Data Privacy Hub

After pulling a bill together within just a few weeks, New Jersey has become the first state to pass a comprehensive data privacy law in the US this year. For the most part, the law follows Oregon's OCPA and Delaware's DPDPA closely, including not exempting nonprofit organizations from compliance.

The most notable things about this law?

The biggest change is that NJ will require organizations to complete data protection impact assessments (DPIAs) BEFORE beginning data collection and processing. This is a stark difference from how DPIA requirements are written in every other state law, and should force companies to conduct impact assessments more regularly.

Other unique elements of this bill include how New Jersey has expanded universal opt-out mechanisms to cover opt-outs for user profiling. Other state regulations typically include universal opt-out mechanisms for targeted advertising and the sale of personal data, but New Jersey's inclusion of user profiling as well will likely complicate the issue going forward for both companies and future regulations.

New Jersey's data privacy law will enter into force on January 16, 2025, with a July 16, 2025 deadline to recognize universal opt-out mechanisms. The fines for violations sit at $10,000 per, with an increase to $20,000 per for repeat violators. The law includes Attorney General rulemaking capabilities, like California and Colorado, which gives the regulation a more constant heartbeat than other states' regulations.

Click here for a more detailed breakdown of the law.