Following in the footsteps of thirteen (13) other states, New Jersey and New Hampshire appear to be the next two jurisdictions that will enact state privacy laws. As readers of this blog know, there are at least eight other states also considering similar legislation.
New Jersey Privacy Law
On January 8, 2024, the New Jersey Legislature passed the New Jersey Privacy Act (“NJDPA”). All that is left for the NJDPA to become law is for Governor Murphy to sign the measure. Please note that the New Jersey Privacy Law will be effective 365 days from the date of enactment.
The major difference between the NJDPA and majority of other state privacy laws, is the fact that there is no gross revenue percentage threshold for applicability. This means that more businesses will meet the definition of “controller” and be subject to the NJDPA.
The NJDPA does, however, contain many similarities to the majority of other state privacy laws. For example:
- The NJDPA applies to businesses that control or process the personal data of: (1) 100,000 or more persons in New Jersey; or (2) at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
- The NJDPA does not contain a private right of action and may only be enforced by the Division of Consumer Affairs.
- The NJDPA requires that consumers be provided with an option to opt-out of the sale/sharing of their personal data.
New Hampshire Privacy Law
On January 4, 2024, the New Hampshire House of Representatives passed SB 255 (the “Bill”), following amendments. The Bill is now making its way through the Senate, where it is expected to pass. In the event that the Bill is approved by the Senate, it will go to the Governor for signature and become effective on January 1, 2025.
SB 255 applies to “persons that conduct business in New Hampshire or that produce products or services that are targeted to residents of the state that during a one year period: (a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data or processed solely for the purpose of completing a payment transaction; or (b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.”
Similar to other states, SB 255 does not contain a private right of action and may only be enforced by the Attorney General. Additionally, SB 255 contains broad exemptions for certain types of entities, including: nonprofit organizations, institutions of higher education, and financial institutions.
Future of Privacy Law
New Jersey and New Hampshire will not be the last two states to enact privacy laws. As there is no uniformity among states, each new privacy law that is passed on the state level creates more confusion. While the enactment of a federal statute would be beneficial to businesses trying to navigate the patchwork of state regulations, it does not appear that one is forthcoming in the near future.
This blog discusses only a few of the many provisions contained in the New Jersey and New Hampshire privacy laws. As such, it is critical that businesses hire experienced counsel to ensure that they are up to date on the latest state privacy law developments.
If you need assistance with consumer data privacy law compliance, please email us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Related Blog Posts: