Written by Haim Ravia and Dotan Hammer
The Governor of New Jersey recently signed into law the Consumer Privacy Protection Act, set to take effect in January 2025. New Jersey now becomes the fourteenth state in the U.S. to enact a state privacy law, specifically targeting the protection of individuals’ privacy in personal capacities (to the exclusion of individual’s roles as employees or representatives of a business). The law will apply to businesses operating within New Jersey or providing products and services to state residents, where they annually process personal data of 100,000 or more New Jersey residents, or 25,000 or more New Jersey residents while generating revenue from selling this data.
Key aspects of the New Jersey Consumer Privacy Protection Act include:
- Requiring businesses to furnish clear privacy notices outlining personal data collection and processing purposes.
- An obligation to obtain explicit consent for processing sensitive data.
- Granting consumers rights to access, correct, and delete their personal data, as well as to receive it in a portable format. Consumers can also opt out of having their data used for targeted advertising, sold, or profiled in specific ways.
- Limiting business data collection to what is necessary for the disclosed purposes and prohibiting processing beyond these boundaries without consumer consent, except as allowed by law.
- Mandating businesses to implement reasonable security measures to protect personal data.
- Requiring businesses to conduct data protection assessments for activities posing a high risk of consumer harm.
- Prohibiting discrimination against consumers who exercise their privacy rights.
The Act provides greater flexibility in using de-identified data and publicly available data, by exempting them from the stringent requirements of the Act.
Click here to read the New Jersey Consumer Privacy Protection Act.