New Jersey recently enacted a comprehensive consumer data privacy law that imposes many obligations on controllers of personal data. The law becomes effective on January 16, 2025.
The law applies to controllers of personal data that annually control or process personal data of at least: (a) 100,000 New Jersey consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or (b) 25,000 New Jersey consumers, if the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. The law exempts financial institutions, affiliates of financial institutions, and data that are subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
Among other things, the law requires controllers to: establish and maintain data security practices regarding personal data, including conducting data assessments; provide consumers with a reasonably accessible, clear, and meaningful privacy notice; allow consumers to opt out of certain processing through a universal opt-out mechanism; and obtain an opt-in from consumers prior to processing sensitive data, which includes financial information. The law also requires contracts between controllers and processors to address certain subjects, including confidentiality of personal data.