Last week on the 16^th of January the New Jersey Governor signed into law S332 the bill outlining the state’s Consumer Data Privacy. Here is what you need to know about the new law taking effect on January 15^th, 2025.

Who will need to comply with this new law, well controllers that conduct business in the state or produce products or services that are targeted to NJ residents and during a calendar year either:

• Control or process the personal data of at least 100K consumers (excludes personal data for the sole purpose of completing a payment transaction)
• Control or process the personal data of at least 25K consumers and receive revenue or a discount on goods or services from the sale of personal data.

Consumers will have the following rights:

• Right to know and access
• Right to correct
• Right to delete
• Right to data portability
• To opt out of:
  • targeted advertising
  • the sale of personal data
  • decision profiling

New Jersey consumers are to be informed in a clear, meaningful, and reasonably accessible privacy policy that includes:

• Categories of personal data the controller processes.
• The purpose of processing the personal data.
• Categories of all third parties controllers may disclose consumer’s personal data.
• Categories of personal data that the controller shares with third parties, if any.
• How a consumer may exercise their rights, appeal a decision, and include the controller’s contact information.
• How the controller will alert the consumer to material changes in the policy and the effective date.
• Active email address or other online option the consumer may use to contact the controller.
• If a controller sells personal data to third parties or processes data for the purposes of targeted advertising, sale, or decision profiling then the controller must clearly and conspicuously disclose this to the consumer along with how the consumer can opt out of these practices.

A controller can have a consumer validate their request through an existing account, however, they cannot require a consumer to create a new account. This should be a given but a controller cannot decrease the availability of products or services or increase cost due to a consumer exercising their rights.

Similar to most states the controller has 45 days to respond to a consumer request and may extend by an additional 45 days so long as it is reasonably necessary and informs the consumer within the initial 45-day response period. If the controller declines to take action on the consumer’s request they must respond without delay and within 45 days of the request, along with instructing the consumer on how to appeal the decision.

Consumers can make a request free of charge once every 12 months. A controller may charge reasonable fees if requests from a consumer are considered to be manifestly unfounded, excessive, or repetitive. The burden of showing the consumer’s request are excessive or repetitive will lay with the controller.

Controllers do not have to comply with requests they are unable to authenticate through reasonable efforts and must inform the consumer they are unable to take action until the consumer can provide additional information to authenticate the request. If the controller has reason to believe the request is fraudulent, they can deny the request but they must notify the requestor of this belief, why they believe it to be fraudulent, and inform the consumer they are not required to act on the request because of this.

Controllers must establish an appeal process for consumers whose requests are denied. The process must be conspicuously available and similar to the process for submitting a consumer request. Within 45 days of an appeal request, the controller must inform the consumer in writing of the action taken or not taken and the decision behind those actions. If the appeal is denied the controller shall provide an online mechanism, if available, or other methods the consumer may contact the Division of Consumer Affairs to submit a complaint.

New Jersey is a bit more specific when it comes to the universal opt-out mechanism. No later than six months after the effective date, a controller that processes personal data for the purposes of targeted advertising or the sales of personal data must allow a consumer the ability to exercise the right to opt-out through a user-selected universal opt-out mechanism. The platform, technology or mechanism must:

• Its manufacture to unfairly disadvantage another controller.
• A default setting cannot be used to opt-in consumers unless the controller has determined the consumer selected a clearly represented, affirmative, freely given, and unambiguous choice defaulting to opt into any processing of consumer’s personal data.
• Be consumer-friendly, clearly described, and easy to use.
• Be consistent with other similar platform, technology, or mechanism required by federal or state law.
• Enable the controller to accurately determine if the consumer is a resident, if the consumer made a legitimate request to opt out of processing of personal data.

A controller must:

• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purpose disclosed to the consumer
• Put in place reasonable measures to establish, implement, and maintain administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure during both use and storage.
• Provide an effective mechanism for a consumer to revoke consent as easily as it was to provide the consent, upon revocation data processing must stop within 15 days.
• Specify the express purpose personal data will be processed.

A controller cannot:

• Process personal data for purposes that are not reasonably necessary or compatible with the purpose that was disclosed to the consumer, unless you obtain consumer consent.
• Process sensitive data without obtaining consumer consent and personal data of known children must be processed in accordance with COPPA.
• Process personal data to discriminate against consumers.
• Process personal data of a consumer for the purpose of targeted advertising, sale, or decision profiling without the consumer’s consent where a controller has knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 17 years of age.
• Conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment for each processing activity that involves personal data.

In the definition of consent, there is a clear description of what consent is and what is not considered consent. It will be extremely important to ensure that consumers have a clear understanding of what they are reading and ultimately consenting to. The definition reads: “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” shall not include: acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.

The new data privacy law offers a few exemptions, outlines the controller’s and processor’s obligations, will be enforced by the state’s AG, and does not offer a private right of action. Be sure to read the full bill HERE.