Keypoint: New Jersey is the thirteenth state to pass consumer data privacy legislation with a bill that is generally based on the Washington Privacy Act model but with some notable differences.
On January 8, 2024, the New Jersey legislature passed Senate Bill 332. Subject to the procedural formalities in the legislature, the bill will move to New Jersey Governor Phil Murphy for consideration.
Assuming the bill becomes law, New Jersey will become the thirteenth state to pass a consumer data privacy law. The bill was passed on the last day of New Jersey’s two-year legislative cycle.
As reflected in the bill’s redline, the bill underwent significant revisions since it was first introduced in January 2022. The bill initially passed the New Jersey Senate in February 2023. At that time, we observed the bill was “narrow, perhaps most similar to the Nevada Online Privacy Protection Act.” At one point, the bill was amended to require consumers to opt into the sale of their personal data rather than opt out, but that requirement was removed. Ultimately, the bill was amended to be based on the Washington Privacy Act (WPA) model, but it does not always track the structure of typical WPA variants and contains some notable differences as we discuss below.
As with prior bills, we have added the New Jersey bill to our chart providing a detailed comparison of the laws enacted to date.
The below article provides a summary of the bill and some of its more notable provisions and differences from other bills. It is not intended to provide a full analysis of the bill.
Finally, when reviewing the current version of the bill available on the New Jersey legislature’s website, it is important to note that the first seven-and-a-half pages of the bill were removed through a December 18, 2023, committee amendment. The text of the passed bill begins on page eight. Also, a final clean version of the bill has not been published and it is possible, given the manner in which the bill was passed, that the final bill could contain some differences to the currently available version. For additional insight into the bill’s provisions, see Keir Lamont’s analysis here.
The bill contains the following unique definitions.
The bill’s definition of biometric data is broader than those typically found in the WPA model definitions. The definition includes data generated by “technological processing” or “analysis.” It also includes not only biological characteristics but physical and behavioral characteristics. In addition, the definition specifically references facial mapping, facial geometry, and facial templates.
Designated Request Address
The bill includes a definition of “designated request address” that is not found in other WPA variants. The term is defined to mean “an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided” pursuant to bill’s provisions. That said, the term does not appear in the text of the bill itself. It appears this may be a holdover definition from when the bill was in its prior form before being amended to be a WPA variant.
The definition of process is the same as typically found in WPA variants except that it concludes with the phrase “and also includes the actions of a controller directing a processor to process personal data.”
The definition of sale does not include the same exceptions as found in other WPA variants. Missing from the exceptions is the phrase “the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.”
The bill contains a unique definition of sensitive data. Specifically, it includes the category: “financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” This is the first WPA variant that adds financial information to the definition of sensitive data. The California Consumer Privacy Act’s (CCPA) definition of sensitive personal information contains similar language; however, the CCPA does not require consent to collect sensitive personal information.
The bill’s definition also includes “mental or physical health condition, treatment or diagnosis.” This is similar to some of the other WPA variants although the phrasing is not identical, including through the use of the word “treatment.” Further, the bill’s definition includes “status as transgender or non-binary” which category also is found in the Oregon and Delaware laws.
Finally, the definition does not include consumer health data (as found in Connecticut) or status as victim of a crime (as found in Connecticut and Oregon).
Click here, for a chart comparing the definitions of sensitive data in the currently enacted WPA variants.
The bill includes a definition of verified request, which is not found in other WPA variants although the definition is not particularly notable. The term is defined to mean “the process through which a consumer may submit a request to exercise a right or rights established in [the law] and by which a controller can reasonably authenticate the request and the consumer making the request using commercially reasonable means.”
The New Jersey bill mirrors the traditional applicability standard found in the WPA variants – i.e., a controller that annually processes the personal data of 100,000 or more state residents. However, the bill uses Colorado’s standard of applicability for the sale of personal data – i.e., “control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.” Other states (excluding Texas’ unique approach) require a 25% or 50% of gross revenue threshold for this applicability standard.
Consumer is defined as an “identified person who is a resident of [New Jersey] acting only in an individual or household context.” It does not include “a person acting in a commercial or employment context.”
The bill’s exemptions are narrower than found in other WPA variants. For example, the bill only contains a data level exemption for protected health information, and not a covered entity exemption. The bill also does not contain exemptions for non-profits, institutions of higher education, or a FERPA exemption. The bill does contain entity and data level exemptions for GLBA financial institutions. It also exempts state agencies and related institutions.
As with the other WPA variants, the bill requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. This bill’s privacy notice language is closer to the wording in the Delaware and Oregon laws insofar as they all require the privacy notice to disclose both the categories of all third parties to which the controller may disclose a consumer’s personal data and the categories or personal data that the controller shares with third parties. The bill also requires controllers to describe “the process which the controller notifies consumers of material changes” to the privacy notice.
The bill provides New Jersey consumers with the typical set of privacy rights found in WPA variants and mirrors the Connecticut law in this regard. The bill does not provide for additional rights with respect to third parties as found in the Delaware and Oregon laws passed last year.
Notably, the bill does not contain a requirement that controllers must provide a link on their websites that enables a consumer to opt out of the targeted advertising or sale of the consumer’s personal data.
The bill also does not contain an exemption for pseudonymous data. New Jersey joins Oregon in not exempting this data.
Finally, the bill does not a provision stating that the controller does not have to comply with authenticated requests when, among other requirements, the controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.
The bill’s language around authorized agents is arguably imprecise insofar as it states that a “consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing and sale of the consumer’s personal data.” (Emphasis added) The phrase “opt out of the processing” is not directly linked to the bill’s opt out provisions as is the case with other WPA variants and could be read to suggest a larger right to opt out of processing perhaps similar to GDPR. This is likely just a drafting ambiguity as no other parts of the bill suggest such a right. The bill further provides that authorized agents can be used to opt out of the sale of personal data, opt out of targeted advertising or, “when such technology exists,” for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Universal Opt-Out Mechanisms
The bill requires controllers to recognize universal opt out mechanisms (UOOMs) no later than six months after the bill’s effective date. New Jersey joins Colorado, Connecticut, Montana, Oregon, Delaware, and Texas as WPA variants with this requirement. This requirement extends to targeted advertising and sales of personal data. The requirement would have extended to profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, but that language was removed.
The bill’s UOOM language is worth a close read. For example, one provision discusses that the UOOM shall not “make use of a default setting that opts-in a consumer to the processing or sale of personal data, unless the controller has determined that the consumer has selected such default setting and the selection clearly represents the consumer’s affirmative, freely given and unambiguous choice to opt into any processing of the consumer’s personal data pursuant to” the bill. (Emphasis added.) The phrasing of that section seems inconsistent with the purpose of a UOOM which is to signal an opt out, not an opt in, request. However, it may be a remnant of the prior version of the bill, which was an opt-in model.
As is the case with Colorado’s privacy law, the bill authorizes the New Jersey Division of Consumer Affairs in the Department of Law to adopt rules and regulations that detail the technical specifications for one or more UOOMs.
The bill prohibits the processing of the personal data of a consumer for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer’s consent, under circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age.
This provision is somewhat similar to the children’s privacy provisions enacted last year in Delaware and Oregon. The Oregon law includes profiling but only goes up to age 15. The Delaware law goes up to and including age 17 but does not include profiling.
The bill requires controllers to specify the express purpose for which personal data are processed. A similar requirement is found in Colorado and Oregon.
Heightened Risk of Harm and Data Protection Assessments
In a break from the structure of other WPA variant laws, the bill states that controllers cannot “conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment.” The way this requirement is phrased could be interpreted to create a prior restraint on this processing activity, raising First Amendment issues. The definition of heightened risk of harm also does not include reputational injury.
Data Processing Agreements
The bill requires controllers to enter into data processing agreements with processors. The requirements are similar to those found in other WPA variants.
The Director of the Division of Consumer Affairs in the Department of Law and Public Safety is required to promulgate rules and regulations necessary to “effectuate the purposes” of the bill. However, this provision does not provide a time frame for when such rules and regulations must be promulgated.
Violations are enforceable by the Division of Consumer Affairs in the Department of Law and Public Safety. The bill contains a 30-day right to cure that expires 18 months after the bill’s effective date.
The bill takes effect 365 days following its date of enactment.