CSG Law Alert: New Jersey Governor Signs Comprehensive Data Privacy Bill Into Law

On January 16, 2024, New Jersey Governor Phil Murphy signed New Jersey’s first comprehensive consumer privacy law (S332/A1971) into law, which shall become effective following the enactment date. The New Jersey law grants New Jersey residents more control over their “personal data,” and imposes significant obligations on businesses in connection with the collection and processing of such data. The New Jersey law is similar to other state privacy laws, such as California, though with certain differences adding to the patchwork of state privacy laws in effect across the country.

The New Jersey law applies to “controllers” that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year control or “process” (a) the personal data of at least 100,000 “consumers,” excluding personal data processed solely for the purpose of completing a payment transaction; or (b) the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the “sale” of “personal data.” As it relates to “processors,” the New Jersey Law requires processors to, among other things, comply with instructions of the controller and assist the controller to meet its obligations under New Jersey law.

Similar to California and certain other states, the New Jersey law grants New Jersey consumers certain rights with respect to their personal data, including the right to know; the right to correct; the right to delete; the right to obtain a copy of their personal data; and the right to opt-out. The New Jersey law also require a controller to provide a reasonably accessible, clear, and meaningful privacy notice detailing the rights enumerated above, and the means by which a consumer can opt-out. The New Jersey law also prohibits a controller from discriminating against a consumer for exercising their rights protected under the New Jersey law.

If a consumer were to exercise its rights under the proposed law, the controller must respond to any “verified request” within a response period and comply with any “authenticated” request.  If a controller is unable to authenticate a request, it must notify the consumer and grant the consumer an appeal.

In addition to honoring the rights of consumers and providing adequate notice and opt-out, the New Jersey law requires a controller to (i) limit the collection of personal data to what is “adequate, relevant, and reasonably necessary”; (ii) take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data; and (iii) not process “sensitive data” concerning a consumer without first obtaining the consumer’s consent.