Two New States Enter the Privacy Fray

Building off of the momentum from last year's torrent of new comprehensive state privacy laws, 2024 has begun with a bang as two more states have now entered the picture. On January 16, 2024, New Jersey became the latest state to enact comprehensive privacy legislation with the New Jersey Data Privacy Act (NJDPA). 

New Hampshire's state legislature quickly followed suit by passing Senate Bill 255 and it is currently awaiting finalization before becoming law.

Similar to other omnibus state privacy laws, the New Jersey law and New Hampshire bill establish what have now become typical consumer privacy rights, including the rights of notice, access, deletion, correction, nondiscrimination, and opt-out rights for the sale of personal data, targeted advertising, and profiling. Both states require controllers to implement certain minimum data security practices, conduct and document data protection assessments before processing data that presents a heightened risk of harm to a consumer, and provide consumers a clear and meaningful privacy notice.

Critically, the NJDPA and the New Hampshire privacy bill, if enacted, will take effect in January 2025. The NJDPA also grants broad rulemaking authority to its Division of Consumer Affairs, and New Hampshire is set to grant the secretary of state limited rulemaking authority regarding privacy notice standards, so we may see regulators adopt additional obligations under both laws. Neither framework gives consumers a private right of action and both are exclusively enforced by the respective state's attorney general.

Below, we highlight some key aspects of the frameworks.

Teen Data Privacy Protections

The NJDPA and the New Hampshire bill echo a growing trend among states to increase data protections for teens. Specifically, they prohibit controllers from processing the personal data of teens (ages 13 to 17 in New Jersey and 13 to 16 in New Hampshire) for purposes of targeted advertising, profiling, or selling such personal data without consent.

Universal Opt-Out Mechanisms

New Jersey and New Hampshire join the handful of other states that require controllers to process Universal Opt-Out Mechanisms (UOOMs). Like Colorado, New Jersey provides for rulemaking authority for the Division of Consumer Affairs in the Department of Law and Public Safety to adopt rules and regulations that detail the technical specifications for UOOMs. Thus, we may see additional UOOMs required in New Jersey.

Timing and the Road Ahead

The NJDPA becomes effective on January 16, 2025, and grants a 30-day cure period until July 1, 2027. By July 16, 2025, controllers must allow consumers to exercise their opt-out rights using UOOMs.

If enacted, the New Hampshire bill will become effective on January 1, 2025, at which point controllers must allow consumers to exercise their right to opt out of the sale or processing of personal data for targeted advertising with the use of opt-out preference signals. The New Hampshire bill grants a 60-day cure period until December 31, 2025.

                                                       * * * * *

While it is not expected that the New Jersey law or New Hampshire bill will significantly increase or complicate the compliance burden for companies that are already addressing their obligations under other state privacy laws, companies should review their privacy practices—especially as it relates to processing teen data and the ability to process UOOMs—to ensure they meet specific state privacy law requirements as they come into effect.