The New Jersey legislature recently passed Senate Bill 332, a significant piece of legislation designed to enhance data privacy and protection for New Jersey consumers. SB332 shares similarities with the California Consumer Privacy Act (CCPA), particularly in terms of its consumer-centric approach.
Key features of SB332 include:
- Consumer Rights: The bill empowers New Jersey consumers with several rights, including the right to know if their personal data is being processed, correct inaccuracies, delete personal data, obtain a copy of personal data, and opt-out of specific processing activities, such as targeted advertising or the sale of personal data.
- Universal Opt-Out Mechanisms (UOOMs): A notable feature SB332 is the requirement for controllers to recognize UOOMs, extending to targeted advertising and sales of personal data. This aligns New Jersey with states like Colorado, Connecticut, and Oregon in requiring UOOMs.
- Data Controller Obligations: Controllers are obligated to provide clear and accessible privacy notices, limit data collection, ensure data security, conduct data protection assessments for high-risk processing activities, and enter into data processing agreements with processors.
- Unique Definition of Sensitive Data: SB332 uniquely defines sensitive data to include financial information, health condition, treatment or diagnosis, and status as transgender or non-binary. This is a broader scope compared to other variants like the CCPA.
- Applicability: SB332 applies to entities processing the personal data of 100,000 or more New Jersey consumers or those deriving revenue from the sale of personal data of at least 25,000 New Jersey consumers.
- Children’s Data: Special provisions apply to children between the ages of 13 and 17, with restrictions on targeted advertising and data sales.
- Enforcement: The New Jersey Office of the Attorney General has exclusive authority for enforcement, with a 30-day right to cure that expires 18 months after SB332's effective date.
SB332 marks a significant advancement in data privacy legislation in the U.S., and signifies a growing trend towards stronger data privacy regulations nationwide, emphasizing the importance of consumer rights and corporate accountability in the digital age. SB332 awaits final action from Gov. Phil Murphy, who has 45 days to approve. The law would take effect one year after its enactment date.