Skip to main content
Affordable Employee Training Exclusively for NJBIA Members LEARN MORE

NJBIA said Wednesday that while it supports data privacy protections for consumers, a new law impacting how businesses market to current and future customers goes too far and makes New Jersey a national outlier with a law that is inconsistent with data privacy laws in other states. 

NJBIA Deputy Chief Government Affairs Officer Ray Cantor called for “cleanup” legislation to fix the defects in the new law, which passed on the last day of the lame duck legislative session (Jan. 8) and was signed by Gov. Phil Murphy on Tuesday night.  

“While we support comprehensive data privacy legislation, the Legislature did a great disservice to New Jersey’s IT and innovation sectors with changes to this bill that unfortunately makes New Jersey a national outlier in how it treats data privacy,” Cantor said in a statement. 

“One late change removes language previously negotiated over years, reintroducing the threat of litigation for private rights of action, as the Governor acknowledged in his signing statement,” Cantor added.  “We have been warning about this change, which will indeed encourage the filing of class action lawsuits for violations of this very technical law.” 

Cantor said other requirements in the law are inconsistent with data privacy laws in other states and will create conflicting obligations for businesses and consumers. The New Jersey law also gives its state attorney general broad rulemaking authority. 

“New Jersey had a chance with this legislation to move toward interoperability between states, ensuring that businesses can apply the same rules across all states,” Cantor said. “Unfortunately, the Legislature wasted that opportunity and added more burdens to New Jersey businesses.” 

“We call for the Legislature to work on a cleanup bill to allow this new law to work better, protect consumers and not stand in the way of New Jersey becoming the innovation state it supposedly aims to be,” Cantor said. 

The law (S-332/A-1971) takes effect in one year. It requires certain businesses, called “controllers” by the legislation, to notify consumers of the collection, disclosure, and sale of their personal information and to provide consumers with an ability to opt-out of that collection or disclosure.