As New Jersey joins the growing list of US states passing comprehensive privacy legislation, businesses operating in or targeting consumers in New Jersey must pay close attention to Senate Bill 332 (SB332). One key area of compliance involves cookie consent and data tracking practices. Are you ready for consent management requirements?
Senate Bill 332 took effect January 15, 2025 and established the New Jersey Data Privacy Act. It sets comprehensive requirements for businesses collecting personal data from residents of New Jersey. The law grants consumers rights over their data and requires businesses to be more transparent and responsible in how they collect, use, and share that data.
Businesses must ensure that their websites obtain clear, informed consent before collecting personal data through cookies, especially when dealing with sensitive information or targeted advertising.
To comply with SB332, businesses should:
Conduct an audit:
Perform a full audit of data collection and sharing practices.
Update privacy policy:
Update privacy and cookie policies with New Jersey-specific disclosures.
Implement consent management:
Implement cookie consent banners and opt-out flows to automate consent capture and preference management
Data subject handling:
Establish processes for handling data subject requests.
Data security:
Ensure data security measures are in place.
Review and disclose data and cookie practices:
Disclose data handling practices, including collection, storage and sharing of cookie types, purposes, etc.
Train staff:
Educate employees to ensure internal procedures align with the new rules.
NJDPA applies to businesses that process the personal data of at least 100,000 consumers or derive 25% or more of their revenue from selling data of 25,000 or more consumers. The regulation applies to any entity conducting business in New Jersey or targeting New Jersey consumers. It applies to both for-profit and certain non-profit organizations, depending on their data practices.
New Jersey consumers are granted the following rights:
Consumers can access and confirm processing of personal data
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to port/download/transmit their information in a usable format
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Cookies that collect personal or sensitive data, including for behavioral advertising, fall under SB332. Businesses must:
Inform users about cookie use in their privacy notice.
Offer users the right to opt out of data processing for targeted advertising.
Obtain affirmative consent before processing sensitive data through cookies.
Businesses that fail to comply with SB332 face:
Enforcement by the New Jersey Division of Consumer Affairs.
A 30-day cure period to fix violations.
Civil penalties of up to 10,000 USD per violation, or 20,000 USD for subsequent violations, similar to other consumer protection laws.
Best practices to contribute to compliance with New Jersey Senate Bill 332 include:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
SB332 applies to entities that operate in New Jersey or target New Jersey residents and meet certain data processing or revenue thresholds.
Personal data includes any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information.
Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, precise geolocation, biometric/genetic data, and data concerning a known child.
The New Jersey Division of Consumer Affairs, within the Department of Law and Public Safety, is responsible for enforcing SB332.
Exemptions include entities subject to federal privacy laws like HIPAA or GLBA, nonprofit organizations in certain contexts, and employment-related data processing.
You can find the full text of the bill and ongoing updates on the New Jersey Legislature website.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
