Comprehensive consumer privacy protections have arrived in the Garden State and appear to be coming soon to the Granite State. With Governor Phil Murphy's signing of Senate Bill 332 on January 17th, New Jersey became the thirteenth state – and the first state to pass a new law in 2024 – to enact a comprehensive consumer privacy law. New Hampshire is poised to become the fourteenth, with the state legislature sending a bill to Governor Chris Sununu’s desk on January 19th. Both of the new laws in New Jersey and New Hampshire are largely consistent with data privacy legislation enacted in other states, with the notable exception of California’s significantly more stringent law. However, the New Jersey and New Hampshire laws do diverge from the majority approach in several notable ways.
New Jersey
New Jersey’s new privacy law, which goes into effect January 17, 2025, applies to businesses that operate in the state or target residents with their products or services and either
- control or process the personal data of at least 100,000 New Jersey consumers (excluding personal data processed solely for the purpose of completing a payment transaction), or
- control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount from the sale of personal data.
While part (i) of the foregoing is largely consistent with other states’ privacy laws, with regard to part (ii), it is notable that New Jersey does not place a threshold on the percentage of gross revenue earned from the sale of personal data, meaning that an entity generating even a very small amount of revenue from data sales could be subject to the law. The New Jersey law defines “sale” consistently with most other states, to mean exchanging personal information with a third party for monetary consideration.
Notably, the New Jersey law contains only a data-level exemption for health information covered by the Health Insurance Portability and Accountability Act (HIPAA), meaning that health care providers covered by HIPAA may still have compliance obligations under the new law. Additionally, unlike a number of other states’ privacy laws, the New Jersey law does not contain exemptions for non-profit organizations or educational entities regulated by the federal Family Educational Rights and Privacy Act (FERPA). It does provide for an entity-level exemption for financial institutions subject to the Gramm-Leach-Bliley Act (the GLBA).
As is the case under every other state data privacy statute with the exception of California’s, New Jersey’s privacy law does not create a private right of action. Instead, it provides the Attorney General with exclusive jurisdiction over enforcement of violations. However, for the first 18 months after the law goes into effect, companies will have a 30-day grace period to cure alleged violations.
With regard to rulemaking, New Jersey joins only two other states – California and Colorado – in authorizing rulemaking to implement the new privacy statute, including rules and technical specifications for honoring “universal opt-out mechanisms” for allowing consumers to opt out of targeted advertising and sales of their data. The rules issued by California and Colorado under those states’ privacy laws have added very significant nuance and granular compliance requirements to their respective laws, so we expect a rulemaking in New Jersey to be similarly consequential for companies seeking to understand how the law will be interpreted and enforced.
New Hampshire
New Hampshire’s pending privacy bill is also largely consistent with the majority of other states’ comprehensive privacy laws. One notable difference, however, is New Hampshire’s low applicability threshold: the law will apply to entities that control or process the personal data of only 35,000 New Hampshire residents, or 10,000 residents if the entity derives more than 25% of its gross revenue from the sale of personal data.
The exemptions provided by the New Hampshire bill appear to be slightly broader than New Jersey’s: state bodies, non-profits, and institutions of higher education are not required to comply. However, New Hampshire's bill only affords data-level exemptions to information regulated by HIPAA and FERPA, potentially making health care providers and educational institutions subject to the forthcoming law. As with New Jersey’s law, the New Hampshire bill creates an entity-level exemption for financial institutions regulated by the GLBA.
The New Hampshire Attorney General has exclusive enforcement jurisdiction, and the bill explicitly disavows the creation of a private right of action. As is the case with New Jersey’s law, the New Hampshire bill requires the Attorney General to offer companies a chance to cure alleged violations, although New Hampshire's cure period lasts only 12 months. The bill calls for the New Hampshire Secretary of State to establish means by which a consumer can exercise their rights as well as standards for required privacy notices. Apart from these narrow categories, there is no rulemaking contemplated by the bill.
If signed by the governor, New Hampshire’s law will go into effect on January 1, 2025.
Looking Forward
With active legislation in twelve states, 2024 promises to be another banner year for data privacy. While many of these laws follow the pattern favored by most states thus far, the specifics of both New Jersey and New Hampshire should serve as a reminder that, even if a statute is similar to those that preceded it, companies should pay close attention to the idiosyncrasies of each.