New Jersey’s New Privacy Law: What to Know

Client Alert

Yesterday, New Jersey Governor Phil Murphy signed S332, the state’s first comprehensive consumer privacy law. In doing so, New Jersey joins thirteen other U.S. states in passing a comprehensive consumer privacy law. Such laws are already in effect in California, Connecticut, Colorado, Utah and Virginia, with similar laws in Florida, Montana, Oregon and Texas to take effect later this year. Delaware, Iowa and Tennessee have laws slated to take effect in 2025, followed by Indiana in 2026. Here’s what you should know:

Applicability

S332 regulates entities that conduct business in New Jersey or produce products or services that target New Jersey residents and that (1) control or process personal data of at least 100,000 consumers (excluding personal data processed exclusively for payment transactions) or (2) control or process personal data of at least 25,000 consumers and receive revenue or discounted goods or services for the sale of personal data. Unlike many state privacy laws, the law applies to nonprofit entities.

The law contains familiar exceptions for personal data collected in business-to-business and employment contexts and contains data-level exemptions for personal data regulated by the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.

Familiar requirements for regulated organizations

The law contains familiar requirements for organizations that collect personal data, referred to as “controllers,” that are largely based on the never-passed Washington Privacy Act, which has become the standard framework for many state privacy laws, beginning with the Virginia Consumer Data Protection Act. These include obligations to provide a detailed and comprehensive privacy policy, a suite of data subject rights—including rights to know/access, correct, delete and opt out—and express contract provisions for data exchanges between controllers and processors.

Controllers must conduct data protection assessments for any processing activities that present a “heightened risk of harm” to the consumer, such as selling personal data, processing personal data for targeted ads, or profiling that presents a “reasonably foreseeable” risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, offensive intrusion upon the solitude, seclusion, or private affairs of consumers, or other substantial injury to the consumer.

Opt-in and opt-out rights

Controllers will be required to obtain opt-in consent before engaging in the following processing activities:

  • processing sensitive data, which is defined to include data that reveals racial or ethnic origin, religious beliefs, financial information, mental or physical health condition, treatment or diagnosis, sex life or sexual orientation, transgender/non-binary status, citizenship or immigration status, genetic or biometric data, data of children under 13, and precise geolocation;
  • collecting personal data for any reason other than the reasons disclosed to the consumer; and
  • selling the personal data of children ages 13-17, processing it for targeted advertising, or processing it for profiling for decisions that produce “legal or similarly significant effects.”

As has quickly become the norm, consumers may opt out of the sale of personal data and the sharing of personal data for targeted advertising purposes. The law also provides consumers the right to opt out of any processing for profiling for decisions that produce “legal or similarly significant effects.” This includes decisions concerning the provision or denial of financial or lending services, housing, insurance, education, employment, health care services, or access to essential goods and services.

Controllers will have until July 16, 2025—six months after the law goes into effect—to implement the ability to detect and honor universal opt-out privacy signals submitted via the browser controls of website visitors, such as the Global Privacy Control.

Enforcement

The New Jersey Attorney General has exclusive enforcement authority and the law does not include a private right of action.

S332 authorizes New Jersey’s Director of Consumer Affairs to promulgate rules and regulations, following a trend of requiring more detailed regulations that began with California and Colorado. Such rules may provide, among other things, technical specifications for mechanisms to process opt-out requests.

What’s next?

S332 will take effect on January 16, 2025. As has been increasingly prevalent in recent years, regulated organizations will be asked to harmonize their privacy compliance and governance programs across S332 and the thirteen other comprehensive state privacy laws, as well as laws imposing further requirements on specified datasets such as consumer health data and children’s data. Businesses must take care to identify material differences between these laws, particularly where such differences impact core business practices and legacy datasets. Manatt will continue to monitor and offer additional guidance along the way.

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved