New Jersey Steps Up: A Closer Look at the State's Comprehensive Privacy Law

In a big move to protect people's online privacy, New Jersey has now joined 13 other states in adopting a thorough state privacy law. Governor Phil Murphy signed Bill 332 into law on January 16, 2024, making it a significant moment for the state. This new law, set to kick in from January 2025, positions New Jersey as the 14th state to have a robust system in place for safeguarding the personal information of its residents.

The law applies to businesses operating in New Jersey or offering products/services to its residents, and it has specific criteria for its scope. Companies covered by the law must either handle the personal data of at least 100,000 New Jersey consumers or, as an alternative, process data from at least 25,000 consumers while making money from selling personal data. The definition of "sale" aligns with other state privacy laws, highlighting disclosure for cash or other valuable considerations.

One standout aspect of this law is its wide-ranging application, including individual consumers in a household context. However, it does make an exception for individuals acting in a commercial or employment context. Notably, there is no exemption for non-profit organizations, emphasizing the law's inclusivity.

The law sets out various responsibilities for businesses, encouraging responsible handling of data. It stresses the importance of minimizing data and specifying its purpose, requiring firms only to collect necessary data and disclose the specific reasons for processing personal information. Additionally, the law mandates a clear and easy-to-understand privacy notice, covering details such as data categories, processing purposes, third-party disclosures, and ways for consumers to exercise their privacy rights.

Businesses are also required to get consumer consent for processing sensitive data and for purposes not reasonably necessary to the original data processing. This ensures that individuals have control over the use of their sensitive information and prevents processing that could have significant legal or other consequences for individuals aged 13 to 17.

A significant aspect of the law is its focus on data security. Businesses must implement measures appropriate to the volume and nature of personal data, ensuring the confidentiality, integrity, and accessibility of such data. Additionally, the law requires businesses to conduct and document a data protection assessment for processing that poses a heightened risk of harm, showing a proactive approach to protecting consumers.

Consumers are given standard privacy rights, including access, correction, deletion, data portability, and the ability to opt out of targeted advertising, sales, and profiling for significant decisions. The law establishes a reasonable response time of 45 days for businesses to address consumer rights requests.

Enforcement of the law rests with the New Jersey Office of the Attorney General, with no provision for private action. A 30-day cure period for violations allows businesses to correct non-compliance within a specified timeframe, showing a commitment to education and correction before punitive measures are taken.

Slated to take effect on January 15, 2025, the law is a commendable step toward enhancing digital privacy in New Jersey. With its comprehensive provisions, the legislation aligns with evolving privacy concerns in the digital age, prioritizing transparency, security, and individual control over personal data. As New Jersey residents eagerly await the implementation of this law, it stands as a commendable move towards a more privacy-conscious future.