The New Jersey Consumer Data Privacy Act (NJCDPA), was passed in January 2024, and details distinct requirements for organizations which process the data of New Jersey residents. 

The state of New Jersey has implemented a robust framework of data protection laws to safeguard the personal information of its residents. Among the key laws is the New Jersey Consumer Data Privacy Act (NJCDPA), which establishes a comprehensive set of requirements for businesses that collect, process, or store the personal data of New Jersey residents. The NJCDPA requires businesses to take specific measures to safeguard personal information and provide notification in the event of a data breach. It’s important for businesses operating in New Jersey to familiarize themselves with these laws and ensure compliance to avoid potential penalties.

The NJCDPA applies to businesses that collect personal information from New Jersey residents and meet the threshold requirements.

The New Jersey Consumer Data Protection Act (NJCDPA) is a comprehensive privacy law that applies to businesses that collect personal information from New Jersey residents and meet certain threshold requirements. The Act applies to entities that do business in New Jersey and (1) process the personal data of at least 100,000 New Jersey residents or (2) process the personal data of at least 25,000 New Jersey residents and derive revenue from the sale of personal data. Unlike many existing state comprehensive privacy laws, the NJCDPA does not impose any revenue thresholds

Businesses governed by the NJCDPA are subject to various obligations under this law.

The NJCDPA establishes a number of rights for consumers, including the right to access their personal information, the right to correct or delete their personal information, and the right to opt out of the sale of their personal information. Businesses are also required to take reasonable measures to protect consumer data from unauthorized access or use. Some of the key provisions of the NJCDPA include:

• Right to access: Consumers have the right to access their personal information that a business collects, uses, or discloses. Businesses must provide consumers with a copy of their personal information in a readily accessible format within 45 days of receiving a request.
• Right to correct or delete: Consumers have the right to correct or delete their personal information that is inaccurate or incomplete. Businesses must make reasonable efforts to correct or delete a consumer’s personal information within 45 days of receiving a request.
• Right to opt out of the sale of personal information: Consumers have the right to opt out of the sale of their personal information. Businesses must provide consumers with a clear and conspicuous mechanism to opt out of the sale of their personal information.
• Reasonable security measures: Businesses are required to take reasonable measures to protect consumer data from unauthorized access or use. These measures may include encryption, access controls, and employee training.
• Heightened Protections for Children’s Data: Input: The Act prohibits a controller from processing the personal data of a consumer for targeted advertising, sale of personal data, or specific types of profiling without the consumer’s consent where the controller has actual knowledge that the consumer is 13 to 16 years old.

The NJCDPA requires organizations to obtain explicit consent before processing sensitive data, and to conduct data protection assessments.

Like many state comprehensive privacy laws, the New Jersey law requires companies to obtain consent from consumers before processing sensitive data. Similar to the California Consumer Privacy Act (CCPA), the NJCDPA regards “financial information” as a form of sensitive data, defined as “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” The NJCDPA also mandates that companies conduct data protection assessments of “processing that presents a heightened risk of harm to a consumer” before conducting any such processing. 

The Act considers certain types of data, as well as certain types of institutions exempt.

The Act contains numerous standard comprehensive privacy law exemptions associated with data processed under federal statutes like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act), and the Fair Credit Reporting Act (FCRA). However, it omits certain common exemptions, notably those for educational data covered by Family Educational Rights and Privacy Act (FERPA) and data handled by nonprofits or higher education institutions.

The NJCDPA will be enforced by the New Jersey state attorney general, while its rules are established by the Division of Consumer Affairs.

The New Jersey Attorney General retains exclusive enforcement authority of the NJCDPA, as there is no private right to action. The Division of Consumer Affairs however, is responsible, according to the Act, for establishing rules and regulations in order to execute its objectives. Only California and Colorado have enacted comprehensive privacy laws so far, which grant such rulemaking authority. This law was recently passed on January 16th, 2024, and will come into effect 365 days later, on January 15th, 2025. 

If you have any questions about complying with the NJCDPA or other US data privacy laws, or need assistance reviewing your data privacy practices, connect with Aphaia today.