News & Insights

Client Alert

January 11, 2024

New Jersey Enacts Privacy Law

On January 8, 2024, New Jersey’s State Legislature passed the Disclosure and Accountability Transparency Act (the “Data Act”). Following Governor’s signature within 45 days, the Data Act would take effect one (1) year after the date of the enactment, namely January 8, 2025.

1. Scope

Unlike many recently enacted state privacy bills, which have essentially followed two basic templates, the Data Act adopts many elements and terminology from the European Union’s General Data Protection Regulation (“GDPR”). The Data Act defines personal data very broadly, including any information that is linked or reasonably linkable to an identified or identifiable natural person (“Personal Data”). The Data Act applies to “controllers,” defined as individuals or legal entities that, alone or jointly with others, determine the purposes and means of processing Personal Data, that:

  • Conduct business in New Jersey or produce products or services that are targeted to “consumers”, defined as residents of New Jersey; and
  • During a calendar year either: (a) control or process the Personal Data of at least 100,000 consumers, excluding Personal Data processed solely for the purpose of completing a payment transaction; or (b) control or process the Personal Data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of Personal Data.

In addition to excluding Personal Data relating to persons acting in a commercial or employment context (i.e. business-to-business contact information and employee Personal Data), the Data Act also excludes certain entities and certain categories of Personal Data from its scope, including:

  • Protected health information collected by covered entities and business associates subject to Health Insurance Portability and
  • Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act);
  • Financial institutions and data subject to Gramm-Leach-Bliley Act (GLBA);
  • Secondary market institutions identified in 15 U.S.C. s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii);
  • An insurance institution subject to New Jersey’s P.L.1985, c.179 (C.17:23A-1 et seq.);
  • State agencies as defined in section 2 of P.L.1971, c.182 (C.52:13D-13);
  • Personal Data that is collected, processed, or disclosed, as part of research conducted in accordance with the Federal Policy for the protection of human subjects pursuant to 45 C.F.R. Part 46 or the protection of human subjects pursuant to 21 C.F.R. Parts 50 and 56;
  • The sale of a consumer’s Personal Data by the New Jersey Motor Vehicle Commission that is permitted by the federal Drivers' Privacy Protection Act; and
  • Personal Data collected, processed, sold, or disclosed by a consumer reporting agency, as defined in Fair Credit Reporting Act (FCRA).

2. Consumer Rights

The Data Act grants consumers broad rights, including rights to:

  • Confirm whether a controller processes the consumer’s Personal Data and accesses such Personal Data;
  • Correct inaccuracies in the consumer’s Personal Data;
  • Delete Personal Data;
  • Obtain a copy of the consumer’s Personal Data held by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance; and
  • Opt out of the processing of Personal Data for the purposes of (a) targeted advertising; (b) the sale of Personal Data; or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

3. No Sensitive Personal Data Without Consent 

The Data Act defines “sensitive data” as:

  • Personal Data revealing racial or ethnic origin;
  • Personal Data revealing religious beliefs;
  • Personal Data revealing mental or physical health condition, treatment, or diagnosis;
  • Financial information including a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account;
  • Personal Data relating to sex life or sexual orientation;
  • Citizenship or immigration status;
  • Status as transgender or nonbinary;
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
  • Personal Data collected from a known child; or
  • Precise geolocation data.

Under the Data Act, the controller must obtain a consumer’s consent to process sensitive data. “Consent” under the Data Act means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of Personal Data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. The Data Act specifies that consent does not include:

  • Acceptance of a general or broad terms of use or similar document that contains descriptions of Personal Data processing along with other, unrelated information;
  • Hovering over, muting, pausing, or closing a given piece of content; or
  • Agreement obtained through the use of dark patterns.

The controller must also provide an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, the controller must cease to process the consumer’s Personal Data as soon as practicable, but not later than 15 days after the receipt of such request.

4. Key Obligations

a. Notice to Consumers

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes, at a minimum, the following information:

      • The categories of the Personal Data that the controller processes;
      • The purposes for processing Personal Data;
      • The categories of Personal Data that the controller shares with third parties, if any;
      • How consumers may exercise their consumer rights, including the controller’s contact information and how a consumer may appeal a controller’s decision with regard to the consumer’s request;
      • The process by which the controller notifies consumers of material changes to the privacy notice, along with the effective date of the notice;
      • An active email address or other online mechanism that the consumer may use to contact the controller; and
      • If a controller sells Personal Data to third parties or processes Personal Data for the purposes of targeted advertising, the sale of Personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, clear and conspicuous disclosure of such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing.

b. Responding to Consumer Requests

Controllers have 45 days from their receipt of a consumer’s verified request to respond with the information requested. This period may be extended by 45 additional days where reasonably necessary, considering the complexity and number of the consumer’s requests, provided that the controller informs the consumer of any such extension within the initial 45-day response period and the reason for the extension. The information must be provided by the controller free of charge once per consumer during any twelve-month period.

When a controller deems a consumer’s opt-out request as fraudulent and denies it, the controller must notify the consumer who made such request, disclosing that the controller believes such request is fraudulent, why the controller believes such request is fraudulent and that the controller will not comply with the consumer’s request.

A controller must also establish an appeal process for consumers whose requests the controller rejects. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.

c. Data Protection Assessments

The Data Act requires that controllers engaging in processing of Personal Data that presents a heightened risk of harm must conduct and document a data processing assessment (the “Assessment”). Under the Data Act, a heightened risk of harm is present when:

    • Controller processes Personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial or physical injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
    • Controller sells Personal Data; and/or
    • Controller processes sensitive data.

The Assessment must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. A controller must make the Assessment available to the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety upon request. Data protection assessments are confidential and exempt from public inspection under P.L.1963 c.3 (C.47:1A-1 et al.). Under the Data Act, the disclosure of a data protection assessment pursuant to a request from the division under this section does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.

d. Written Agreements with Data Processors

As under the GDPR and many state privacy laws, the Data Act requires a written data processing agreement (a “DPA”) in place between the controller and the processor processing Personal Data on behalf of, and for the purposes of, the controller. The DPA must, at a minimum, include:

    • The processing instructions to which the processor is bound, including the nature and purpose of the processing;
    • The type of Personal Data subject to the processing, and the duration of the processing;
    • A requirement that each person processing the Personal Data is subject to a duty of confidentiality with respect to the data;
    • A requirement that any subcontractors enter into a written contract that requires the subcontractor to meet the obligations of the processor with respect to the Personal Data;
    • A requirement that at the discretion of the controller, the processor must delete or return all Personal Data to the controller as requested at the end of the provision of services, unless retention of the Personal Data is required by law;
    • A requirement that the processor makes available to the controller all information necessary to demonstrate compliance with the obligations in the Data Act;
    • A requirement that the processor allows for, and contributes to, reasonable assessments and inspections by the controller or the controller's designated assessor.

The Data Act goes on to specify that if a processor begins, alone or jointly with others, determining the purposes and means of the processing of Personal Data, it will be deemed a controller with respect to the processing, including the liability attendant to the role of a controller.

5. Enforcement; No Private Right of Action

The Data Act will be enforced by the state’s Attorney General and it does not provide for a private right of action. Furthermore, for a period of 18 months following the effective date, the Data Act provides for a cure period, where, if a cure is deemed possible, the Division of Consumer Affairs in the Department of Law and Public Safety issues a notice to the controller prior to bringing an enforcement action, giving the controller 30 days to cure the alleged violation. In the event the controller fails to cure the violation during that period, enforcement action may be brought.