Update: On January 16, 2024, New Jersey Governor Phil Murphy stamped his approval on Senate Bill 332, officially enacting the New Jersey Data Privacy Law that will go into effect on January 15, 2025. This development mirrors the significant momentum witnessed in 2023, with multiple states enacting or planning to enact their own data privacy laws. The New Jersey Data Privacy Law grants exclusive enforcement authority to the New Jersey Office of the Attorney General, without providing for a private right of action.

New Jersey has taken a significant step in data privacy regulation with the passage of Senate Bill 332, setting the stage for New Jersey to become the thirteenth state to enact a comprehensive privacy law that, if signed by Governor Phil Murphy, will go into effect 365 days after its enactment date. The bill drew inspiration from the Washington Privacy Act, undergoing substantial revisions since its introduction in January 2022 and successfully passing on the closing day of New Jersey’s two-year legislative cycle.

Notable aspects of Senate Bill 332 include distinctive scope and applicability criteria and a nuanced definition of biometric data covering technological processing and behavioral characteristics. The inclusion of terms like “designated request address” and the absence of certain exceptions in the definition of “sale” further set New Jersey’s privacy bill apart from current privacy legislation. A focus on comprehensive privacy notice requirements, verified requests, and the introduction of Universal Opt-Out Mechanisms showcase the state’s commitment to consumer privacy in the evolving landscape of data protection laws. Here are the key elements of Senate Bill 332:

Scope and Applicability

Senate Bill 332 applies to businesses in New Jersey that control or process the personal data of at least 100,000 consumers, excluding personal data processed solely to complete a payment transaction or processes the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

Biometric Data Definition

New Jersey’s definition of biometric data is broader and includes data generated by technological processing or analysis, covering not only biological characteristics but also physical and behavioral characteristics. It specifically references facial mapping, facial geometry, and facial templates.

Designated Request Address

The inclusion of the term “designated request address” is unique to New Jersey’s law. It refers to an electronic mail address, Internet website, or toll-free telephone number that consumers can use to request information as required by the bill.

Sale Definition

The definition of “sale” lacks certain exceptions found in other state privacy laws. Notably, the exceptions for the disclosure of personal data when the consumer directs the controller or intentionally uses the controller to interact with a third party are missing.

Sensitive Data Definition

New Jersey’s law introduces a unique definition of sensitive data, including financial information (account numbers, log-ins, financial accounts, or credit/debit card numbers with security codes), mental or physical health conditions, treatments, diagnoses, and the status as transgender or non-binary.

Verified Request Definition

The inclusion of a specific definition for “verified request” sets New Jersey apart. It outlines the process through which consumers can submit requests to exercise their rights and how controllers can reasonably authenticate such requests using commercially reasonable means.

Privacy Notice

The bill requires controllers to provide a privacy notice that is clear, accessible, and meaningful. It aligns more closely with the wording in Delaware and Oregon laws, disclosing both the categories of third parties to which the controller may disclose data and the categories of personal data shared with third parties.

Universal Opt-Out Mechanisms (UOOMs)

New Jersey joins a few other states in requiring controllers to recognize UOOMs, but the language regarding default settings may differ and could be subject to interpretation.

Children’s Data

The provision regarding children’s data is similar to Delaware and Oregon laws, requiring consent for processing the personal data of consumers aged 13 to 17 for targeted advertising, sale, or profiling concerning legal decisions.

Heightened Risk of Harm

New Jersey’s law introduces a requirement that controllers cannot conduct processing presenting a heightened risk of harm to consumers without conducting and documenting a data protection assessment.

Truyo President and privacy expert Dan Clarke says, “New Jersey’s law is foundationally strong. It has a bit more of a carveout for transaction-related fulfillment but otherwise tracks with the strongest bills, including elements like a broad universal opt-out, requirements for Privacy Impact Assessments, and most notably the inclusion of all financial information in the definition of sensitive data. Additionally, it provisions rulemaking, indicating the AG will likely be active enforcement. So, what’s coming next? I anticipate New York and New Hampshire will finally be successful in passage of their respective privacy bills.”

Truyo will keep you apprised of Governor Murphy’s signature.