The New Jersey Data Protection Act took effect on January 15 2025. The law covers New Jersey’s nearly 9 million residents, making it one of the most significant state privacy laws by population covered after California.
How NJDPA Enforcement Works
The New Jersey Division of Consumer Affairs and Attorney General share enforcement authority under the NJDPA. Consumers cannot bring private lawsuits for violations.
Until July 1 2026, businesses receive a 30-day cure period when the Division identifies a potential violation that can be remedied. If the issue is not fixed within 30 days, enforcement can proceed. After July 2026, offering a cure opportunity becomes discretionary.
Penalties can reach up to $7,500 per violation. Each affected consumer can represent a separate violation, so penalties can accumulate for widespread non-compliance.
Enforcement Status
As of January 2026, the New Jersey Division of Consumer Affairs has not publicly announced enforcement actions or fines under the NJDPA. The law has been in effect for approximately one year.
The 30-day cure period means many potential violations may be resolved through notice and remediation rather than formal enforcement proceedings. This pattern is consistent with other states during initial enforcement periods.
Enforcement Expectations
Based on the NJDPA’s requirements and enforcement patterns in other states, businesses should anticipate attention in these areas:
Universal opt-out compliance. Since July 2025, businesses must honor opt-out preference signals like Global Privacy Control. This is an easily verifiable requirement that could be checked at scale.
Teenager consent. The NJDPA requires opt-in consent before processing personal data of children between 13 and 17. This is stricter than many other state laws and may be an enforcement priority as teen privacy receives increasing attention.
Sensitive data consent. Processing sensitive data without proper opt-in consent is a clear violation. Health data, precise geolocation, and biometric data are common categories where consent may be missing.
Nonprofit compliance. Unlike most state laws, New Jersey covers nonprofits that meet the thresholds. Nonprofits may be less prepared for privacy compliance.
Regulatory Developments
In June 2025, the Division of Consumer Affairs proposed rules implementing the NJDPA. These proposed rules include requirements borrowed from California and Colorado regulations that go beyond the statute itself.
Key additions in the proposed rules include new definitions and compliance obligations that may affect how businesses interpret their obligations. Businesses should monitor the final rules, as they could create additional enforcement grounds.
Penalty Structure
New Jersey’s $7,500 per-violation penalty matches the standard across most state privacy laws. However, New Jersey’s population of nearly 9 million means more consumers could be affected by any given violation, increasing potential aggregate exposure.
A violation affecting 10,000 New Jersey consumers could theoretically result in penalties up to $75 million, though actual enforcement would likely not reach such levels.
What This Means for Your Organization
New Jersey’s population size and active regulatory environment create meaningful enforcement risk. The Division of Consumer Affairs’ proposed rulemaking suggests an intent to actively enforce the NJDPA.
Businesses should:
- Implement Global Privacy Control support for the universal opt-out requirement
- Review consent mechanisms for processing teenager data (ages 13-17)
- Ensure sensitive data processing has proper opt-in consent
- Monitor the final NJDPA rules for additional requirements
- Prepare for the discretionary cure period after July 2026
Proactive compliance is advisable given the combination of a large covered population and an active regulatory approach to rulemaking.
