It is a new year, and the privacy efforts in the United States are not letting up. In 2024 alone, three new privacy laws will take effect (i.e., Montana, Oregon and Texas), and more laws are on the horizon. The latest update to the U.S. privacy landscape took place on January 16 when New Jersey governor Phil Murphy signed Senate Bill 332 (the “Act”) into law – making New Jersey the 13th state to enact a comprehensive privacy law. The Act takes effect January 15, 2025, and mirrors several other U.S. privacy laws, with a few unique distinctions. Here is what you need to know.

Scope. The Act applies to (i) any person or entity who conducts business in New Jersey or provides products or services to New Jersey residents and (ii) during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
  • The personal data of 25,000 or more consumers, while deriving 25 percent or more of annual revenue from selling personal data.

Processing Roles. Like the GDPR and other U.S. privacy laws, any person or entity that “alone or jointly with another person, determines the purposes and means for processing personal data” is a “controller”, while any person or entity that “processes personal data on behalf of a controller” is a “processor.” Lastly, a “consumer” is “any natural person who resides in [New Jersey] and acts in any capacity other than in a commercial or employment context.”

Defining Personal Data. Personal data under the Act mirrors the definition used in most U.S. privacy laws. Under the Act, “personal data” means “any information that is linked or reasonably linkable to an identified or identifiable person.” Personal data also encompasses “sensitive data” which includes data that:

  • Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of crime or citizenship/immigration status;
  • Is a child’s personal data (with “child” being defined as any individual under the age of 13);
  • Accurately identifies, within a radius of 1,750 feet, a consumer’s present or past location, or the location of a device that links or is linkable to a consumer (e.g., GPS); or
  • Is genetic or biometric data.

Personal data does NOT include de-identified data or publicly available information, which includes data that (a) is lawfully made available through federal, state or local government records or through widely distributed media, or (b) a controller reasonably understands to have been lawfully made available to the public by a consumer.

Exempt Organizations/Information. Like other U.S. privacy laws, the Act does not apply to certain entities or information. The following are just a few entities exempt from complying with the Act:

  • Government agencies;
  • Covered Entities or business associates that process protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  • Consumer reporting agencies;
  • Financial institutions; and
  • Insurers subject to P.L.1985, c.179 (C.17:23A-1 et seq.).

The Act also excludes the following types of information:

  • The data of individuals “acting in a commercial or employment context;”
  • Information used for research purposes;
  • Information collected, processed, sold or disclosed in accordance with the following federal laws:
    • Gramm-Leach-Bliley Act (GLBA);
    • Fair Credit Reporting Act (FCRA); and
    • The Driver’s Privacy Protection Act of 1994.

Consumer Rights. The Act grants New Jersey residents the following rights with respect to their personal data.

  • Right to Access: Consumers may request that a controller confirm whether it is processing or has processed their personal data, and may access that personal data.
  • Right to Correction: Consumers can require a controller to correct inaccuracies in their personal data (taking into account the nature of the personal data and the controller’s purpose for processing it).
  • Right to Deletion: Consumers can require a controller to delete personal data about them.
  • Right to Portability: Consumers may obtain a copy of their personal data held by the controller in a “portable and to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance.”
  • Opt-Out Right: Consumers may also opt-out from a controller’s processing of their data for any of the following purposes:
    • Targeted advertising;
    • Selling the personal data; or
    • Profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.
  • Responding to Consumer Requests. The consumer request denial/grant process under the Act mirrors other U.S. privacy laws, and controllers must respond to consumer requests within 45 days of receipt of the request. Controllers may extend the period within which they respond by another 45 days if the extension is “reasonably necessary considering the complexity and number of the consumer’s requests.” For any extension, the controller must notify the consumer within the initial 45-day response period and explain the reason for the extension.
  • Associated Charges with Consumer Requests. Controllers must also provide any information that the consumer requests once during any 12-month period without charge to the consumer. A controller may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the 12-month period, unless the purpose of the second or subsequent request is to verify that the controller corrected inaccuracies in, or deleted, the consumer’s personal data in compliance with the consumer’s request.

Business Obligations. Controllers subject to the Act must also ensure they meet the following obligations:

  • Privacy Policy. Controllers must maintain a privacy policy describing the purposes for which the controller is collecting and processing personal data. Among other things, this policy must also provide a description of the process for New Jersey residents to exercise their rights.
  • Data Protection Assessments. Controllers are required to conduct, document and retain a data protection assessment (which shall be made available to the New Jersey Division of Consumer Affairs upon request) when engaging in processing activities that present a “heightened risk of harm” to a consumer. Such processing includes:
    • Processing personal data for the purpose of targeted advertising;
    • Processing sensitive data;
    • Selling personal data; and
    • Using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
      • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
      • financial, physical or reputational injury to consumers;
      • physical or other types of intrusion upon a consumer’s solitude, seclusion or private affairs or concerns, if the intrusion would be offensive to a reasonable person; or
      • other substantial injury to consumers.
  • Contract Requirement. The Act also requires controllers and processors to enter written contracts with one another to govern the processing relationship between the parties (e.g., a data processing agreement).
  • Other Obligations set forth in NJ Privacy Regulations. One notable feature of the Act is the rulemaking authority provided to the New Jersey Division of Consumer Affairs. Currently, California and Colorado are the only two states that have separate privacy regulations that outline additional privacy obligations for individuals and entities subject to those laws. Once promulgated by the Division of Consumer Affairs, New Jersey will become the third state to have privacy regulations – meaning that the obligations imposed under the Act could be significantly expanded.

Enforcement. Unlike the CCPA, there is no private right of action under the Act. Only the New Jersey Attorney General has enforcement powers under this law and may bring an action in accordance with the New Jersey Consumer Fraud Act.

  • Cure period. The Act provides a 30-day cure period for entities found in violation of the Act. Entities in violation of the Act will be notified by the New Jersey Division of Consumer Affairs if a cure is deemed permissible. Failure to cure the violation within 30 days of receiving the notice of the violation may result in the Attorney General bringing enforcement action without further notice.

Looking Ahead. Following the trend of enacted state privacy legislation in 2023, we anticipate several more states will enact privacy laws this year. Some states, like New Hampshire, have a bill in the works. The New Hampshire privacy bill passed through the House of Representatives earlier this month and is now awaiting Senate approval. If enacted, New Hampshire will be the 14th state added to the privacy party. We anticipate that eventually all 50 states will adopt their own comprehensive data privacy law. To stay on top of the currently enacted privacy legislation, review our previous blogs summarizing the U.S. privacy laws pending and those currently in effect. Each link in the “State” column will take you to an article written by Taft’s privacy & data security team regarding the relevant state privacy law.

For more data privacy & security-related updates, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.

Comprehensive State Data Privacy Laws

| # | State | Privacy Law Name | Status (e.g., in effect/pending) | Correlating Regulations |
|---|---|---|---|---|
| 1 | California | California Consumer Privacy Act as amended by the California Privacy Rights Act | In Effect | California Privacy Protection Agency (CPPA) Regulations; In Effect |
| 2 | Colorado | Colorado Privacy Act | In Effect | Colorado Privacy Regulations; In Effect |
| 3 | Connecticut | Connecticut Personal Data And Online Monitoring Act* (act recently amended to include consumer health data) | In Effect | |
| 4 | Delaware | Delaware Personal Data Privacy Act | Pending; January 1, 2025 | |
| 5 | Indiana | Indiana Consumer Data Protection Act | Pending; January 1, 2026 | |
| 6 | Iowa | Iowa Consumer Data Protection Act | Pending; January 1, 2025 | |
| 7 | Montana | Montana Consumer Data Privacy Act | Pending; October 1, 2024 | |
| 8 | New Jersey | Senate Bill 332 | Pending; January 15, 2025 | The New Jersey law grants rulemaking authority to the Division of Consumer Affairs. Once enacted, New Jersey would be only the third state to have separate privacy regulations. |
| 9 | Oregon | Oregon Consumer Privacy Act | Pending; July 1, 2024 | |
| 10 | Tennessee | Tennessee Information Protection Act | Pending; July 1, 2025 | |
| 11 | Texas | Texas Data Privacy and Security Act | Pending; July 1, 2024 | |
| 12 | Utah | Utah Consumer Privacy Act | In Effect | |
| 13 | Virginia | Virginia Consumer Data Protection Act | In Effect | |
| * | Washington (consumer health data privacy law) | Washington My Health My Data Act | In Effect | |
| * | Nevada (consumer health data privacy law) | SB 370 | In Effect | |

*States marked with an asterisk (*) do not have comprehensive data privacy laws, but statutes governing a specific type of personal data (e.g., consumer health data).