Understanding the New Jersey Data Protection Act (NJDPA) Compliance

Enacted in January 2024, the New Jersey Data Protection Act (NJDPA) is a legislation focused on safeguarding the personal data of New Jersey residents, granting them authority over its usage. It imposes obligations on businesses that control and process consumer data. This act makes New Jersey the 14th state to adopt a comprehensive privacy law.

With many fresh regulations addressing the handling of personal information coming up worldwide, it is imperative for businesses to remain vigilant regarding the variety of privacy and security regulations that may be applicable to them. Facilitating this process, Auritas data experts have highlighted in this blog important components of NJDPA and how to ensure compliance.

Application

The jurisdiction of this law extends to companies and entities engaged in business activities within New Jersey or offering products and services to its residents. It pertains to organizations that, during the previous calendar year, satisfy one of the following criteria:

• Control or process the personal data of at least 100,000 consumers, or
• Control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.

Personal Data & Sensitive Data

But how does the regulation define “personal data?” According to the NJDPA, personal data refers to information that can be directly linked or reasonably linked to an identified or identifiable individual. This definition explicitly excludes de-identified data and publicly available data.

The act also outlines the concept of “sensitive data.” This category encompasses financial information, such as “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” Unlike the CCPA, the New Jersey law mandates that businesses obtain consent prior to processing and collecting sensitive data.

Obtain Consent

Businesses must obtain explicit consent (via an opt-in) before processing sensitive data or personal data of minors under age 13 (in compliance with the federal COPPA regulations), and ages 13-16. This is applicable when the purpose of processing includes targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Privacy Notices

The NJDPA requires businesses to provide consumers with a reasonably accessible, clear, and meaningful privacy notice, mirroring the requirements set forth by other state privacy legislations. Similar to the privacy laws of Oregon and Delaware, New Jersey’s stipulates that privacy notices must detail the categories of personal data shared with third parties. Additionally, organizations must outline the procedure through which consumers are informed of significant alterations to the privacy notice.

Universal Opt-Out Mechanism

Beginning in June 2024, any controller that processes personal data for purposes of targeted advertising, the sale of personal data, or profiling will be required to allow consumers to opt-out of such processing through a user-selected universal opt-out mechanism.

Data Protection Assessments

The NJDPA requires businesses to conduct a data protection assessment and make it available to the New Jersey Department of Consumer Affairs upon request.

The regulation does not allow companies to process personal data that presents a “heightened risk of harm” to consumers without first conducting and documenting a data protection assessment of these processing activities.

Processing activities identified as harmful include actions like targeted advertising, the sale of personal data, profiling that may lead to foreseeable consumer risks, and the handling of sensitive data.

The law goes into effect on January 15, 2025, one year after its enactment. And, although no monetary amount is explicitly defined, a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.

The enactment of this act shows that government agencies are attentive to data privacy and security concerns. Business should be too. Establishing a thorough data management plan that aligns with regulatory requirements is essential for averting the dangers of noncompliance and reducing potential financial penalties. The initial step involves evaluating your current data environment, comprehensively understanding how data is currently managed, and identifying the necessary procedures to guarantee adherence to compliance standards.