By Hao Nguyen
Chief Legal Officer
Consumer privacy continues to be a hot topic in 2024. Earlier this year, privacy laws were signed in New Jersey and New Hampshire* that will make the states become the 13th and 14th states to pass their own comprehensive privacy laws and their respective effective dates will be January 8 and January 1, 2025. These laws track those of various other states by providing consumers more rights and control over their personal information and requiring businesses to provide mechanisms to fulfill those rights and place specific disclosures to notify consumers of the categories of information that they collect (among other things). Let’s briefly discuss some of the requirements.
Business Requirements:
Privacy Notices:
Businesses need to provide a separate online privacy notice (usually a separate section on the business’s privacy policy) to notify consumers of the categories of personally identifiable information (PII) it collects on the website, the categories of third parties the to which the business may disclose the PII, whether it collects PII about a consumer’s online activity over time and across different websites, a description of the process for a consumer to review and request changes of their collected PII.
Fulfilling Consumer Requests:
The business must provide one or more methods for the consumer to submit requests including a toll-free phone number, email address, or both. Additionally, the business must post a link on its website for the consumer to opt-out of the sale of their PII.
Universal Opt-Out Mechanism (Global Privacy Control):
The business is required to allow consumers to exercise the right to opt-out of processing their PII through a user-selected universal opt-out mechanism. This requirement will become effective in New Jersey six months after the effective date of the New Jersey law, while it will become operable immediately on the date of the New Hampshire law’s effective date.
Consent to Process Sensitive Data:
New Jersey views a consumer’s financial information – account number, account log-in, financial information, or credit or debit card numbers – as “sensitive data” and requires businesses to obtain consent from consumers before processing sensitive data.
New Hampshire and New Jersey view precise geolocation data as “sensitive data” and require businesses to obtain consent from consumers before processing sensitive data.
Data Processing Agreements from Processors:
The business must have a contract with each processor that describes processing instructions, identifies the types of personal data that is subject to processing, and provides for various requirements between the business and processor, such as deleting PII upon request, an annual assessment of the processor’s technical data protection practices, and review of the processor’s policies in carrying out its duties.
Consumer Rights:
The various types of consumer requests a New Jersey or New Hampshire resident has at their disposal are similar to those of other states. These request types are:
- Categories Request.The consumer can ask the business to reveal the categories of PII that were disclosed about them and categories of third parties who received the PII.
- Opt-Out Request. The consumer can opt-out of the processing of their PII for purposes targeted advertising, sale, or profiling.
- Deletion Request. The consumer can ask the business to delete their data.
- Data Portability Request. The consumer can ask the business to deliver their personal data held by the business to them in a portable and readily accessible format.
- Correct Inaccuracies Request. The consumer can ask the business to correct inaccuracies in their PII.
No Private Right of Action:
The state attorneys general retains the authority to pursue enforcement activity.
It comes as no surprise that consumer privacy is becoming increasingly important as we move further into 2024. As the effective dates for these privacy laws come closer, ComplyAuto will provide a more comprehensive publication for each state.
Questions?
For more information on these privacy laws or any of our other suite of tools, please visit us at www.complyauto.com or send us an email at info@complyauto.com.
*The bill in New Hampshire has passed, but has not been signed as of the publication date.