
New Jersey Privacy Law: Notices, Controllers and Processors, and Enforcement

Melissa Krasnow | May 30, 2024


New Jersey's privacy law (the "Act") application, definitions, and consumer rights were discussed in a May 2024 article. See "New Jersey Privacy Law: Application, Definitions, and Consumer Rights." This article discusses the Act's notice requirements, controller and processor responsibilities, security, controller-processor contracts, data protection assessments, de-identified data, and New Jersey attorney general enforcement.

Notice Requirements

A controller shall provide to a consumer a reasonably accessible, clear, and meaningful privacy notice that shall include but may not be limited to the following.

  • The categories of the personal data that the controller processes;
  • The purpose for processing personal data;
  • The categories of all third parties to which the controller may disclose a consumer's personal data;
  • The categories of personal data that the controller shares with third parties, if any;
  • How consumers may exercise their consumer rights, including the controller's contact information and how a consumer may appeal a controller's decision with regard to the consumer's request;
  • The process by which the controller notifies consumers of material changes to the notification required to be made available pursuant hereto, along with the effective date of the notice; and
  • An active email address or other online mechanism that the consumer may use to contact the controller.

If a controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing.

Controller Responsibilities

A controller shall do all of the following.

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
  • Except as otherwise provided in the Act, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
  • Take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition, and the data security practices shall be appropriate to the volume and nature of the personal data at issue;
  • Not process sensitive data concerning a consumer without first obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without processing such data in accordance with the Children's Online Privacy Protection Act and any rules, regulations, guidelines, and exceptions thereto, as may be amended from time to time;
  • Not process personal data in violation of the laws of New Jersey and federal laws that prohibit unlawful discrimination against consumers;
  • Provide an effective mechanism for a consumer to revoke the consumer's consent hereunder that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request;
  • Not process the personal data of a consumer for purposes of targeted advertising, the sale of the consumer's personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer's consent, under circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age; 
  • Specify the express purposes for which personal data are processed; and
  • Not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of the Act that present a heightened risk of harm to a consumer.

"Heightened risk" includes the following.

  • Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of any of the following.
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial or physical injury to consumers;
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers;
  • Selling personal data; and
  • Processing sensitive data.

A controller shall be prohibited from discriminating against a consumer if the consumer chooses to opt out of the processing for sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects of the consumer's personal data pursuant to the Act. The immediately preceding sentence shall not prohibit the controller's ability to offer consumers discounts, loyalty programs, or other incentives for the sale of the consumer's personal data, or to provide different services to consumers that are reasonably related to the value of the relevant data, provided that the controller has clearly and conspicuously disclosed to the consumer that the offered discounts, programs, incentives, or services include the sale or processing of personal data that the consumer otherwise has a right to opt out of.

Determining whether a person is acting as a controller or processor with respect to a specific processing of data shall be a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, shall be deemed a controller and not a processor with respect to a specific processing of data. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it shall be deemed a controller with respect to the processing.

Processor Responsibilities

Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under the Act. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by doing the following.

  • Taking appropriate technical and organizational measures, insofar as possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights under the Act;
  • Helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to notification of a breach of the security of the system; and
  • Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments, and the controller and processor are each responsible for only the measures allocated to them.

Notwithstanding the instructions of the controller, a processor shall do the following.

  • Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
  • Engage a subcontractor pursuant to a written contract in accordance with the "Contract Requirements" (as defined below) that requires the subcontractor to meet the obligations of the processor with respect to the personal data (the "Processor Confidentiality and Subcontractor Requirements").

Determining whether a person is acting as a controller or processor with respect to a specific processing of data shall be a fact-based determination that depends upon the context in which personal data are to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data shall remain a processor.

Security

Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures (collectively, the "Security Requirements").

Controller-Processor Contracts

Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and sets forth the following requirements (collectively, the "Contract Requirements").

  • Processing instructions to which the processor is bound, including the nature and purpose of the processing;
  • Type of personal data subject to the processing and the duration of the processing;
  • The Contract Requirements, the Security Requirements, and the Processor Confidentiality and Subcontractor Requirements; and
  • The following additional requirements.
    • At the discretion of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
    • The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in the Act; and
    • The processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under the Act using an appropriate and accepted control standard or framework for the assessment as applicable. The processor shall provide a report of the assessment to the controller upon request.

In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by the Act.

Data Protection Assessments

Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.

The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of the Act that present a heightened risk of harm to a consumer.

"Heightened risk" includes the following.

  • Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of the following.
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial or physical injury to consumers;
    • A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers;
  • Selling personal data; and
  • Processing sensitive data.

Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under the Act. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by providing information to the controller necessary to enable the controller to conduct and document any data protection assessments, and the controller and processor are each responsible for only the measures allocated to them.

A controller shall make the data protection assessment available to the Division of Consumer Affairs in the New Jersey Department of Law and Public Safety (a New Jersey state agency under the direction of the New Jersey attorney general) upon request.

A single data protection assessment may address a comparable set of processing operations that include similar activities.

De-identified Data

Nothing in the Act shall require a controller to do any of the following.

  • Re-identify de-identified data; or
  • Collect, retain, use, link, or combine personal data concerning a consumer that it would not otherwise collect, retain, use, link, or combine in the ordinary course of business.

Enforcement

It shall be an unlawful practice and violation of N.J. Stat. Ann. §§ 56:8-1 et seq. for a controller to violate the provisions of the Act.

Until the first day of the 18th month next following the effective date of the Act, prior to bringing an enforcement action before an administrative law judge or a court of competent jurisdiction in New Jersey, the Division of Consumer Affairs in the New Jersey Department of Law and Public Safety shall issue a notice to the controller if a cure is deemed possible. If the controller fails to cure the alleged violation of the Act within 30 days after receiving notice of alleged noncompliance from the Division of Consumer Affairs, such enforcement action may be brought.

While the Act will take effect January 15, 2025, the director of the Division of Consumer Affairs may take any anticipatory administrative action in advance as shall be necessary for the implementation of the Act.

The New Jersey attorney general shall have sole and exclusive authority to enforce a violation of the Act. 

Nothing in the Act shall be construed as providing the basis for, or subject to, a private right of action for violations of the Act.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.