New Jersey Passes Comprehensive Consumer Privacy Law -- Bill Heads to Governor

If signed by the state governor, a newly passed bill in New Jersey will add the state to the ranks of those with a comprehensive consumer privacy law. The law adopts many familiar features, including minimizing personal information collected, keeping it secure, only collecting what is reasonably connected to consumer expectations for processing, providing explicit consumer notices about data practices, a controller/processor model for allocating risks and responsibilities, consumer rights to access and exercise choices about their data, ban on sale of data, opt-out of targeted advertising, and opt-in for use of sensitive data.  As in other states, the Attorney General will have enforcement power (no direct lawsuits by consumers are permitted) and must enact implementing rules to articulate clearly how covered companies must comply. Notably, the law expressly adopts a condition requiring compliance with the federal children's privacy law (COPPA).  

Why It Matters

If enacted, the New Jersey bill will take effect in one year, likely to be early 2025. That will bring the US to the point that more than a quarter of the states will have similar comprehensive privacy laws on their books. The longer the states have to pass these laws, the more focused they become on advertising opt-out and on the nature and permitted uses of “sensitive data.” Simultaneously, more and more tools are becoming available to help consumers exercise their rights automatically and easily.  This portends a change in how consumers can be tracked and marketed to online, coming quickly over the next couple of years.  

Subscribe to Taylor English Insights by topic here.