
New Jersey Privacy Law: Application, Definitions, and Consumer Rights

Melissa Krasnow | May 29, 2024


While New Jersey's privacy law (the "Act") will take effect January 15, 2025, the director of the Division of Consumer Affairs in the New Jersey Department of Law and Public Safety (a New Jersey state agency under the direction of the New Jersey attorney general) may take any anticipatory administrative action in advance as shall be necessary for the implementation of the Act.

The New Jersey attorney general will have sole and exclusive authority to enforce a violation of the Act. The director of the Division of Consumer Affairs will promulgate rules and regulations necessary to effectuate the purposes of the Act.

This article discusses the Act's application, definitions, and consumer rights.

Application and Definitions

Notwithstanding any state law, rule, regulation, or order to the contrary, the Act will only apply to controllers that conduct business in New Jersey or produce products or services that are targeted to residents of New Jersey and that during a calendar year do either of the following.

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

"Consumer" means an identified person who is a New Jersey resident acting only in an individual or household context and shall not include a person acting in a commercial or employment context.

"Controller" means an individual, or legal entity, that alone or jointly with others determines the purpose and means of processing personal data.

"Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and includes the actions of a controller directing a processor to process personal data.

"Processor" means a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.

"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable person and shall not include de-identified data or publicly available information.

"De-identified data" means data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data does the following.

  • Takes reasonable measures to ensure that the data cannot be associated with an individual;
  • Publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data; and
  • Contractually obligates any recipients of the information to comply with the foregoing requirements.

"Publicly available information" means information that is lawfully made available from federal, state, or local government records, or widely distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.

"Sale" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party and shall not include the following.

  • The disclosure of personal data to a processor that processes the personal data on the controller's behalf;
  • The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
  • The disclosure or transfer of personal data to an affiliate of the controller;
  • The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or
  • The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

"Third party" means a person, private entity, public entity, agency, or entity other than the consumer, controller, or affiliate or processor of the controller.

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. For the purposes of this definition, "control" means the following.

  • Ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a company;
  • Control in any manner over the election of a majority of the directors or individuals exercising similar functions; or
  • Power to exercise a controlling influence over the management or policies of a company.

"Trade secret" has the same meaning as section 2 of N.J. Stat. Ann. § 56:15-2.

"Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet websites or online applications to predict such consumer's preferences or interests and shall not include any of the following.

  • Advertisements based on activities within a controller's own Internet websites or online applications;
  • Advertisements based on the context of a consumer's current search query, visit to an Internet website, or online application;
  • Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
  • Processing personal data solely to measure or report advertising frequency, performance, or reach.

"Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Decisions that produce legal or similarly significant effects concerning the consumer" means decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to essential goods and services.

"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer and may include a written statement, including by electronic means, or any other unambiguous affirmative action, but shall not include acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.

"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark pattern."

"Child" shall have the same meaning as provided in the Children's Online Privacy Protection Act and any rules, regulations, guidelines, and exceptions thereto, as may be amended from time to time.

"Sensitive data" means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or nonbinary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

"Biometric data" means data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual and shall not include a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

"Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet and does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

Consumer Rights

A consumer shall have all of the following rights.

  • Right of access. A consumer shall have the right to confirm whether a controller processes the consumer's personal data and accesses such personal data, provided that this shall not require a controller to provide the data to the consumer in a manner that would reveal the controller's trade secrets.
  • Right to correction. A consumer shall have the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the information and the purposes of the processing of the information.
  • Right to deletion. A consumer shall have the right to delete personal data concerning the consumer.
  • Right to data portability. A consumer shall have the right to obtain a copy of the consumer's personal data held by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance, provided that this shall not require a controller to provide the data to the consumer in a manner that would reveal the controller's trade secrets.
  • Right to opt out. A consumer shall have the right to opt out of the processing of personal data for the purposes of the following.
    • Targeted advertising;
    • The sale of personal data; or
    • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

If a controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing.

Beginning not later than 6 months following the effective date of the Act, a controller that processes personal data for purposes of targeted advertising, or the sale of personal data, shall allow consumers to exercise the right to opt out of such processing through a user-selected universal opt-out mechanism.

The platform, technology, or mechanism shall do all of the following.

  • Not permit its manufacturer to unfairly disadvantage another controller;
  • Not make use of a default setting that opts in a consumer to the processing or sale of personal data, unless the controller has determined that the consumer has selected such default setting and the selection clearly represents the consumer's affirmative, freely given, and unambiguous choice to opt into any processing of such consumer's personal data pursuant to the Act;
  • Be consumer-friendly, clearly described, and easy to use by the average consumer;
  • Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and
  • Enable the controller to accurately determine whether the consumer is a New Jersey resident and whether the consumer has made a legitimate request to opt out of the processing of personal data for the purposes of any sale of such consumer's personal data or targeted advertising.

The Division of Consumer Affairs in the Department of Law and Public Safety may adopt rules and regulations that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data pursuant to the Act, including regulations that permit the controller to accurately authenticate the consumer as a New Jersey resident and determine that the mechanism represents a legitimate request to opt out of the processing of personal data pursuant to the Act. The Division of Consumer Affairs may update the rules that detail the technical specifications for the mechanisms from time to time to reflect the means by which consumers interact with controllers.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.