On January 16, 2024, Governor Philip D. Murphy signed into law the New Jersey Data Privacy Act (the “Privacy Act”), which goes into effect on January 15, 2025.
Scope
The Privacy Act applies to controllers of personal data that conduct business in New Jersey, or who produce products or services targeted to New Jersey residents, and who, during a calendar year, either: (1) control or process the personal data of at least 100,000 New Jersey residents (excluding personal data processed solely for the purpose of completing a payment transaction); or (2) control or process the personal data of at least 25,000 New Jersey residents and derive revenue, or receive a discount on the price of any goods or services, from the “sale” of personal data.
Comparison to Comprehensive State Privacy Laws
The Privacy Act is very similar to the recent wave of privacy laws passed in other states. Of note, however, is that the Privacy Act has a broader definition of sensitive data than other states. In addition to other common categories of sensitive data observed in state privacy laws, the Privacy Act includes within its scope financial information, which includes a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. While the California Privacy Rights Act also includes such financial information within its definition of sensitive personal information, it does not require obtaining consent before processing sensitive data, similar to the Privacy Act. With a growing number of states passing privacy laws—14, including Florida’s narrower law—US companies should review their existing policies and procedures to address compliance in a harmonized manner to operate at scale.
We have developed a comprehensive chart that provides a side-by-side comparison of the Privacy Act with other state privacy laws.
[View source.]