New Jersey Data Privacy Act: First Look & Summary

On January 16th, 2024, the New Jersey governor signed Senate Bill 332, the New Jersey Data Privacy Act (NJDPA) into law, which outlines privacy protections and rights for state residents.

New Jersey was the first U.S. state to pass a consumer data privacy law in 2024.

In this guide, I’ll explain what the NJDPA entails, how it impacts businesses and consumers, and what steps you must take to prepare for compliance.

Table of Contents

What Is the New Jersey Data Privacy Act (NJDPA)?
NJDPA Key Terms and Definitions
What Does the New Jersey Data Privacy Act Cover?
Requirements of the New Jersey Data Privacy Act
New Jersey’s Data Privacy Law vs. Other States: Similarities and Differences
How Will Consumers Be Impacted by the NJDPA?
Who Does the NJDPA Apply To?
How Will Businesses Be Impacted by the NJDPA?
Who Must Comply With New Jersey’s New Data Privacy Law?
How Can Businesses Prepare for the NJDPA?
How Will the NJDPA Be Enforced?
Fines and Penalties Under the New Jersey Data Privacy Act
How Will Termly Help With NJDPA Compliance?
Are There Other Privacy Related Laws in New Jersey?
Summary

What Is the New Jersey Data Privacy Act (NJDPA)?

The New Jersey Data Privacy Act is a state-level comprehensive consumer data privacy law.

It protects the personal information of people in the state and describes obligations, requirements, and guidelines commercial entities must follow to collect and use that data.

It also outlines the penalties and repercussions for violating the law.

NJDPA Effective Date

The NJPDA is scheduled to enter into effect on January 15, 2025, giving organizations one year to prepare for the law.

NJDPA Key Terms and Definitions

To help your business prepare for compliance read the following list of key terms and definitions exactly as they appear in the NJPDA text.

Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
- Consent shall not include acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.
Consumer: An identified person who is a resident of this State acting only in an individual, job-seeking, or household context.
- “Consumer” shall not include a person otherwise acting in a commercial or employment context.
Controller: An individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
Disclose: To release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means by an operator to a third party a consumer’s personally identifiable information.
- Disclose shall not include the disclosure of a consumer’s personally identifiable information by an operator to a third party under a written contract authorizing the third party to use the personally identifiable information to perform services on behalf of the operator, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if the contract prohibits the third party from using the personally identifiable information for any reason other than performing the specified service on behalf of the operator and from disclosing personally identifiable information to additional third parties unless expressly authorized by the consumer;
- The disclosure of personally identifiable information by an operator to a third party based on a good-faith belief that disclosure is required to comply with an applicable law, regulation, legal process, or court order;
- The disclosure of personally identifiable information by an operator to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues, to protect the operator’s rights or property, or to protect a consumer or the public from illegal activities as required by law; or
- The disclosure of personally identifiable information by an operator to a third party in connection with the proposed or actual sale or merger of the operator, or sale of all or part of its assets, to a third party.
Personal data: Any information that is linked or reasonably linkable to an identified or identifiable person.
- - Personal data shall not include de-identified data or publicly available information.
Personally identifiable information: Any information that is linked or reasonably linkable to an identified or identifiable person.
- Personally identifiable information shall not include de-identified data or publicly available information.
Process or processing: An operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and also includes the actions of a controller directing a processor to process personal data.
Processor: A person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.
Sale: The exchange of personally identifiable information for monetary consideration by the operator to a third party for purposes of licensing or selling personally identifiable information at the third party’s discretion to additional third parties.
- Sale shall not include the following: the disclosure of personally identifiable information to a service provider that processes that information on behalf of the operator;
- the disclosure of personally identifiable information to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personally identifiable information to the operator;
- the disclosure or transfer of personally identifiable information to an affiliate of the operator; or
- the disclosure or transfer of personally identifiable information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the operator’s assets.
Sensitive data: Personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

These terms will be used throughout the rest of this guide with these definitions in mind.

What Does the New Jersey Data Privacy Act Cover?

The New Jersey Data Privacy Act covers the personal information of New Jersey residents and does not apply to anyone in the state acting in an employment context.

Requirements of the New Jersey Data Privacy Act

Let’s go over the main business requirements outlined by New Jersey’s new data privacy law.

Lawful Purposes for Processing Personal Data

Under the NJDPA, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the processing purposes disclosed to the consumer.

The controller must obtain consumer consent to collect information that falls outside this scope and to collect and process sensitive personal information.

Consent

According to the NJDPA, consent must be:

Clear
Affirmative
Freely given
Specific
Informed

In other words, the law requires opt-in consent, which can include a written statement by electronic means.

However, consent cannot include acceptance of a general or broad terms of use or other similar document or rely on dark patterns, which aim to manipulate user autonomy and choice by techniques such as hovering over a button, muting, pausing, or closing any piece of content.

Verifiable Consumer Requests

Under the NJDPA, organizations must provide two or more ways for individuals to submit verifiable consumer requests to act on their data privacy rights.

You can use any method you want but cannot require a consumer to create an account.

Once you receive a data privacy rights request, you have 45 days to respond to the consumer. Depending on the complexity of the request, this may be extended by an additional 45 days where reasonably necessary.

The response must be provided to the consumer free of charge. However, you are not obligated to respond to repeated identical requests within a 12-month window.

Businesses must also establish a process so consumers can appeal the controller’s decision based on their requests.

Honoring Universal Opt-Out Mechanisms

The NJDPA includes provisions that allow consumers to submit verified requests to follow through on their privacy rights using a technology, Internet website link, browser setting or extension, or global setting on an electronic device.

In other words, organizations under this law must ensure their websites can receive and honor user consent preferences set using universal opt-out mechanisms (UOOMs) like Global Privacy Control (GPC).

The UOOM requirements become effective no later than six months following the effective date of the new law.

Contractual Obligations Between Controllers and Processors

Controllers and processors under the NJDPA must both sign contracts outlining the following:

Sets forth the processing instructions to which the processor is bound, including the nature of and purpose for the processing.
Lists the types of personal data subject to processing and the durations for the processing.
States the requirements imposed by the NJDPA.
Mandates the processor to delete or return all data at the end of the services at the controller’s discretion.
Mandates that the processor will make all information available to the controller as necessary to demonstrate compliance with the law.
Mandates the processor to allow for and contribute to reasonable assessments and inspections by the controller or a designated assessor.

Data Protection Assessments

Portions of the NJDPA require covered businesses to perform data protection assessments or DPAs when processing information that may present a heightened risk of harm to consumers.

In particular, the assessment identifies and weights the risks and benefits of collecting and processing this information and factors in:

The use of de-identified data
Reasonable expectations of consumers
The context of the processing
The relationship between the controller and the consumer

All DPAs must be made available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request.

Safety and Security Requirements

The NJDPA outlines requirements for controllers to take reasonable measures to establish, implement, and maintain technical, administrative, and physical data security practices.

The safety measures must consider the volume of data collected and the sensitivity of the information itself.

New Jersey’s Data Privacy Law vs. Other States: Similarities and Differences

New Jersey joins several other U.S. states with comprehensive consumer data privacy laws in place, which include:

California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
Kentucky Consumer Data Protection Act (KCDPA) — effective January 1, 2026
Maryland Online Data Protection Act (MODPA) — effective October 1, 2025
Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
New Hampshire Data Privacy Law (NHDPL) — effective January 1, 2025
Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
Tennessee Information Protection Act (TIPA) — effective July 1, 2025
Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
Utah Consumer Privacy Act (UCPA) — currently in force
Virginia Consumer Data Protection Act (VCDPA) — currently in force

Compare the NJDPA to these other U.S. state-level laws in the table below.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
NJDPA	✓	✓	✓	✓	✓		✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
DPDPA	✓	✓	✓	✓	✓		✓
FDBR		✓	✓	✓	✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
KCDPA	✓	✓	✓	✓	✓
MCDPA		✓	✓	✓	✓		✓
MODPA	✓	✓	✓	✓	✓		✓
NHDPL	✓	✓	✓	✓	✓		✓
OCPA		✓	✓	✓	✓		✓
TIPA	✓	✓	✓	✓	✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

How Will Consumers Be Impacted by the NJDPA?

The New Jersey Data Privacy Act gives consumers the right to:

Confirm if a controller is collecting their data
Access the personal data collected about them.
Correct inaccuracies in their personal data.
Delete their personal data.
Obtain a portable copy of their personal data.
Opt-out of the processing of their data for targeted advertising
Opt out of the sale of their information.
Opt-out of profiling.
Nondiscrimination for acting on their privacy rights.

Consumers can submit verifiable requests to follow through on their rights using an authorized agent, which includes universal opt-out mechanisms like Global Privacy Control (GPC).

Who Does the NJDPA Apply To?

The New Jersey Data Privacy Act applies to the personally identifiable information of New Jersey residents.

However, it does not apply to:

Publicly available and de-identified data.
Health information protected by the U.S. Department of Health and Human Services.
Personally identifiable information used by specific consumer reporting agencies.
Data collected and used as part of research that complies with the Federal Policy for the protection of human subjects.

How Will Businesses Be Impacted by the NJDPA?

Along with the security requirements, contractual obligations, and data protection assessment guidelines, New Jersey’s data privacy law also impacts privacy and cookie policies.

How Will the NJPDA Affect My Privacy Policy?

New Jersey’s new data privacy law will affect your privacy policy.

Under the NJPDA, operators that collect personally identifiable information through an online service must provide an online service notification (aka., privacy policy) to consumers that includes but is not limited to:

The categories of personally identifiable information collected through the online service.
The categories of all third parties the operator may disclose the information to.
If the third party collects personally identifiable information over time across different online services.
A description of how individuals can review or change their collected information.
How the operator will notify users about changes to the policy and an effective date.

Additionally, the law requires businesses to include a separate section in their privacy policies that explains one or more methods consumers can use to submit verifiable requests to follow through on their privacy rights.

How Will the NJDPA Affect My Cookie Policy?

The NJDPA affects cookie policies because users under the law have the right to opt out of targeted ads and the sale of their data, which includes data collected using internet cookies.

You must disclose all cookies your website uses in a transparent cookie policy and as a clause in your privacy policy.

Ensure you explain how users can opt out of having cookies that are sold or used for targeted advertising deployed onto their browsers.

Who Must Comply With New Jersey’s New Data Privacy Law?

Businesses that conduct business in New Jersey or produce products and services targeted to residents of the state and who meet one of the following thresholds in a calendar year are subject to following the NJDPA:

Controls or processes the personal data of 100,000 individuals, not including data processed solely for the purpose of completing a payment transaction.
Controls or processes the personal data of at least 25,000 individuals and derives revenue from or receives a discount for selling the information.

Who Is Exempt From the NJDPA?

The following entities and organizations are exempt from the NJDPA:

Covered entities or business associates processing protected health information (PHI) that are subject to the “Health Insurance Portability and Accountability Act (HIPAA)
Financial institutions subject to following the Gramm-Leach Bliley Act (GLBA)
Secondary market institutions, as identified in the United States Code as institutions chartered by Congress that engage in transactions but don’t transfer or sell personal information to third parties.
Insurance institutions that are subject to the Insurance Information Practices Act.
The sale of personal information by the New Jersey Motor Vehicle Commission as permitted by the federal Drivers’ Privacy Protection Act.
Any state agencies, political subdivisions, divisions, boards, bureaus, offices, commissions, or other instrumentalities created by a political subdivision.

How Can Businesses Prepare for the NJDPA?

To prepare for complying with the NJPDA, businesses should update their privacy and cookie policies to meet all notification requirements outlined by the law.

Obtain adequate consumer consent to process sensitive personal data and perform data protection assessments as needed.

Also, provide two or more ways for your users to opt out of the sale of their data, targeted advertising, and profiling and follow through on their other privacy rights.

For example, you can add a Data Subject Access Request (DSAR) form to your site.

Finally, prepare your website to respond to UOOMs like GPCs before the 2025 deadline.

How Will the NJDPA Be Enforced?

The New Jersey Office of the Attorney General has the sole and exclusive authority to enforce violations of New Jersey’s new data privacy law.

For the first 18 months the law takes effect, controllers in violation of the law will receive a notice and a 30-day cure period.

No penalties will be imposed as long as the violation is cured within that time frame.

Fines and Penalties Under the New Jersey Data Privacy Act

Currently, no information is available outlining the fines and penalties for violating the NJDPA.

However, the text clarifies that consumers have no private right of action.

How Will Termly Help With NJDPA Compliance?

To help businesses comply with the NJDPA, we plan to update our Privacy Policy Generator before the law enters into action so it includes all necessary clauses and information.

Backed by our legal team and data privacy experts, the generator asks simple questions about your business and data processing activities.

It then makes a compliant policy for you based on your answer.

We also offer a consent management platform (CMP) that you can configure to meet to opt-out requirements outlined by New Jersey’s upcoming data privacy law.

The NJDPA is the first comprehensive data privacy law in New Jersey, but a few other privacy-related laws exist in the state, for example:

New Jersey Identity Theft Prevention Act: This law protects residents from identity theft and requires the secure disposal of personal data.
New Jersey Data Breach Notification Law: This act requires businesses to notify individuals about data breaches that may have impacted their information.

Once it becomes effective, the NJDPA will work alongside these other laws, introducing more privacy protections across the state.

Summary

If your business meets the legal thresholds for the New Jersey Data Privacy Act, start preparing for compliance now.

Update your cookie and privacy policies to meet all notification requirements outlined by the law.
Set up your website to acknowledge UOOMs before the July 2025 deadline.
Add a DSAR form to your website.
Use appropriate contracts with any data processors or third parties you work with.
Perform data protection impact assessments as needed.

Give yourself a head start and use our Privacy Policy Generator and CMP, which will be ready to help you comply with the NJDPA before the law officially becomes enforceable.

More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

Impressum Template: Free Download and Real Life Examples

What Is Consent Management? Simplified For Businesses

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Cookie Walls: Are They GDPR Compliant?

Personal vs. Sensitive Personal Information

Privacy Policy for Hotel Websites