On Jan. 16, 2024, New Jersey Gov. Phil Murphy signed into law the first comprehensive state privacy law of 2024 (SB 332). As states wait for federal privacy legislation to materialize, New Jersey’s legislation becomes the 13th comprehensive state privacy law in the U.S. (in addition to certain other sector- or data-specific legislation at the state level). Given the law’s applicability thresholds, organizations can expect to fall subject to the New Jersey law more easily than other state privacy laws. The law will take effect Jan. 15, 2025, just one year from the governor’s signature on the bill.

Until now, state privacy legislation outside of the California Consumer Privacy Act (CCPA) has largely followed the model presented in the Virginia Consumer Data Protection Act (the Virginia model). Each state has included its own variations in obligations and scope—causing businesses and industry bodies alike to continually reevaluate their current practices and best practices for, in many instances, unresolved requirements. Although it includes many of the same requirements concerning privacy notices, consumer rights, and data protection assessments as other state laws following the Virginia model, the New Jersey law contains notable differences in several areas that may present challenges to organizations as they continue to adapt their privacy compliance strategies at the state level.

Applicability