New Jersey and New Hampshire are the latest states to pass comprehensive privacy legislation, joining CaliforniaVirginiaColoradoConnecticutUtahIowaIndiana, Tennessee, Montana, OregonTexasFlorida, and Delaware.  Below is a summary of key takeaways. 

New Jersey

On January 8, 2024, the New Jersey state senate passed S.B. 332 (“the Act”), which was signed into law on January 16, 2024.  The Act, which takes effect 365 days after enactment, resembles the comprehensive privacy statutes in Connecticut, Colorado, Montana, and Oregon, though there are some notable distinctions. 

  • Scope and Applicability:  The Act will apply to controllers that conduct business or produce products or services in New Jersey, and, during a calendar year, control or process either (1) the personal data of at least 100,000 consumers, excluding personal data processed for the sole purpose of completing a transaction; or (2) the personal data of at least 25,000 consumers where the business derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. The Act omits several exemptions present in other state comprehensive privacy laws, including exemptions for nonprofit organizations and information covered by the Family Educational Rights and Privacy Act.
  • Consumer Rights:  Consumers will have the rights of access, deletion, portability, and correction under the Act.  Moreover, the Act will provide consumers with the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.  The Act will require controllers to develop a universal opt out mechanism by which consumers can exercise these opt out rights within six months of the Act’s effective date.
  • Sensitive Data:  The Act will require consent prior to the collection of sensitive data. “Sensitive data” is defined to include, among other things, racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship or immigration status, status as transgender or non-binary, and genetic or biometric data.  Notably, the Act is the first comprehensive privacy statute other than the California Consumer Privacy Act to include financial information in its definition of sensitive data.  The Act defines financial information as an “account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”
  • Opt-In Consent for Certain Processing of Personal Data Concerning Teens:  Unless a controller obtains a consumer’s consent, the Act will prohibit the controller from processing personal data for targeted adverting, sale, or profiling where the controller has actual knowledge, or willfully disregards, that the consumer is between the ages of 13 and 16 years old.
  • Enforcement and Rulemaking:  The Act grants the New Jersey Attorney General enforcement authority.  The Act also provides controllers with a 30-day right to cure for certain violations, which will sunset eighteen months after the Act’s effective date.  Like the comprehensive privacy laws in California and Colorado, the Act authorizes rulemaking under the state Administrative Procedure Act.  Specifically, the Act requires the Director of the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate rules and regulations pursuant to the Administrative Procedure Act that are necessary to effectuate the Act’s provisions.  

New Hampshire

On January 18, the New Hampshire legislature passed SB255 (“the Act”).  The Act, which will take effect on January 1, 2025, resembles similar statutes in Connecticut and other states with a few distinctions.

  • Scope and Applicability:  The Act applies to controllers that conduct business in New Hampshire or to businesses who produce products or services that target New Hampshire residents and, in the course of a year, control or process either (1) the personal data of at least 35,000 unique consumers, excluding personal data controlled or processed solely to complete a payment transaction, or (2) the personal data of at least 100,000 unique consumers and derive more than 25 percent of their gross revenue from the sale of personal data.  The Act includes many exemptions present in other state comprehensive privacy laws, including exemptions for nonprofits, government entities, financial institutions, and protected health information under HIPAA, among others.
  • Consumer Rights:  The Act provides consumers with various rights found in many other state comprehensive privacy laws.  These rights include access, correction, deletion, portability, and opt-outs from targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions.  However, the access, correction, deletion, and portability rights do not extend to pseudonymized data, so long as certain reidentification, storage, and access standards are met.
  • Sensitive Data: Like other state comprehensive privacy laws, the Act requires a business to obtain a consumer’s opt-in consent prior to processing sensitive data.  Sensitive data is defined to include, among other things, racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.
  • Implementation and Enforcement:  The Act empowers the New Hampshire Secretary of State to develop minimum standards for privacy notices and establish secure and reliable means for consumers to exercise their rights under the statue.  The New Hampshire Attorney General will have authority to enforce the Act.  The Act also grants the Attorney General the authority to require controllers to disclose data protection assessments relevant to investigations conducted by the Attorney General.  The Act provides a sixty-day cure period for violations that sunsets a year after the law goes into effect.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Photo of Hensey A. Fenton III Hensey A. Fenton III

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development…

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development, and tax.

Another facet of Hensey’s practice involves cutting-edge legal issues in the cybersecurity space. Having published scholarly work in the areas of cybersecurity and cyberwarfare, Hensey keeps his finger on the pulse of this fast-developing legal field. His Duke Journal of Comparative & International Law article, “Proportionality and its Applicability in the Realm of Cyber Attacks,” was highlighted by the Rutgers Computer and Technology Law Journal as one of the most important and timely articles on cyber, technology and the law. Hensey counsels clients on preparing for and responding to cyber-based attacks. He regularly engages with government and military leaders to develop national and global strategies for complex cyber issues and policy challenges.

Hensey’s practice also includes advising international clients on various policy, legal and regulatory challenges, especially those challenges facing developing nations in the Middle East. Armed with a distinct expertise in Middle Eastern foreign policy and the Arabic language, Hensey brings a multi-faceted approach to his practice, recognizing the specific policy and regulatory concerns facing clients in the region.

Hensey is also at the forefront of important issues involving Diversity, Equity and Inclusion (DEI). He assists companies in developing inclusive and sustainable DEI strategies that align with and incorporate core company values and business goals.

Prior to joining Covington, Hensey served as a Judicial Law Clerk for the Honorable Judge Johnnie B. Rawlinson, United States Court of Appeals for the Ninth Circuit. He also served as a Diplomatic Fellow in the Kurdistan Regional Government’s Representation (i.e. Embassy) in Washington, DC.

Photo of Jemie Fofanah Jemie Fofanah

Jemie Fofanah is an associate in the firm’s Washington, DC office. She is a member of the Privacy and Cybersecurity Practice Group and the Technology and Communication Regulatory Practice Group. She also maintains an active pro bono practice with a focus on criminal…

Jemie Fofanah is an associate in the firm’s Washington, DC office. She is a member of the Privacy and Cybersecurity Practice Group and the Technology and Communication Regulatory Practice Group. She also maintains an active pro bono practice with a focus on criminal defense and family law.

Photo of Jorge Ortiz Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to…

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.

Photo of John Bowers John Bowers

John Bowers is an associate in the firm’s Washington, DC office. He is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

John advises clients on a wide range of privacy and communications issues…

John Bowers is an associate in the firm’s Washington, DC office. He is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

John advises clients on a wide range of privacy and communications issues, including compliance with telecommunications regulations and U.S. state and federal privacy laws.

Photo of Conor Kane Conor Kane

Conor Kane advises clients on a broad range of privacy, artificial intelligence, telecommunications, and emerging technology matters. He assists clients with complying with state privacy laws, developing AI governance structures, and engaging with the Federal Communications Commission.

Before joining Covington, Conor worked in…

Conor Kane advises clients on a broad range of privacy, artificial intelligence, telecommunications, and emerging technology matters. He assists clients with complying with state privacy laws, developing AI governance structures, and engaging with the Federal Communications Commission.

Before joining Covington, Conor worked in digital advertising helping teams develop large consumer data collection and analytics platforms. He uses this experience to advise clients on matters related to digital advertising and advertising technology.