New Jersey Enacts Comprehensive Consumer Data Privacy Law

New Jersey Governor Phil Murphy signed Senate Bill 322 into law on January 16, 2024. This made the state the fourteenth in the US to introduce a comprehensive consumer data privacy statute. According to an article by Davis, Wright, Tremaine, the new law came into effect from January 16, 2025. It shares some similarities with existing state privacy laws but includes some unique features that make it stand out.

One of the most significant aspects of the law is that it grants the Director of the Division of Consumer Affairs in the Office of the Attorney General the power to make rules. This authority is only held by a few states.

The law introduces a Universal Opt-Out Mechanism, which allows consumers to opt out of profiling for decisions with legal consequences. This is a unique aspect compared to other state privacy laws. Controllers must obtain opt-in consent for processing personal information of children aged 13 to 17, specifically for targeted advertising, data sales, or profiling.

The Act expands the definition of biometric data to include biological, physical, or behavioral characteristics. This is different from other states.

The law defines “sensitive” data to include a broad range of financial information, which is unique among general state privacy laws. Entities subject to the law include those processing personal data of at least 100,000 New Jersey residents or 25,000 residents with associated revenue or benefits from personal data sales.

Consumer rights encompass confirmation of processing, access, correction, deletion, and portability, with the ability to opt out of various data processing activities.

The law excludes protected health information (PHI) under HIPAA and financial information regulated by the Gramm-Leach-Bliley Act. Privacy notices must be clear and accessible, detailing data processing purposes and consumer rights.

Processor contracts must include confidentiality duties, security measures, data deletion, and compliance demonstration. The law mandates universal opt-out mechanisms for controllers by July 16, 2025, emphasizing restrictions on default opt-in settings.

“Sensitive data” includes a consumer’s financial information, requiring opt-in consent. Data protection assessments are required for targeted advertising, data sales, profiling, processing sensitive data, and activities posing a heightened risk of harm.

Enforcement lies with the Office of the Attorney General, with no private right of action. The law includes a 30-day cure period for violations, expiring on July 16, 2026. The law adds complexity for businesses operating in New Jersey, necessitating thorough compliance to navigate its unique provisions and potential rulemaking.