News and Commentary Impacting Data Privacy and Cybersecurity Programs

New Jersey Data Privacy Act (NJDPA)

Does your organization offer products or services to New Jersey consumers? On January 16, New Jersey became the 13th state to pass a comprehensive consumer privacy law. The new law will take effect January 16, 2025. The NJDPA most closely resembles its 2023 predecessors in Connecticut and Virginia. We highlight key differences:

  • While other state laws cover entities controlling or processing the personal data of 100,000 or more consumers or, alternatively, 25,000 consumers while generating a certain percentage of total revenue from the sale of their data, NJ broadens the 25,000-consumer threshold to include situations where the organization derives any revenue from the sale of personal data, regardless of relationship to overall revenues;
  • NJ joins CA and CO among the states empowering an agency, in this case the Director of the Division of Consumer Affairs, to promulgate any necessary regulations, although the law sets no specific timeline to do so;
  • “Sensitive data” is broader, sweeping in consumer financial account information (e.g., payment card with PIN or password), thereby putting such data on equal footing with racial, ethnic, health, genetic, biometric information, and information collected from children;
  • “Biometric data” is broader, adding facial recognition and “behavioral patterns”, with the latter term arguably encompassing cookies, pixels, and other tracking technologies that track user “clicks” and online behavior;
  • The NJDPA sets up a potential obstacle to standardizing a global opt-out preference signal or universal opt-out mechanism (“UOOM”) (such as the Global Privacy Control or GPC). The states that mandate use of a UOOM (CA, CO, MN, and TX) generally do so as one of the methods that an individual may use to opt out of two types of processing activity: personal data sales and targeted advertising. NJ’s law adds a third category of activity, requiring a UOOM for the individual to opt out of “profiling” (in short, automated decision making for loans, employment, housing, insurance, health care, and so on). If the states vary the number and types of opt-outs that may be signaled by a UOOM, it will be harder and therefore less likely for the market to develop and adopt a universal mechanism.

(Next up: New Hampshire’s Expectation of Privacy Act passed on January 18, 2024 and awaits the governor’s signature.)

Action items before January 2025:

  • Determine whether your organization comes within the NJDPA’s broader coverage threshold.
  • Assess whether broader definitions of “sensitive data” and “biometric data” require updates to your public-facing privacy notice and internal privacy/infosec policies.
  • Monitor the development of regulations that may clarify compliance obligations.
  • Research market options for universal opt-out mechanisms.

International Data Privacy Day 2024

January 28 is International Data Privacy Day. Consider raising data protection awareness within your organization by:

  • During the days leading up to and immediately following it, add an agenda item to your team meeting or your board meeting that reviews the importance of data privacy to the business or a particular privacy law that applies to the business;
  • Quiz team members on features of the company’s privacy policy or related policies in the employee handbook;
  • E-mail employees with resources that will help them protect their own personal data, like this guide about “How to protect yourself from deepfakes”;
  • Access free Data Privacy Day materials and toolkits, including posters, quizzes, discussion topics, and other programming ideas offered by organizations like the National Cybersecurity Alliance and OneTrust.

Privacy professionals interested in predictions for national and global data privacy regulation and enforcement in 2024, and how three global companies are tackling the increasing complexities, will enjoy this one-hour LinkedIn live discussion moderated by the International Association of Privacy Professionals.

Cyber and Privacy Liability in the Boardroom: Keeping an Eye on Caremark

As state consumer privacy laws proliferate and regulator guidance matures into actual regulation with penalties, we are monitoring court decisions on board director oversight liability. Caremark claims involve allegations that directors breach their fiduciary duty of loyalty when they make no good faith effort to implement reporting systems or controls regarding mission-critical business risks; or when having implemented such systems or controls, they consciously fail to monitor or oversee system operations and ignore “red flags” indicating that the company is violating law.

To date, courts that have examined Caremark claims related to board oversight of cybersecurity have dismissed such claims, at least in part, on the lack of evidence of any known violation of “positive law”. (See, for example, cases against the SolarWinds board in 2022 and the Marriott board in 2021.) In those cases, the courts declined to equate violations of non-binding industry standards like the Payment Card Industry Data Security Standard and regulatory guidance like former SEC cybersecurity guidance with violations of law. However, as standards and guidance become law (as we have seen with last year’s adoption of the SEC cybersecurity rule), query whether the courtroom door is open to Caremark claims where the board ignores violations of privacy and data security laws.

Takeaways: Determine whether cybersecurity and data privacy present mission-critical risks to your organization. Document that determination. Prepare the board to be able to demonstrate good faith oversight. Establish and document board-level policies and systems for assessing and managing the company’s privacy and data security risks, and for reporting and responding to incidents.

For further information or guidance on these issues, please contact:

Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.575.2649
syoder@carmodylaw.com

This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.