On January 16, 2024, Senate Bill 332 was signed by the Governor of New Jersey, following its passage by the General Assembly and the State Senate on January 8, 2024. The bill provides for its entrance into effect 365 days following its enactment.

The Governor of New Jersey, Philip D. Murphy, clarified in their Signing Statement that amendments to the bill should not be construed as providing the basis for a private right of action for violations of the bill.

Definitions

The bill defines, amongst others, 'business,' 'consumer,' 'de-identified data,' 'commercial internet website,' 'operator,' 'personally identifiable information,' 'sale,' 'verified request,' 'consent,' 'sensitive data,' and 'targeted advertising.'

Scope

The bill applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and that during a calendar year either:

• control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
• control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

However, the bill clarifies that it does not apply to:

• protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services (HHS);
• a financial institution or affiliate subject to the Gramm-Leach Bliley Act of 1999 (GLBA); and
• personally identifiable information collected, processed, sold, or disclosed by a consumer reporting agency.

Obligations

The bill outlines a range of obligations and principles for controllers, including:

• providing consumers with a reasonably accessible, clear, and meaningful privacy notice, with specified contents;
• purpose limitation;
• data minimization;
• taking reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
• not processing consumers' sensitive data without first obtaining consent, alongside providing a mechanism to revoke consent; and
• not conducting processing which presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment, with such assessments required to identify heightened risks.

Notably, the bill clarifies processing that presents a 'heightened risk.'

In addition, the bill stipulates that processors must adhere to the instructions of controllers and help controllers meet their obligations under the bill, pursuant to a contract with specified contents. Requirements are also noted regarding the use of sub-processors, including the need for a written contract about meeting obligations.

Consumer rights

The bill also details consumer rights, including those to:

• be informed;
• access;
• rectification;
• deletion;
• data portability; and
• opt out of the processing of personal data for the purposes of targeted advertising, sale, or profiling.

The bill prescribes timeframes within which controllers must respond to consumer requests and grounds for the extension of such timeframe. Information provided in response to consumer requests must be done free of charge, though the bill clarifies that controllers may charge for requests that are manifestly unfounded, excessive, or repetitive.

Authority

Finally, the bill determined that the Office of the Attorney General has sole and exclusive authority to enforce its provisions.

You can read the press release here, the Governor's Signing Statement here, the bill here, and track its progress here.