New Jersey's Senate Bill (SB) 332 is a comprehensive law that is designed to protect New Jersey consumers' privacy and provides rules for how businesses should treat consumers' personal data. The bill passed the Senate and the Assembly on January 8th, 2024 and was signed by Governor Phil Murphy on January 16th, 2024. The law should go into effect one year after enactment.

This article explains what the law is, who it applies to, how to comply with the law, and the penalties for noncompliance.


What is New Jersey's Privacy Law?

SB 332 is a privacy law that establishes rights for New Jersey residents to help protect their personal data and dictates how organizations treat New Jersey consumers' online data.

The text of SB 332 defines personal data as information that can be used to identify an individual (not including de-identified or publicly available data):

New Jersey SB 332: Definition of Personal data

Who Does New Jersey's Privacy Law Apply to?

New Jersey's privacy law applies to data controllers that handle personal data belonging to New Jersey residents.

Entities that decide why and how to process (use) consumers' personal information are referred to as controllers in SB 332:

New Jersey SB 332: Definition of Controller

Controllers that meet the following criteria are subject to New Jersey's privacy law:

  • Operate within New Jersey or offer goods or services to New Jersey consumers, and either:
  • Control or process personal data belonging to at least 100,000 consumers (not including personal data used exclusively for completing a payment), or
  • Control or process personal data belonging to at least 25,000 consumers and get either revenue or discounted goods or services from the sale of personal data

SB 332 explains that the law applies to controllers that do business in New Jersey and meet its conditions:

New Jersey SB 332: Who law applies to excerpt

Who is Exempt From New Jersey's Privacy Law?

New Jersey's privacy law does not apply to certain institutions and types of data that are covered by other laws.

The law does not apply to:

  • Health data protected by the Health Insurance Portability and Accountability Act (HIPAA)
  • Health data protected by the Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act
  • Certain secondary market and insurance institutions
  • The sale of consumers' personal information by the New Jersey Motor Vehicle Commission as regulated by the Driver's Privacy Protection Act of 1994
  • Personal information that is collected, processed, sold, or shared by a consumer reporting agency that complies with the Fair Credit Reporting Act
  • State agencies
  • Personal data used for research that complies with the Federal Policy for the Protection of Human Subjects

SB 332 lists the types of information and entities that are exempt from the law, including certain protected health and financial data:

New Jersey SB 332: Who is exempt section

What Rights Does New Jersey's Privacy Law Grant to Consumers?

New Jersey's privacy law gives consumers the following rights:

  • The right to know if a controller is processing their personal data
  • The right to access their personal data
  • The right to correct their personal data
  • The right to delete their personal data
  • The right to receive a copy of their personal data
  • The right to opt out of the sale of their personal data or the processing of their personal data for targeted advertising or profiling purposes

SB 332 lists the rights it gives New Jersey consumers, including the rights to access, edit, and delete their personal data:

New Jersey SB 332: Consumer Rights section

What Does New Jersey's Privacy Law Require?

New Jersey's privacy law requires applicable organizations to honor New Jersey consumers' rights and treat personal data in accordance with its rules.

New Jersey's privacy law requires applicable organizations to take the following actions:

  • Maintain an SB 332-compliant Privacy Policy
  • Provide mechanisms for consumers to opt out of the sale of their personal data or the processing of their personal data for targeted advertising purposes
  • Only collect personal data that is necessary to fulfill their purposes, and disclose those purposes to the consumer
  • Only process personal data for additional purposes if consent has been obtained from the consumer
  • Implement security measures to keep personal data safe
  • Get consumer consent before processing sensitive data (a special category of data that includes race, health diagnoses, financial info, and sexual orientation)
  • Process children's data in accordance with the Children's Online Privacy Protection Act (COPPA)
  • Refrain from discriminating against consumers
  • Give consumers a way to revoke their consent that is just as easy as the method they used to provide their consent
  • Respond to a consent revocation request within 15 days of receiving the request
  • Get consent before selling personal data or processing personal data for targeted advertising or profiling purposes
  • Refrain from data processing activities that pose a heightened risk of harm to the consumer until a data protection assessment (risk audit) has been conducted

SB 332 describes the responsibilities data controllers must fulfill in order to comply with the law, including keeping the data they collect and process safe and getting consent before processing sensitive data:

New Jersey SB 332: Data Controller Responsibilities section

How Do You Comply With New Jersey's Privacy Law?

Let's explore some of the steps you can take to comply with New Jersey's privacy law, including maintaining a Privacy Policy, getting consumer consent before collecting personal data, and giving consumers a way to opt out of the collection and processing of their personal data.

Maintain a Privacy Policy

One of the most effective ways to ensure compliance with New Jersey's privacy law is to maintain a clearly written, regularly updated Privacy Policy on your website.

A Privacy Policy is a legal document that describes how you collect and use consumers' personal data and what you do to keep it safe.

New Jersey's privacy law requires applicable organizations to maintain a Privacy Policy on their website that contains (but is not limited to) the following clauses:

  • What personal data the controller processes
  • Why the personal data is processed
  • What third parties the controller shares personal data with
  • The types of data the controller shares with third parties
  • How consumers can exercise their rights
  • How the controller notifies consumers of changes to the Privacy Policy
  • The controller's online contact information
  • Notification if the controller sells personal data or uses it for targeted advertising

The text of SB 332 explains the clauses a Privacy Policy needs to include in order to comply with the law, including descriptions of the types of data a controller processes and how consumers can exercise their rights:

New Jersey SB 332: Privacy Notice section

Let's take a deeper look at the clauses you should include in your Privacy Policy to make it SB 332-compliant.

What Personal Information You Collect

This clause describes the categories of personal information you collect from consumers who use your website or online service.

Kettle's Privacy Policy explains that it collects both anonymous information and data that can be used to identify an individual. It includes a link to an email address where consumers can send requests to be removed from the company's database and have their personal data deleted:

Kettle Privacy Policy: Information we collect clause

Why You Process Personal Data

You should explain your reasons for processing consumers' personal data. It's good practice to only process personal data that is necessary to fulfill your business purposes.

Groundies' Privacy Policy describes its reasons for collecting and processing consumers' personal data, including for account creation and order fulfillment purposes:

Groundies Privacy Policy: Data collection and use clause

What Third Parties You Share Personal Information With

You should list any third parties you share consumers' personal information with. This clause can also explain whether a consumer's use of your website enables third parties to collect their personal information over time or from different websites.

Magna-Tiles' Privacy Policy explains that the only third parties it shares consumers' personal data with are government agencies or fraud prevention or investigation companies:

Magna Tiles Privacy Policy: Distribution of Information clause

What Personal Information You Share With Third Parties

This clause explains the types of personal data you share with third parties.

Orangetheory Fitness's Privacy Policy lists the types of personal information it may share with third parties, including names, heart rate information, body scanner results, and other workout and health data:

Orangetheory Fitness Privacy Policy: We may share information clause

How Consumers Can Exercise Their Rights

Your Privacy Policy should include a description of how consumers can access and/or request changes be made to their personal information.

To comply with New Jersey's privacy law, you should provide one or both of the following methods for consumers to submit requests:

  • A toll-free phone number
  • An email address or other online contact method

This clause should also explain how consumers can appeal any decisions made in response to their requests and should include the contact information for New Jersey's Division of Consumer Affairs in the Department of Law and Public Safety.

Finally, you can use this clause to notify consumers if you sell their personal data or use their personal data for targeted advertising purposes.

Whole Foods Market's Privacy Notice describes how consumers can unsubscribe from promotional emails, adjust targeted advertising preferences, opt out of Google Analytics, and request to access, correct, or delete their personal information:

Whole Foods Market Privacy Notice: Choices clause

How Consumers Will Be Notified of Changes Made to the Privacy Policy

This clause explains how consumers will be notified of updates to your Privacy Policy and should include the document's effective date.

BlackOak TV's Privacy Policy explains that it will notify consumers by email when the document is updated:

BlackOak TV Privacy Policy: Changes to the policy clause

Your Contact Information

You should provide consumers with at least one way to get in contact with you, and the more ways, the better.

The New York Public Library's Privacy Policy includes an email address specifically for privacy-related concerns, a phone number, a link to its webform, its mailing address, and a link to its general contact page:

New York Public Library Privacy Policy: Contact information clause

Limit Collection of Personal Data

You should use your Privacy Policy to inform consumers about your reasons for collecting their personal data, and should only collect data that is essential to fulfilling those purposes.

SB 332 requires data controllers to only collect personal data that is "adequate, relevant, and reasonably necessary" to accomplish the purposes that have been disclosed to consumers:

New Jersey SB 332: Limit the collection of data section

You will need to get consent from consumers before engaging in the following data processing activities:

  • Using consumers' personal data for purposes other than those they initially agreed to
  • Processing sensitive data
  • Processing children's data (you will need to get parental or guardian consent before processing children's personal data)
  • Selling personal data
  • Using personal data for targeted advertising purposes
  • Using personal data for profiling purposes

You will also need to provide a way for consumers to revoke their consent. It must be as easy for the consumer to revoke their consent as it was for them to give it.

You must respond to a consumer's consent revocation request within 15 days of receiving it.

When users go to create an account with Apple, they are provided with information about how Apple uses their data. Apple explains that, with users' consent, it will use Apple ID information for marketing purposes, and includes a link to its Apple ID and Privacy page:

Apple ID Create Account form excerpt

NPR's Privacy Policy contains information about how consumers can limit the use of or opt out of sharing their information or receiving marketing communications:

NPR Privacy Policy: Opt out clause excerpt

Keep Personal Data Safe

You should employ technical, physical, and administrative security measures to ensure the personal data you collect and process is kept safe during collection, transport, and storage.

Some security measures you might consider implementing include:

  • Using firewalls, multi-factor authentication, and antivirus software
  • Installing security cameras and making sure doors and filing cabinets are securely locked
  • Conducting regular staff trainings and only allowing authorized staff to access personal data

SB 332 explains that data controllers must take steps to protect personal data, including physical, technical, and administrative actions:

New Jersey SB 332: Data security section

Respond to Consumer Requests in a Timely Manner

You should respond within 45 days to consumer requests to access or make changes to their personal data. You can extend your response period by an additional 45 days, as long as you notify the consumer within the initial 45 days of your reasons for the extension.

You can deny consumer requests, but only if you are legally required to keep the consumers' personal information or if you can't verify the requested changes.

If a consumer requests information about the third parties you share their data with, you must respond within 60 days of the request. You must provide information about the types of data that were shared and with which third parties over the course of the previous 12 months.

Provide Opt Out Mechanisms

New Jersey's privacy law requires controllers that sell consumers' personal data or use it for targeted advertising purposes to provide a way for consumers to opt out of the sale or processing of their information.

It requires controllers to maintain a "user-selected universal opt out mechanism" that is easy to use and allows the controller to authenticate the consumer as a New Jersey resident.

New Jersey SB 332: Opt out mechanism section

You can choose the method by which consumers can opt out of the sale of their data, as long as it does not require a consumer to create an account in order to complete the process.

DICK'S Sporting Goods uses its Privacy Policy to inform consumers how they can opt out of the sale or sharing of their personal information, the use of their sensitive personal information, or the use of their personal information for targeted advertising purposes:

DICKS Sporting Goods Privacy Policy: Opt-out requests clause

Conduct Data Protection Assessments

A data protection assessment is an audit of your data collection and processing systems that identifies potential risks.

To comply with New Jersey's privacy law, applicable organizations must keep a record of their data protection assessments and make them available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request.

Activities that require data protection assessments include:

  • Processing personal data for targeted advertising purposes
  • Processing personal data for profiling purposes (if the profiling could potentially cause harm to a consumer)
  • Selling personal data
  • Processing sensitive data

SB 332 lists the data processing activities that may pose a heightened risk to a consumer and explains that one data protection assessment can be used to audit similar data processing activities:

New Jersey SB 332: Data protection assessment section

Inform Consumers if You Sell Personal Data or Use it For Targeted Advertising or Profiling Purposes

You must notify consumers if you engage in any of the following data processing activities:

  • Selling personal data
  • Using personal data for targeted advertising purposes
  • Using personal data for profiling that could potentially have a negative impact on the consumer

The notification should be clearly written and conspicuously placed on your website and should contain information about how consumers can opt out of the sale or processing of their personal data.

When users visit Bumble's website, they must click a Continue button beneath a statement informing them that their personal data may be used for marketing purposes in order to continue using the site. The statement explains what steps consumers can take to opt out of the sale or sharing of their personal data:

Bumble Privacy Choices notice

What are the Penalties for Not Complying With the New Jersey Privacy Law?

The Attorney General is the enforcing authority of New Jersey's privacy law. For the first 18 months after the law goes into effect, the Division of Consumer Affairs in the Department of Law and Public Safety will notify an organization if it believes the entity is violating the law.

If the organization fails to cure the alleged violation within 30 days of receiving notification from the Division of Consumer Affairs, it may be charged with a violation of P.L.1960, c.39 (New Jersey's consumer fraud law).

The Attorney General may bring an enforcement action against organizations that violate the law.

SB 332 explains that the Attorney General can bring enforcement actions against anyone who doesn't comply with the law:

New Jersey SB 332: Violations section

Summary

SB 332 is New Jersey's comprehensive privacy law. It gives New Jersey consumers rights concerning their personal information and dictates how applicable organizations should handle consumers' personal data.

New Jersey consumers' rights under the law include:

  • The right to know if their personal information is being processed
  • The right to access, correct, or delete their personal data
  • The right to obtain a copy of their personal data
  • The right to opt out of the sale of their personal data or the processing of their personal data for targeted advertising or profiling purposes

The law applies to data controllers that do business in New Jersey or provide goods or services for residents of New Jersey and meet the following criteria:

  • Control or process personal data belonging to at least 100,000 consumers, or
  • Control or process personal data belonging to at least 25,000 consumers and get either revenue or discounted goods or services from the sale of personal data

The law does not apply to certain institutions or types of data that are subject to laws such as HIPAA or the Fair Credit Reporting Act.

To comply with New Jersey's privacy law, applicable organizations should take the following steps:

  • Maintain a clearly written, regularly updated Privacy Policy
  • Limit collection of consumers' personal information
  • Get consent before collecting or processing personal data
  • Keep personal data secure
  • Respond to consumers' requests concerning their personal information
  • Provide mechanisms for consumers to opt out of the sale or processing of their personal data
  • Conduct data protection assessments for high-risk data processing activities
  • Inform consumers if you sell their personal data or use it for profiling or targeted advertising purposes

An SB 332-compliant Privacy Policy should contain the following clauses:

  • What personal data you collect
  • Why you process personal data
  • Third parties you share personal data with
  • The categories of personal data you share with third parties
  • How consumers can exercise their rights
  • How consumers will be notified of any changes made to the Privacy Policy
  • Your contact information

The Attorney General may bring enforcement actions against anyone who violates the law.
