Navigating the New Jersey Data Privacy Act: What New Jersey Organizations Need to Know


The New Jersey Data Privacy Act (NJDPA) is set to take effect on January 15, 2025. As a result, New Jersey will become one of 20+ states with a comprehensive data privacy regime in the absence of a Federal framework beyond HIPAA and FTC guidance. The NJDPA will apply broadly across industries, and businesses operating in New Jersey must be cognizant of the impact it will have on them.

Determining When the NJDPA Applies

The NJDPA will apply to certain “controllers” of data, who are individuals or legal entities that determine the purpose and means of processing personal data. Applicability is triggered if the controller conducts business in New Jersey, or produces products or services targeted to New Jersey residents, and either: (a) controls or processes personal data of at least 100,000 New Jersey consumers; or (b) controls or processes personal data of 25,000 New Jersey consumers and derives revenue (or receives discounts) from the sale of personal data. Additionally, the NJDPA will apply to “processors,” who are entities that process data on a controller’s behalf. Processing includes collection, use, storage, disclosure, analysis, deletion, or modification of personal data. If a controller meets the applicability thresholds, the processor will also be bound to the same requirements as the controller for data processing. Conceptually, the controller/processor relationship is similar to the covered entity/business associate relationship under HIPAA—if an organization qualifies as a covered entity, its downstream contractors who interact with its data become business associates and are governed by HIPAA as well.

Exemptions

The NJDPA includes several exemptions for certain types of entities and data that are governed by other laws. For example, the New Jersey rule will not apply to data subject to HIPAA, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Fair Credit Reporting Act, or the Federal Policy for the Protection of Human Subjects, or, more generally, to state agencies, certain secondary market institutions, and certain insurance institutions.

Key Takeaways

  • The NJDPA broadly defines the “sale” of data to mean the sharing, disclosing, or transferring of personal data by the controller to a third party for monetary or other valuable consideration. This broad definition increases the probability that stakeholders that derive revenue from personal data will meet the NJDPA’s thresholds and be subject to it.
  • The NJDPA contains a broad definition of “sensitive data” and prohibits a controller from processing sensitive data without first obtaining the consumer’s express consent, or, in the case of a known child, without complying with the Children’s Online Privacy Protection Act (COPPA). Sensitive data is defined to include personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information; account log-ins; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed to uniquely identify an individual; personal data collected from a known child; or precise geolocation data.
  • Beginning on July 15, 2025, controllers must allow consumers to opt out of having their data processed through a user-selected opt-out mechanism. Importantly, the controller cannot maintain a default “opt-in.”
  • Among other requirements, controllers must: (i) implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure it from unauthorized access; and (ii) conduct and document a data protection assessment of any processing of personal data that presents a heightened risk of harm to the consumer. While entities governed by HIPAA are familiar with standards for administrative and technical safeguards as well as risk assessments, other organizations may not be aware of the nuances these requirements entail.

Relevant stakeholders, including (but not limited to) healthcare organizations, are advised to consult with legal counsel to review their current data privacy policies and procedures governing the collection, processing, use, and sharing of consumer data. In so doing, organizations that meet the triggering thresholds for the NJDPA will need to pay particular attention to the manner in which they (i) provide consumers with clear and meaningful privacy notices; (ii) enable consumers to consent to or opt out of targeted advertising, consumer profiling, and sales involving personal data; and (iii) allow consumers to request deletion of, correct inaccuracies in, and receive copies of their personal data.

How Frier Levitt Can Help

Frier Levitt attorneys remain apprised of evolving data privacy and security regulations at both the Federal and state level, as well as enforcement trends associated with these laws. Organizations with access to personal data, including sensitive data or other health data, must ensure their practices comport with the applicable laws that govern how such data is accessed, used, and shared. Organizations that maintain an online presence, such as digital health companies, in particular must remain cognizant of how individual state privacy regimes may impact their business. Contact Frier Levitt for assistance with evaluating which data privacy rules apply to you and what measures you must take to ensure your compliance with forthcoming changes.