New Jersey Implements Comprehensive State Data Protection Legislation

New Jersey Data Protection Act: What You Need to Know

New Jersey Governor Phil Murphy Signs New Data Protection Act into Law

On January 16, 2024, New Jersey Governor Phil Murphy signed the New Jersey Data Protection Act into law, making New Jersey the thirteenth state to implement a comprehensive state privacy law. The law places various obligations on businesses and nonprofits that collect and use the personal data of New Jersey residents, including requirements to notify consumers about the collection and disclosure of their personal data.

Similar to the data privacy laws in California and Colorado, the New Jersey Data Protection Act empowers the Director of the Division of Consumer Affairs in the Department of Law and Public Safety to establish rules and regulations necessary to enforce the Act’s objectives. The law is set to take effect on January 16, 2025.

The Act will apply to entities conducting business in New Jersey or targeting products or services to New Jersey residents. It specifically targets controllers processing the personal data of 100,000 or more consumers annually, or organizations that control or process the personal data of at least 25,000 consumers and derive revenue from the sale of personal data.

One key aspect of the Act is its regulation of practices involving cookies, pixels, and tracking technologies; these practices could inadvertently subject an entity to the Act under the sales threshold. The definition of “sale” is broad and includes sharing, disclosing, or transferring personal data for monetary or valuable consideration to a third party.

Controllers are required to limit the collection of personal data to what is necessary for processing purposes, disclose their information practices to consumers, and establish data security practices. Consent is mandatory for processing sensitive data, and controllers must provide consumers with a clear and accessible privacy notice.

The Act also mandates written agreements with third parties processing data on behalf of the controller and data protection assessments for high-risk data processing, and it grants consumers rights to confirm, correct, delete, and opt out of the processing of their personal data.

Enforcement of the Act will be overseen by the New Jersey Division of Consumer Affairs, with fines of up to $10,000 for initial violations and up to $20,000 for subsequent violations. While there is no private right of action under the Act, organizations will need to update their compliance programs to meet New Jersey-specific requirements.

Overall, the New Jersey Data Protection Act marks a significant step towards enhancing consumer privacy rights and data protection in the state, requiring organizations to adapt their practices and policies to comply with the new law.
