NJ Data Privacy Legislation SB 332: Everything You Need to Know
When most Americans think of New Jersey, it seems “Jersey Shore” is always top of mind. Until now: New Jersey is the thirteenth state to pass a consumer data privacy law.
The New Jersey legislature passed Senate Bill 332 on January 8, 2024, and New Jersey Governor Phil Murphy signed it on January 16, 2024. The law will go into effect one year after enactment, on January 16, 2025.
What is NJ Data Privacy Law SB 332?
New Jersey SB 332 is a comprehensive data privacy law enacted by the state of NJ. It aims to protect the personal information of New Jersey residents and ensure businesses adopt robust data protection measures to safeguard sensitive data. By setting clear guidelines and requirements, the NJ S332 seeks to enhance transparency, accountability, and consumer rights.
What Businesses Need to Know
The NJ SB 332 places significant importance on protecting the privacy of NJ residents. The law empowers individuals by granting them rights over their personal information and requiring businesses to be transparent about data collection, processing, and usage. With enhanced privacy measures in place, consumers will have more control over their personal data.
The NJ SB 332 introduces several essential provisions that strengthen data privacy and security within New Jersey. Here are some critical aspects of the law:
Who Must Comply?
NJ SB332 applies to businesses that collect, use, or share the personal information of New Jersey residents. Specifically, a business is subject to the NJ SB332 if it:
Conducts business in New Jersey or produces products or services for residents of New Jersey, and during a calendar year, either:
- Controls or processes the personal information of at least 100,000 NJ consumers, excluding personal data processed for the purpose of completing a transaction; or
- Controls or processes the personal data of at least 25,000 NJ consumers, and the controller gains revenue from the sale of personal information, or receives a discount on the price of any goods or services, from the sale of personal data.
The law excludes the data of nonprofits, government entities, and certain regulated entities.
It is vital for organizations to understand whether they are subject to the NJ SB332 and to take the necessary actions to comply with the new legislation.
Preparing for NJ SB 332 Compliance
Compliance with the NJ SB332 is crucial for businesses operating in NJ. Failure to comply with the legislation can lead to significant penalties and reputational damage. Here are some essential considerations to achieve compliance:
Privacy Notice
Organizations are required to provide a privacy notice that describes:
- the categories of personal data processed
- the purpose of processing
- the categories of third parties to which personal data is disclosed
- the categories of personal data shared with third parties
- how consumers may exercise their rights and appeal a data rights request decision
- how the organization notifies consumers of material changes to the privacy notice
Organizations must also provide an email address or other online system (web form or portal) that the consumer may use to contact the business.
Data Protection Assessments
Businesses must conduct regular data protection assessments (DPA) to identify and address vulnerabilities promptly. The law explicitly requires a DPA when processing data that presents a heightened risk of harm to consumers. The assessments must be presented to the New Jersey Attorney General upon request.
Universal Opt-Out Mechanisms (UOOM)
Universal Opt-Out Mechanisms have been an ongoing debate between different state legislatures, resulting in several disputes. New Jersey supports UOOMs not only for targeted advertising and personal data sales: the scope is broadened to include opt-outs for user profiling, which is a first among state laws. The law authorizes the New Jersey Attorney General’s Division of Consumer Affairs to apply rules and regulations regarding UOOM technical specifications.
Additionally, under NJ SB332, a UOOM shall “not make use of a default setting that opts-in a consumer to the processing [for purposes of targeted advertising] or sale of personal data, unless the controller has determined that the consumer has selected such default setting and the selection clearly represents the consumer’s affirmative, freely given and unambiguous choice to opt into any processing of such consumer’s personal data.”
Fines & Enforcement
There will be a grace period for the first 18 months after the effective date, which is a year after the bill is enacted. The NJ Attorney General will implement rules and regulations and provide additional guidance on data rights requests, request verification, data processing assessments, and opt-out mechanisms.
A violation of NJ SB332 is considered a violation of New Jersey’s Unfair Deceptive Acts and Practices (UDAP), and the Attorney General could seek penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations.
New Jersey Consumer Rights
New Jersey’s S332 would provide consumers with many of the same rights found in already established state regulations, such as those in California, Colorado, Connecticut, Utah, and Virginia, and in several other states with privacy laws set to go into effect in 2024 and 2025.
The NJ SB332 grants NJ residents specific rights over their personal information, including:
- The right to know what personal information is being collected and processed
- The right to access and obtain a copy of their personal information
- The right to request the deletion of personal information
- The right to opt out of the sale of their personal information, targeted advertising, and profiling
- The right to have their personal information corrected, changed, or updated
- Opt-in consent, rather than opt-out, is required for children at least 13 and younger than 17
- NJ S332 aligns with the federal Children’s Online Privacy Protection Act, which applies to the personal data of a known child under 13
Businesses are required to respond to consumer data requests within 45 days, with a possible 45-day extension if reasonably necessary.
How BigID Helps Organizations Comply with New Jersey’s SB332
Organizations that have taken a proactive approach to the CCPA and other state privacy laws will be in a better position to achieve compliance — but will still need to take the necessary actions to comply with the unique aspects of New Jersey’s consumer privacy law. BigID enables organizations to proactively prepare for the NJ SB332 to achieve compliance with its patented identity-aware privacy automation platform. With BigID, businesses can:
- Discover Data: BigID provides deep data discovery and classification to map data flows and gain complete visibility on all personal and sensitive information that is subject to NJ SB332 regulations.
- Apply Policies: Reduce policy-based risk with controls and data remediation workflows to take action on NJ SB332 requirements.
- Automate Data Rights Management: BigID enables organizations to proactively and automatically manage privacy requests, preferences, and consent, including UOOM for consumers to opt out of data sales, targeted advertising, and user profiling.
- Minimize Data: Apply data minimization principles by identifying and categorizing unnecessary or excessive personal data to manage the data lifecycle from retention to deletion.
- Implement Data Protection Controls: BigID provides automated data protection controls to enforce data access controls and other security measures, which are crucial to safeguard data and comply with NJ SB332.
- Assess Risk: BigID offers automated privacy impact assessments, data inventory reports, and remediation workflows to identify risks, report to the NJ Attorney General, and ensure compliance with NJ SB332.
Schedule a 1:1 demo to see how BigID can accelerate your compliance with NJ SB332.