The New Jersey Privacy Act: What You Need to Know

Mar 14, 2024 Blog Article

Starting January 15, 2025, the New Jersey Privacy Act strengthens consumer privacy rights and imposes new obligations on businesses. Here’s what you need to know to stay in compliance.

George Janssen, Blancco Group Legal Counsel

George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

The signing into law of the New Jersey Privacy Act on January 16, 2024, marked another major step in the growth of data privacy law in the United States, making New Jersey the 14th state to have a comprehensive data protection law. Effective as of January 15, 2025, the NJPA offers a comprehensive framework aiming to safeguard New Jersey consumers’ privacy rights in this digital era. This new regulation not only establishes data privacy consumer rights but also imposes a set of new obligations on businesses, indicating a shift toward more stringent data management practices.

To Whom Does the New Jersey Data Protection Act Apply?

The NJPA applies to controllers either conducting business in New Jersey or producing products or services targeted to New Jersey residents (consumers) and that during a calendar year either:

The broad applicability of the NJPA means that a substantial number of firms engaged in business operations in or targeting customers in New Jersey will have to reevaluate their processing of personal information. The NJPA categorizes a “controller” as any individual or legal entity that determines the objectives and means of personal data processing, either on their own or jointly.

Distinct Features of the NJPA

Unlike many state laws, including California’s, the NJPA does not set a financial threshold for controllers, thus broadening its scope.

In contrast, the definition of “consumer” is restricted to individuals or households, explicitly excluding employees and B2B contacts, in line with most state privacy regulations, but distinct from, for example, the wider scope of California’s CPRA.

Consumer Rights Under the NJPA

The NJPA stands out as a comprehensive law granting broad rights to consumers, placing them firmly in control of their personal data. Rights granted to consumers include the following:

NJPA Compliance and Enforcement Against Businesses

Unlike most data privacy laws, the NJPA does not allow individuals to sue businesses directly for violations. Instead, the New Jersey Attorney General holds the sole power to enforce the law. They can do this through the state’s Consumer Fraud Act, which considers any violation of the NJPA to be an unfair and deceptive business practice.

This means the Attorney General can investigate and, if necessary, bring legal action against companies that break the law. This may decrease the risk of mass litigation, but does not diminish the importance of compliance, given the significant penalties for violations.

Businesses need to consider undertaking the following tasks:

Challenges for the Future of Data Privacy Regulations

The New Jersey Data Privacy Act stands as a bold precedent, further building the landscape of data privacy regulation in the United States. Its comprehensive framework, extensive consumer rights, and robust enforcement mechanisms signal a new era where individuals have greater control over their digital lives.

While challenges and uncertainties loom, the NJPA presents the following challenges:

The NJPA represents a significant step forward in consumer data protection, requiring businesses to undertake comprehensive measures to ensure compliance. Compliance with the NJPA will likely require businesses to undertake extensive data mapping and inventory, review and update privacy notices, prepare for industry-wide opt-out mechanisms, and evaluate high-risk processing activities. Clear and secure data deletion procedures are critical, as the NJPA grants consumers the right to deletion.

Businesses have until January 15, 2025, when the NJPA comes into force, to align their data privacy and protection practices with the new requirements. The NJPA lays down a comprehensive approach for businesses and services to secure information and meet consumers’ expectations for safety and security in today’s data-driven world.

How Blancco Can Help You Comply with Data Privacy Laws

The New Jersey Data Privacy Act requires businesses to provide consumers with the right to request deletion of their personal data. Failing to comply with these requests can lead to enforcement actions from the Attorney General’s Office. This is where data erasure tools like Blancco can become invaluable assets in ensuring compliance and streamlining data deletion processes.

Here’s how Blancco can help you meet the NJPA’s data erasure requirements:

Blancco offers crucial tools for businesses complying with the New Jersey Privacy Act. Secure erasure ensures complete data elimination while providing detailed, tamper-proof records of the sanitization process. With certified erasure solutions, Blancco helps businesses confidently manage their ever-growing data obligations.

To learn more about how Blancco helps enterprises meet various privacy regulations and compliance requirements, see our full list of certifications.