The Bottom Line
- New Jersey is the thirteenth state to enact a comprehensive consumer privacy law, and similar laws in other states are sure to follow.
- With the passage of each new comprehensive state consumer privacy law, the disconnects between them continue to grow. As a result, compliance obligations for businesses become more and more complex.
On January 16, 2024, Governor Phil Murphy signed into law New Jersey Senate Bill 332 (SB332). The new law will go into effect on January 15, 2025. New Jersey joins 12 other states that have passed comprehensive privacy laws.
Threshold Requirements
SB332 applies to persons or entities that conduct business in the state or produce products or services targeted to state residents and, during a calendar year, control or process the personal data of:
- 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
The exclusion of payment transactions (which can also be found in Connecticut’s, Oregon’s and Montana’s state privacy laws) benefits retailers and other small businesses that only use credit and debit card information to facilitate sales. Moreover, as with the Colorado Privacy Act, there is no threshold for revenue derived from sales of personal data. For companies that control or process the data of at least 25,000 consumers, it is sufficient that they derive any revenue or receive any discount on goods or services in return for selling personal data. As such, companies that sell personal data and are not subject to other state privacy laws because of those laws’ revenue requirements may still be subject to SB332.
Consumer Rights
Similar to other state privacy laws, SB332 provides consumers with a series of rights regarding their personal data: rights of access, correction, deletion, and data portability; and the right to opt out of targeted advertising, sales of personal data, and profiling “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” By July 15, 2025, controllers are required to recognize universal opt-out mechanisms used by consumers to exercise their right to opt out of the sale of their personal data or targeted advertising. The New Jersey Division of Consumer Affairs (the Division) is empowered to adopt rules and regulations addressing the technical specifications for such universal opt-out mechanisms. Notably, the State of Colorado has already invoked similar rulemaking authority, and as of December 2023, officially endorsed the Global Privacy Control as an approved opt-out mechanism.
Children and Teenagers
As with every state comprehensive privacy law to date, controllers under SB332 are required to process the data of children younger than 13 in accordance with the Children’s Online Privacy Protection Act (COPPA). New Jersey also joins a handful of states — California, Connecticut, Oregon and Montana — that require opt-in consent from consumers between 13 and 15 years old to sell their personal data, process it for targeted advertising, or use it for profiling in furtherance of decisions that produce legal or similarly significant effects. However, New Jersey has expanded the scope of this requirement to include children between 13 and 16, reflecting an increased legislative focus on teenage internet users.
Enforcement
SB332 is enforceable solely by the New Jersey Attorney General (Attorney General), and the law expressly states that it does not create a private right of action. Failure to follow SB332 will constitute a per se violation of the New Jersey Consumer Fraud Act, which the Division and the Attorney General currently use to investigate and prosecute privacy violations under civil law, entailing penalties of up to $10,000 per violation. For the first 18 months from the law’s effective date, the Division must issue companies a notice of violation and grant them 30 days to cure such violation before bringing an enforcement action. The law’s notice-and-cure period sunsets on July 15, 2026.
Among state attorneys general, New Jersey has historically been particularly active in its investigation and enforcement of privacy violations. Enforcement of SB332 will likely be tasked to the Data Privacy and Cybersecurity Section of the Attorney General’s Office, which has expanded to include 11 attorneys dedicated to full-time privacy enforcement. Given the resources, manpower and political will devoted to data protection in New Jersey, businesses can expect robust enforcement of SB332.