Bill 332, now recognized as the New Jersey Data Protection Act, was recently signed into law, positioning NJ as the 13th state to implement a comprehensive framework for consumer personal information protection. The law will go into effect January 16, 2025.
Who Must Comply:
The Act will affect controllers and processors that conduct business in NJ or offer products and services to NJ residents. The law focuses on entities managing the personal data of 100,000 consumers or more, or those handling at least 25,000 consumers’ data while also deriving revenue from selling this data.
The Act provides various rights to consumers regarding their personal data, such as verification, correction, deletion, and data portability. It also introduces strict measures for processing sensitive personal data, requiring affirmative consumer consent and adherence to the Children’s Online Privacy Protection Act when the data concerns minors.
Businesses must maintain transparent privacy practices and limit data collection to what is necessary for disclosed processing purposes. Moreover, they are required to implement robust data security measures and conduct rigorous data protection assessments for activities posing heightened risks to consumer privacy.
The Office of the Attorney General has exclusive authority to enforce the Act. Violations can lead to penalties, with a 30-day cure period offered initially. The Division of Consumer Affairs is tasked with developing rules and regulations to support implementation.
Implications for Businesses:
Entities operating within the scope of the Act must reassess their data protection strategies, ensuring compliance with the Act’s provisions. The inclusion of nonprofits within the Act’s purview, absence of specific revenue thresholds, and the broader definition of sensitive data suggest a more extensive application compared to laws in other states.
- The Act applies to a wider range of entities, without specific revenue thresholds.
- Financial information is categorized as sensitive data, requiring consent for processing.
- Data protection assessments are mandatory for high-risk processing activities.
- Controllers must recognize universal opt-out mechanisms for certain data processing activities.
Businesses should now prioritize understanding and adapting to these requirements to ensure compliance by the effective date in January 2025.