New Jersey Sets the Bar with the First Comprehensive State Privacy Law of 2024

Trenton, NJ – New Jersey has become the latest state to enact comprehensive privacy legislation, as Governor Phil Murphy signed SB 332 into law on January 16, 2024. This marks the 13th state privacy law in the United States and comes as federal privacy legislation remains uncertain. The new law, which will take effect on January 15, 2025, is expected to have a significant impact on organizations operating in the state.

While many state privacy laws have followed the model set by the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), New Jersey’s legislation introduces notable differences. The law aligns with the Virginia model in terms of privacy notices, consumer rights, and data protection assessments, but it deviates in key areas that may pose challenges for businesses seeking compliance.

One area of distinction is the law’s applicability. The New Jersey law applies to “controllers” who annually control or process the personal data of at least 100,000 residents or 25,000 consumers who generate revenue or receive discounts from the sale of personal data. This is one of the easiest thresholds to meet among the states with comprehensive privacy laws. Most states require a percentage of gross revenue derived from personal data sales before the law applies.

The exemptions provided in the New Jersey legislation also differ from other states following the Virginia model. While it exempts financial institutions under the Gramm-Leach-Bliley Act (GLBA), it does not extend exemptions to non-profits, institutions of higher education, or HIPAA covered entities. As a result, covered entities subject to HIPAA regulations may still need to comply with the New Jersey law at an organizational level.

Another important aspect of the law is its treatment of sensitive data. Like other states that follow the Virginia model, New Jersey requires consent for the collection and processing of “sensitive data.” However, the law’s definition of sensitive data is extensive and includes financial information such as account numbers, login credentials, and security codes. Although data collected solely for payment transactions is excluded when determining the law’s applicability, it is generally not exempt once an organization passes the threshold.

To address questions and establish compliance measures, the New Jersey Attorney General’s Division of Consumer Affairs in the Department of Law and Public Safety will undertake rulemaking. However, the law does not specify a timeline for this process, leaving organizations uncertain about the exact requirements and timing of compliance.

The year 2023 saw a surge in state privacy legislation, with seven states passing comprehensive laws and others enacting health privacy and children’s online privacy legislation. As the privacy landscape continues to evolve, organizations need to diligently monitor and adapt their compliance efforts to ensure alignment with the distinct regulations across the country.

In conclusion, New Jersey’s comprehensive privacy law introduces unique provisions and places significant obligations on organizations operating within the state. With the law set to take effect in 2025, affected businesses should closely follow the rulemaking process and prioritize compliance to avoid potential penalties and reputational damage. As the United States awaits federal privacy legislation, the patchwork of state laws continues to shape privacy practices and requirements for businesses nationwide.