The New Jersey Privacy Act: What You Need to Know

Starting January 15, 2025, the New Jersey Privacy Act strengthens consumer privacy rights and imposes new obligations on businesses. Here’s what you need to know to stay in compliance.

George Janssen George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

The signing into law of the New Jersey Privacy Act on January 16, 2024, marked another major step in the growth of data privacy law in the United States, making New Jersey now the 14^th state to have a comprehensive data protection law.   Effective as of January 15, 2025, the NPJA offers a comprehensive framework aiming to safeguard New Jersey consumers’ privacy rights in this digital era. This new regulation not only establishes data privacy consumer rights but also imposes a set of new obligations on businesses, indicating a shift toward more stringent data management practices.

To Whom Does the New Jersey Data Protection Act Apply?

The NJPA applies to controllers either conducting business in New Jersey or producing products or services targeted to New Jersey residents (consumers) and that during a calendar year either:

• Control or process personal data of at least 100,000 consumers (except personal data processed solely for completing transactions); or
• Control or process the personal data of at least 25,000 consumers while deriving revenue or receiving a discount on the price of any goods or services, from selling personal data.

The broad applicability of the NJPA means that a substantial number of firms engaged in business operations in or targeting customers in New Jersey will have to reevaluate their processing of personal information. The NJPA categorizes a “controller” as any individual or legal entity that determines the objectives and means of personal data processing, either on their own or jointly.

Distinct Features of the NJPA

Unlike many state laws, including California’s, the NJPA does not set a financial threshold for controllers, thus broadening its scope.

In contrast, the definition of “consumer” is restricted to individuals or households, explicitly excluding employees and B2B contacts, in line with most state privacy regulations, but distinct from, for example, the wider scope of California’s CPRA.

Consumer Rights Under the NJPA

The NJPA stands out as a comprehensive law granting broad rights to consumers, placing them firmly in control of their personal data. Rights granted to consumers include the following:

• Transparency and Confirmation: Residents have the right to confirm whether their data is being processed, by whom, and for what purposes. They can also access their personal data, receiving copies in a format readily transferable to another data controller. This enhances transparency and allows for informed decision-making regarding their data.
• Correction and Deletion: Individuals hold the power to rectify inaccuracies in their personal data and request its deletion entirely. This right of erasure helps ensure data accuracy and empowers individuals to remove unwanted information from data controllers’ systems.
• Opt-out Mechanisms: The NJPA introduces a powerful opt-out provision, permitting residents to choose not to have their data processed for targeted advertising, data sales, and profiling. This significantly impacts business practices, potentially changing how companies personalize experiences and monetize data.
• Broader “Sensitive Data” Definition: The NJPA goes beyond existing regulations by expanding the definition of “sensitive data” to include financial information. This requires businesses to obtain explicit opt-in consent before processing such data, offering robust protection for sensitive personal details.
• Children’s Data Protection: Recognizing the vulnerability of children, the act sets stricter limits on data processing for minors aged 13-16. Businesses require explicit consent before engaging in certain processing activities involving children’s data, prioritizing their privacy and safety.
• Universal Opt-out Mechanisms (UOOMs): A notable feature is the implementation of mandatory UOOMs for targeted advertising and data sales within six months of the effective date. This industry-wide opt-out system grants residents a simple way to limit data use for specific purposes, empowering them to control how their data informs advertising and commercial transactions.
• Limited Enforcement with Emphasis on Cures: Unlike some data privacy laws, the NJPA primarily relies on the Attorney General for enforcement. However, it emphasizes a “cure period” before taking action, allowing businesses 30 days to address identified violations and come into compliance. This approach encourages proactive steps towards compliance while still ensuring proper enforcement.

NJPA Compliance and Enforcement Against Businesses

Unlike most data privacy laws, the NJPA does not allow individuals to sue businesses directly for violations. Instead, the New Jersey Attorney General holds the sole power to enforce the law. They can do this through the state’s Consumer Fraud Act, which considers any violation of the NJPA to be unfair and deceptive business practice.

This means the Attorney General can investigate and, if necessary, bring legal action against companies that break the law. This may decrease the risk of mass litigation, but does not diminish the importance of compliance, given the significant penalties for violations.

Businesses need to consider taking the following tasks:

• Applicability Assessment: Determine if your business meets the thresholds and operates in New Jersey.
• Data Mapping and Inventory: Identify and inventory how you collect, process, and share personal data, particularly sensitive data.
• Privacy Notice Review and Update: Ensure your privacy notice is clear, comprehensive, and addresses NJPA-specific requirements.
• Opt-out Mechanism Preparation: Be ready to comply with industry-wide opt-out mechanisms for targeted ads and data sale.
• Data Protection Assessments: Evaluate high-risk processing activities and implement necessary safeguards.
• Data Retention & Data Disposal Procedures: Establish clear and secure procedures for fulfilling data deletion requests.

Challenges for the Future of Data Privacy Regulations

The New Jersey Data Privacy Act stands as a bold precedent, further building the landscape of data privacy regulation in the United States. Its comprehensive framework, extensive consumer rights, and robust enforcement mechanisms signal a new era where individuals have greater control over their digital lives.

While challenges and uncertainties loom, the NJPA presents the following challenges:

• Compliance Complexity: Businesses will need to overhaul their data privacy practices. This may require significant adjustments in data processing, consumer rights management, and secure data deletion practices.
• Increased Costs: Adhering to the NJPA could result in higher operational costs due to investments in technology, hiring of privacy professionals, and ongoing compliance activities.
• Enforcement Risks: The potential for enforcement actions by the New Jersey Attorney General, including fines and mandates to change practices, underscores the importance of strict compliance.
• Consumer Expectations: Businesses must adapt to heightened consumer privacy expectations, particularly regarding data access, correction, deletion, and opt-out processes.
• Technical Requirements: Implementing secure data erasure and universal opt-out mechanisms poses technological challenges, requiring robust solutions.

The NJPA represents a significant step forward in consumer data protection, requiring businesses to undertake comprehensive measures to ensure compliance. Compliance with the NJPA will likely require businesses to undertake extensive data mapping and inventory, review and update privacy notices, prepare for industry-wide opt-out mechanisms, and evaluate high-risk processing activities. Clear and secure data deletion procedures are critical, as the NJPA grants consumers the right to deletion.

Businesses have until January 15, 2025, when the NJPA comes into force, to align their data privacy and protection practices with the new requirements. The NJPA lays down a comprehensive approach for businesses and services to secure information and meet consumers’ expectations for safety and security in today’s data-driven world.

How Blancco Can Help You Comply with Data Privacy Laws

The New Jersey Data Privacy Act mandates businesses to provide consumers with the right to request deletion of their personal data. Failing to comply with these requests can lead to enforcement actions from the Attorney General’s Office. This is where data erasure tools like Blancco can become invaluable assets in ensuring compliance and streamlining data deletion processes.

Here’s how Blancco can help you meet the NJPA’s data erasure requirements:

• Secure and Certified Erasure: Blancco offers certified data erasure solutions that permanently overwrite and eliminate data from various storage devices, ensuring it’s unrecoverable even with advanced forensic techniques. This aligns with the NJPA’s requirement for secure data deletion.
• Detailed Reporting: Blancco generates tamper-proof erasure reports that document the data sanitization process, including details like device information, data types erased, and timestamps. These reports serve as evidence of compliance for audit purposes.
• Reduced Risk of Errors: Manual data deletion methods can be prone to human error, potentially leaving residual data behind. Blancco’s automated solutions eliminate this risk and ensure comprehensive data erasure.

Blancco offers crucial tools for businesses complying with the New Jersey Privacy Act. Secure erasure ensures complete data elimination while providing detailed, tamper-proof records of the sanitization process. With certified erasure solutions, Blancco helps businesses confidently manage their ever-growing data obligations.

To learn more about how Blancco helps enterprises meet various privacy regulations and compliance requirements, see our full list of certifications.