New Jersey and New Hampshire are the latest states to pass comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, and Delaware. Below is a summary of key takeaways.
On January 8, 2024, the New Jersey state senate passed S.B. 332 (“the Act”), which was signed into law on January 16, 2024. The Act, which takes effect 365 days after enactment, resembles the comprehensive privacy statutes in Connecticut, Colorado, Montana, and Oregon, though there are some notable distinctions.
- Scope and Applicability: The Act will apply to controllers that conduct business or produce products or services in New Jersey, and, during a calendar year, control or process either (1) the personal data of at least 100,000 consumers, excluding personal data processed for the sole purpose of completing a transaction; or (2) the personal data of at least 25,000 consumers where the business derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. The Act omits several exemptions present in other state comprehensive privacy laws, including exemptions for nonprofit organizations and information covered by the Family Educational Rights and Privacy Act.
- Consumer Rights: Consumers will have the rights of access, deletion, portability, and correction under the Act. Moreover, the Act will provide consumers with the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. The Act will require controllers to develop a universal opt out mechanism by which consumers can exercise these opt out rights within six months of the Act’s effective date.
- Sensitive Data: The Act will require consent prior to the collection of sensitive data. “Sensitive data” is defined to include, among other things, racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or immigration status, status as transgender or non-binary, and genetic or biometric data. Notably, the Act is the first comprehensive privacy statute other than the California Consumer Privacy Act to include financial information in its definition of sensitive data. The Act defines financial information as an “account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”
- Opt-In Consent for Certain Processing of Personal Data Concerning Teens: Unless a controller obtains a consumer’s consent, the Act will prohibit the controller from processing personal data for targeted adverting, sale, or profiling where the controller has actual knowledge, or willfully disregards, that the consumer is between the ages of 13 and 16 years old.
- Enforcement and Rulemaking: The Act grants the New Jersey Attorney General enforcement authority. The Act also provides controllers with a 30-day right to cure for certain violations, which will sunset eighteen months after the Act’s effective date. Like the comprehensive privacy laws in California and Colorado, the Act authorizes rulemaking under the state Administrative Procedure Act. Specifically, the Act requires the Director of the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate rules and regulations pursuant to the Administrative Procedure Act that are necessary to effectuate the Act’s provisions.
On January 18, the New Hampshire legislature passed SB255 (“the Act”). The Act, which will take effect on January 1, 2025, resembles similar statutes in Connecticut and other states with a few distinctions.
- Scope and Applicability: The Act applies to controllers that conduct business in New Hampshire or to businesses who produce products or services that target New Hampshire residents and, in the course of a year, control or process either (1) the personal data of at least 35,000 unique consumers, excluding personal data controlled or processed solely to complete a payment transaction, or (2) the personal data of at least 100,000 unique consumers and derive more than 25 percent of their gross revenue from the sale of personal data. The Act includes many exemptions present in other state comprehensive privacy laws, including exemptions for nonprofits, government entities, financial institutions, and protected health information under HIPAA, among others.
- Consumer Rights: The Act provides consumers with various rights found in many other state comprehensive privacy laws. These rights include access, correction, deletion, portability, and opt-outs from targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions. However, the access, correction, deletion, and portability rights do not extend to pseudonymized data, so long as certain reidentification, storage, and access standards are met.
- Sensitive Data: Like other state comprehensive privacy laws, the Act requires a business to obtain a consumer’s opt-in consent prior to processing sensitive data. Sensitive data is defined to include, among other things, racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.
- Implementation and Enforcement: The Act empowers the New Hampshire Secretary of State to develop minimum standards for privacy notices and establish secure and reliable means for consumers to exercise their rights under the statue. The New Hampshire Attorney General will have authority to enforce the Act. The Act also grants the Attorney General the authority to require controllers to disclose data protection assessments relevant to investigations conducted by the Attorney General. The Act provides a sixty-day cure period for violations that sunsets a year after the law goes into effect.