New Jersey enacts comprehensive privacy law

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

New Jersey Enacts Comprehensive Privacy Law

New Jersey S332 passed both houses of the state’s legislature and was signed by the governor, making New Jersey the thirteenth state to pass a comprehensive privacy law.

The law will go into effect January 16, 2025. 

TAKEAWAY

The New Jersey law mostly borrows and combines elements from several existing state privacy laws, but it may uniquely impact certain sectors.

For example, the definition of “sensitive data” (which requires prior consent) includes certain financial information (although entities and data regulated by the Gramm-Leach-Bliley Act are exempt).

Additionally, although data regulated by HIPAA is exempt, entities regulated by HIPAA are not exempt, meaning that they must comply with respect to any non-HIPAA regulated data.

There is also no exemption for nonprofit organizations. 

Read more:

Guide to US State Privacy Laws

Comparing U.S. state privacy laws: Sensitive Data

Hearst VPPA Class Action Overcomes Motion to Dismiss

A Massachusetts District Court judge held (case 1:23-cv-10998-RGS) that a class action against Hearst Television adequately pled violations of the Video Privacy Protection Act based on allegations that Hearst disclosed identifiable video viewing records with third parties through integration with Braze and Doubleclick APIs on Hearst’s local news apps.

TAKEAWAY

Notably, the district judge held that the plaintiff’s provision of her email address and agreement to enable geolocation services and push notifications when she downloaded the app was sufficient consideration for her to constitute a “subscriber” under the VPPA.

The judge also held that Hearst’s receipt of analytics allowing it to provide advertisements to specific users was sufficient to demonstrate that Hearst knew it was collecting data from users that identified personalized information about them, and that the application of the VPPA in this context does not violate the First Amendment. 

Read more:

Mitigating risk under the Video Privacy Protection Act (VPPA)

VPPA class actions continue, with more targeted approach

EUROPE

noyb Strikes at Meta’s Pay or Ok Model From a Different Angle

Advocacy group noyb announced a second complaint filed with the Austrian data protection authority against Meta’s new paid subscription model offered by Meta as an alternative to consenting to personalised ads on Facebook and Instragram.

This time, noyb alleges that, by requiring users to buy an annual subscription as a condition of withdrawing consent, Meta is violating the GDPR by not making it as easy to withdraw as to give consent.  

TAKEAWAY

noyb‘s previous complaint, filed in December 2023, alleged that Meta’s new subscription model violates GDPR by not obtaining consent that is “freely given”, arguing that the subscription fee of up to €251.88 / year for access to both platforms is out of proportion with Meta’s estimated €62,88 / year annual revenue per user in Europe.

Read more:

noyb alleges Meta subscription model violates GDPR

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.