New Jersey: The Act concerning online services, consumers, and personal data - a comprehensive state privacy law

New Jersey has joined other US states in adopting a comprehensive state privacy law. The Act concerning online services, consumers, and personal data (the Act) was originally introduced in the New Jersey State Senate in January 2022. Since then, the bill has passed the General Assembly and the State Senate, and was signed by the Governor of New Jersey, Philip D. Murphy, on January 16, 2024. The Act takes effect 365 days after its enactment, on January 15, 2025.

The Act protects consumer privacy by requiring data controllers, such as websites and online service providers, to notify consumers of the collection, disclosure, and sale of their personal data. Controllers must allow consumers to opt out of such collection, disclosure, or sale in certain circumstances. OneTrust DataGuidance Research provides an overview of the Act. 

Definitions 

The Act contains definitions for terms, including 'business,' 'operator,' 'sale,' 'verified request,' 'consent,' and 'targeted advertising.'  

Notably, the Act defines a consumer as an identified person who is a resident of New Jersey 'acting only in an individual or household context.' The Act specifies that a consumer does not include anyone 'acting in a commercial or employment context.' The Act also defines a controller as 'an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.'

The Act defines an online service as 'any service provided over the internet that collects and maintains personally identifiable information from a consumer.' Importantly, the Act defines personally identifiable information as 'any information that is linked or reasonably linkable to an identified or identifiable person.' The Act specifies that personal data does not include de-identified data, which is described as 'data that cannot be linked to a consumer without additional information that is kept separately' or that has been modified so that there is a very low risk of re-identification. In addition, personal data does not include publicly available information, which is data 'lawfully made available from federal, state, or local government records, or widely distributed media.'

Notably, under the Act, sensitive data refers to the following: 

  • data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition, treatment, or diagnosis, information about sex life or sexual orientation, citizenship or immigration status, or status as transgender or non-binary; 
  • financial information, including account numbers and log-in information;  
  • genetic or biometric information for the purpose of uniquely identifying an individual; 
  • personal data collected from a known child; and 
  • precise geolocation data. 

Scope 

The Act applies to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey, and that during a calendar year either: 

  • control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or 
  • control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data. 

However, the Act clarifies that it does not apply to: 

  • financial institutions or affiliates subject to the Gramm-Leach-Bliley Act of 1999 (GLBA);
  • secondary market institutions, identified in the United States Code (USC) as institutions chartered by Congress to engage in transactions but that do not sell or transfer non-public personal information to non-affiliated third parties; 
  • insurance institutions subject to the Insurance Information Practices Act; 
  • the sale of a consumer's personal data by the New Jersey Motor Vehicle Commission that is permitted by the federal Driver's Privacy Protection Act of 1994; and
  • any state agency (meaning any political department in the Executive Branch of the New Jersey Government), political subdivision, or any division, board, bureau, office, commission, or other instrumentality created by a political subdivision. 

Certain types of information are also exempt under the Act, including: 

  • protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services (HHS); 
  • personally identifiable information collected, processed, sold, or disclosed by specified consumer reporting agencies; and 
  • personal data collected, processed, or disclosed as part of research conducted in compliance with the Federal Policy for the Protection of Human Subjects (the Common Rule).

Consumer rights 

The Act details that consumers have the right to: 

  • confirm whether a controller processes their personal data; 
  • access their personal data that is being processed, provided it does not require a controller to reveal trade secrets; 
  • correct inaccuracies in their personal data, while considering the nature and purposes for processing; 
  • delete their personal data; 
  • obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance, provided this does not require the controller to reveal trade secrets; and
  • opt out of the processing of their personal data for the purposes of: 
    • targeted advertising; 
    • sale of personal data; or 
    • profiling in relation to decisions that have legal or similarly significant effects concerning the consumer. 

Controllers that have lawfully obtained personal data about consumers from sources other than the consumers themselves are deemed to comply with a consumer's request to delete such data if they either:

  • retaining a record of the deletion request and the minimum data necessary to ensure that consumers' data remains deleted from the controller records; or 
  • deleting the personal data. 

Importantly, this section will not apply to personal data collected prior to the effective date of the Act, unless the controller continues to process such information thereafter. 

Beginning no later than six months after the effective date of the Act, a controller that processes personal data for the purposes of targeted advertising or the sale of personal data must allow consumers to exercise the right to opt out of such processing through a user-selected, universal opt-out mechanism. The Act sets specific requirements for the universal opt-out mechanism, including that it must:

  • not unfairly disadvantage another controller; 
  • not rely on default settings as an opt-in, unless the controller can ensure that the default setting reflects the consumer's affirmative, freely given, and unambiguous choice;
  • be consumer-friendly, clearly described, and easy to use by the average consumer; 
  • be as consistent as possible with other technology, platforms, or mechanisms required by federal or state laws and regulations; and 
  • allow the controller to determine whether the consumer is a resident of New Jersey and whether they have made a legitimate request to opt out of the processing of their personal data for the purposes of sale or targeted advertising. 

Responding to consumer requests  

The Act requires controllers to respond to consumer requests within 45 days of receipt. Controllers may extend this period by an additional 45 days where reasonably necessary, taking into account the complexity and number of requests, provided they inform the consumer of the extension and the reason for it within the initial 45-day period. When responding, controllers must also provide information covering all disclosures of the consumer's personal data made in the previous 12 months.

Information provided in response to a consumer request must be provided free of charge once per consumer in any 12-month period. The Act allows controllers to charge a reasonable fee to cover administrative costs for requests that are manifestly unfounded, excessive, or repetitive, but the burden of demonstrating that a request is manifestly unfounded, excessive, or repetitive lies with the controller. Controllers are not required to comply with a request they cannot authenticate using commercially reasonable efforts, and may ask the consumer for additional information reasonably necessary to authenticate the consumer and the request. Controllers must not require consumers to create a new account in order to exercise their rights, but they may require consumers to use an existing account to submit a verified request.

Controllers may deny an opt-out request if they have a good-faith, reasonable, and documented belief that the request is fraudulent. In that case, the controller must send a notice to the person who made the request stating that the controller believes the request is fraudulent, the reason for that belief, and that the controller will not comply with the request.

Where a controller decides not to take action on a consumer request, it must inform the consumer without undue delay, and no later than 45 days after receipt of the request, of the justification for its decision and of how to appeal it. Controllers must establish a process for consumers to appeal a refusal within a reasonable period after receiving the decision. The appeal process must be conspicuously available and as easy to use as the process for submitting the original request. If an appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or another method through which the consumer can contact the Division of Consumer Affairs in the Department of Law and Public Safety (the Division) to submit a complaint.

Authorized agents 

Under the Act, consumers have the right to designate another individual to serve as their authorized agent and act on their behalf to opt out of the processing, disclosure, and sale of their personal data. This can be done using technology, such as through a link on a website or internet browser settings, which indicates to the controller the consumer's intent to opt out of such processing for the purposes of targeted advertising, sale of personal data, and profiling. A controller must comply with an opt-out request received from an authorized agent where the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. 

Controller obligations 

The Act sets out the controller's obligations, including the requirement to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is processed, as disclosed to the consumer. Controllers must not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes unless they obtain the consumer's consent. In addition, where a controller has actual knowledge that a consumer is at least 13 but younger than 17 years of age, it must not process that consumer's personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects without the consumer's consent.

Concerning consent, controllers must also provide consumers with an effective mechanism to revoke consent that is consumer-friendly, clearly described, and easy for the average consumer to use. Upon revocation of consent, controllers must cease processing the personal data as soon as practicable, and no later than 15 days after receiving the revocation request.

Privacy notices 

The Act requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: 

  • the categories of personal data the controller processes; 
  • the purpose for processing personal data; 
  • the categories of all third parties to which the controller may disclose the consumer's personal data; 
  • the categories of personal data that the controller shares with third parties, if any; 
  • how consumers can exercise their rights, including how to appeal a controller's decision regarding a consumer request;  
  • the process by which the controller notifies consumers of material changes to the notice; and
  • the controller's contact information, such as an email address or another online mechanism. 

Importantly, a controller must clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of it, where the controller:

  • sells personal data to third parties; or  
  • processes personal data for the purposes of: 
    • targeted advertising; 
    • the sale of personal data; or  
    • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.  

In addition, controllers must inform consumers about the opt-out choices available under the Act.  

Data security 

Under the Act, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, and to secure personal data against unauthorized acquisition during both storage and use. The data security practices must be appropriate to the volume and nature of the personal data being processed.

DPAs 

Controllers must not conduct processing that presents a heightened risk of harm to consumers without first carrying out and documenting a Data Protection Assessment (DPA) for each such processing activity involving personal data acquired on or after the effective date of the Act. Processing that presents a heightened risk of harm includes:

  • processing personal data for purposes of targeted advertising or profiling if the profiling presents reasonably foreseeable risks of: 
    • unfair or deceptive treatment of consumers; 
    • unlawful disparate impact on consumers; 
    • financial or physical injury to consumers; 
    • a physical or other intrusion upon the solitude, seclusion, private affairs, or concerns of the consumer if the intrusion would be offensive to a reasonable person; or 
    • other substantial injury to consumers; 
  • selling personal data; and  
  • processing sensitive data. 

A DPA may address a comparable set of processing operations that include similar activities. 

The Act also stipulates that a DPA must identify and weigh the direct and indirect benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, as mitigated by the safeguards the controller can implement to reduce those risks. In conducting the DPA, the controller must take into account the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer.

DPAs must be made available to the Division upon request. The Division may evaluate a DPA for compliance with the Act and other laws, but the DPA is confidential and exempt from public inspection. Disclosure of a DPA to the Division under the Act does not waive any attorney-client privilege or work-product protection that might otherwise apply to the DPA or the information it contains.

Prohibition against discrimination 

Controllers must not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers are prohibited from discriminating against consumers who choose to opt out of processing for the sale of their personal data, targeted advertising, or profiling. However, this does not prohibit controllers from offering discounts, loyalty programs, or other incentives and services to consumers for the sale of their personal data, as long as they clearly and conspicuously make consumers aware of their right to opt out.  

Use of de-identified or pseudonymous data 

Under the Act, a controller that possesses de-identified data must:

  • publicly commit to maintain and use the data only in a de-identified form and not to attempt to re-identify it;
  • take reasonable measures (which may include legal, administrative, technical, or contractual controls) to ensure that the data cannot be associated with an individual, so that it stays outside the definition of personal data; and
  • contractually obligate any recipients of the data to comply with these same requirements.

Furthermore, the Act stipulates that nothing in it requires a controller to re-identify de-identified data, or to collect, retain, use, link, or combine personal data concerning consumers that it would not otherwise collect, retain, use, link, or combine in the ordinary course of business.

Sensitive data 

Controllers must not process sensitive data without first obtaining consent from the consumer or, in the case of processing data concerning a known child, without processing this data in accordance with the Children's Online Privacy Protection Act of 1998 (COPPA).  

Processor obligations 

Processors must adhere to the controller's instructions to ensure they meet all obligations under the Act. The processor must assist the controller by: 

  • taking appropriate technical and organizational measures to ensure controllers comply with their obligations in responding to consumer requests to exercise their rights under the Act; 
  • helping to meet the controller's obligations in relation to the security of processing the personal data and notification of a breach of the security of the system; and 
  • providing the necessary information to the controller to ensure they can conduct and document DPAs.  

Processors must also ensure that each person processing personal data is subject to a duty of confidentiality. The controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and must establish a clear allocation of responsibilities between them for implementing those measures.

Under the Act, controller-processor relationships must be governed by a binding contract with respect to the processing of personal data conducted by the processor on behalf of the controller. This contract must include the instructions that the processor must follow, including the nature and purpose of the processing, the type of personal data being processed, and the duration of processing. It should be noted that the contract does not relieve a controller or a processor from their responsibilities outlined under the Act. Processors must also engage a subcontractor pursuant to a written contract, requiring the subcontractor to meet the obligations of the processor with respect to the personal data.  

Other requirements of the processor include: 

  • deleting or returning all personal data to the controller as requested at the end of the provision of services, unless retention of the data is required by law; 
  • making all necessary information available to the controller to demonstrate compliance with the Act; and 
  • allowing or contributing to reasonable inspections and assessments by the controller or the controller's designated assessor. Alternatively, the processor may use a qualified, independent assessor organized by the processor (subject to the controller's consent) to assess the processor's policies and technical and organizational measures, and must provide a report of such assessments to the controller. 

Determining whether a person is acting as a controller or a processor depends on the context in which personal data is processed. A person who is not limited in their processing of personal data pursuant to a controller's instructions or who fails to adhere to those instructions will be deemed a controller. A person who does adhere to a controller's instructions will be deemed a processor. If a processor begins to determine the purposes and means of processing personal data, either alone or with others, they will be deemed a controller.  

Limitations 

The Act lists activities that it does not restrict, including a controller's or processor's ability to:

  • comply with federal or state laws and regulations; 
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;  
  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or regulations; 
  • investigate, establish, exercise, prepare for, or defend legal claims; 
  • provide a product or service specifically requested by a consumer; 
  • perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; 
  • take steps at the request of a consumer prior to entering into a contract;  
  • take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;  
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any such action; 
  • engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other relevant ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar oversight entity; 
  • assist another controller, processor, or third party; or 
  • process personal data for reasons of public interest in the areas of public health, community health, or population health, but solely to the extent that such processing is subject to safeguarding measures and under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law. 

The Act also stipulates that it does not restrict the ability of controllers and processors to collect, use, or retain data for internal use to: 

  • conduct internal research to develop, improve, or repair products, services, or technology;  
  • effectuate a product recall; 
  • identify and repair technical errors that impair existing or intended functionality; or 
  • perform internal operations that are:  
    • reasonably aligned with the expectations of the consumer; 
    • reasonably anticipated based on the consumer's existing relationship with the controller; or 
    • compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party. 

Where personal data is collected, used, or retained to perform internal operations, the controller must take into account the nature and purposes of that collection, use, or retention, and must subject the data to reasonable administrative, technical, and physical measures that protect its confidentiality, integrity, and accessibility and reduce any risk of harm. Personal data processed under these exceptions must not be processed for any purpose other than those expressly listed, and only to the extent necessary, reasonable, and proportionate to the specific purpose. The controller bears the burden of demonstrating that the processing qualifies for an exemption and complies with the Act's requirements.

The Act highlights that the controller's or processor's obligations do not apply where compliance with the provisions of the law would violate an evidentiary privilege under the laws of New Jersey. The Act does not restrict controllers and processors from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of New Jersey as part of a privileged communication. 

Enforcement 

The Office of the Attorney General has sole and exclusive authority to enforce the Act's provisions. The Director of the Division will promulgate rules and regulations in line with the Act.  

A violation of the Act constitutes an unlawful practice. During the first 18 months after the effective date of the Act, before bringing an enforcement action before an administrative law judge or a court of competent jurisdiction in New Jersey, the Division must issue a notice of violation to the controller if it determines that a cure is possible. If the controller fails to cure the alleged violation within 30 days of receiving the notice, an enforcement action may be brought.

The Act also clarifies that it does not provide a basis for, and is not subject to, a private right of action for violations of the Act.

Isabelle Strong, Editor