The first new comprehensive data privacy law of 2024 is upon us, as yesterday, January 16, New Jersey Governor Phil Murphy signed Senate Bill No. 332 into law. New Jersey becomes the 14th state to pass data privacy regulation, and gets 2024 off to a quick start after eight states passed legislation in 2023. 

New Jersey’s law, being referred to at the moment as SB 332, passed so quickly the legislature hasn’t even set a proper name for the law yet. 

The law’s passing comes as somewhat of a surprise, as New Jersey put the text together over the course of a few weeks, resulting in a few unique and unexpected wrinkles. As more and more states pass their own data privacy regulations, we are getting farther away from Virginia’s base model that helped get numerous bills passed in 2023.

New Jersey Data Privacy Law at a Glance

The first major deviation New Jersey’s data privacy law takes is its applicability threshold, which completely eschews revenue thresholds. 

California, Utah, and Texas (and Florida) all set specific annual revenue marks companies have to exceed for their respective laws to apply, but more common among state laws is to set a bar for the percentage of company revenue made from selling personal data, typically between 20-50%.

New Jersey instead relies solely on the consumer threshold, with the law applying to companies that:

• Do business within the state or target their products/services to NJ residents AND
• Process/control the personal data of 100,000+ NJ consumers OR 
• Derive revenue or receive discounts on the price of goods/services from the sale of personal data AND processes/control the personal data of 25,000+ consumers 
  

A few things stand out here. First, given New Jersey’s sizable population, the 100,000 mark represents just 1.07% of the state’s population, making it the second most stringent consumer threshold in the country, only behind California’s. 

Secondly, the state is counting that number a bit differently than all the other current states with data privacy regulation, as data processed or controlled simply to complete a transaction does not count towards the 100,000 mark.

Following in the footsteps of all the bills passed in 2023, New Jersey’s data privacy law does not cover business-to-business or employee information (unsurprisingly, given how quickly this bill came together).

That means California remains the only state to regulate employee information.

New Jersey Data Privacy Law Exemptions

New Jersey’s list of exemptions might be the shortest one yet, with the entire section coming in under a single page of the law. Many state laws have over a dozen qualifiers for exemption, but New Jersey only exempts the following:

• “Protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules … established pursuant to the Health Insurance Portability and Accountability Act (HIPAA)
• Financial institutions or affiliates subject to the Gramm-Leach-Bliley Act
• An insurance institution subject to P.L.1985, c.179 (related to insurance fraud)
• PII related to the Drivers' Privacy Protection Act of 1994
• PII related to the Fair Credit Reporting Act
  

Much of New Jersey’s new data privacy law follows close to Oregon’s OCPA and Delaware’s DPDPA, the two most recent laws to pass (besides NJ’s law itself).

Accordingly, one interesting bit is that New Jersey does not exempt non-profits from SB 332, just as Oregon and Delaware do not. This is a stark break from the first 10 privacy laws, which all exempted non-profits, and could be something to watch in the next few bills to pass.

New Jersey Consumer Data Rights

Oregon and Delaware’s bills also established the most progressive list of data rights in the American data privacy landscape, and New Jersey–mostly–follows suit.

It’s important to note that New Jersey does not include the private right to action, still leaving California as the only state to feature the right, but other than that, New Jersey offers an extensive list of rights, including:

The new law also grants people the right to use opt-out signals (more on that below), a variable gaining momentum across the country. New Jersey also becomes just the sixth state to include the right to revoke consent (CO, CT, MT, OR, DE). 

Regarding sensitive data, New Jersey has expanded its definition to include individuals’ financial data as well as a person’s status as transgender or non-binary–becoming just the second state after Delaware to classify gender identity as sensitive data.

However, one area where this law failed to uphold the bar set by Oregon and Delaware is the lack of a right to obtain a list of 3rd parties personal data was shared with. 

Concerning data subject access requests, SB 332 offers the typical American timeline, with 45 days to respond to a DSR and a 45 day extension granted if the company files on time and justifies the extension.

New Jersey Data Privacy Law Requirements

The new law sets most of the usual requirements in place, including:

• Data protection impact assessments
• Data minimization, including provisions to only use data for the self-reported purpose of collection and/or processing
• A baseline of data security measures
• Data processing agreements
• Privacy policies free from dark patterns 
• The need to receive opt-in consent before processing sensitive data
• Additional opt-in requirements for children under 16 years of age

The two major deviations SB 332 takes are regarding DPIAs and how it treats universal opt-out mechanisms, which must be acknowledged six months after the law takes effect.

DPIAs must be completed before data processing is carried out. Jersey becomes the first state to explicitly include this detail, which should drive companies that need to comply to complete DPIAs on a more regular basis. 

New Jersey’s bill expands the scope of universal opt-out measures to support opt-outs for user profiling, whereas previous state regulations that include universal opt-out mechanisms only cover opt-outs for targeted advertising and the sale of personal data. 

This could create some friction in passing a federal standard for universal opt-out mechanisms, similar to the way various progressive elements of California’s CCPA ended up derailing the federal ADPPA several years ago. California lawmakers refused to vote for any bill that did not include provisions within the CCPA, making it dead before an official vote could even occur. 

Data privacy experts have noted how troublesome New Jersey’s universal opt-out mechanism could be, but that remains to be seen, particularly given the bill’s final major wrinkle:

New Jersey Data Privacy Law Enforcement

New Jersey’s regulation includes Attorney General rulemaking, becoming only the third state after California and Colorado to do so. 

Attorney General rulemaking makes the regulation more of a living breathing entity rather than a static law, which has been a tale of two cities in California and Colorado. 

Colorado’s bill progressed from passing to signature to entry into the law smoothly, entering into force on July 1, 2023. California, on the other hand, has had the CCPA and its CPRA amendments wrapped up in court cases for over a year, creating a bureaucratic mess that is slowing down the regulation’s impact.

There’s currently no timeline in SB 332 for when the regulation details need to be finalized, so this is going to be the key to watch for the state’s data privacy law and how its unique universal opt-out mechanism will influence the larger data privacy picture.

The regulation will enter into force one year from yesterday, when the governor signed it into law, putting the date at January 16, 2025. Again, universal opt-out mechanisms must be acknowledged six months after that, so by July 16, 2025. 

New Jersey follows Delaware’s lead by upping fines to $10,000 per violation, with a step up to $20,000 per violation for repeat offenders.

The law will be enforced solely by the Attorney General (unlike California, which set up the CPPA agency to assist in enforcement) and has a discretionary 30-day cure period for the first 18 months of the law. That puts the cure period to expire/sunset on July 16, 2026. 

Until that time, look out for more states to pass data privacy laws in the months to come, adding to the complexity of data privacy management in the U.S.