Current through L. 2024, c. 87.
Section 56:8-166.7 - [Effective 1/15/2025] Personal data; controller, verified request, consumer, response period

a. A controller that receives a verified request from a consumer shall provide a response to the consumer within 45 days of the controller's receipt of the request. The controller may extend the response period by 45 additional days where reasonably necessary, considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of any such extension within the initial 45-day response period and the reason for the extension and shall provide the information for all disclosures of personal data that occurred in the prior 12 months.

b. This section shall not apply to personal data collected prior to the effective date of P.L. 2023, c. 266 (C.56:8-166.4 et seq.) unless the controller continues to process such information thereafter.

c. If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

d. Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any twelve-month period. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

e. If a controller is unable to authenticate a request to exercise any of the rights afforded under section 5 of P.L. 2023, c. 266 (C.56:8-166.8) using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise such right or rights until such consumer provides additional information reasonably necessary to authenticate such consumer and such consumer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request.

f. A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 45 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.

Added by L. 2023, c. 266, s. 4, eff. 1/15/2025.