The privacy plot thickens: New Jersey just became the first state in 2024 – and (by my count) the fourteenth overall – to enact a comprehensive data privacy law. Bill S332, formally titled "An Act concerning online services, consumers, and personal data and supplementing Title 56 of the Revised Statutes" (the Act), was signed on Tuesday by Governor Phil Murphy.
At the federal level, sadly, there has been little news to report in well over a year. Consequently, each additional state that forges its own unique path further muddies the waters, creating more chaos for consumers and more compliance nightmares for companies.
The Act establishes a number of familiar consumer rights with respect to personal data: to confirm its collection and processing, to correct, to delete, to receive a portable copy, to opt out of its processing for targeted advertising as well as its sale, and to opt in to the processing of "sensitive data."Not surprisingly, however, the Act includes several provisions that distinguish it from other state privacy statutes – and thereby unduly complicate nationwide compliance efforts. For one, it does not set a minimum-revenue threshold for covered companies. For another, its definition of "sensitive data" includes certain types of financial information.
The New Jersey Department of Law and Public Safety's Division of Consumer Affairs is tasked with adopting regulations implementing the Act. The New Jersey Attorney General has exclusive enforcement authority. For the first year and a half, companies will enjoy a 30-day cure period.
The Act does not create a private right of action, However, an eleventh-hour amendment deleting the phrase "under any other law" did prompt Governor Murphy to note in his Statement Upon Signing that:
I understand that concerns have been raised that removing that language thereby establishes a private right of action under other laws for violations of this bill. However, nothing in this bill expressly establishes such a private right of action, and the provision as amended states that the bill shall not be "construed as providing the basis for … a private right of action for violations of [the bill]."
The bulk of the Act will go into effect on January 15, 2025. The obligation to abide universal opt-out mechanisms (such as web browser-based privacy signals) will kick in six months later.