New Jersey is the 13th US State to Pass Comprehensive Consumer Privacy Legislation

Consistent with our prediction that 2024 will bring a significant crop of new state consumer privacy laws, New Jersey recently became the 13th state to pass a comprehensive privacy statute. On January 8, the final day of its 2022-2023 legislative session, the legislature passed bill S332. Once enacted, either by Governor Phil Murphy signing the bill or after 45 days if he takes no action, S332 will take effect one year later.

Although S332 aligns in many ways with the 12 other consumer privacy laws in the United States, it has a number of notable features, including a definition of “sensitive data” that includes financial information, a requirement that controllers recognize universal opt out signals with respect to targeted advertising and sales of personal data, and restrictions on certain data processing activities where the controller has actual knowledge (or willfully disregards) that the consumer is at least 13 but younger than 17 years of age. The new law also grants broad rulemaking authority to the New Jersey Division of Consumer Affairs (DCA), so businesses will need to keep an eye on how the DCA expands upon the law.

Scope and Exemptions under S332

The new legislation will apply to controllers that, during a calendar year, either: (a) control or process the personal data of at least 100,000 consumers (defined to mean identified New Jersey residents acting only in an individual or household context), or (b) control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

With regard to the second category of controllers, unlike many state laws, which require a controller to derive a certain portion of its revenue from the sale of personal data, any revenue from a sale will suffice to bring a controller processing the personal data of at least 25,000 consumers into the scope of the law. It should also be noted that S332 defines “sale” broadly to include disclosures of personal data for monetary or other valuable consideration.

Like many other consumer privacy laws, S332 includes a number of exemptions for data and controllers not in scope, such as:

  • commercial (B2B) data;
  • employment data;
  • protected health information collected by a covered entity or business associate subject to the Health Insurance Portability and Accountability Act (HIPAA);
  • financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA);
  • insurance institutions;
  • personal information collected by a consumer reporting agency in accordance with the Fair Credit Reporting Act (FCRA); and
  • state agencies.

Consumer Rights

S332 grants consumers a familiar medley of rights, including the rights to request:

  • confirmation of whether the controller processes their personal data, and access to such data;
  • correction of inaccuracies in the data;
  • deletion of their personal data;
  • a copy of their data in a portable and readily usable format; and
  • to opt out of the processing of their personal data for (a) targeted advertising; (b) the sale of personal data; or (c) profiling in furtherance of decisions that produce legal or similarly significant effects.

Universal opt out mechanisms: Controllers that process personal data for the purposes of targeted advertising or the sale of personal data must recognize universal opt out mechanisms within 6 months of the effective date of the new law (as a reminder, the effective date will be a year after the date on which the law is formally enacted). With this requirement S332 joins a handful of existing state privacy laws with universal opt out requirements coming into effect over the next few years. The universal opt out mechanism must not permit its manufacturer to disadvantage other controllers, must not make use of default settings that opt a consumer in to processing (unless the consumer has unambiguously selected such a default setting), must be consumer-friendly, should be consistent with other mechanisms required by law, and should enable the controller to accurately determine whether the consumer is a New Jersey resident and has made a legitimate opt out request. The DCA has rulemaking authority to detail the technical requirements of the universal opt out mechanism.

Privacy Notice

The controller must provide an accessible and clear notice that includes:

  • the categories of personal data the controller processes;
  • the purpose of the processing;
  • the categories of third parties with whom personal data is shared;
  • the categories of personal data shared with third parties;
  • how consumers can exercise their rights; and
  • an online mechanism (or active email address) for contacting the controller.

Controllers that sell personal data to third parties or process personal data for targeted advertising, the sale of personal data or profiling must also disclose such sale or processing as well as how a consumer may opt out.

S332 also requires that the privacy notice describe the process by which the controller notifies consumers of material changes to the privacy notice, along with the effective date of the revised notice. Although this marks the first time such a requirement has been codified in a state comprehensive privacy statute, it isn’t entirely novel; the California Online Privacy Protection Act (CalOPPA) as well as FTC guidance include similar provisions.

Controller Obligations

S332 imposes obligations and restrictions on controllers, including that they:

  • limit processing to that which is necessary for the stated purposes of the processing;
  • only process personal data for purposes that are compatible with such disclosed purposes;
  • adopt and maintain reasonable data security practices;
  • obtain a consumer’s prior opt-in consent before processing their sensitive data (which is defined quite expansively to include data about racial or ethnic origin, religious beliefs, health, financial information (which is generally not found in other state consumer privacy laws except the CCPA), sex life or sexual orientation, citizenship or immigration status, status as transgender or non-binary, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, personal data collected from a known child under 13, or precise geolocation data);
  • avoid processing, without the consumer’s consent, the personal data of consumers the controller knows (or willfully disregards) to be at least 13 but younger than 17 years old for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling; and
  • undertake a data protection assessment before engaging in processing that presents a “heightened risk” of harm, which includes processing for the purpose of targeted advertising or profiling, selling personal data, or processing sensitive data.

Data Processing Agreements

New Jersey’s S332 will require that processing performed by a processor on a controller’s behalf be governed by a contract setting forth:

  • processing instructions, including the nature and purpose of the processing;
  • the type of personal data involved, as well as the duration of the processing;
  • requirements that the processor maintain the confidentiality of the personal data, impose equivalent restrictions on sub-contractors, and implement appropriate security measures; and
  • a requirement that the processor delete or return the personal data, as the controller directs, at the end of the provision of services under the contract.

Enforcement

The New Jersey Attorney General will have sole enforcement authority, and S332 expressly disclaims a private right of action. For the first 18 months from the act’s effective date, the Division of Consumer Affairs must give alleged violators 30 days’ notice before enforcement action may be taken, giving the controller an opportunity to cure the alleged violations. After 18 months, the right to cure will expire.

The DCA also has broad authority to promulgate rules “necessary to effectuate the purposes of [the new law].” Unlike the California Consumer Privacy Act and Colorado Privacy Act, which require state agencies to engage in rulemaking prior to fixed dates, S332 does not bind the DCA’s rulemaking authority to any particular timeline.

Suggested Actions & Takeaways

Organizations grafting this newest law onto their privacy governance program will want to take a few actions within the next few months:

  1. Determine whether the new law applies given S332’s unique scope and exceptions.
  2. Document the steps taken to assess scope and application of this new law.
  3. Map data that may be subject to the new law.
  4. Update vendor assessments, data protection assessments and management workflows.
  5. Implement mechanisms to ensure compliance with the law if it applies, including protocols to give effect to New Jersey residents’ rights requests, controls that prevent the processing of sensitive data without opt-in consent, and age assurance mechanisms and privacy settings to comply with New Jersey’s youth protection requirements.
  6. Start early: as the law will come into force only a year after enactment and features certain requirements absent from many other laws, in-scope controllers should not delay in taking steps to bring their privacy programs into compliance.

Authors

Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.