February 27, 2024

Last Updated on February 27, 2024

Signed into law on January 16, 2024, the New Jersey Data Privacy Law (NJDPL) makes New Jersey the thirteenth US state to adopt comprehensive data privacy legislation—with more to come in 2024. The new law aims to help consumers exercise control over their personal data and give them a choice to share it or not.

When the NJDPL takes effect in January 2025, many companies doing business in New Jersey will be required to notify consumers when they collect or disclose personal data, along with the ability to opt-out.

This post overviews the key points of the new law and suggests best practices to address multiple overlapping privacy guidelines.

 

Does the New Jersey Data Privacy Law apply to my business?

The NJDPL imposes a wide range of duties on for-profit and nonprofit entities that collect and use New Jersey residents’ personal data. It specifically applies to “controllers” that annually process the personal data of 100,000 or more New Jersey consumers.

The law will also apply to organizations that meet the “sales threshold” by:

  • Controlling or processing the personal data of 25,000 or more New Jersey consumers, and
  • Deriving revenue or receiving discounts by selling that personal data.

Notably, the law excludes data processed only to complete a payment transaction. It also creates exemptions for data covered by HIPAA, HITECH, GLBA, and the Fair Credit Reporting Act. Stock markets, certain insurance businesses, and the state’s Motor Vehicle Commission are exempted.

It is important to note that the NJCDPA does not contain a minimum annual revenue threshold, meaning that relatively small businesses might be subject to its provisions.

 

What rights does the New Jersey Data Privacy Law grant consumers?

The NJDPL confers consumer privacy rights similar to other US states’ data privacy laws. These include:

  • The right to confirm whether a controller handles their personal data
  • The right to have their personal data deleted
  • The right to correct inaccuracies in their personal data
  • The right to obtain from a controller a usable copy of their personal
  • The right to opt out of processing their personal data for sale, targeted advertising, and/or profiling
  • The right to appoint an authorized agent to exercise their opt-out rights

The law gives controllers 45 days to respond to consumers’ privacy rights requests, with a “reasonably necessary” extension upon notifying the consumer within the 45 days. Controllers also need to set up a “conspicuously available” process for consumers to appeal if their privacy rights request is denied.

In addition, the NJDPL empowers consumers to specify their privacy preferences automatically using an online Universal Opt-Out Mechanism (UOOM) operating at the browser level.

 

How can my company reduce its privacy compliance burden?

For some businesses, the NJDPL may be their first privacy mandate. For others, it is one more on a growing list of intersecting yet dissimilar US and possibly international privacy laws they need to comply with.

How do you reduce the complexity of managing compliance with multiple, overlapping privacy regulations like the EU’s GDPR, California’s CPRA, Virginia’s VCDPA, and the NJDPL?

At the same time, how can you demonstrate to customers, regulators, investors, and other stakeholders that you have a robust privacy program and can protect personal data?

ISO/IEC 27701:2019 “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” is an increasingly popular international standard that allows organizations to extend their existing ISO 27001 Information Security Management System (ISMS) certification to include a Privacy Information Management System (PIMS). It doesn’t just add or modify ISO 27001 controls but also changes the management system construct.

By enabling you to add privacy controls to your ISMS, ISO 27701 allows you to address information security and privacy risks with a unified management system. Support for privacy governance makes ISO 27701 unique among current privacy frameworks.

ISO 27701 is also the first certifiable extension to ISO 27001. Having an internationally recognized, independently attested privacy certification to show stakeholders can be a huge win.

 

What are the primary benefits of leveraging ISO 27701?

For organizations already ISO 27001 certified or considering ISO 27001 certification, ISO 27701 provides a trusted, comprehensive, and flexible third-party attestation regarding your privacy compliance posture.

The four most significant advantages of ISO 27001 are:

  1. ISO 27701 is globally recognized.
    While many privacy compliance frameworks are jurisdiction-specific, ISO 27701 certification demonstrates that your company’s privacy program meets many core privacy principles common to all comprehensive privacy legislation worldwide, such as GDPR.
  2. ISO 27701 is exacting and thorough.
    Like ISO 27001, ISO 27701 is exceptionally rigorous. Compliance underscores that you have robust privacy controls in place and operational that can meet a wide range of jurisdictional requirements. For example, many experts view the ISO 27701 controls as more rigorous and detailed than the SOC 2 Trust Service Criteria for Privacy, despite being less expensive to maintain.
  3. It provides third-party attestation.
    An attestation by an independently accredited auditor of compliance with a globally recognized standard is the most respected and trusted form of attestation for all stakeholders.
  4. It can accommodate jurisdictional specifics.
    Being an international standard, ISO 27701 was designed to enable businesses to maintain and demonstrate compliance with numerous jurisdiction-specific privacy requirements. While flexible enough to operate in all geographies, it also allows you to build a rock-solid foundation to address the core principles common across privacy laws.

 

Should we pursue ISO 27701 and ISO 27001 concurrently?

Because ISO 27701 is an extension to ISO 27001, you need to be ISO 27001 certified before you can be ISO 27701 certified. However, the unique relationship between the two standards allows you to be certified for both in a single audit.

If your organization is considering, pursuing, or maintaining ISO 27001 certification, and you also need to meet privacy requirements, it often makes strategic and financial sense to implement both control sets together. You can do that straightforwardly by planning your ISO 27001 implementation scope to include the ISO 27701 requirements.

There will be substantial technical, documentation, and process overlap between the two management systems, so implementing them together saves time, effort, and money. Plus, by accelerating privacy compliance, you can reduce your overall risk exposure, jumpstart your competitive advantage, and bring extra peace of mind to stakeholders.

 

What’s next?

As the NJDPL illustrates, privacy risk and compliance requirements will only increase. Companies that put off initiating their privacy programs could rapidly lose ground.

CBIZ Pivot Point Security offers proven ISO 27701 and ISO 27001 consulting services—including our ISO 27701-as-a-service offering—to help our clients strategize, build, and certify a robust and effective “Information Security & Privacy Management System (ISPMS). There is no better way to prove to key stakeholders that you have a robust privacy program.

Contact us to speak with an expert about your privacy drivers and goals