The scope of the NJDPA was expanded significantly from prior versions. As late as December 17, 2023, the bill only applied to a person or entity that operated 'any service provided over the internet that collects and maintains personally identifiable information from a consumer.' The NJDPA enacted less than one month later, however, is not limited to the collection of data over the internet and applies to all personal data, regardless of how it is obtained by the controller – i.e., online, in-person, electronic, hard copy, etc. By expanding the scope of the NJDPA to apply to all consumer personal data, New Jersey has joined the growing national trend of strengthening consumer data protection laws at the state level. 

What is the threshold for application? 

As a threshold matter, the NJDPA applies to controllers who conduct business in New Jersey or produce products or services targeting New Jersey residents and, during a calendar year, either:

• control or process the personal data of 100,000 or more New Jersey consumers (excluding personal data processed solely for completing a payment transaction); or
• control or process the personal data of at least 25,000 New Jersey consumers and derive a financial benefit from the sale of personal data.

Unlike privacy laws in most other states, the NJDPA does not provide a threshold for the percent of total revenue a controller must derive from the sale of data. In addition, the NJDPA does not have any overall revenue threshold for application.

What data is covered? 

The NJDPA governs the collection, processing, disclosure, and sale of a New Jersey resident's personal data, which is defined as 'any information that is linked or reasonably linkable to an identified or identifiable person.' The NJDPA also includes requirements that apply to sensitive data, which is defined more broadly than other states by including a range of consumer financial information and status as transgender or non-binary, along with data typically identified as sensitive personal data like racial or ethnic origin, religious beliefs, mental or physical condition, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, and precise geolocation data.

What data is exempted? 

The definition of consumer in the NJDPA is expressly limited to a New Jersey resident 'acting only in an individual or household context.' The definition specifically excludes 'a person acting in a commercial or employment context,' which would appear to exempt all data of employees, job applicants, and business contacts from the scope of the NJDPA. 

The definition of personal data specifically excludes de-identified data and publicly available information. Any controller with de-identified data must publicly commit to keeping the data de-identified and must contractually obligate any recipients of the de-identified data to do the same. Also, the definition of publicly available information includes information lawfully made available from government records and widely distributed media, as well as information that a controller 'has a reasonable basis to believe that a consumer has lawfully made available to the public and has not restricted to a specific audience.' 

The NJDPA, like many other state data privacy statutes, exempts several types of entities and data classifications from the scope of application, including: 

• any state agency or political subdivision;
• financial and market institutions regulated by the Gramm-Leach-Bliley Act;
• protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH);
• secondary market institutions identified in 15 U.S.C. sec. 6809(3)(D) and 12 C.F.R. sec. 1016.3(l)(3)(iii);
• certain insurance institutions;
• sales of personal data by the New Jersey Motor Vehicle Commission (as permitted by the federal Driver's Privacy Protection Act);
• personal data collected by consumer reporting agencies and governed by the Fair Credit Reporting Act; and
• certain scientific research conducted in accordance with federal policy under 45 C.F.R. Part 46 or 21 C.F.R. Parts 50 and 56.

Notably, the NJDPA does not provide an exemption for non-profit institutions, institutions of higher education, and educational data subject to the Family Educational Rights and Privacy Act (FERPA). 

What is required in the controller's privacy notice?

Similar to other state data privacy laws, controllers must provide consumers with 'a reasonably accessible, clear, and meaningful privacy notice' that includes at least the following: 

• the categories of personal data processed; 
• the purpose for processing personal data; 
• the categories of third parties to whom the personal data is disclosed; 
• the categories of personal data shared with third parties; 
• how consumers may exercise their rights; 
• the process for notifying consumers of changes to the privacy notice; and
• an active email address to contact the controller. 

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must also 'clearly and conspicuously' disclose such sale or processing, as well as the method for opting out of such sale or processing. Controllers are prohibited from discriminating against a consumer for exercising the right to opt out, including increasing the cost or limiting the availability of the product or service based solely on a consumer exercising this right. This does not, however, prohibit the controller from offering consumer discounts, loyalty programs, or other incentives for the sale of a consumer's personal data.

What other obligations does a controller have? 

The NJDPA imposes various other obligations on a controller, including the following: 

• limiting the collection of personal data to what is adequate, relevant, and reasonably necessary;
• only processing personal data for purposes that are necessary to and compatible with the purposes disclosed to consumers, unless specific consent is obtained; 
• implementing and maintaining reasonable administrative, physical, and technical data security practices to safeguard personal data; 
• providing an effective mechanism for a consumer to revoke their consent and terminating the processing of that personal data no later than 15 days after receipt of the request;
• conducting and documenting Data Protection Assessments (DPAs) (see the section on this below) in the event that processing personal data presents a 'heightened risk' of harm to a consumer, specifically for targeted advertising, profiling that may cause discriminatory or unfair treatment or other substantial injury to consumers, selling personal data, and processing sensitive data; and
• ensuring that agreements with processors (such as service providers and vendors) include appropriate data protection requirements and obligations.

Are there consent requirements for processing? 

The NJDPA expressly requires that controllers obtain opt-in consent from consumers before processing their sensitive personal data.

Controllers must also process the personal data of a known child in accordance with the Children's Online Privacy Protection Act (COPPA), which (with limited exception) requires parental consent for processing the personal data of children under the age of 13. In addition, a controller who has actual knowledge (or willfully disregards) that a consumer is between 13 and 16 years old must obtain consent to process personal data for targeted advertising, the sale of personal data, or profiling. 

What obligations does a processor have? 

Under the NJDPA, a processor has various requirements, including: 

• adhering to the instructions of the controller; 
• assisting the controller with:
  • technical and organizational measures to facilitate a response to a consumer rights request;
  • the security of processing personal data and notification in the event of a breach of security; and
  • conducting and documenting any DPAs;
• ensuring that confidentiality is maintained by all persons processing personal data; 
• implementing technical and organizational measures to ensure an appropriate level of security; and
• entering into a contract with the controller for the processing of personal data including processing instructions, the nature and purpose of processing, the type of data to be processed, and the duration of the processing. 

If a processor is not limited to processing personal data pursuant to a controller's instructions or fails to adhere to the instructions, the processor shall be deemed a controller subject to all the corresponding requirements of the NJDPA.

What rights do consumers have? 

Like most other existing state privacy laws, the NJDPA grants consumers certain rights with respect to their personal data, as follows:

• confirm processing and access by a controller; 
• correct inaccuracies;
• delete personal data;
• obtain a copy of personal data in a portable and readily usable format; and
• opt out of processing for purposes of:
  • targeted advertising;
  • the sale of personal data; or
  • profiling for certain decision-making relating to that consumer. 

A controller must respond to a verified consumer rights request within 45 days of receipt, with the potential for a 45-day extension under certain circumstances. Note that opt-out requests, unlike other consumer rights requests, are not required to be authenticated by a controller, but an opt-out request may be denied if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. A controller must also establish a process for a consumer to appeal any refusal to take action on the consumer rights request, respond to the appeal within 45 days, and if the appeal is denied, provide a method for the consumer to contact the Division of Consumer Affairs to file a complaint. 

What is the requirement for a universal opt-out mechanism? 

The NJDPA requires a controller to allow consumers to exercise the right to opt out of any targeted advertising or the sale of personal data through a user-selected universal opt-out mechanism. This must be implemented by a controller no later than July 15, 2025 (six months after the effective date of the NJDPA), and the Division of Consumer Affairs may adopt regulations that detail the technical specifications for one or more universal opt-out mechanisms. 

What are the DPA requirements? 

The NJDPA requires that any DPAs identify and weigh the benefits to all stakeholders that may result from the processing of personal data against the potential risks to the rights of the consumer associated with that processing. The assessment must also incorporate the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer. The assessment is deemed confidential and exempt from public inspection but must be made available to the Division of Consumer Affairs upon request. 

Who can enforce the NJDPA? 

The NJDPA specifically states that the New Jersey Attorney General has the 'sole and exclusive authority' to enforce the provisions and requirements of the NJDPA, and further states that nothing in the statute 'shall be construed as providing the basis for, or subject to, a private right of action.' Notably, for the first 18 months after the effective date, a controller receiving a notice of non-compliance from the Division of Consumer Affairs has a 30-day cure period to remedy the alleged non-compliance. If the controller fails to cure the alleged violation within 30 days, an enforcement action may be commenced by the New Jersey Attorney General. 

Also, unlike most other states, the Director of the Division of Consumer Affairs has been empowered with rule-making authority in order to effectuate the purposes of the NJDPA. 

What are the penalties for a violation? 

The NJDPA does not include any specific statutory fines or penalties for non-compliance. However, the statute expressly states that non-compliance will constitute a violation of the New Jersey Consumer Fraud Act, which can result in fines of up to $10,000 for the first violation and $20,000 for subsequent violations. 

Conclusion 

All persons and entities that collect or process personal data of New Jersey residents and meet the thresholds for applicability should take proactive steps to develop a plan for compliance. For controllers who already have compliance programs in place (or in process) for existing state data privacy laws (e.g., California, Virginia, Connecticut, Colorado, and Utah), compliance with the NJDPA will likely be limited to identifying and addressing the unique requirements and obligations of the New Jersey statute. For controllers who do not have existing compliance obligations with similar data privacy laws, a plan for compliance should include: 

• specifically identifying the personal data actually collected and processed, and determining the specific purposes for processing, where that data is located, and who has access to it; 
• developing a data privacy and protection program and procedures (or reviewing and updating any existing program) to incorporate compliance measures that meet the unique requirements and obligations of the NJDPA; 
• performing data privacy assessments if and as necessary for the processing of personal data that presents a 'heightened risk' of harm to a consumer;
• reviewing contracts with service providers and vendors to ensure that selection and contracting include the necessary representations and commitments with respect to vendor access, use, and processing of personal data on behalf of the organization; and
• identifying and implementing the process to be used for accepting, responding to, and completing consumer rights requests consistent with statutory requirements. 

John T. Wolak Partner
[email protected]
Gibbons P.C., New Jersey