new-jersey-dpa

New Jersey Data Privacy Act (NJDPA)

Overview

The New Jersey Data Privacy Act (S332/A1971), signed into law on January 16, 2024, and effective January 15, 2025, establishes comprehensive consumer data privacy rights for New Jersey residents. The NJDPA applies to controllers that conduct business in New Jersey or produce products or services targeted to New Jersey residents and that during a calendar year either (a) control or process the personal data of at least 100,000 consumers (excluding data processed solely for completing a payment transaction), or (b) control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data.

Key Provisions

Consumer Rights (Section 6)

Right	Description	Response Period
Right to access	Confirm processing and obtain a copy of personal data	45 days (extendable by 45)
Right to correction	Correct inaccurate personal data	45 days
Right to deletion	Delete personal data provided by or obtained about the consumer	45 days
Right to data portability	Obtain personal data in a portable, readily usable format	45 days
Right to opt out of sale	Opt out of the sale of personal data	15 business days
Right to opt out of targeted advertising	Opt out of processing for targeted advertising purposes	15 business days
Right to opt out of profiling	Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects	15 business days
Right to non-discrimination	Not be discriminated against for exercising rights	Ongoing

Sensitive Data (Section 2)

The NJDPA defines sensitive data broadly, including:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition, treatment, or diagnosis
• Financial information (account number, credit/debit card number with required security code)
• Sex life or sexual orientation
• Citizenship or immigration status
• Status as transgender or non-binary
• Genetic or biometric data processed to identify an individual
• Personal data of a known child under 13
• Precise geolocation data

Consent requirement: Controllers must obtain consumer consent before processing sensitive data. The inclusion of financial information and immigration status as sensitive data categories distinguishes the NJDPA from many other state privacy laws.

Universal Opt-Out Mechanism (Section 8)

Controllers must recognize and comply with universal opt-out mechanisms (such as the Global Privacy Control) by July 15, 2025 (six months after the law's effective date). This applies to opt-out of sale and targeted advertising.

Controller Obligations (Section 9)

1. Data minimisation: Limit collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose.
2. Purpose limitation: Do not process personal data for purposes not reasonably necessary to or compatible with the disclosed purposes without consent.
3. Security: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
4. Non-discrimination: Do not process personal data in violation of state or federal anti-discrimination laws.
5. Privacy notice: Provide a clear, accessible, and meaningful privacy notice disclosing categories of personal data processed, purposes, consumer rights, categories of third parties with whom data is shared, and categories of data shared.
6. DPIA requirement: Conduct and document a data protection assessment for processing activities that present a heightened risk of harm (targeted advertising, sale of personal data, profiling, processing of sensitive data, processing that presents a heightened risk of harm to consumers).

Cure Period (Section 14)

The NJDPA provides a 30-day right to cure period before the AG may bring an enforcement action. This cure period sunsets 18 months after the effective date (July 15, 2026), after which the AG has full discretion on enforcement without providing a cure opportunity.

Enforcement (Section 13)

• Exclusive enforcement by the New Jersey Attorney General and Division of Consumer Affairs.
• No private right of action.
• Violations treated as unlawful practices under the New Jersey Consumer Fraud Act.
• Civil penalties up to $10,000 per initial violation and $20,000 for subsequent violations.

Comparison with Other State Privacy Laws

Feature	NJDPA	CCPA/CPRA	CPA (Colorado)	VCDPA (Virginia)
Financial data as sensitive	Yes	No	No	No
Immigration status as sensitive	Yes	No	No	No
Transgender/non-binary status as sensitive	Yes	No	No	No
Universal opt-out mechanism	Required	Required	Required	Not required
Cure period	30 days (sunsets)	30 days (expired)	60 days (sunsets)	30 days (permanent)
Private right of action	No	Limited	No	No
DPIA requirement	Yes	Yes	Yes	Yes
Applicability to nonprofits	No (exempt)	No (exempt)	No (exempt)	No (exempt)

Enforcement Precedents and Regulatory Guidance

Since the NJDPA became effective in January 2025, the New Jersey AG has signaled active enforcement priorities including:

• Targeting data brokers that sell personal data without honouring opt-out requests.
• Focusing on companies processing sensitive data (particularly health and financial data) without proper consent.
• Coordination with other state AGs through the National Association of Attorneys General (NAAG) privacy working group.