New Jersey
New Jersey Senate Bill 332 (NJDPA)
Passed | January 16, 2024 |
Effective Date | January 15, 2025 |
Who it applies to |
Businesses that (1) control or process personal data of 100,000 or more unique consumers; or (2) controls or processes the personal data of 25,000 or more unique consumers and derives any revenue or discount on the price of any goods or services from the sale of personal data. Exempt entities include government agencies, as well as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
Penalties | Up to $10,000 per violation. |
What’s notable about it:
New Jersey’s privacy law is distinct for authorizing the director of the Division of Consumer Affairs to promulgate regulations, making it the third state to grant such rulemaking authority. This regulatory flexibility allows the law to adapt over time, ensuring businesses stay current with evolving privacy standards. Additionally, New Jersey joins California in including financial information as a new category of sensitive data, further strengthening consumer privacy protections.
The law stands out by requiring businesses to cease processing personal data within 15 days of a consumer withdrawing consent, a notably shorter time frame compared to other states' typical 30- to 45-day periods. This swift response reflects New Jersey’s emphasis on consumer control. Furthermore, starting in 2025, businesses must comply with a universal opt-out mechanism, aligning with growing trends toward empowering consumers across multiple platforms.
Importantly, New Jersey's law does not exempt nonprofits or higher education institutions, unlike some other state laws that offer exemptions to these entities. While there is a data-level exemption for protected health information under HIPAA, New Jersey’s law does not provide an entity-level exemption for HIPAA-covered entities, keeping these organizations within the scope of the state’s privacy regulations.