Overview
The New Jersey Data Privacy Act (NJDPA) is a comprehensive consumer privacy law that enhances data protection rights for New Jersey residents while imposing strict compliance requirements on businesses. Signed into law on January 16, 2024, the NJDPA takes effect on January 15, 2025.
New Jersey’s privacy law closely resembles Colorado’s CPA and Connecticut’s CTDPA, while introducing unique provisions, such as expanded data protections and stronger enforcement penalties.
Who Must Comply?
The NJDPA applies to businesses that operate in New Jersey or target New Jersey residents and meet one of the following criteria:
✔ Process personal data of at least 100,000 New Jersey consumers annually
✔ Process personal data of at least 25,000 New Jersey consumers and derive revenue or receive a discount from selling personal data
Exemptions:
The law does not apply to:
🚫 Government agencies
🚫 Nonprofits
🚫 Financial institutions subject to GLBA
🚫 HIPAA-covered entities
🚫 Higher education institutions
📌 No Revenue Percentage Requirement – Unlike other state privacy laws, NJDPA does not specify a percentage of revenue derived from data sales.
Key Consumer Rights Under NJDPA
✔ Right to Access – Consumers can request a copy of their personal data.
✔ Right to Correct – Consumers can request corrections to inaccurate personal data.
✔ Right to Delete – Consumers can request the deletion of personal data.
✔ Right to Data Portability – Consumers can receive their data in a portable format.
✔ Right to Opt-Out – Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
📌 Universal Opt-Out Mechanism Required (2025) – Businesses must recognize Global Privacy Control (GPC) signals starting on July 15, 2025.
Business Compliance Requirements
✔ Opt-In Consent for Sensitive Data – Businesses must obtain explicit consumer consent before processing:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Biometric data
📌 Health conditions
📌 Children’s data
✔ Clear Privacy Policy & Transparency – Companies must provide detailed privacy notices explaining how data is collected, used, and stored.
✔ Data Protection & Security – Businesses must implement reasonable security safeguards to protect consumer data.
✔ Data Protection Assessments (DPA) – Businesses must conduct risk assessments for:
📌 Targeted advertising
📌 Data sales
📌 AI-driven decision-making
Real-World Enforcement Cases
The New Jersey Attorney General enforces the NJDPA, with penalties of up to $10,000 per violation.
📌 No Cure Period for Violations – Unlike other state privacy laws that allow businesses to fix violations before penalties, New Jersey immediately imposes fines for non-compliance.
Since NJDPA does not take effect until January 15, 2025, major enforcement cases have not yet occurred, but businesses failing to implement opt-out mechanisms or lacking proper security protections are likely to face early enforcement actions.
📌 Comparison with Other State Privacy Laws
The New Jersey NJDPA is one of the strongest privacy laws in the U.S. due to:
✅ No Cure Period – Businesses face immediate fines for violations.
✅ Universal Opt-Out Required (2025) – Businesses must honor automated privacy requests.
✅ Expanded Data Protection Rules – Includes biometric and AI profiling protections.
Future of NJDPA Regulation
📌 Stronger enforcement expected in 2025, particularly for AI-driven profiling.
📌 Potential expansion of consumer rights in future amendments.
📌 Possible alignment with federal privacy laws if enacted.
New Jersey’s NJDPA sets a high standard for consumer privacy, with strict enforcement, universal opt-out requirements, and broad applicability.
