New Jersey has now joined the growing number of states that have enacted comprehensive online privacy protections for certain consumers and that have imposed requirements on companies collecting and processing consumer data in the state. In the absence of a federal law, companies continue to navigate different state requirements. These new state laws, however, are trending in a similar direction, and best practices are evolving rapidly. This week, such a bill was signed by New Jersey’s Governor Murphy.
Who will be protected? New Jersey consumers, defined as natural persons residing in New Jersey and acting in an individual or household capacity, as opposed to employees and independent contractors in an employment or commercial setting.
What information is covered? Personal data, meaning information that is linked to a specific and identifiable New Jersey consumer but excluding publicly available information and categories of data covered by other laws, such as health and financial information.
Who must comply? A company doing business in New Jersey that is a “controller” or “processor” of covered personal data. Controllers must meet a set of criteria, including, during a calendar year, either (a) controlling or processing the personal data of at least 100,000 New Jersey consumers or (b) controlling or processing the data of at least 25,000 New Jersey consumers and deriving revenue or receiving a financial benefit from the sale of the data. Processors generally must process personal data as directed by the controller and maintain the confidentiality of that data.
What do covered entities need to do? Overall, this bill strongly encourages the principle of “privacy by design,” requiring posting of a robust, accurate, and clear consumer privacy notice, including conspicuous disclosures, and an easy opt-out mechanism if personal data is sold or used to serve certain targeted ads. Special rules apply if the data is used to make decisions that have legal or other significant effects on the life of the consumer (such as lending, housing, or employment decisions) or if the data is highly sensitive (such as financial, health, or race/ethnic origin). There also are new protections for data of teenagers aged 13-16. Consumers also have the explicit right to revoke consent to processing. Notably, controllers and processors must enter into written contracts containing many provisions that are specified by the new law. The bill is comprehensive and thus contains other provisions beyond the scope of this alert.
Who will enforce? New Jersey’s Attorney General, under the state’s Consumer Fraud Act. While the bill specifically excludes private rights of action, we expect consumers will try to bring civil lawsuits, including class actions, under a variety of state law theories.
What else do I need to know? Regulations are coming from the New Jersey Division of Consumer Affairs but will take a while to draft. Watch for announcements of public hearings on the regulations and further updates from this firm.
For more information, please contact Susan Goldsmith, Scott Christie, Kim Metzger, or the McCarter & English lawyer with whom you normally work.