2024-02-07

Consumer privacy protection must have been tops on the New Jersey legislature's list of New Year's resolutions. The year was just two weeks old when New Jersey became the first state in 2024 to enact a comprehensive privacy law, and it is now one of over a dozen states to have its own comprehensive privacy law (together, the "Privacy States"). New Jersey Governor Phil Murphy wrote in a recent press release that he is proud New Jersey is better protecting its residents with Senate Bill 332/A1971 (the "Law"). This comprehensive law aims to protect consumer privacy by creating strict requirements for how applicable companies may use and collect personal data from New Jersey consumers and provides such consumers with rights of access, modification and deletion of their personal data.

Key Definitions:

The defined terms used in the Law are essential to understanding the scope and obligations under the Law (§1 of the Law), and should look familiar with respect to the other Privacy States. Some key definitions for New Jersey consumers and businesses to understand are the following:

Biometric data means data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. "Biometric data" shall not include: a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

Applicability of the Law (§2 of the Law)

Not all businesses who collect personal information will be impacted by the Law. Instead, New Jersey's Law will apply only to certain controllers who conduct business in New Jersey or target New Jersey residents with their products or services. Additionally, during a calendar year, a controller must either:

control or process the personal data for at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction (the "Processing Threshold"); or

control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data (the "Sale Threshold").

Unlike California, the Law does not include a revenue threshold and instead may apply to any business, no matter what its gross annual revenue may be, provided that the above requirements are met. Additionally, while the Processing Threshold is similar to the processing threshold of a majority of the Privacy States, the Law's Sale Threshold does not include a minimum revenue from such sale of personal data, which is unlike the majority of the Privacy States. Additionally, controllers should note that "consumer" only includes persons acting in an individual or household context and, unlike California (but akin to the other Privacy States), does not include employees or contractors. Additionally, like California, the definition of "sale" (included above) is broad and includes the sharing, disclosure or transfer of personal data for non-monetary valuable consideration, but is subject to a number of exclusions.

Controller Obligations (§3 of the Law)

Transparency is an important aspect of the Law. The Law requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. Such notice shall provide consumers with, among other things, information regarding what personal data will be processed by the controller, why the controller is processing such personal data, categories of third parties with whom the controller may share the consumer's personal data, the types of personal data that may be shared with such third parties, as well as methods for consumers to contact the controller and exercise the consumer's rights regarding their personal data.

Additionally, a controller is subject to additional requirements if the controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of certain decisions which may have legal or similarly significant repercussions on the consumer. For example, the controller must clearly and conspicuously disclose to the consumer any such sale or processing and provide the consumer with a clear manner to opt out of such sale or processing. If a consumer chooses to opt out of processing that may have legal or similarly significant repercussions concerning the consumer, the controller is explicitly prohibited from discriminating against such consumer (§5 of the Law). However, such controller, within certain parameters, shall still be permitted to offer discounts and other incentives to consumers in exchange for the sale of the consumer's personal data.

The Law also restricts which data may be processed by controllers. For example, controllers shall not process a consumer's sensitive data without obtaining such consumer's consent (§9(a)(4) of the Law). Notably, where other Privacy States such as California and Colorado only refer to a consumer's sex life or sexual orientation, New Jersey includes within its definition of sensitive data a consumer's "status as transgender or nonbinary." Additionally, controllers must conduct a data protection assessment, and keep documentation regarding such assessment, before conducting any processing that presents a heightened risk of harm to a consumer (§9(b) of the Law).

Consumer Rights (§7 of the Law)

The laundry list of consumer rights under the Law is similar to those found in the other Privacy States and New Jersey has not added anything unusual. Under the Law, consumers may take an active role in controlling how their personal data is used and by whom. Consumers may review, correct and delete their personal data as well as obtain a portable and readily usable copy of their personal data held by a controller. Consumers also may opt out of the processing of such consumer's personal data for the purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that may have legal or similarly significant effects concerning the consumer. Controllers must send a response to a consumer within 45 days following the controller's receipt of a verified request from the consumer (subject to certain permitted extensions) (§4 of the Law).

Enforcement Authority

New Jersey Governor Phil Murphy explicitly clarified that the Law does not include a private right of action. Instead, like the majority of Privacy States, the Law may only be enforced by the Office of the Attorney General (§16 of the Law).

While there are some deviations from the privacy laws in the other Privacy States, the overall structure of the Law is relatively consistent with other Privacy States regarding the obligations on those controlling and processing personal data and the rights of the consumers. Even though the Law will not go into effect until January 15, 2025, companies should use that time to fully understand the finer details in this comprehensive privacy law.

