New Jersey has passed a new comprehensive privacy law, known as S332. The bill has been passed to the state’s governor for a signature. Even if left unsigned, the bill will become law within 45 days, making New Jersey the 13th US state with a comprehensive privacy law.
S332 will impose new privacy requirements on thousands of companies operating in New Jersey. While many of these obligations are similar (or identical) to those in other states, New Jersey’s new privacy law has some interesting characteristics.
Here are five reasons to pay attention to New Jersey’s S332.
1. S332 has changed dramatically since it was introduced
The final version of S332 looks very different from the bill that was introduced to New Jersey’s senate in November 2022.
S332 was originally drafted as a modest internet privacy law, requiring operators of commercial websites to disclose how they collect and use “personally identifiable information”.
Over two years later, the bill has been modified beyond recognition and is now a relatively strict and broadly applicable “Virginia-style” comprehensive privacy law.
2. The law applies relatively broadly
S332 applies to any controller that:
- Conducts business in New Jersey, or
- Produces products or services targeted at New Jersey residents, and
- During a calendar year either:
  - Controls or processes personal data about 100,000 or more New Jersey consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  - Controls or processes personal data about 25,000 or more New Jersey consumers, and
    - Derives (any amount of) revenue or receives a discount on the price of any goods or services from the sale of personal data.
This makes New Jersey one of the most broadly applicable comprehensive privacy laws in the US.
But as in all other states (except California), S332 does not apply to the processing of personal data about employees, contractors, job applicants, or individuals acting in a commercial context (i.e., business-to-business data).
3. It has an expansive “sensitive data” definition
S332 defines “sensitive data” as any of the following types of information:
- Personal data revealing:
  - Racial or ethnic origin
  - Religious beliefs
  - Mental or physical health condition, treatment, or diagnosis
  - Financial information, including a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any information required to access the account
  - Sex life or sexual orientation
  - Citizenship or immigration status
  - Status as transgender or non-binary
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Precise geolocation data (within a radius of 1,750 feet)
Note that New Jersey is the only state (besides California) to include financial information as a type of “sensitive data”.
As in most other states, New Jersey’s law requires controllers to get consent before processing sensitive data.
4. S332 includes all the ‘Virginia-style’ obligations
Virginia-style comprehensive privacy laws (so called because Virginia was the first state to pass such a law, diverging from California’s privacy model) generally look quite similar.
When drafting such a law, state legislators can choose which obligations to place on controllers and processors. New Jersey has chosen to implement all the “usual” obligations, meaning that the law includes some provisions that other states have chosen to leave out.
Some of the requirements under New Jersey’s S332 include:
- Facilitating requests from consumers to access, correct, and delete their personal data (and processing consumers’ appeals if they are unhappy with your response)
- Enabling consumers to opt out of:
  - Targeted advertising,
  - The sale of their personal data,
  - Certain forms of “profiling” with potentially serious effects
- Configuring your website to respect “universal opt-out” signals from consumers’ browsers
- Conducting a “data protection assessment” before undertaking certain risky processing activities
- Ensuring you have contracts in place with processors who process personal data on your behalf
- Abiding by the principles of “data minimization” and “purpose limitation”
- Implementing a “reasonable” level of data security
It’s likely that a company compliant with certain other state privacy laws, such as those in Colorado or Connecticut, will be able to meet New Jersey’s requirements without too much extra work.
5. There will be regulations
S332 includes a provision enabling New Jersey’s Division of Consumer Affairs to make rules and regulations under the law.
Rulemaking enables state authorities to specify how legal provisions should be interpreted and can introduce some interesting and important compliance requirements. Authorities in California and Colorado have also made rules under those states’ privacy laws.
As such, New Jersey’s law will continue to evolve after it is enacted. So, keep an eye on the state’s regulations if you’re covered by S332.