New Jersey - Data Protection Overview
August 2024
1. Governing Texts
On January 16, 2024, the Governor of New Jersey signed the New Jersey Act concerning commercial Internet websites, online services, consumers, and personally identifiable information (the Act). The Act provides the New Jersey Office of Attorney General (AG) with exclusive authority to enforce its provisions (§16 of the Act).
The Act shall take effect on the 365th day following the date of enactment, except that the Director of the Division of Consumer Affairs may take any anticipatory administrative action in advance as shall be necessary for the implementation of the same (§17 of the Act).
1.1. Key acts, regulations, directives, bills
- the Act
1.2. Guidelines
The AG has not issued any guidelines on the Act.
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
The Act applies to controllers that, during a calendar year, either (§2 of the Act):
- control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.
The Act provides that it does not apply to data including, amongst others (§10 of the Act):
- protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the US Department of Health and Human Services (HHS), established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
- financial data subject to the Gramm-Leach-Bliley Act of 1999 (GLBA);
- the sale of a consumer's personally identifiable information by the New Jersey Motor Vehicle Commission that is permitted by the Driver's Privacy Protection Act of 1994 (the Driver's Privacy Protection Act);
- personally identifiable information collected, processed, sold, or disclosed by a consumer reporting agency, if the collection, processing, sale, or disclosure of the personally identifiable information is limited by the Fair Credit Reporting Act of 1970 (FCRA);
- personal data that is collected, processed, or disclosed as part of research.
2.2. Territorial scope
The Act applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey (§2 of the Act).
2.3. Material scope
The Act applies to the control or processing of personal data. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable person. This does not include de-identified data or publicly available information (§1 of the Act).
However, the Act clarifies that it does not apply to organizations and data including, amongst others (§10 of the Act):
- protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the HHS, established pursuant to HIPAA;
- a financial institution or affiliate subject to the GLBA;
- an insurance institution;
- the sale of a consumer's personally identifiable information by the New Jersey Motor Vehicle Commission that is permitted by the Driver's Privacy Protection Act;
- personally identifiable information collected, processed, sold, or disclosed by a consumer reporting agency, if the collection, processing, sale, or disclosure of the personally identifiable information is limited by FCRA;
- any State agency, any political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision; or
- personal data that is collected, processed, or disclosed as part of research.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The AG is the regulator for the Act.
3.2. Main powers, duties and responsibilities
The Office of the AG has sole and exclusive authority to enforce the provisions of the Act (§16 of the Act).
The Director of the Division of Consumer Affairs in the Department of Law and Public Safety (the Division of Consumer Affairs) shall promulgate rules and regulations necessary to effectuate the Act (§15 of the Act).
The Division of Consumer Affairs may also adopt rules and regulations that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data (§8(c) of the Act).
4. Key Definitions
Data controller: is defined as an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data (§1 of the Act).
Data processor: is defined as a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller (§1 of the Act).
Personal data: is defined as any information that is linked or reasonably linkable to an identified or identifiable person. This does not include de-identified data or publicly available information (§1 of the Act).
Sensitive data: is defined as personal data revealing (§1 of the Act):
- racial or ethnic origin;
- religious beliefs;
- mental or physical health condition, treatment, or diagnosis;
- financial information, which includes a consumer's account number, account log-in, financial account, or credit or debit card number in combination with any required security code, access code, or password that would permit access to a consumer's financial account;
- sex life or sexual orientation;
- citizenship or immigration status;
- status as transgender or non-binary;
- genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
- personal data collected from a known child; or
- precise geolocation data.
Health data: is not specifically defined under the Act but may fall under the definition of 'sensitive data' above (§1 of the Act).
Biometric data: is defined as data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. Biometric data does not include (§1 of the Act):
- digital or physical photographs;
- audio or video recordings;
- any data generated from a digital or physical photograph or an audio or video recording, unless such data is generated to identify a specific individual.
Pseudonymization: is not defined under the Act. However, de-identified data is defined as data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data (§1 of the Act):
- takes reasonable measures to ensure that the data cannot be associated with an individual;
- publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data; and
- contractually obligates any recipients of the information to comply with the requirements of this paragraph.
5. Legal Bases
The Act clarifies, regarding the different legal bases for processing personal data, that if a controller processes personal data pursuant to an exemption provided under the Act, the controller bears the burden of demonstrating that such processing qualifies for the exemption and is compliant (§12(e) of the Act).
In addition, personal data processed by a controller pursuant to an exemption expressly listed under the Act must (§12(d) of the Act):
- not be processed for any purpose other than a purpose expressly listed under the Act; and
- be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed under the Act.
Further, processing personal data for a purpose expressly identified under the Act does not solely make a legal entity a controller with respect to such processing if such entity would not otherwise meet the definition of a controller (§12(f) of the Act).
5.1. Consent
'Consent', pursuant to the Act, is defined as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action (§1 of the Act).
Consent does not include (§1 of the Act):
- acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
- hovering over, muting, pausing, or closing a given piece of content; or
- agreement obtained through the use of dark patterns.
Controllers must not process the sensitive data concerning a consumer without first obtaining the consumer's consent, or, in the case of the processing of a known child, without processing such data in accordance with the Children's Online Privacy Protection Act of 1998 (COPPA) (§9(a)(4) of the Act). In addition, controllers must not process the personal data of a consumer for purposes of targeted advertising, the sale of the consumer's personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer's consent, under circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age (§9(a)(7) of the Act).
Controllers must also not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent (§9(a)(2) of the Act).
In line with the above, controllers must also provide an effective mechanism for consumers to revoke consent in a way that is at least as easy as the mechanism by which the consumer provided the consumer's consent. Controllers must then cease to process the data as soon as practicable, but not later than 15 days after receipt of the request (§9(a)(6) of the Act).
5.2. Contract with the data subject
The Act does not specifically provide that personal data can be processed for the performance of a contract with a data subject.
However, the Act outlines that nothing may restrict the ability of a controller or processor to (§12(a)(5)-(7) of the Act):
- provide a product or service specifically requested by a consumer;
- perform a contract to which a consumer is a party, including fulfilling the terms of a written warranty; and
- take steps at the request of a consumer before entering into a contract.
Internal use
Similarly, the Act provides that the obligations on controllers or processors under the Act should not restrict the controller's or processor's ability to collect, use, or retain data for internal use to perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or that are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party (§12(b)(4) of the Act).
Personal data collected, used, or retained for internal use shall, where applicable, take into account the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data (§12(b)(4) of the Act).
5.3. Legal obligations
The Act does not specifically provide that personal data can be processed based on legal obligations.
However, the Act does provide that nothing may restrict the ability of a controller or processor to (§12(a)(1)-(4) of the Act):
- comply with federal or State law or regulations;
- comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, State, municipal or other governmental authorities;
- cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, State or municipal ordinances or regulations; and
- investigate, establish, exercise, prepare for, or defend legal claims.
5.4. Interests of the data subject
The Act does not specifically provide that personal data can be processed based on the interests of data subjects.
However, the Act does provide that nothing may restrict the ability of a controller or processor to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis (§12(a)(8) of the Act).
5.5. Public interest
The Act does not specifically provide that personal data can be processed based on the public interest.
However, the Act does provide that nothing may restrict the ability of a controller or processor to process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is (§12(a)(12) of the Act):
- subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
- under the responsibility of a professional subject to confidentiality obligations under federal, State, or local law.
In addition, the Act provides that its requirements do not restrict a controller or processor's ability to engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines, or similar independent oversight entities that determine (§12(a)(10) of the Act):
- whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
- whether the expected benefits of the research outweigh the privacy risks; and
- whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.
5.6. Legitimate interests of the data controller
The Act does not expressly provide that personal data can be processed based on the legitimate interest of the data controller.
However, the Act does provide that its requirements do not restrict a controller or processor's ability to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action (§12(a)(9) of the Act).
Likewise, the Act provides that the requirements imposed on controllers and processors under the Act must not restrict their ability to collect, use, or retain data for internal use to (§12(b) of the Act):
- conduct internal research to develop, improve, or repair products, services, or technology;
- effectuate a product recall; or
- identify and repair technical errors that impair existing or intended functionality.
5.7. Legal bases in other instances
The Act provides that its requirements do not restrict a controller or processor's ability to assist another controller, processor, or third party with any obligations under the Act (§12(a)(11) of the Act).
Data controllers or processors are not required to comply with the provisions of the Act if doing so would violate evidentiary privilege. The Act also stipulates that nothing under its requirements shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of New Jersey as part of a privileged communication (§12(c) of the Act).
6. Principles
The Act outlines the following principles for the processing of personal data:
Data minimization: controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer (§9(a)(1) of the Act).
Purpose limitation: controllers must not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent (§9(a)(2) of the Act). In addition, controllers must specify the express purposes for which personal data is processed (§9(a)(8) of the Act).
Confidentiality and integrity: controllers must take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. Data security practices must be appropriate to the volume and nature of the personal data at issue (§9(a)(3) of the Act).
Non-discrimination: controllers must not process personal data in violation of the laws of New Jersey and federal laws that prohibit unlawful discrimination against consumers (§9(a)(5) of the Act).
7. Controller and Processor Obligations
De-identified data
The Act defines 'de-identified data' as data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data (§1 of the Act):
- takes reasonable measures to ensure that the data cannot be associated with an individual;
- publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data; and
- contractually obligates any recipients of the information to comply with the requirements of this paragraph.
Nothing within the Act shall require a controller to re-identify de-identified data (§11(a) of the Act). Likewise, nothing shall require controllers to collect, retain, use, link, or combine personal data concerning a consumer that it would not otherwise collect, retain, use, link, or combine in the ordinary course of business (§11(b) of the Act).
7.1. Data processing notification
The Act does not specifically provide for data processing notification.
7.2. Data transfers
The Act does not specifically address cross-border data transfers.
However, 'sale' is defined as the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. 'Sale' does not include (§1 of the Act):
- the disclosure of personal data to a processor that processes the personal data on the controller's behalf;
- the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
- the disclosure or transfer of personal data to an affiliate of the controller;
- the disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or
- the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
7.3. Data processing records
The Act does not explicitly provide for data processing records.
However, the Act clarifies that controllers that have legally obtained personal data about a consumer from a source other than the consumer are deemed in compliance with a consumer request to delete such data by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records, and not using such retained information for any other purpose (§7(b) of the Act).
7.4. Data protection impact assessment
Controllers must not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment (DPA) of each of its processing activities that involve personal data acquired on or after the effective date and that present a heightened risk of harm to a consumer (§9(a)(9) of the Act).
A DPA must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller may employ. Controllers must factor into DPAs (§9(b) of the Act):
- the use of de-identified data;
- the reasonable expectations of consumers; and
- the relationship between the controller and the consumer whose personal data will be processed.
The Act provides that 'heightened risk' includes (§9(c) of the Act):
- processing personal data for purposes of targeted advertising, or for profiling if the profiling presents a reasonably foreseeable risk of:
  - unfair or deceptive treatment of, or unlawful disparate impact on, the consumer;
  - financial or physical injury to consumers;
  - a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
  - other substantial injury to consumers;
- selling personal data; and
- processing sensitive data.
The DPAs must be made available to the Division of Consumer Affairs on request (§9(c) of the Act).
Notably, a single DPA may address a comparable set of processing operations that includes similar activities (§9(d) of the Act).
7.5. Data protection officer appointment
The Act does not expressly address data protection officer appointments.
7.6. Data breach notification
The Act does not provide for breach notification requirements.
However, pursuant to §56:8-163 of the N.J. Stat. Ann., a business conducting business in New Jersey or a public entity that maintains computer records that include personal information must disclose any breach of security of those computerized records (N.J. Stat. Ann. §56:8-163(a)).
For further information please see New Jersey - Data Breach.
7.7. Data retention
The Act does not expressly address data retention.
7.8. Children's data
The Act does not specifically define 'child' but provides that it has the same meaning under COPPA, which considers a child as an individual younger than 13 years of age. Specifically, the Act stipulates that controllers must not process the personal data of a known child without processing such data in accordance with COPPA (§9(a)(4) of the Act).
In addition, personal data collected from a known child is considered a category of 'sensitive data' (§1 of the Act). Therefore, personal data collected from an individual the controller knows is under 13 years old must be processed in accordance with such requirements.
7.9. Special categories of personal data
Controllers must not process the sensitive data concerning a consumer without first obtaining the consumer's consent, or, in the case of the processing of a known child, without processing such data in accordance with COPPA.
7.10. Controller and processor contracts
Processors must adhere to the instructions of the controller and assist the controller in meeting their obligations. Taking into account the nature of processing and the information available to the processor, the processor must assist the controller by (§13(b) of the Act):
- taking appropriate technical and organizational measures for the fulfilment of the controller's obligations to respond to consumer requests to exercise their rights;
- helping to meet obligations relating to the security of processing of personal data and in relation to the notification of a breach of the security of the system; and
- providing information to the controller necessary to enable the controller to conduct and document any DPAs.
Taking into account the context of processing, the controller and processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures (§13(d) of the Act).
The processing by a processor must be governed by a contract between the controller and processor, setting forth (§13(e) of the Act):
- the processing instructions to which the processor is bound, including the nature and purpose of the processing;
- the type of personal data subject to the processing and the duration of the processing;
- the requirements imposed by the above information; and
- the following requirements:
  - at the discretion of the controller, the processor deletes or returns all personal data to the controller as requested at the end of the provision of services, unless retention of personal data is required by law;
  - processors make available to the controller all information necessary to demonstrate compliance with obligations under the Act; and
  - processors allow, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Processors may, with the controller's consent, arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under the Act, using an appropriate and accepted control standard or framework for the assessment. Processors must provide a copy of the assessment to the controller on request.
Notwithstanding the instructions of a controller, processors must also (§13(c) of the Act):
- ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
- engage a subcontractor pursuant to a written contract in accordance with the contractual requirements for engaging a processor above, that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
Determining whether a person is acting as a controller or processor with respect to specific processing of data is a fact-based determination dependent upon the context in which personal data is to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, shall be deemed a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it shall be deemed a controller with respect to that processing (§13(g) of the Act).
The Act clarifies that in no event may a contract relieve a controller or a processor from liabilities imposed on it by virtue of its role in the processing relationship (§13(f) of the Act).
8. Data Subject Rights
Submission format
Controllers must not require consumers to create a new account to exercise a consumer right, but may require consumers to use an existing account to submit a verified request. Likewise, controllers may not, based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service (§3(c) of the Act).
Response time
Controllers that receive a verified request from a consumer must provide a response to the consumer within 45 days of the controller's receipt of the request. Controllers may extend the response period by 45 additional days where reasonably necessary, considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of any such extension, and the reason for it, within the initial 45-day response period. The response must provide the information for all disclosures of personal data that occurred in the prior 12 months (§4(a) of the Act).
Information provided in response to a consumer request must be provided by a controller, free of charge, once per consumer during any 12-month period. Where requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request (§4(d) of the Act).
Authentication
If a controller is unable to authenticate a request to exercise any of the rights provided under the Act using commercially reasonable efforts, the controller will not be required to comply with a request to initiate an action but must provide notice to the consumer that they are unable to authenticate the request to exercise such right(s) until the consumer provides additional information reasonably necessary to authenticate the consumer and their request to exercise such right(s) (§4(e) of the Act).
Similarly, controllers may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. Where a controller denies an opt-out request because the controller believes the request is fraudulent, the controller must send a notice to the person who made such request disclosing that the controller believes the request is fraudulent, why such controller believes this, and that the controller does not have to comply with the request (§4(e) of the Act).
Declining requests and appeals
When a controller declines to take action regarding the consumer's request, the controller must inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision (§4(c) of the Act). The timeframe for responding to a consumer request does not apply to personal data collected prior to the effective date of the Act, unless the controller continues to process such information thereafter (§4(b) of the Act).
Controllers must establish a process for consumers to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 45 days after receipt of an appeal, controllers must inform consumers, in writing, of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, controllers must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Division of Consumer Affairs to submit a complaint (§4(f) of the Act).
8.1. Right to be informed
Consumers have the right to confirm whether a controller processes the consumer's personal data and to access such personal data, provided that nothing shall require a controller to provide the data to the consumer in a manner that would reveal the controller's trade secrets (§7(a)(1) of the Act).
Privacy notice
Data controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice including (§3(a) of the Act):
- the categories of the personal data that the controller processes;
- the purpose for processing personal data;
- the categories of all third parties to which the controller may disclose a consumer's personal data;
- the categories of personal data that the controller shares with third parties, if any;
- how consumers may exercise their consumer rights, including the controller's contact information and how a consumer may appeal a controller's decision with regard to the consumer's request;
- the process by which the controller notifies consumers of material changes to the notification required to be made available in the privacy notice, along with the effective date of the notice; and
- an active email address or other online mechanism that the consumer may use to contact the controller.
If controllers provide personal data to third parties or process personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing (§3(b) of the Act).
8.2. Right to access
Consumer rights under the Act include the right to confirm whether a controller is processing the consumer's personal data and access the personal data, provided nothing would require the controller to reveal a trade secret (§7(a)(1) of the Act).
8.3. Right to rectification
Consumers have the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of processing (§7(a)(2) of the Act).
8.4. Right to erasure
Consumers under the Act also have the right to delete personal data concerning the consumer (§7(a)(3) of the Act).
Controllers that have obtained personal data about a consumer from a source other than the consumer may comply with a request to delete such personal data by retaining a record of the deletion request and the minimum data necessary to ensure that the consumer's personal data remains deleted from the controller's records, and by not using such retained information for any other purpose (§7(b) of the Act).
8.5. Right to object/opt-out
Consumers under the Act have the right to opt out of the processing of personal data for the purposes of (§7(a)(5) of the Act):
- targeted advertising;
- the sale of personal data except where exceptions apply as outlined below; or
- profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
Authorized agent
Consumers may designate another person to serve as their authorized agent and act on their behalf to opt out of the processing and sale of the consumer's personal data. Consumers may also designate an authorized agent using technology, including a link to an internet website, an internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt-out of the collection and processing for the purpose of any sale of data or for the purpose of targeted advertising or, when such technology exists, for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer (§8(a) of the Act).
The controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf (§8(a) of the Act).
Universal opt-out mechanisms
Beginning not later than six months following the effective date of the Act, a controller that processes personal data for the purposes of targeted advertising or sale of personal data should allow consumers to exercise the right to opt out of such processing through a user-selected, universal opt-out mechanism. The platform, technology, or mechanisms must (§8(b) of the Act):
- not permit its manufacturer to unfairly disadvantage another controller;
- not make use of a default setting that opts in a consumer to the processing or sale of personal data, unless the controller has determined that the consumer has selected such default setting, and the selection clearly represents the consumer's affirmative, freely given, and unambiguous choice to opt into any processing of the consumer's personal data;
- be consumer friendly, clearly described, and easy to use by the average consumer;
- be consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and
- enable the controller to accurately determine whether the consumer is a resident of New Jersey and whether the consumer has made a legitimate request to opt out of the processing of personal data for the purposes of any sale of such consumer’s personal data or targeted advertising.
Importantly, a controller shall be prohibited from discriminating against a consumer if the consumer chooses to opt out of the processing of the consumer's personal data for the purposes of sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects. However, this will not prohibit the controller's ability to offer consumers discounts, loyalty programs, or other incentives for the sale of the consumer's personal data, or to provide different services to consumers that are reasonably related to the value of the relevant data, provided that the controller has clearly and conspicuously disclosed to the consumer that the offered discounts, programs, incentives, or services include the sale or processing of personal data that the consumer otherwise has a right to opt out of (§5 of the Act).
8.6. Right to data portability
Consumers have the right to obtain a copy of their personal data processed by a controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, provided that nothing requires the controller to provide the data to the consumer in a manner that would reveal the controller's trade secrets (§7(a)(4) of the Act).
8.7. Right not to be subject to automated decision-making
The Act specifies that consumers have the right to opt out of the processing of personal data for the purposes of profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer (§7(a)(5) of the Act).
Under the Act 'profiling' is defined as any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements (§1 of the Act).
8.8. Other rights
Not applicable.
9. Penalties
The AG has the authority to enforce the Act (§16 of the Act).
Notably, 18 months after the enactment of the Act, prior to bringing an enforcement action, the Division of Consumer Affairs may issue a notice to the controller if a cure is possible. Where the controller fails to cure the alleged violation within 30 days after receiving notice of it, an enforcement action may then be brought. In addition, data protection assessments must be made available to the Division of Consumer Affairs on request (§14(b) of the Act).
Nothing in the Act should be construed as providing the basis for, or be subject to, a private right of action for violations of the Act (§16 of the Act).
9.1. Enforcement decisions
Not applicable.