A Comparative Approach to the Data Privacy Legislation in New Jersey
New Jersey Law Journal
November 29, 2023
In an era dominated by the ever-expanding digital and data-driven business landscape, state legislators across the United States have responded with a flurry of new laws aimed at safeguarding a consumer’s personal information. As of this writing, four states have comprehensive laws in effect governing the use of personal information obtained from their respective state residents (California, Virginia, Colorado, and Connecticut), one state has a statute becoming effective at the end of 2023 (Utah), and eight states have passed similar statutes that become effective on various dates from July 1, 2024 through Jan. 1, 2026 (Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas).
In recent years, the New Jersey Legislature has considered various versions of privacy legislation but has yet to adopt and implement comprehensive privacy legislation for New Jersey residents. Among the bills currently pending are New Jersey Assembly Bill A505, titled the “New Jersey Disclosure and Accountability Transparency Act” (NJ DaTA), and New Jersey Senate Bill S332, which requires online services to notify consumers of collection and disclosure of personal information. NJ DaTA was re-introduced in the Assembly on Jan. 11, 2022 (last Session Bill Number A3283), and contains detailed provisions regarding consumer privacy protections, including a proposal to establish an Office of Data Protection and Responsible Use in the Division of Consumer Affairs. At this juncture, there has been no publicly recorded activity on the NJ DaTA bill since it was introduced, and it appears to be stalled in the Assembly Science, Innovation and Technology Committee. However, S332 has seen significantly more progress, having passed in the Senate on Feb. 2, 2023, and being reported out of the Assembly Science, Innovation and Technology Committee with amendments as a Fourth Reprint on May 11, 2023.
The various privacy statutes—whether already enacted, or like New Jersey still in the legislative process—include provisions that have a direct (and often dramatic) impact on the scope of application, protections afforded to the respective state residents, and effect on businesses operating in the state. For example, such provisions relate to the following issues: (i) the threshold for application; (ii) the scope of an individual’s rights with respect to the personal information collected; (iii) the scope of any opt-in/opt-out rights for the collection and processing of personal information; (iv) the existence of any private right of action; and (v) the exceptions to application of the statute. As the New Jersey Legislature continues to evaluate, revise, and amend the terms of proposed comprehensive privacy legislation, a review of these key provisions in the current version of S332 and comparison to existing statutes offers guidance on what privacy rights and obligations may look like in New Jersey if and when the proposed legislation is ultimately enacted.
Threshold for application
The current version of S332 will apply to an operator that collects personal information of a resident of New Jersey through the operator’s online service. The definition of “operator” is not limited to commercial businesses; it includes any person who operates an online service. Also, unlike all the other state statutes currently in effect, S332 does not establish a threshold for application based on the operator’s annual gross revenue, volume of annual consumer data processed, or percent of revenue from selling consumer personal information. The absence of such a threshold for application creates a very broad definition of “operator” and dramatically increases the scope of the businesses and individuals subject to statutory compliance obligations.
In addition, it appears that S332 is not intended to apply to non-profit organizations. While this mirrors some of the other state statutes in effect, it is inconsistent with the otherwise far-reaching scope of S332, particularly given the potentially extensive personal information that a non-profit may collect and process from donors, stakeholders, and potential beneficiaries. It is also inconsistent with New Jersey’s breach notification statute, which requires all businesses—including non-profits—to provide notice to individual consumers of the unauthorized disclosure of their personal information in the event of a security incident.
Scope of consumer rights regarding personal information collected
The current version of S332 provides a New Jersey resident with limited rights to request two categories of information from an online operator that discloses—by sale or otherwise—personal information to a third party: (i) the categories of personal information that were disclosed, and (ii) the categories of third parties that received the consumer’s personal information. In a separate provision, S332 requires that an online operator provide notice and a description of the process for an individual to review and request changes to any personal information that is collected. These provisions once again contrast with other state statutes, which often provide broader consumer rights, including the right to know the specific personal information collected, the right to correct any errors in the personal information collected, the right to delete the personal information collected (subject to certain exceptions), and the right to obtain a portable copy of the personal information collected. Most states also include the right to opt-out of certain types of targeted advertising and profiling decisions. These additional rights are an important consumer protection made available to residents of other states that does not appear to be available to New Jersey residents.
Opt-in/Opt-out rights for individuals
To date, each state that has passed comprehensive privacy laws requires a mechanism that allows an individual to “opt-out” of the sale of their personal information; absent opting-out, the sale of personal information (which in some states includes exchanges that do not involve monetary consideration) is permitted. As noted above, the opt-out may also extend to profiling and targeted advertising. In stark contrast, the current version of S332 expressly requires an operator to obtain a consumer’s “opt-in” consent for sale of that consumer’s personal information. Although an “opt-in” requirement may have initial appeal, it is readily apparent that this distinction would establish New Jersey as an outlier, creating immediate compliance and processing problems for an online operator and requiring the over-collection of data (e.g., precise geolocation data and other tracking information) by all operators for all consumers in all circumstances to identify New Jersey consumers requiring unique treatment. Note that the prior version of S332 that passed in the Senate contained an “opt-out” requirement consistent with the existing laws in all other states.
It is also worth noting that the current version of S332 does not contain any provision regarding the collection, processing, or limitation on use of sensitive personal information (e.g., personal information that reveals or infers racial or ethnic origin, religious beliefs, sexual orientation, health condition or diagnosis, biometrics, etc.). The majority of state laws that address sensitive personal information require an online operator to obtain “opt-in” consent before sensitive personal information can be processed, which would appear to significantly advance the privacy interests of their state residents.
Private right of action
As of this writing, California remains the only state providing its residents with a private right of action for certain violations of the privacy statute. The current version of S332 aligns with all the other states by forgoing such a remedy, explicitly stating that nothing in the bill shall be construed as providing the basis for a private right of action for violations of the statute.
Exceptions to application of the statute
Consistent with many other existing state privacy laws, S332 would not apply to protected health information under the Health Insurance Portability and Accountability Act, entities subject to the Gramm-Leach-Bliley Act, certain secondary market institutions, certain insurance entities, the sale of personal information permitted by the Drivers’ Privacy Protection Act of 1994, and data within the scope of the Fair Credit Reporting Act. Also, S332 would not apply to personal information that is collected and used “in a commercial or employment context,” which is consistent with the laws currently in effect except in California.
Navigating the ever-evolving legal terrain of data privacy rights and obligations often requires consideration of the (at times) unique approach taken by different states. Although the 2022-2023 legislative session in New Jersey will end in the coming weeks, the current version of S332 offers an initial blueprint for a comprehensive consumer privacy statute in New Jersey, whether adopted now or later. In addition, the issues raised by the current version of S332 offer insights into the potential rights and obligations of businesses and individuals collecting and processing personal information of New Jersey residents. At this juncture New Jersey stands at a crossroad, with the Legislature facing important choices on the scope and terms of comprehensive privacy legislation that will have a dramatic impact on business operations as well as the individual rights of New Jersey residents. By keeping a watchful eye on the legislative landscape, businesses and individuals can ensure they remain compliant and responsive to the evolving needs and expectations of consumers in the digital age.
John T. Wolak chairs the Gibbons privacy & data security team and has extensive experience with a broad range of privacy and security issues, providing advice and counsel on compliance with the ever-evolving local, national, and global regulatory regimes. He also assists clients with incident response activities, third-party contracting, cyber insurance coverage, best practices to mitigate cyber risks and exposures, and data security training for employees. Reach him at email@example.com.
William C. Martinez is an associate in Gibbons’ real property group and a member of the privacy & data security team. He also has a significant background in issues related to privacy compliance and data breach incident response. Reach him at firstname.lastname@example.org.
Reprinted with permission from the April 24, 2023 issue of the New Jersey Law Journal. © 2023 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. For information, contact 877-257-3382 or email@example.com or visit www.almreprints.com.