New Jersey on Track to Be the First State to Enact Comprehensive Privacy Legislation in 2024
New Jersey’s S332/A1971 is set to enact the nation’s 13th comprehensive state privacy law (or 14th, depending on how you feel about the Florida Digital Bill of Rights). While the initial bill included a variety of novel provisions, it underwent significant changes during the legislative process. Much of the bill now follows existing U.S. state privacy laws, such as the Colorado Consumer Privacy Act and Connecticut Data Privacy Act, with a few notable exceptions.
- The bill includes broader definitions of “sensitive data” and “sales.” Unlike the majority of states with comprehensive privacy laws, New Jersey explicitly includes “financial information” as a category of sensitive data. Previously, California was the only state to explicitly recognize specific categories of financial data, such as an individual’s account and credit/debit card numbers, as sensitive. The bill’s “sale” definition also does not include an exception for disclosures directed by consumers, resulting in a potentially broader opt-out right.
- The bill grants the attorney general broad investigative and rulemaking authority. In particular, the bill requires controllers to make data protection assessments available to the attorney general’s office upon request, without requiring the request to be tied to an ongoing investigation. The bill also grants the attorney general’s office broad authority to issue rules it deems necessary to effectuate the bill, which may require controllers to further update their compliance programs.
- The bill requires opt-in consent to process the personal data of consumers aged 13-16 for targeted advertising, the sale of personal data, or profiling. Opt-in consent age ranges for teens vary across states. For example, the age range in California is 13-15. Like Oregon, the bill also requires opt-in consent for profiling of youth data, something other states (like Colorado and Connecticut) do not do.
- The bill does not expressly exempt certain data subject to federal laws. For example, the bill does not exempt educational data subject to the Family Educational Rights and Privacy Act, or data that is deidentified in accordance with the Health Insurance Portability and Accountability Act. Many state laws exempt this data to avoid conflicts with federal laws.
- The bill requires controllers to delete data obtained from sources other than the consumer upon request. Generally, other state laws permit a controller that has obtained personal data about a consumer from a source other than the consumer to comply with a consumer’s deletion request if the controller (i) maintains a record of the request and the minimum data needed to ensure the data remains deleted or (ii) opts the consumer out of the processing of such personal data for any purpose except as permitted by the law. However, New Jersey specifically requires controllers to delete such data rather than opt individuals out of non-exempt processing.
Next steps
If signed by Governor Murphy, the bill will go into effect one year after enactment. Six months after the effective date, controllers must accept requests to opt out of targeted advertising or the sale of personal data through a universal opt-out mechanism. The NJ Division of Consumer Affairs has discretion to allow (or not) an opportunity to cure during the first 18 months, after which the opportunity to cure will expire.
Authored by Mark Brennan, Sophie Baum, Harsimar Dhanoa, and Jay Mills.