On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”). New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.
SB 332 imposes obligations on “controllers” – entities or individuals that determine the purpose and means of processing personal data – that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey and meet one of the following thresholds: (a) controls or processes the data of at least 100,000 consumers (excluding payment transaction data); or (b) controls or processes the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services from the sale of personal data. Additionally, the statute contains and refers to obligations of “processors” – individuals or entities that process (i.e., perform any operation or set of operations on personal data, such as collection, use, storage, disclosure, analysis, deletion or modification) personal data on behalf of the controller. As described below, these obligations include the requirement to adhere to the controller’s instructions and assist the controller in meeting its obligations.
Personal data broadly “means any information that is linked or reasonably linkable to an identified or identifiable person.” Like almost every other state consumer privacy law, however, SB 332 carves out employment data. Specifically, the law states that “consumers shall not include a person acting in a commercial or employment context.” The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”), (collectively “CCPA”) remains the only comprehensive state privacy law to apply to employment data, although narrower privacy laws, such as Illinois’ Biometric Information Privacy Act (“BIPA”), apply in the employment context.
SB 332 also exempts financial institutions, data, or affiliates of financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”). Additional exemptions include personal data collected, processed or sold by consumer reporting agencies under the Fair Credit Reporting Act (“FCRA”), and protected health information (“PHI”) collected by a covered entity or business associate under the Health Insurance Portability and Accountability Act (“HIPAA”).
SB 332 imposes the following obligations on businesses or other organizations that are “controllers” covered by the law.
Privacy Notice: Controllers must provide a “reasonably accessible, clear, and meaningful privacy notice” that describes the controller’s data collection and processing practices. Notably, SB 332 also requires that controllers include in their privacy notice the “process by which the controller notifies consumers of material changes” to the privacy notice – a requirement not found in other comprehensive state privacy laws. We have previously written that the Federal Trade Commission has alleged that a “material change” to a privacy policy without appropriate notice may be an unfair or deceptive act or practice. SB 332 appears to be following in line with this FTC logic concerning particularized notice of a change.
Data Minimization, Secondary Use Limitation, and Purpose Specification: Under SB 332, controllers have an obligation to limit the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.” Controllers are further required to “specify the express purposes for which personal data are processed.” Additionally, controllers are prohibited from processing personal data for purposes that are not reasonably necessary to the purpose disclosed, unless consumer consent is obtained.
Sensitive Data: Under SB 332, controllers are prohibited from processing “sensitive data” without first obtaining consent – which means an affirmative, consensual and informed act of granting permission by the consumer, but does not include acceptance of “general broad terms of use or similar document that contains description of personal data processing along with other, unrelated information.” Sensitive data includes data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment or diagnosis; financial account numbers with security codes or access codes or passwords; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be used to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. State comprehensive privacy laws differ in their definition of “sensitive” data and the associated obligations. For example, the CCPA does not require affirmative consent to process sensitive personal information.
Data Protection Assessments: Like several other state comprehensive privacy laws, SB 332 requires that controllers perform a data protection assessment in certain circumstances. Specifically, data protection assessments are required when processing data that presents a “heightened risk of harm,” which includes: (1) targeted advertising or profiling if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact on consumers, financial or physical injury, physical or other intrusion upon seclusion that would be offensive to a reasonable person, or other substantial injury; (2) selling personal data; or (3) processing sensitive data.
Contract Requirements: Both controllers and processors are obligated under SB 332 to enter into a contract in the context of a controller-processor relationship. The contract must describe the nature and purpose of the processing; the type of personal data subject to the processing and duration of processing; a requirement that the processor delete or return personal data if requested by the controller at the end of the provision of services, unless retention is required by law; and a requirement that the processor make information available to the controller to demonstrate compliance with its obligations. The contract must also set forth the processor’s confidentiality and subcontractor obligations, and cybersecurity obligations, described below.
Cybersecurity: Controllers and processors must take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. The data security practices shall be appropriate to the volume and nature of the personal data at issue. These requirements are distinct from New Jersey’s data breach notification law (NJ 56:8-161 – 163). The law imposes an affirmative obligation to maintain reasonable security measures, and it applies broadly to all “personal data,” which is broader than the definition of “personal information” contained in the data breach law (e.g., limited to social security numbers, driver’s license numbers, or account numbers or credit or debit card numbers in combination with any required security code, access code or password that would permit access to an individual’s financial account).
Mechanism to Revoke Consent: Controllers are required to provide an “effective mechanism” for revoking consent. Under the mechanism, the controller must cease to process data as soon as reasonably practicable and no later than 15 days after receipt of the revocation.
Anti-Discrimination: SB 332 contains a prohibition against processing personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
SB 332 refers to the following obligations for processors:
Assistance to Controller: Processors must assist the controller to meet its obligations under SB 332 by: (1) taking appropriate technical and organizational measures to meet consumer rights requests (consumer rights are further described below); (2) helping the controller with respect to its data security obligations and data breach notification obligations; and (3) providing necessary information to the controller to conduct data protection assessments.
Confidentiality and Subcontracting Obligations: Processors must, “notwithstanding the instructions of the controller,” (1) ensure that each person processing personal data is subject to a duty of confidentiality; and (2) engage a subcontractor pursuant to a written contract that imposes the same obligations as those of the processor.
Cybersecurity Obligations: Processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the processor and the controller to implement those measures.
Contract Obligations: Both controllers and processors are obligated to enter into a contract in the context of a controller-processor relationship. The contract requirements, described above in the controller obligations section, are also applicable to processors.
SB 332 affords rights to residents of New Jersey acting only in an individual or household context. Specifically, consumers have the right to: (1) confirm whether a controller processes their personal data and “accesses” that data; (2) request the correction of inaccurate personal data; (3) request the deletion of their personal data; (4) obtain a copy of their personal data; and (5) opt out of the sale of personal data, the processing of personal data for targeted advertising, and the “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” These consumer rights mirror those found in most other state privacy laws.
Notably, SB 332 includes an express requirement, taking effect no later than six months after the effective date of the law, to allow consumers to exercise opt-out rights through a universal opt-out mechanism. The requirement to allow for a universal opt-out mechanism, sometimes referred to as a “preference signal,” is found in some, but not all, state comprehensive privacy laws.
Violations of SB 332 are deemed to be unlawful practices in violation of New Jersey’s Consumer Fraud Act (“CFA”). However, unlike the CFA, the New Jersey Attorney General has the sole and exclusive authority to enforce violations of SB 332, which also expressly states that there is no private cause of action. Within 18 months of the effective date, the New Jersey Division of Consumer Affairs will provide a notice and 30-day opportunity to cure before bringing an enforcement action. The law will go into effect on the 365th day after its enactment.
Once effective, this law will have wide-ranging impact on the data privacy and cybersecurity practices of covered organizations collecting the personal information of New Jersey residents.