NJ SB 332 Compliance Guide 

Donata Stroink-Skillrud

Co-founder and President of Termageddon

On January 16, 2024, the Governor of New Jersey signed NJ SB 332, making New Jersey the 14th state to pass a privacy law that provides individuals with comprehensive privacy protections. This law will take effect 365 days from enactment (on January 16, 2025) and will provide privacy rights to residents of New Jersey, as well as require certain businesses to have a comprehensive Privacy Policy and to follow the requirements set forth below. In this Compliance Guide, we will discuss the important aspects of New Jersey’s privacy law, including: 

  • Who needs to comply with NJ SB 332; 
  • How the law defines personal data; 
  • The privacy rights provided to residents of New Jersey; 
  • The Privacy Policy requirements of New Jersey’s new privacy law; 
  • The penalties for non-compliance; and 
  • How Termageddon will handle Privacy Policy updates for its customers. 

Who does NJ SB 332 apply to? 

New Jersey’s privacy law applies to controllers that conduct business in New Jersey or produce products or services targeted to residents of the State and that, during a calendar year:

  • Control or process the personal data of at least 100,000 residents of New Jersey; or 
  • Control or process the personal data of at least 25,000 residents of New Jersey and derive revenue or receive a discount on the price of any goods or services from the sale of personal data. 

The law defines “controller” as an individual or a legal entity that determines the purposes and means of processing personal data. For example, if your website collects names and email addresses and you determine when to send those individuals email marketing, you would be considered a “controller.” If you meet the thresholds cited above, you will need to comply with this privacy law, including having a comprehensive Privacy Policy and honoring consumer privacy rights.

How does the law define “personal data”? 

Since you will need to collect the personal data of New Jersey residents for the law to apply to you, it is important to determine how the law defines personal data. NJ SB 332 defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable person.” This means that information commonly collected through websites, such as names, email addresses, phone numbers, physical addresses and IP addresses, will be considered personal data under this law.

The privacy rights provided to residents of New Jersey

New Jersey’s privacy law provides residents of the State with the right to:

  • Confirm whether the consumer’s personal data is being processed; 
  • Access the personal data that is being processed; 
  • Correct inaccuracies in personal data; 
  • Delete personal data; 
  • Obtain a copy of the personal data in a format that allows a consumer to transmit that data to another entity; 
  • Opt out of the processing of personal data for targeted advertising; 
  • Opt out of the sale of personal data; 
  • Opt out of the processing of personal data for profiling in furtherance of decisions that produce legal or similarly significant effects; 
  • Not be discriminated against based upon the exercise of privacy rights; and
  • Appeal a decision made regarding a privacy rights request.

Businesses that need to comply with this law will have 45 days to respond to a privacy rights request. It is important to note that not later than six months following the enactment of the law, businesses will also need to provide an opt-out mechanism that will allow consumers to opt out of the sale of their data and the use of their data for targeted advertising. 

The Privacy Policy requirements of New Jersey’s privacy law 

Businesses that need to comply with New Jersey’s privacy law are also required to provide a comprehensive and up-to-date Privacy Policy that includes the following disclosures:

  • The categories of personal data processed; 
  • The purpose for processing the personal data; 
  • The categories of all third parties to whom personal data may be disclosed; 
  • The categories of personal data shared with third parties, if any; 
  • How consumers can exercise their privacy rights; 
  • The process by which consumers will be notified of material changes to the Privacy Policy; 
  • The effective date of the Privacy Policy; 
  • An active email address or other online mechanism through which the controller may be contacted; 
  • Whether the controller sells the collected personal data, as well as how to opt out of such sales; 
  • Whether the controller uses the personal data for profiling, as well as how to opt out of such use; 
  • Whether the controller uses the personal data for targeted advertising, as well as how to opt out of such use. 

Other requirements

It is important to note that New Jersey’s privacy law also has a few other requirements for businesses, such as:

  • The controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary to achieve the purposes for which it is being collected; 
  • The controller cannot process personal data for purposes which were not disclosed to the consumer; 
  • The controller is required to take reasonable measures to ensure the security of data; 
  • The controller must obtain consent prior to processing the data of a child; 
  • The controller is required to conduct a data protection assessment prior to processing personal data in a way that presents a heightened risk of harm to the consumer. 

Controllers must also ensure that any processors that they use to process the personal data follow the requirements of this law. 

Enforcement

New Jersey’s privacy law will be enforced by the New Jersey Attorney General. At this time, the law does not state what penalties will be applied for violations. However, this will most likely change with amendments or with the issuance of regulations. 

How will Termageddon handle updates for this privacy law?

Prior to this privacy law going into effect, Termageddon will release an update to its Privacy Policy questionnaire that will help customers determine whether this privacy law applies to them. If NJ SB 332 does apply, Termageddon will also release updates to the Privacy Policy text prior to the law going into effect. Lastly, Termageddon will track any amendments, guidance and regulations and will update policies accordingly.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
