a user-selected, universal opt-out mechanism.

Importantly, a controller may not discriminate against a consumer who opts out of the processing of the consumer's personal data for sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects. However, this does not prohibit the controller from offering consumers discounts, loyalty programs, or other incentives for the sale of the consumer's personal data, or from providing different services to consumers that are reasonably related to the value of the relevant data, provided that the controller has clearly and conspicuously disclosed to the consumer that the offered discounts, programs, incentives, or services involve the sale or processing of personal data that the consumer otherwise has a right to opt out of.
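The universal opt-out requirement above is the one part of this section an engineering team has to implement in request-handling code rather than in policy. The following Python is an added example and is not part of the Act or of this overview; it assumes that the browser-side signal arrives as the Global Privacy Control request header `Sec-GPC: 1`, which the Act text does not name (the Division of Consumer Affairs may specify the technical details by regulation). The consumer record type, function names, and sample requests are constructed for illustration.

```python
"""Honor a universal opt-out signal for targeted advertising and sale.

Assumptions (not from the Act itself): the signal is the Global Privacy
Control request header 'Sec-GPC: 1'. The Act only requires the universal
mechanism to cover targeted advertising and sale; profiling is covered
"when such technology exists", so this example does not treat the header
as a profiling opt-out.
"""
from dataclasses import dataclass, field

# Purposes a consumer may opt out of under the Act.
TARGETED_ADVERTISING = "targeted_advertising"
SALE = "sale"
PROFILING = "profiling"

# Purposes the universal signal must switch off.
UNIVERSAL_SIGNAL_PURPOSES = frozenset({TARGETED_ADVERTISING, SALE})


@dataclass
class ConsumerRecord:
    """Hypothetical per-consumer preference store."""
    consumer_id: str
    opted_out: set = field(default_factory=set)
    # purpose -> how the opt-out was received (web form, agent, signal)
    opt_out_source: dict = field(default_factory=dict)


def universal_opt_out_signaled(headers):
    """Return True if the request carries a Sec-GPC: 1 signal.

    Header names are matched case-insensitively; only the exact value "1"
    counts as a signal, anything else is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_universal_opt_out(headers, record):
    """Record the opt-outs a universal signal requires.

    Returns the set of purposes newly opted out by this request. The
    absence of a signal never clears an existing opt-out: a consumer who
    opted out through a web form or an authorized agent stays opted out
    even if a later request arrives from a browser without the header.
    """
    if not universal_opt_out_signaled(headers):
        return frozenset()
    newly = UNIVERSAL_SIGNAL_PURPOSES - record.opted_out
    for purpose in newly:
        record.opted_out.add(purpose)
        record.opt_out_source[purpose] = "universal_signal"
    return frozenset(newly)


def may_process_for(record, purpose):
    """Gate to check before any targeted-ad, sale, or profiling pipeline runs."""
    return purpose not in record.opted_out


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    rec = ConsumerRecord("c-1001")
    apply_universal_opt_out({"User-Agent": "example", "Sec-GPC": "1"}, rec)
    print(sorted(rec.opted_out))          # ['sale', 'targeted_advertising']
    print(may_process_for(rec, PROFILING))  # True: the signal does not cover profiling
    print(may_process_for(rec, SALE))       # False
```

The gate function belongs in front of every downstream use of the data, not only in the page-serving path: an opt-out that is honored on the web tier but ignored by a nightly export to an ad partner is still a sale of the consumer's data.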

8.6. Right to data portability

Under the Act, consumers have the right to obtain a copy of their personal data processed by a controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, provided that nothing requires the controller to provide the data to the consumer in a manner that would reveal the controller's trade secret.

8.7. Right not to be subject to automated decision-making

The Act specifies that consumers have the right to opt out of the processing of personal data for the purposes of profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Under the Act 'profiling' is defined as any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

8.8. Other rights

Not applicable.

9. Penalties

The New Jersey AG has the authority to enforce the Act.

Notably, for 18 months after the Act takes effect, the Division of Consumer Affairs may, prior to bringing an enforcement action, issue a notice of violation to the controller if it determines that a cure is possible. Where the controller fails to cure the alleged violation within 30 days of receiving the notice, an enforcement action may then be brought. In addition, data protection assessments must be made available to the Division of Consumer Affairs on request.

Nothing in the Act should be construed as providing the basis for, or be subject to, a private right of action for violations of the Act.

9.1. Enforcement decisions

Not applicable.
