New Jersey enacted its Data Protection Act in January 2024, with the law taking effect on January 15 2025. As the most populous state after California to pass consumer privacy legislation, the NJDPA has significant reach across businesses operating in the northeastern United States.
What Is the NJDPA?
The New Jersey Data Protection Act (NJDPA) grants New Jersey residents rights over their personal data and establishes obligations for businesses that collect and process that data. The law is enforced by the New Jersey Division of Consumer Affairs and the Attorney General.
Like Delaware and Oregon, the NJDPA applies to nonprofit organizations and institutions of higher education, expanding its coverage beyond typical for-profit businesses.
Does It Apply to Your Business?
The NJDPA applies to controllers that conduct business in New Jersey or produce products or services targeted to New Jersey residents. To be covered, a business must also meet at least one of two thresholds during a calendar year:
Threshold 1: Control or process the personal data of at least 100,000 New Jersey consumers. Personal data processed solely to complete payment transactions is excluded.
Threshold 2: Control or process the personal data of at least 25,000 New Jersey consumers AND derive revenue or receive a discount on goods or services from selling personal data.
The law does not include a revenue threshold, so small businesses meeting the data volume thresholds are covered regardless of their revenue.
Nonprofits and Higher Education
The NJDPA applies to nonprofit organizations and institutions of higher education that meet the applicability thresholds. Small businesses are also covered if they meet the thresholds or act as data processors.
Key Consumer Rights
New Jersey residents have the following rights:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for decisions with legal or significant effects
Business Obligations
Covered entities must:
- Limit data collection to what is adequate, relevant, and reasonably necessary
- Implement reasonable data security measures
- Obtain opt-in consent before processing sensitive data
- Provide mechanisms for consumers to revoke consent
- Obtain opt-in consent for processing data of children between 13 and 17
- Provide clear privacy notices
- Maintain agreements with data processors
- Conduct data protection assessments for high-risk processing
- Honor universal opt-out mechanisms (from July 2025)
The requirement for opt-in consent from teenagers aged 13-17 is stricter than many other state laws.
Sensitive Data
The NJDPA requires consent before processing sensitive data, which includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data
- Personal data of known children
- Precise geolocation data
Enforcement and Penalties
The New Jersey Division of Consumer Affairs and Attorney General share enforcement authority.
Until July 1 2026, if the Division identifies a potential violation that can be remedied, it will send a notice giving the controller 30 days to fix the problem. If the issue is not resolved within 30 days, the Division can proceed with enforcement. After July 2026, this cure opportunity becomes discretionary.
Penalties can reach up to $7,500 per violation. Each affected consumer can count as a separate violation.
Recent Developments
In June 2025, the New Jersey Division of Consumer Affairs announced proposed rules to implement the NJDPA. These rules include new definitions and compliance obligations borrowed from California and Colorado regulations. The final rules may add requirements beyond what appears in the statute itself.
Key Dates
- 16th January 2024: NJDPA signed into law
- January 15 2025: NJDPA took effect
- 15th July 2025: Universal opt-out mechanism requirement took effect
- July 1 2026: 30-day cure period becomes discretionary
Where to Find Official Resources
- NJ Division of Consumer Affairs FAQ: njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx
- Full legal text: New Jersey Statutes, Title 56
Getting Started
New Jersey’s population size means the 100,000-consumer threshold can be met by businesses with moderate web traffic. The lack of a revenue threshold means even smaller businesses are covered if they meet data volume requirements.
Implement Global Privacy Control support to comply with the universal opt-out requirement. Review your consent mechanisms for sensitive data and teenager data processing. Monitor the proposed NJDPA rules, as final regulations may introduce additional requirements.
