The recent addition of New Jersey to the U.S. comprehensive state privacy law network came in sweeping fashion 8 Jan. The passage, now pending governor approval, is marked by nuances that diverge from common trends in the provisions states have adopted from Virginia's comprehensive law and the original framework for the proposed Washington Privacy Act.
As the New Jersey Legislature's 2023 legislative session wound down, state lawmakers seized an opportunity to overhaul a bill modeled after Nevada's narrow opt-out privacy law into a full-fledged comprehensive bill with mere weeks left in the session. The small window ended up being enough time as the Senate and the Assembly passed Senate Bill 332 on the final roll call votes of the session.
"Although a privacy law has not passed through the state legislature until this year, New Jersey has long been a leader on data privacy," said R-Street Institute Policy Director, Cybersecurity and Emerging Threats Brandon Pugh, CIPP/US, CIPM, who served as a legislative counsel to the New Jersey Assembly's minority office from 2019-2021. "Attempts to pass a state privacy law have been years in the making, and efforts have included hearings around and movement on bills addressing a comprehensive approach, as well as a range of narrower topics such as biometrics."
The scope of SB 332 tracks with other enacted state laws, covering organizations that control or process data of at least 100,000 individuals or those that hold data on at least 25,000 individuals while generating any revenue from that information.
The bill's divergence from common state privacy frameworks is seen in the scope, as data processing "solely for the purpose of completing a transaction" is explicitly carved out of coverage. Additionally, most states attach a certain percentage of revenue to the lower coverage threshold, while New Jersey's bill does not indicate any percentage requirement.
One of the most notable differences SB 332 offers is attorney general rulemaking, which only California and Colorado have provided for previously. Other nuances include a unique definition for sensitive personal data that includes individuals' financial data; distinctive language within universal opt-out mechanism provisions; opt-in consent requirements on children 13 to 16; and completed data protection impact assessments before a processing activity is carried out.
Gordon Rees Scully Mansukhani Partner Jason Scott noted the definition of biometric data is perceived to be broader than in other state laws, while there is a unique requirement for "a general notice when using cookies/pixels or other tracking technology."
"SB 332 passed by largely party lines and, notably, faced concerns from the New Jersey business community," Pugh said, noting how businesses were not in favor of the divergences from privacy laws in other states and "how multiple amendments were introduced in December without enough time to engage."
The bill awaits action from Gov. Phil Murphy, D-N.J., who has 45 days to approve or veto the bill. The bill becomes law without action once the 45 days lapse. The law would come into effect one year after enactment.
Promulgating rules
The inclusion of rulemaking authority makes SB 332 a wild card given how the processes in California and Colorado, respectively, have played out and shaped those laws.
California Consumer Privacy Act rulemaking has been a moving target, from the first rulemaking by the state's attorney general to the current rulemaking conducted by the California Privacy Protection Agency under the California Privacy Rights Act. Both processes received scrutiny from businesses regarding proper time to implement rules, and the CPPA is appealing a state court ruling to delay its first finalized regulations under the CPRA.
Colorado completed its rulemaking with much less fanfare, finalizing its rules on four topics 15 March 2023; the rules took effect when the law did, 1 July 2023.
There's no sense of whether New Jersey's process will mirror that of California or Colorado, but Gordon Rees Scully Mansukhani's Scott noted SB 332 does not provide a firm timeline for completing the rulemaking.
"No timeline is set forth in the bill as to when these rules and regulations need to be established, which may delay implementation of the law," said Scott, who's based in Westchester, New York. "The opt-out (mechanism) rulemaking is likely to be important but the impact is to be determined. At least as drafted in the enacted bill, New Jersey rulemaking does not at all appear to be an analog to California where an entirely new agency was set up solely for the purpose of detailed rulemaking."
UOOMs curveball
Universal opt-out mechanisms used to be a point of contention in state legislative debates following their inclusion in the CCPA and the Colorado Privacy Act. But New Jersey and other states, including Montana and Texas, are showing UOOMs are becoming not only palatable, but a necessity in state privacy statutes.
However, the concept of standardizing universal opt-outs across states may not be supported by SB 332. The language around UOOMs in the bill is standard at a high level, but attention to smaller details reveals issues that may hamper a seamless opt-out standard nationwide.
Future of Privacy Forum Director for U.S. Legislation Keir Lamont, CIPP/US, called attention to a potential hurdle where SB 332 calls for UOOMs to support opt-outs for user profiling, not just targeted advertising and sales of personal data. Lamont said the additional use case is a first among state laws and "would represent a potential complication to ongoing efforts to standardize the nascent privacy device signal landscape."
Under the bill, UOOMs cover profiling "in furtherance of decisions that produce legal or similarly significant effects concerning a consumer." Examples of significant effects are also laid out in the bill, including provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods and services.
The "actual impact" of the profiling "wrinkle" might not materialize, according to Loeb & Loeb Partner Jessica Lee, CIPP/E, CIPP/US, CIPM. She said the significant effects outlined in the bill likely won't resonate with a majority of companies given they aren't likely to consider themselves as having such adverse effects on consumers. SB 332's exemptions, including those for companies adhering to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, will also limit the impacts of the profiling inclusion.
The technical aspects of using UOOMs for profiling are another point of concern for Lee, who pointed to the "number of steps and level of friction" that may come about while verifying requests. However, New Jersey intends to use its rulemaking to address any perceived ambiguity with universal opt-outs, following Colorado's approach.
"The statute also acknowledged the need to align with state and federal controls," Lee said. "It will benefit both business and consumers to have one harmonized standard that is sanctioned by all of the relevant authorities."