New Jersey has established itself as a privacy trailblazer. On January 16th, Governor Phil Murphy signed the state’s first comprehensive consumer data privacy law into effect. With this new Act, New Jersey becomes the 13th state with an omnibus privacy statute and the first to pass such a law in 2024.
The New Jersey privacy law shares similarities with other state privacy regimes like providing consumer rights around data access, deletion, correction and opt-outs from data sales and targeted advertising. However, it also contains some unique provisions that make it one of the more far-reaching state privacy laws to date.
Some key provisions that make the New Jersey law stand out:
- Broad applicability with limited exemptions – The law applies to for-profit and nonprofit entities that meet data processing thresholds, with fewer carved-out exemptions than many other states.
- Financial data treated as sensitive – Financial account numbers and login credentials are classified as “sensitive data” requiring opt-in consent to process.
- Data protection assessment mandate – Companies must conduct data protection impact assessments before high-risk data processing like targeted ads or analytics.
- Honoring opt-out preference signals – Within 6 months of the effective date, companies must allow opt-outs via “universal opt-out mechanisms” like browser plugins.
- No revenue threshold – Unlike laws in Virginia, Connecticut, and others, there is no revenue threshold for the law to apply.
- Rulemaking authority – The NJ Division of Consumer Affairs is empowered to establish regulations fleshing out parts of the law.
Companies have over 10 months to prepare for compliance, but the law’s stringent provisions mean those efforts should begin promptly. Privacy and legal professionals would be wise to closely study this latest law for potential impacts.