Author: Priyasha Purkayastha, Global Content Manager, TJC Group
Compared with other countries, the USA takes a unique stance when it comes to data privacy. Its continental scale means that some states have created their own local laws to protect consumers. In this blog, we explore the data protection law of one of the most sought-after states of the United States: New Jersey. Read on to learn more!
Table of contents
- Introduction
- What is the scope of the New Jersey Data Privacy Act (NJDPA)?
- Four interesting aspects of the NJDPA
- Obligations for controllers and processors
- Data controller obligations under NJDPA
- Classification of sensitive data under NJDPA
- Understanding obligations for data processors
- Some important aspects of New Jersey’s data privacy law
- How will the NJDPA be enforced?
- Final word
- Data privacy series
Introduction
As of today, 14 US states have their own data privacy regulations. This includes New Jersey, which unveiled its own legislation, the New Jersey Data Protection Act (New Jersey Data Privacy Act or NJDPA), on 16th January 2024. This was in response to a flurry of announcements made by eight other US states in 2023, which passed their own privacy laws.
New Jersey’s legislation will become fully effective on 15th January 2025, and it is important for companies to be aware of their obligations, whether directly or indirectly affected by it. This article explains the key provisions of the NJDPA and highlights how it differs from other data privacy laws. Read on to know more!
What is the scope of the New Jersey Data Privacy Act (NJDPA)?
Organisations that meet either of the following two conditions must adhere to the regulations of the NJDPA:
- Any organisation that conducts business in the state of New Jersey
- Organisations that produce products or services targeted to New Jersey residents and that meet either of two thresholds in any calendar year:
  - Controls or processes personal data of at least 100,000 consumers and New Jersey residents, excluding personal data processed solely for the purpose of completing a payment transaction
  - Controls or processes personal data of at least 25,000 consumers and derives revenue or receives a discount on the price of any goods or services from the sale of personal data
Four interesting aspects of the NJDPA
There are some interesting points to note about this data privacy law, namely,
- Small businesses that operate as brick-and-mortar stores and that do not otherwise collect personal information are exempt from complying with the regulation.
- The revenue-deriving threshold of this law is very broad and applies to any business that generates revenue from selling personal data or that receives a discount on the price of goods or services in return. Other US states' data protection laws include a minimum revenue-deriving threshold before their compliance obligations apply.
- The NJDPA exempts government agencies, and information or data covered by other laws such as the federal Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). It also excludes personal information collected from residents in the context of employment or business-to-business transactions.
- Another important aspect of the NJDPA is that it applies to non-profits that meet the conditional thresholds, whereas many other states do not treat “not-for-profit” organisations in the same way as commercial entities.
Obligations for controllers and processors
The NJDPA is similar to other data privacy regulations, including the GDPR, in that it defines the various ‘actors’ involved in data handling activities as controllers and processors. For the unversed, a “controller”, alone or jointly with others, determines the purpose and means of processing personal data; a “processor”, on the other hand, processes personal data on behalf of a controller. A company that collects data for marketing purposes would be a controller, and an agency that creates marketing campaigns on behalf of that company would be a processor.
Data controller obligations under NJDPA
Most of the primary privacy responsibilities under the NJDPA fall on controllers. According to this law, controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which discloses:
- Categories and intended purpose for the personal information collected
- Categories of any third parties that may be exposed to the consumer’s personal data
- Categories of the personal information shared with any third parties
- Any third-party collection of personal data from different online services
- Details of how consumers can request access to or correct their personal information
- The process consumers can follow to request access to their information
- The process a controller will follow to notify consumers of any changes to the legislation
The NJDPA also stipulates limits and obligations on the personal data processing activities carried out by controllers. This includes the following mandates:
- Personal data collection and processing must be minimal and limited to what is necessary or consented to by the consumer
- A range of administrative, technical, and physical measures must be implemented to protect the data
- Consumers have the right to revoke previously given consent to controllers
- Consumers also have the right to obtain a portable copy of personal data
- Consent must be obtained before any processing of sensitive data or data pertaining to a child, which includes targeted advertising, sales, or marketing profiling
- Responses to any requests to access data must be made within forty-five (45) days of receipt, with the option of a forty-five (45) day extension for complex or multiple requests
Classification of sensitive data under NJDPA
The way sensitive data is defined according to NJDPA is quite extensive and includes:
- Racial, ethnic origin, religious beliefs, sexual orientation, identification as transgender/non-binary
- Health conditions with any treatment or diagnostic information
- Financial information, including account numbers, logins, credit or debit card numbers, customer codes or password data
- Citizenship or immigration status
- Genetic or biometric data
- Precise geographical location
Although the majority of US states classify all these information categories as sensitive and require consumers to opt in before any processing of them, the inclusion of financial information is exclusive to the NJDPA.
In fact, this law goes a step further because it requires controllers to perform an additional data protection assessment if their processing activities may result in a risk of harm to the consumer.
Understanding obligations for data processors
According to the NJDPA, data processors must also meet strict obligations when they process personal data on behalf of controllers. These include:
- Complying with any instructions given by a controller and helping them to meet their legal obligations under the NJDPA
- Having a contract in place that specifies their individual obligations
- Having controls in place to protect the controller, including ensuring that any employees or sub-contractors working for the processor maintain client confidentiality
Some important aspects of New Jersey’s data privacy law
Special considerations for children’s data
Children’s data is governed by additional protection and must always be processed in line with the Children’s Online Privacy Protection Act (COPPA). This has an extra caveat: consent for any data collection or processing must be obtained from parents or guardians.
Considerations for “de-identified” and “pseudonymous” data
Just like other data privacy rules, there is a special consideration for “de-identified data” within the NJDPA. According to this law, data can only be treated as “de-identified” if it cannot be linked to an identifiable individual or a device linked to an individual. This is another difference in the state rules because other regions do not extend their legal requirements to include devices. Controllers need protections in place to ensure that de-identified data remains de-identified, including contractual obligations and public commitments not to re-identify such data.
Interestingly, the NJDPA does not define “pseudonymous” data, that is, data that has been artificially anonymised. This means that unless such data also qualifies as “de-identified”, the usual exemptions will not apply.
How will the NJDPA be enforced?
The New Jersey Attorney General’s office will enforce the NJDPA. In addition, the Division of Consumer Affairs within the Department of Law and Public Safety has the responsibility for ensuring that businesses understand and can comply with its rules and regulations.
Notably, the NJDPA contains a thirty (30) day ‘cure provision’, which gives controllers a window to rectify any violations before an enforcement action can commence. However, this provision will only be effective until 1st July 2026, after which no further grace period will be available. Unlike other data privacy laws, no set penalty amounts have been defined in advance; penalties will be determined case by case by the enforcers.
Final word
- Data privacy, whether in the EU, India, or the US, aims at the same thing – protecting the confidentiality of consumers’ personal data.
- Under the NJDPA, the definition of sensitive data is comprehensive, including health information, financial information, data pertaining to racial and ethnic origins, religious beliefs, sexual orientation, citizenship or immigration status, and more.
- It is imperative that processors comply with the rules of the New Jersey data protection law when processing data on behalf of data controllers.
- Data processors must comply with any instructions that a controller gives, helping them to meet their legal obligations under the data privacy regulations.
- There must be controls in place that help protect the controllers; this includes ensuring that employees and even sub-contractors working for the data processor maintain and protect the confidentiality of clients.
- The New Jersey Data Privacy Act also has a special provision for children’s data. Such data is governed by the Children’s Online Privacy Protection Act (COPPA) and must always be processed in accordance with it.
TJC Group takes data privacy and protection extremely seriously and ensures user data is collected only with the consumer's consent. Additionally, we have strong policies in place that are on par with the GDPR to protect the confidentiality of our clients and consumers.
Data privacy series
We also educate our readers through our data privacy blogs. If you would like to learn more about international data privacy regulations, here’s the series for you.
- All about South Korea data protection law (PIPA): Everything you need to know (coming soon)
- Data protection laws in the Middle East (coming soon)