Key Takeaways
- The New Jersey Data Privacy Act has been amended to include new data- and entity-level exemptions
- The amendment adds exemptions for certain types of data and entities, including those subject to HIPAA and human subjects research
- The definition of de-identified data has been expanded to include data de-identified in accordance with HIPAA
- The amendment took effect immediately, providing clarity and guidance for businesses and organizations operating in New Jersey
Introduction to the Amendment
On his last day in office, January 20, 2026, former New Jersey Governor Phil Murphy signed an amendment to the New Jersey Data Privacy Act, A5017. This amendment marks a significant update to the state’s comprehensive privacy law, aiming to provide clarity and guidance for businesses and organizations operating in New Jersey. The amendment’s immediate effect ensures that entities can adapt to the new regulations without delay. The New Jersey Data Privacy Act is a comprehensive law that regulates the collection, use, and disclosure of personal data in the state. The amendment to this law is a crucial step towards ensuring that the state’s privacy regulations are aligned with federal laws and industry best practices.
Data- and Entity-Level Exemptions
The amendment adds data- and entity-level exemptions to the New Jersey Data Privacy Act. These exemptions apply to specific types of data and entities, including information treated like protected health information collected, used, or disclosed by a covered entity or business associate subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This exemption is subject to certain criteria, ensuring that entities handling sensitive health information are held to high standards of privacy and security. Additionally, the amendment exempts human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use. This exemption recognizes the importance of human subjects research in advancing medical knowledge and improving public health.
Expansion of De-Identified Data Definition
The amendment also expands the definition of de-identified data to include data de-identified in accordance with HIPAA. Specifically, the amendment includes data de-identified in accordance with HIPAA where any recipients of the data are contractually prohibited from attempting to reidentify the data. This expansion of the definition provides clarity on what constitutes de-identified data and ensures that entities handling such data are aware of their obligations under the law. De-identified data is data that has been modified to prevent the identification of individual data subjects. This type of data is essential for research, analytics, and other purposes, and the amendment’s expansion of the definition provides a clear framework for entities working with de-identified data.
Insurance-Support Organizations and National Securities Associations
The amendment also adds exemptions for insurance-support organizations as defined under New Jersey law and national securities associations registered pursuant to section 15A of the Securities Exchange Act of 1934 and applicable regulations. These exemptions recognize the unique regulatory frameworks that apply to these types of entities and ensure that they are not subject to unnecessary or duplicative regulations. Insurance-support organizations play a critical role in the insurance industry, providing essential services such as claims processing and risk assessment. National securities associations, on the other hand, are responsible for regulating the securities industry and ensuring that investors are protected. By exempting these entities from certain provisions of the New Jersey Data Privacy Act, the amendment ensures that they can continue to operate efficiently and effectively.
Conclusion and Next Steps
In conclusion, the amendment to the New Jersey Data Privacy Act provides clarity and guidance for businesses and organizations operating in New Jersey. The addition of data- and entity-level exemptions and the expansion of the definition of de-identified data are significant updates to the law. Entities subject to the law should review the amendment and ensure that they are complying with the new regulations. This may involve updating policies and procedures, training employees, and ensuring that data handling practices are aligned with the amended law. By taking these steps, entities can ensure that they are protecting the privacy of individuals and maintaining compliance with the New Jersey Data Privacy Act. As the privacy landscape continues to evolve, it is essential for entities to stay informed about changes to laws and regulations and to adapt their practices accordingly.
