New Jersey’s New Privacy Law: A Summary

It looks like 2024 will be another big year for data privacy. Just eight days into January, the New Jersey Legislature passed Senate Bill 332, the country’s latest comprehensive consumer privacy law. The bill was signed a week later by Governor Phil Murphy.

Operating within an increasingly complex patchwork of state privacy rules, many businesses are now wondering: What does the New Jersey law mean for privacy compliance? 

When Does S332 Go Into Effect?

The New Jersey privacy law will go into effect on January 15, 2025.

What Organizations Must Comply?

S332 applies to any person or organization that does business in the state of New Jersey or targets its products or services toward state residents, and meets at least one of the following requirements:

• Controls or processes the personal data of at least 100,000 state residents per year, OR
• Controls or processes the personal data of at least 25,000 state residents per year AND derives any revenue, or receives a discount on any goods or services, from the sale of personal data

The most notable difference from the thresholds in other states is the second option, related to the sale of personal data. There is no minimum percentage of revenue a business must receive from the sale of data for this to apply; ANY sale of personal data, in combination with controlling or processing the data of at least 25,000 consumers, will trigger this threshold. What’s more, it explicitly states that providing consumers' personal data in exchange for a discount is considered a sale. Many businesses will have to take a close look and determine if any of their data practices could be considered “selling” before dismissing S332 as not applicable. 

S332 has many (but not all) of the same exemptions as other laws, including for government bodies and personal data already regulated by federal laws such as the GLBA or HIPAA. However, nonprofit organizations do not appear to be exempt from compliance. This means New Jersey is joining the growing list of states, along with Colorado, Oregon, and Delaware, whose privacy laws apply to nonprofits.

What Rights Do Consumers Have Under New Jersey’s Privacy Law?

S332 gives consumers the following rights.

• Right to Know - Consumers have the right to confirm whether a business is processing their personal data and to access that data.

• Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.

• Right to Delete - Upon request, businesses must delete personal data concerning the consumer.

• Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.

• Right to Opt Out - Consumers can opt out of:

• The sale of their personal data
• Targeted advertising
• Profiling in furtherance of automated decisions that produce legal or similarly significant effects

Starting six months after S332's effective date, businesses will be required to respect universal opt-out mechanisms, such as Global Privacy Control (GPC), on their websites. This means that any user with GPC enabled on their browser should be treated as if they have submitted on opt-out request.

What Is “Personal Data”?

Personal data is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.

Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits. 

Are Data Protection Assessments Required?

The New Jersey law requires organizations to perform data protection assessments for certain types of processing activities that present a “heightened risk of harm” to consumers. This includes:

• Targeted advertising
• Sale of personal data
• Profiling of consumers, where it presents a foreseeable risk of harm
• Processing of sensitive personal data
• Any other processing activity that presents a heightened risk of harm to consumers

How Much Do Violations Cost?

The statute does not provide a specific penalty for violations, but states that a violation shall be considered an unlawful practice under New Jersey’s consumer protection laws. The penalty for violating these laws is up to $10,000 for the first offense, and up to $20,000 for each subsequent offense.

Initially, the Attorney General's Office must give businesses 30 days to cure any alleged violations. This mandatory cure-period provision sunsets after 18 months.

Can Businesses Be Sued by Consumers?

S332 does not grant a private right of action to consumers, meaning they cannot sue an organization over alleged violations. Only the New Jersey Attorney General’s Office has authority to enforce the law.

Cross-Country Privacy Compliance

The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.

TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Built by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.

To learn more about how TrueVault US can help your business, contact our team today.