New Jersey sets a new standard in data privacy with its latest legislation
New Jersey has stepped into the data protection arena with the introduction of the New Jersey Data Privacy Act (NJDPA). This legislative move amplifies the state's commitment to safeguarding personal information and establishes a new benchmark in data privacy across the United States. As the 13th state to enact privacy legislation, New Jersey’s move could accelerate the push for similar laws in other states, potentially culminating in a unified federal privacy law.
With the NJDPA set to be enforced by 2025, the clock begins for businesses operating within the state or handling data of New Jersey residents.
What you need to know about the NJDPA
The NJDPA distinguishes itself through its comprehensive coverage and robust provisions aimed at enhancing consumer privacy. It encompasses a wide range of personal data and extends protections to include non-profit organisations.
Key features of the law include:
Consumer consent for sensitive data: A cornerstone of the NJDPA, it requires explicit consent from consumers before their sensitive data can be processed.
Data protection assessments: Businesses must conduct assessments to ensure compliance and mitigate risks in data processing activities.
Opt-out preference signals: Consumers can opt out of data processing, which boosts user control over personal information.
Children’s data protection: The NJDPA provides enhanced safeguards for the youngest digital users, aged 13-17.
No private right of action: Notably, the NJDPA does not allow individuals to sue businesses for violations directly - a significant contrast to some other states' laws.
Rulemaking authority: The Division of Consumer Affairs will ensure the law's effective implementation through specific rules and regulations.
Consumer rights: Standard rights such as access, correction, deletion, data portability, and opting out of certain data processing activities are affirmed under the NJDPA.
The NJDPA stands out against other US state privacy laws because of its inclusive definition of sensitive data, which encompasses financial information among other categories. The law also applies to non-profits and does not specify a revenue threshold. Unlike California’s CCPA, which allows for a private right of action in certain breaches, the NJDPA does not allow this, offering a different enforcement avenue through the New Jersey Attorney General who may conduct enforcement action. Before any action can be made, the Division of Consumer Affairs must provide notice to the controller or processor, giving 30 days to cure the noticed violation if possible.
Impact on businesses and consumer benefits
Consumers are at the forefront of this legislation. There are clear expanded protections for children’s data and explicit consent, so that consumers have more control over their personal information.
Businesses both in and out of the New Jersey state have to ensure they comply with the NJDPA - even if they already operate under data privacy laws. For example, businesses in California (who already used to following CCPA laws) need to update their privacy practices to also meet the NJDPA's new rules. This includes checks on how they protect data and letting people opt out of their data being used.
For New Jersey businesses, they need to update privacy policies, implement stronger data security measures, and ensure mechanisms for consumer consent are in place. These proactive steps involve training staff on the nuances of the NJDPA and revising contracts with data processors to meet the new law's requirements.
As we anticipate the enforcement of the NJDPA, businesses in New Jersey and beyond are expected to significantly ramp up their privacy and data protection efforts. This movement towards stricter data privacy standards reflects a growing awareness and demand for consumer privacy protections. With New Jersey being another contender in the field of US states with data privacy laws, we anticipate further privacy initiatives both at the state and federal levels.
Businesses cannot afford to be complacent. This is a critical moment for businesses to reassess their privacy frameworks, and ensure they are prepared for not just the NJDPA, but a future where data privacy is paramount.