ATTENTION NEW JERSEY EMPLOYERS: WHAT ARE YOUR OBLIGATIONS UNDER THE NEW JERSEY DATA PRIVACY ACT?


Earlier this year, New Jersey joined the dozen or so states that have enacted comprehensive consumer data privacy laws. The New Jersey Privacy Act (“NJPA”), effective January 15, 2025, aims to protect the personal data of New Jersey residents by imposing obligations on certain businesses and giving consumers rights to control their personal data. Read on to learn more about the NJPA and how it may affect your company.

Who does the NJPA aim to protect?

The NJPA covers “consumers,” defined as New Jersey residents acting in an individual or household context. Notably, the definition expressly excludes coverage of those acting in an employment or other commercial context – i.e., employees and business-to-business contacts.

Which businesses must comply with the NJPA?

The NJPA’s compliance obligations apply to companies that conduct business in New Jersey, or that provide products or services to New Jersey residents, and that act as either “controllers” or “processors” of consumer personal data. The law defines these terms as follows:

  • “Controllers”: Individuals or legal entities that determine the purpose and means of processing personal data. 
  • “Processors”: Individuals or entities that process personal data on behalf of a controller.

Controllers are covered if they conduct business in New Jersey or produce products or services targeted to New Jersey residents and, within a calendar year, either:

  • Control or process the personal data of at least 100,000 consumers (excluding personal data processed solely to complete a payment transaction); or
  • Control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of goods or services, from the sale of personal data.

The NJPA does not contain a minimum annual revenue threshold, so a smaller business that meets either of the consumer-volume thresholds above is subject to the law regardless of its revenue.

Controller or Processor?

Whether an individual or legal entity is acting as a controller or a processor depends on its actual conduct, not on how it labels itself. Notably, a processor will be deemed a controller with respect to any processing for which it determines the purposes and means of processing personal data.

What type of information does the NJPA protect?

The NJPA protects “personal data,” defined as any information that is linked or reasonably linkable to an identified or identifiable person. De-identified data or publicly available information is excluded from coverage. 

The NJPA also protects “sensitive data,” which includes personal data that reveals:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health condition, treatment, or diagnosis;
  • Financial information combined with codes or passwords that would allow access to a financial account;
  • Sex life or sexual orientation;
  • Citizenship or immigration status;
  • Status as transgender or non-binary;
  • Genetic or biometric data that may identify an individual;
  • Personal data of a known child; or
  • Precise geolocation data. 

What must controllers and processors do to comply with the NJPA?

Controllers

The NJPA requires controllers to provide a privacy notice to consumers that includes, at a minimum:

  • Categories of personal data processed;
  • Purpose for processing the personal data;
  • Categories of all third parties to whom personal data may be disclosed;
  • Categories of personal data to be shared with third parties;
  • How consumers may exercise their rights, including the controller’s contact information and procedure to appeal a decision regarding a consumer’s request;
  • Process for notifying consumers of material changes to the privacy notice and effective date of the notice; and
  • An email address or other online mechanism by which consumers can contact the controller.

Controllers that process personal data for targeted advertising, for sale to third parties, or for profiling in furtherance of certain decisions must provide additional notice that clearly discloses any such use of personal data and explains how a consumer can opt out. Controllers may not require a consumer to create a new account in order to exercise their rights, and may not increase the cost or decrease the availability of a product or service, or otherwise discriminate against a consumer, for choosing to opt out. Controllers must respond to verified consumer requests within 45 days unless an extension is reasonably necessary and the consumer is informed of the reason for the extension and of all personal data disclosed in the past 12 months.

Controllers also must comply with the following general requirements:

  • Data Minimization: Limit collection and processing of personal data to what is reasonably necessary and as disclosed to the consumer.
  • Data Security: Implement appropriate data security practices to protect the confidentiality of personal data and prevent unauthorized access to personal data.
  • Sensitive Data: Obtain prior consent to process sensitive data and, if the personal data concerns a known child, process the data in accordance with the Children’s Online Privacy Protection Act.
  • Non-Discrimination: Avoid processing personal data in violation of New Jersey and federal laws prohibiting unlawful discrimination against consumers.
  • Consent Revocation: Provide an effective mechanism for consumers to revoke consent and cease data processing within 15 days of receiving a revocation request.
  • Personal Data of Children Under 17: Obtain prior consent to process data for targeted advertising, sale of personal data, or certain types of profiling where the consumer is at least 13 years old but younger than 17 years old. 
  • Transparency: Specify the express purposes for which the personal data is processed.
  • “Heightened Risk” Assessment: Before processing personal data that presents a “heightened risk” of harm to a consumer (the statute identifies targeted advertising, sale of personal data, certain profiling, and processing of sensitive data), controllers must perform a data protection assessment of each such processing activity that involves personal data acquired on or after January 15, 2025.

Processors

Although most obligations under the NJPA apply to controllers, it also imposes certain obligations on processors. Generally, the law requires processors to adhere to the controller’s instructions and assist the controller with its obligations by:

  • Taking appropriate technical and organizational measures to respond to consumer requests;
  • Assisting with data security and security breach notifications; and
  • Providing necessary information to conduct and document data protection assessments.

Any processing must be governed by a contract between the controller and processor that meets certain requirements of the NJPA, including:

  • Processing instructions;
  • The type of personal data to be processed, and the duration of the processing;
  • Obligations to maintain confidentiality and implement appropriate technical and organizational security measures; and
  • Obligations to delete or return all personal data to the controller when services are completed.

The NJPA also requires processors to (1) ensure that each person who processes personal data is bound by a duty of confidentiality with respect to that data, and (2) engage any subcontractor only under a written agreement that requires the subcontractor to meet the processor’s obligations with respect to personal data.

What rights do consumers have under the NJPA?

The NJPA provides consumers with certain rights to control the use and disclosure of their personal data, including the right to:

  • Confirm whether a controller is processing their personal data and access that personal data;
  • Correct inaccuracies in their personal data;
  • Delete their personal data;
  • Obtain a copy of their personal data in a manner that is easily transmittable to another entity; and
  • Opt out of personal data processing for the purposes of targeted advertising, sale of personal data, or profiling in decisions that may have a legal or similarly significant effect on the consumer.

If a consumer requests deletion of personal data that a controller obtained from a source other than the consumer, the controller complies with the request by (1) deleting the personal data, (2) retaining a record of the deletion request, together with only the minimum data necessary to honor it, and (3) ensuring that the personal data remains deleted from the controller’s records.

Are there any exceptions under the NJPA?

The NJPA provides several exemptions, including:

  • Protected health information collected by a covered entity or business associate subject to the Health Insurance Portability and Accountability Act;
  • Financial institutions or affiliates subject to the Gramm-Leach-Bliley Act;
  • Personal data sold by the New Jersey Motor Vehicle Commission in accordance with the Drivers’ Privacy Protection Act of 1994;
  • Personal data collected, processed, sold, or disclosed by a consumer reporting agency pursuant to the federal Fair Credit Reporting Act; and
  • New Jersey government entities.

What options must I provide to consumers to opt out of data processing?

By July 15, 2025, controllers that process personal data for purposes of targeted advertising or sale of personal data must honor a user-selected universal opt-out mechanism (such as a browser or device setting that signals the consumer’s preference) as a valid request to opt out of such processing. Among other requirements, the mechanism must allow the controller to accurately determine whether the consumer is a New Jersey resident and has made a legitimate opt-out request, must be consumer-friendly and easy to use, and must not rely on a default setting that opts the consumer in unless the consumer clearly and affirmatively chooses that setting. The Division of Consumer Affairs in the Department of Law and Public Safety (“Division of Consumer Affairs”) may adopt rules and regulations setting the technical specifications for universal opt-out mechanisms.

What else should I know about the NJPA?

The NJPA will be enforced by the Office of the Attorney General, through the Division of Consumer Affairs, and does not create a private right of action. Notably, the law provides a 30-day cure period and requires the Division of Consumer Affairs to issue a notice of noncompliance for curable violations before bringing an enforcement action. The 30-day cure period is temporary and will sunset on July 15, 2026.
