Skip to main content

New Jersey Data Privacy Act

The New Jersey Data Privacy Act grants residents access, correction, deletion, and opt-out rights, requires consent for broadly defined sensitive data, and adds protections for teens aged 13 to 17. It is enforced by the New Jersey Division of Consumer Affairs.

Jurisdiction
New Jersey

New Jersey Data Privacy Act

The New Jersey Data Privacy Act (NJDPA), enacted as Senate Bill 332, is New Jersey's comprehensive consumer privacy statute. It took effect on January 15, 2025. The NJDPA blends elements of the Connecticut and Colorado models and adds notable protections for minors and a broad definition of sensitive data.

Who It Applies To

The NJDPA applies to controllers that conduct business in New Jersey or produce products or services targeted to New Jersey residents and that, during a calendar year, control or process the personal data of either 100,000 or more consumers (excluding data processed solely to complete a payment), or 25,000 or more consumers while deriving revenue or receiving a discount from the sale of personal data. There is no revenue percentage threshold for the second tier, broadening coverage. The law exempts HIPAA and Gramm-Leach-Bliley data.

Key Requirements

Controllers must provide a privacy notice, minimize data collection, and maintain reasonable security. Consumers may confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and significant profiling. Sensitive data, broadly defined to include financial account information, requires opt-in consent. Controllers must obtain consent before processing the data of consumers known to be between 13 and 17 for targeted advertising, sale, or profiling. Universal opt-out mechanisms must be honored, a requirement effective from mid-2025. Data protection assessments are required for high-risk processing.

Penalties for Non-Compliance

The New Jersey Division of Consumer Affairs, within the Office of the Attorney General, enforces the law; there is no private right of action. Violations are treated as unlawful practices under the Consumer Fraud Act. A cure period of up to 30 days was available for the first 18 months after the effective date.

How to Comply

Review whether the broad thresholds capture your business. Publish a clear privacy notice and build consumer-request handling within 45 days. Implement opt-in consent for sensitive data, including financial account data, and special consent flows for teens. Recognize universal opt-out signals and conduct documented data protection assessments. Update vendor and processor contracts.

Relationship to Other Laws

New Jersey's threshold structure is broader than most peers because its second tier has no revenue-percentage floor: deriving any revenue or even a discount from selling data can trigger coverage at 25,000 consumers. Its inclusion of financial account information within sensitive data, requiring opt-in consent, is stricter than many states. Teen protections for ages 13 to 17 echo emerging design-code trends. Organizations should treat New Jersey as one of the more demanding states when building consent and age-handling flows.

Operational Mechanics

Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.