New Jersey Data Privacy Act: First Look & Summary

Covered by Termly

By: Josh Langeland, CIPM Josh Langeland, CIPM | Updated on: May 1, 2024

Generate a Free Privacy Policy
New-Jersey-Data-Privacy-Act-NJDPA-01

On January 16th, 2024, the New Jersey governor signed Senate Bill 332, the New Jersey Data Privacy Act (NJDPA) into law, which outlines privacy protections and rights for state residents.

New Jersey was the first U.S. state to pass a consumer data privacy law in 2024.

In this guide, I’ll explain what the NJDPA entails, how it impacts businesses and consumers, and what steps you must take to prepare for compliance.

Table of Contents
  1. What Is the New Jersey Data Privacy Act (NJDPA)?
  2. NJDPA Key Terms and Definitions
  3. What Does the New Jersey Data Privacy Act Cover?
  4. Requirements of the New Jersey Data Privacy Act
  5. New Jersey’s Data Privacy Law vs. Other States: Similarities and Differences
  6. How Will Consumers Be Impacted by the NJDPA?
  7. Who Does the NJDPA Apply To?
  8. How Will Businesses Be Impacted by the NJDPA?
  9. Who Must Comply With New Jersey’s New Data Privacy Law?
  10. How Can Businesses Prepare for the NJDPA?
  11. How Will the NJDPA Be Enforced?
  12. Fines and Penalties Under the New Jersey Data Privacy Act
  13. How Will Termly Help With NJDPA Compliance?
  14. Are There Other Privacy Related Laws in New Jersey?
  15. Summary

What Is the New Jersey Data Privacy Act (NJDPA)?

The New Jersey Data Privacy Act is a state-level comprehensive consumer data privacy law.

It protects the personal information of people in the state and describes obligations, requirements, and guidelines commercial entities must follow to collect and use that data.

It also outlines the penalties and repercussions for violating the law.

NJDPA Effective Date

The NJPDA is scheduled to enter into effect on January 15, 2025, giving organizations one year to prepare for the law.

NJDPA Key Terms and Definitions

To help your business prepare for compliance read the following list of key terms and definitions exactly as they appear in the NJPDA text.

These terms will be used throughout the rest of this guide with these definitions in mind.

What Does the New Jersey Data Privacy Act Cover?

The New Jersey Data Privacy Act covers the personal information of New Jersey residents and does not apply to anyone in the state acting in an employment context.

Requirements of the New Jersey Data Privacy Act

Let’s go over the main business requirements outlined by New Jersey’s new data privacy law.

Lawful Purposes for Processing Personal Data

Under the NJDPA, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the processing purposes disclosed to the consumer.

The controller must obtain consumer consent to collect information that falls outside this scope and to collect and process sensitive personal information.

Consent

According to the NJDPA, consent must be:

  • Clear
  • Affirmative
  • Freely given
  • Specific
  • Informed

In other words, the law requires opt-in consent, which can include a written statement by electronic means.

However, consent cannot include acceptance of a general or broad terms of use or other similar document or rely on dark patterns, which aim to manipulate user autonomy and choice by techniques such as hovering over a button, muting, pausing, or closing any piece of content.

Verifiable Consumer Requests

Under the NJDPA, organizations must provide two or more ways for individuals to submit verifiable consumer requests to act on their data privacy rights.

You can use any method you want but cannot require a consumer to create an account.

Once you receive a data privacy rights request, you have 45 days to respond to the consumer. Depending on the complexity of the request, this may be extended by an additional 45 days where reasonably necessary.

The response must be provided to the consumer free of charge. However, you are not obligated to respond to repeated identical requests within a 12-month window.

Businesses must also establish a process so consumers can appeal the controller’s decision based on their requests.

Honoring Universal Opt-Out Mechanisms

The NJDPA includes provisions that allow consumers to submit verified requests to follow through on their privacy rights using a technology, Internet website link, browser setting or extension, or global setting on an electronic device.

In other words, organizations under this law must ensure their websites can receive and honor user consent preferences set using universal opt-out mechanisms (UOOMs) like Global Privacy Control (GPC).

The UOOM requirements become effective no later than six months following the effective date of the new law.

Contractual Obligations Between Controllers and Processors

Controllers and processors under the NJDPA must both sign contracts outlining the following:

  • Sets forth the processing instructions to which the processor is bound, including the nature of and purpose for the processing.
  • Lists the types of personal data subject to processing and the durations for the processing.
  • States the requirements imposed by the NJDPA.
  • Mandates the processor to delete or return all data at the end of the services at the controller’s discretion.
  • Mandates that the processor will make all information available to the controller as necessary to demonstrate compliance with the law.
  • Mandates the processor to allow for and contribute to reasonable assessments and inspections by the controller or a designated assessor.

Data Protection Assessments

Portions of the NJDPA require covered businesses to perform data protection assessments or DPAs when processing information that may present a heightened risk of harm to consumers.

In particular, the assessment identifies and weights the risks and benefits of collecting and processing this information and factors in:

  • The use of de-identified data
  • Reasonable expectations of consumers
  • The context of the processing
  • The relationship between the controller and the consumer

All DPAs must be made available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request.

Safety and Security Requirements

The NJDPA outlines requirements for controllers to take reasonable measures to establish, implement, and maintain technical, administrative, and physical data security practices.

The safety measures must consider the volume of data collected and the sensitivity of the information itself.

New Jersey’s Data Privacy Law vs. Other States: Similarities and Differences

New Jersey joins several other U.S. states with comprehensive consumer data privacy laws in place, which include:

  • California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
  • Colorado Privacy Act (CPA) — currently in force
  • Connecticut Data Privacy Act (CTDPA) — currently in force
  • Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
  • Florida Digital Bill of Rights (FDBR) — currently in force
  • Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
  • Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
  • Kentucky Consumer Data Protection Act (KCDPA) — effective January 1, 2026
  • Maryland Online Data Protection Act (MODPA) — effective October 1, 2025
  • Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
  • New Hampshire Data Privacy Law (NHDPL) — effective January 1, 2025
  • Oregon Consumer Privacy Act (OCPA) — currently in force
  • Tennessee Information Protection Act (TIPA) — effective July 1, 2025
  • Texas Data Privacy and Security Act (TDPSA) — currently in force
  • Utah Consumer Privacy Act (UCPA) — currently in force
  • Virginia Consumer Data Protection Act (VCDPA) — currently in force

Compare the NJDPA to these other U.S. state-level laws in the table below.

State Law Opt-in consent for certain types of data processing Opt-out consent for certain types of data processing Must present users with a privacy policy (or notice) Requires Data Protection Assessments Outlines Contractual Obligation with Third-Party Processors Allows for civil lawsuits or private right of action Must honor Global Privacy Controls/browser privacy settings
NJDPA
CCPA/CPRA
CPA
CTDPA
DPDPA
FDBR
Indiana CDPA
Iowa CDPA
KCDPA
MN CDPA
MT CDPA
MODPA
NHDPL
OCPA
TIPA
TDPSA
UCPA
VCDPA

How Will Consumers Be Impacted by the NJDPA?

The New Jersey Data Privacy Act gives consumers the right to:

  • Confirm if a controller is collecting their data
  • Access the personal data collected about them.
  • Correct inaccuracies in their personal data.
  • Delete their personal data.
  • Obtain a portable copy of their personal data.
  • Opt-out of the processing of their data for targeted advertising
  • Opt out of the sale of their information.
  • Opt-out of profiling.
  • Nondiscrimination for acting on their privacy rights.

Consumers can submit verifiable requests to follow through on their rights using an authorized agent, which includes universal opt-out mechanisms like Global Privacy Control (GPC).

Who Does the NJDPA Apply To?

The New Jersey Data Privacy Act applies to the personally identifiable information of New Jersey residents.

However, it does not apply to:

  • Publicly available and de-identified data.
  • Health information protected by the U.S. Department of Health and Human Services.
  • Personally identifiable information used by specific consumer reporting agencies.
  •  Data collected and used as part of research that complies with the Federal Policy for the protection of human subjects.

How Will Businesses Be Impacted by the NJDPA?

Along with the security requirements, contractual obligations, and data protection assessment guidelines, New Jersey’s data privacy law also impacts privacy and cookie policies.

How Will the NJPDA Affect My Privacy Policy?

New Jersey’s new data privacy law will affect your privacy policy.

Under the NJPDA, operators that collect personally identifiable information through an online service must provide an online service notification (aka., privacy policy) to consumers that includes but is not limited to:

  • The categories of personally identifiable information collected through the online service.
  • The categories of all third parties the operator may disclose the information to.
  • If the third party collects personally identifiable information over time across different online services.
  • A description of how individuals can review or change their collected information.
  • How the operator will notify users about changes to the policy and an effective date.

Additionally, the law requires businesses to include a separate section in their privacy policies that explains one or more methods consumers can use to submit verifiable requests to follow through on their privacy rights.

How Will the NJDPA Affect My Cookie Policy?

The NJDPA affects cookie policies because users under the law have the right to opt out of targeted ads and the sale of their data, which includes data collected using internet cookies.

You must disclose all cookies your website uses in a transparent cookie policy and as a clause in your privacy policy.

Ensure you explain how users can opt out of having cookies that are sold or used for targeted advertising deployed onto their browsers.

Who Must Comply With New Jersey’s New Data Privacy Law?

Businesses that conduct business in New Jersey or produce products and services targeted to residents of the state and who meet one of the following thresholds in a calendar year are subject to following the NJDPA:

  • Controls or processes the personal data of 100,000 individuals, not including data processed solely for the purpose of completing a payment transaction.
  • Controls or processes the personal data of at least 25,000 individuals and derives revenue from or receives a discount for selling the information.

Who Is Exempt From the NJDPA?

The following entities and organizations are exempt from the NJDPA:

  • Covered entities or business associates processing protected health information (PHI) that are subject to the “Health Insurance Portability and Accountability Act (HIPAA)
  • Financial institutions subject to following the Gramm-Leach Bliley Act (GLBA)
  • Secondary market institutions, as identified in the United States Code as institutions chartered by Congress that engage in transactions but don’t transfer or sell personal information to third parties.
  • Insurance institutions that are subject to the Insurance Information Practices Act.
  • The sale of personal information by the New Jersey Motor Vehicle Commission as permitted by the federal Drivers’ Privacy Protection Act.
  • Any state agencies, political subdivisions, divisions, boards, bureaus, offices, commissions, or other instrumentalities created by a political subdivision.

How Can Businesses Prepare for the NJDPA?

To prepare for complying with the NJPDA, businesses should update their privacy and cookie policies to meet all notification requirements outlined by the law.

Obtain adequate consumer consent to process sensitive personal data and perform data protection assessments as needed.

Also, provide two or more ways for your users to opt out of the sale of their data, targeted advertising, and profiling and follow through on their other privacy rights.

For example, you can add a Data Subject Access Request (DSAR) form to your site.

Finally, prepare your website to respond to UOOMs like GPCs before the 2025 deadline.

How Will the NJDPA Be Enforced?

The New Jersey Office of the Attorney General has the sole and exclusive authority to enforce violations of New Jersey’s new data privacy law.

For the first 18 months the law takes effect, controllers in violation of the law will receive a notice and a 30-day cure period.

No penalties will be imposed as long as the violation is cured within that time frame.

Fines and Penalties Under the New Jersey Data Privacy Act

Currently, no information is available outlining the fines and penalties for violating the NJDPA.

However, the text clarifies that consumers have no private right of action.

How Will Termly Help With NJDPA Compliance?

To help businesses comply with the NJDPA, we’ve updated our Privacy Policy Generator to include all necessary clauses and information outlined by the act.

Backed by our legal team and data privacy experts, the generator asks simple questions about your business and data processing activities.

It then makes a compliant policy for you based on your answer.

We also offer a consent management platform (CMP) that you can configure to meet to opt-out requirements outlined by New Jersey’s upcoming data privacy law.

The NJDPA is the first comprehensive data privacy law in New Jersey, but a few other privacy-related laws exist in the state, for example:

Once it becomes effective, the NJDPA will work alongside these other laws, introducing more privacy protections across the state.

Summary

If your business meets the legal thresholds for the New Jersey Data Privacy Act, start preparing for compliance now.

  • Update your cookie and privacy policies to meet all notification requirements outlined by the law.
  • Set up your website to acknowledge UOOMs before the July 2025 deadline.
  • Add a DSAR form to your website.
  • Use appropriate contracts with any data processors or third parties you work with.
  • Perform data protection impact assessments as needed.

Give yourself a head start and use our Privacy Policy Generator and CMP, which can help you comply with the NJDPA before the law officially becomes enforceable.

Josh Langeland, CIPM
More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

Related Articles

Explore more resources