It looks like 2024 will be another big year for data privacy. Just eight days into January, the New Jersey Legislature passed Senate Bill 332, the country’s latest comprehensive consumer privacy law. The bill was signed a week later by Governor Phil Murphy.
Operating within an increasingly complex patchwork of state privacy rules, many businesses are now wondering: What does the New Jersey law mean for privacy compliance?
The New Jersey privacy law will go into effect on January 15, 2025.
S332 applies to any person or organization that does business in the state of New Jersey or targets its products or services toward state residents, and meets at least one of the following requirements:
The most notable difference from the thresholds in other states is the second option, related to the sale of personal data. There is no minimum percentage of revenue a business must receive from the sale of data for this to apply; ANY sale of personal data, in combination with controlling or processing the data of at least 25,000 consumers, will trigger this threshold. What’s more, it explicitly states that providing consumers' personal data in exchange for a discount is considered a sale. Many businesses will have to take a close look and determine if any of their data practices could be considered “selling” before dismissing S332 as not applicable.
S332 has many (but not all) of the same exemptions as other laws, including for government bodies and personal data already regulated by federal laws such as the GLBA or HIPAA. However, nonprofit organizations do not appear to be exempt from compliance. This means New Jersey is joining the growing list of states, along with Global Privacy Control (GPC), on their websites. This means that any user with GPC enabled on their browser should be treated as if they have submitted on opt-out request.
Personal data is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.
Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.
The New Jersey law requires organizations to perform data protection assessments for certain types of processing activities that present a “heightened risk of harm” to consumers. This includes:
The statute does not provide a specific penalty for violations, but states that a violation shall be considered an unlawful practice under New Jersey’s consumer protection laws. The penalty for violating these laws is up to $10,000 for the first offense, and up to $20,000 for each subsequent offense.
Initially, the Attorney General's Office must give businesses 30 days to cure any alleged violations. This mandatory cure-period provision sunsets after 18 months.
S332 does not grant a private right of action to consumers, meaning they cannot sue an organization over alleged violations. Only the New Jersey Attorney General’s Office has authority to enforce the law.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
