In January 2024, the states of New Jersey and New Hampshire enacted comprehensive consumer privacy laws, joining the thirteen other states that have already done so: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, and Delaware.
Like many state privacy laws enacted since the passing of the California Consumer Privacy Act (CCPA), the New Jersey and New Hampshire statutes were largely structured along the same lines.
New Jersey Consumer Privacy Laws
On January 8, 2024, the New Jersey State Senate passed S.B. 332, which was quickly signed into law on January 16, 2024. This legislation, set to take effect 365 days post-enactment, resembles the comprehensive privacy statutes of Connecticut, Colorado, Montana, and Oregon, yet also features distinctive elements worthy of note:
Scope and Applicability
- Covered Entities: SB 332’s scope of coverage includes companies that do business or offer products or services in New Jersey.
- Limited Exemptions: SB 332 does not include exemptions present in certain other state privacy statutes, such as an exemption for data collected by nonprofit organizations.
- Thresholds for Data Control or Processing: SB 332 applies to companies that control or process data at the following thresholds within a calendar year:
  - The personal data of at least 100,000 NJ consumers, excluding data used solely for completing a transaction.
  - The personal data of at least 25,000 NJ consumers if the business gains revenue or discounts from selling personal data.
Consumer Rights Under SB 332
- Access: Consumers will have the right to access their personal data.
- Deletion: Consumers can request the deletion of their personal data.
- Portability: Consumers will be able to request the transfer of their personal data.
- Correction: Consumers have the right to correct any inaccuracies in their personal data.
- Opt-out Rights:
  - Targeted Advertising: Consumers can opt out of receiving targeted advertising.
  - Sale of Personal Data: Consumers have the right to opt out of their personal data being sold.
  - Profiling: Consumers can opt out of profiling that affects legal or significant decisions about them.
Universal Opt-out Mechanism: Data controllers must adopt a universal opt-out mechanism within six months of the Act's effective date, so that consumers can exercise their opt-out rights via a single source.
Sensitive Data Definitions
- Financial Information Inclusion: Notably, SB 332 is the first comprehensive privacy law enacted since the CCPA to consider financial information as “sensitive data.” Sensitive financial information includes such elements as financial account numbers and logins, and credit or debit card numbers when combined with required security codes or passwords enabling access to a consumer's financial account.
- Consent Requirement: SB 332 mandates obtaining consumer consent before collecting “sensitive data,” which is defined as data that falls within the following categories:
  - Racial or ethnic origin
  - Religious beliefs
  - Mental or physical health condition
  - Sex life or sexual orientation
  - Citizenship or immigration status
  - Status as transgender or non-binary
  - Genetic or biometric data
Opt-In Consent for Personal Data Processing
- Requirement for Consent: SB 332 requires consumer consent before processing personal data.
- Prohibited Processing for Teens: Absent parental consent, SB 332 prohibits controllers from processing personal data belonging to children aged 13-16 for the purposes of targeted advertising, sale, or profiling.
- Knowledge Requirement: Controllers are prohibited from processing personal data if they have actual knowledge of, or willfully disregard, evidence indicating that a consumer is between 13 and 16 years old.
New Hampshire Consumer Privacy Laws
On January 18, the legislature of New Hampshire enacted SB 255, which goes into effect on January 1, 2025. SB 255 mirrors analogous statutes in Connecticut and several other jurisdictions, with some notable differences:
Scope and Applicability
1. Covered Entities: Data controllers conducting business in New Hampshire, along with businesses offering products or services to New Hampshire residents.
2. Thresholds for Data Control or Processing: Entities that do any of the following within a one-year period are covered:
   - Control or process the personal data of at least 35,000 unique consumers, excluding data related solely to payment transactions.
   - Control or process the personal data of at least 100,000 unique consumers and derive more than 25 percent of their gross revenue from selling personal data.
3. Exemptions: Similar to other state privacy laws, the following entity classifications are exempt from coverage:
   - Nonprofit organizations
   - Government entities
   - Financial institutions
   - Protected health information under HIPAA, among others.
Consumer Rights Under SB 255
- Access: Consumers have the right to access their personal data.
- Correction: Consumers can request correction of any inaccuracies in their personal data.
- Deletion: Consumers have the right to request the deletion of their personal data.
- Portability: Consumers can request the transfer of their personal data.
- Opt-Out Rights: Consumers have the right to opt out of:
  - Targeted advertising;
  - Sale of personal data; or
  - Profiling for solely automated decisions.
Exceptions for Pseudonymized Data: The rights of access, correction, deletion, and portability do not apply to pseudonymized data. Certain standards regarding reidentification, storage, and access must be met for this exception to be valid.
Sensitive Data Definitions
- Consent Requirement: Similar to other state privacy laws, the Act mandates that businesses must obtain a consumer's express consent before processing “sensitive data,” which SB 255 defines as any of the following:
  - Racial or ethnic origin or religious beliefs;
  - Mental or physical health conditions or diagnoses;
  - Sexual information, including orientation;
  - Citizenship or immigration status;
  - Genetic or biometric data;
  - Children’s personal data; and
  - Precise geolocation data.
Implementation and Enforcement Provisions:
- Development of Standards and Means: SB 255 authorizes the New Hampshire Secretary of State to develop minimum standards for privacy notices, and to establish secure and reliable methods for consumers to exercise their rights under the statute.
- Enforcement Authority: The New Hampshire Attorney General is authorized to enforce the Act, and the AG is further authorized to compel controllers to disclose data protection assessments relevant to investigations conducted by their office.
- Cure Period for Violations: For the first year after it takes effect, SB 255 includes a sixty-day time frame in which to rectify violations. After the one-year period elapses, the 60-day cure period will no longer be available.