New Jersey Data Privacy Act (NJDPA): An Overview

New Jersey’s data privacy law was passed from Senate Bill 322 in January 2024, and keeps the data privacy trend rolling in the United States. Eight state-level privacy laws were passed in 2023, and two were passed in the first month of 2024. The law doesn’t have any major standout differences from the other state-level privacy regulations, but does reflect the evolving thought on privacy law, as well as ongoing changes in technology.

The United States does not have a federal data privacy law, and as 2024 is an election year, it is unlikely for that legislation to make significant progress during the year.

Signed into law by Governor Murphy on January 16, 2024, the New Jersey privacy regulation goes into effect one year later, on January 16, 2025. This is quite a short lead time compared to other US privacy laws. 2025 will be a busy year, as the Tennessee Information Protection Act (TIPA), Delaware Consumer Privacy Act (DPDPA), Iowa Consumer Data Protection Act (ICDPA), and New Hampshire Privacy Act (NHPA) also come into effect.

Like most of the other states, the Office of the Attorney General will oversee the NJDPA, though in New Jersey’s case, within that office it will be managed by the Director of the Division of Consumer Affairs. Interestingly, New Jersey’s data protection law includes almost all of an individual’s financial information as “sensitive” personal data.

New Jersey’s data privacy law protects the privacy and personal data rights of the state’s nine-million-plus residents, i.e. people acting in individual or household contexts. The law also establishes data privacy responsibilities for companies conducting business in the state and/or providing goods and services targeted to New Jersey residents.

Data controllers are defined under the law as “an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data”. The notice has to describe the organization’s data processing operations, and include:

• categories of personal data the controller processes
• purpose(s) of processing
• categories of all third parties to which the controller may disclose consumers’ personal data
• categories of personal data the controller shares with third parties, if any
• how consumers can exercise their data privacy rights
• how consumers can appeal a controller’s decision (e.g. denial of a data subject access request)
• the controller’s contact information, e.g. email address or other online mechanisms
• the process by which the controller notifies consumers of material changes to required notifications and effective dates of changes

Like all other US state-level data privacy laws, the NJDPA uses an opt-out model, so controllers can collect personal data without needing data subjects’ consent in many cases. Consumers do have the right to opt out of data collection and use, which includes sale, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”, and must be provided with information about and mechanisms to do so.

Personal data under the NJDPA

Refers to “any information that is linked or reasonably linkable to an identified or identifiable person.” The law also notes that “‘Personal data’ shall not include de-identified data or publicly available information.”

Note: personal data (also called personal information) and personally identifiable data are not always the same thing, and distinctions are often made in data privacy laws.

Sensitive data under the NJDPA

Sensitive data is a category that includes types of personal data that could be embarrassing or used to do harm if unlawfully accessed or misused, and thus requires special handling and under the NJDPA cannot be collected or used without prior user consent. New Jersey’s privacy law specifically refers to personal data that would reveal any of the following:

• racial or ethnic origin
• religious beliefs
• mental or physical health condition, treatment, or diagnosis
• financial information, including:
  • account number
  • account log-in
  • financial account, credit or debit card number in combination with any required security code, access code, or password
• sex life or sexual orientation
• status as transgender or non-binary
• citizenship or immigration status
• genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
• personal data collected from a known child
• precise geolocation data (with precision and accuracy within a radius of 1,750 feet / 533.4 meters)

New Jersey’s regulation is now the third state-level privacy law in the US to include transgender or non-binary status as sensitive data, along with Oregon and Delaware.

Child under the NJDPA

The law takes its definition of a child from the Children’s Online Privacy Protection Act (COPPA), which refers to a person under the age of 13. Prior consent must be obtained from a parent or legal guardian to process their personal data. The NJDPA also requires prior consent from people between 13 and 17 to process their personal data for the purposes of targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Consent under the NJDPA

Like many other data privacy laws, the New Jersey data privacy law follows the European Union’s General Data Protection Regulation (GDPR) with regards to the definition of valid consent: “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.”

To provide additional clarity, “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.” Under the NJDPA, consent does not include:

• acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
• hovering over, muting, pausing, or closing a given piece of content
• agreement obtained through the use of dark patterns

Consumer under the NJDPA

Refers to “an identified person who is a resident of this State acting only in an individual or household context.”

For additional clarity, the law also notes the following, which is commonly included language in the other US privacy laws: “Consumer’ shall not include a person acting in a commercial or employment context”.

Controller under the NJDPA

Will largely apply to companies, but the specific language refers to “an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data”.

Processor under the NJDPA

A processor is defined as “ a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller”. It could include third parties like advertising partners or fulfillment companies.

Profiling under the NJDPA

Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to “automated decision-making” or the use of AI technologies. The New Jersey data protection law defines profiling as “any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.

Targeted advertising under the NJDPA

This is also increasingly becoming a standard inclusion in data privacy laws, and can refer to the use of emerging technologies like AI tools.

The New Jersey data privacy law defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict such consumer’s preferences or interests.”

The following are not included in the definition of targeted advertising:

• advertisements based on activities within a controller’s own Internet websites or online applications
• advertisements based on the context of a consumer’s current search query, visit to an Internet website, or online application
• advertisements directed to a consumer in direct response to the consumer’s request for information or feedback
• processing personal data solely to measure or report advertising frequency, performance or reach

Sale under the NJDPA

Refers to “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party”.

Exclusions to the definition of sale include disclosures of personal data:

• to a processor that only processes the personal data on the controller’s behalf
• to a third party for purposes of providing a product or service requested by the consumer
• or transfer of personal data to an affiliate of the controller
• that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
• or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets

The NJDPA mainly affects commercial companies, but it can potentially apply to any organization processing personal data that meets the compliance threshold criteria.

The New Jersey privacy law’s compliance thresholds are fairly standard compared to other fairly populous states’ laws. The NJDPA continues a trend in US state-level privacy laws in having no revenue-only threshold for compliance, i.e. a company making X amount of revenue has to comply, solely based on that dollar amount and no other factors.

The compliance thresholds are for the preceding calendar year if an organization:

• controls or processes the personal data of at least 100,000 New Jersey residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

or

• controls or processes the personal data of at least 25,000 New Jersey residents and derives revenue or receives a discount of any amount on the price of goods or services from the sale of personal data

The NJDPA’s exemptions are fairly standard, and include health information protected by federal law, like the Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health Act (HITECH), or financial information handled by financial institutions or affiliates subject to the Gramm-Leach-Bliley Act (GLBA).

Further exempted institutions include insurance institutions, secondary market institutions, and consumer reporting agencies. Additional exempted regulations include the Fair Credit Reporting Act (FCRA) and New Jersey’s Motor Vehicle Commission under the Driver’s Privacy Protection Act (DPPA).

Nonprofit organizations are not exempt under the NJDPA as they are under some other states’ laws, nor can the Family Educational Rights and Privacy Act (FERPA) be used for exemption purposes.

Consumers’ rights under the NJDPA are fairly standard compared to other comprehensive privacy laws in the US:

• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data and information about third parties it’s shared with, with exceptions
• Right to disclosure: a list of the categories of third parties to which the controller has disclosed the consumer’s personal data
• Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
• Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out: of sale of personal data, targeted advertising, or profiling “in furtherance of decisions that produce legal or similarly significant effects concerning a consumer”

Consumers can designate an authorized agent to opt out of personal data processing for them. This is particularly relevant as the NJDPA includes a requirement for controllers to recognize the universal opt-out signal.

Parents or legal guardians can exercise the rights of children, defined as under 13 years of age, whose data is considered sensitive by default. The NJDPA uses COPPA for its definition of a child.

Controllers are also required to obtain prior consent for the processing of personal data belonging to people between 13 and 17 years of age if it’s for the purposes of targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Consumers can make one free request to a controller to exercise their rights, e.g. getting a copy of their data, every 12 months. A controller can deny requests from a consumer that are “manifestly unfounded, excessive or repetitive”, or they can charge the consumer a reasonable fee to cover the administrative costs of complying with such a request. The controller is responsible for demonstrating that request is unfounded, etc., however.

Reasonable reasons to deny a request could also include if the consumer’s identity cannot reasonably be verified, or if too many requests are received in a 12-month period.

An organization has 45 days from receiving a consumer’s request to respond, though they have the option to extend that by another 45 days if reasonably necessary., e.g. if fulfilling the request would be very complex or the controller has a great many requests to fulfill. If the controller extends the response period for a request, they must notify the consumer that they will do so before the original 45-day response period has expired, and must provide a reason for the extension.

California continues to be the only US state that enables privacy right of action under their data privacy law. That means that consumers can sue controllers in the event of a violation of the law. New Jersey’s law does not include private right of action, and enforcement falls under the state’s Office of the Attorney General.

The NJDPA is fairly similar to other US privacy law requirements regarding notifications, data access, use, and security. The law also includes particular responsibilities for data processors, particularly relating to complying with controllers’ requirements, assisting with enabling consumers to exercise their rights, e.g. with access requests, and ensuring adequate safeguards for collected data.

The compliance requirements for the NJDPA are largely the same as those for other comprehensive US data protection laws. Accurate notifications for consumers are a significant requirement, and while data controllers do not need to obtain prior consent for data collection and processing in most cases, they do need to enable users to opt out. Prior consent is required for processing sensitive data or that of children.

Notifications defined by the NJDPA

Controllers must provide a privacy notice that is “accessible, clear, and meaningful”, and includes:

• categories of personal data that the controller processes
• purpose(s) for processing personal data
• categories of all third parties to which the controller may disclose a consumer’s personal data
• categories of personal data that the controller shares with third parties, if any
• how consumers may exercise their consumer rights, including:
  • the controller’s contact information
  • how a consumer may appeal a controller’s decision concerning their request
  • the process by which the controller notifies consumers of material changes to required notifications and the effective date of the notice
  • email address or other online mechanism the consumer may use to contact the controller
• if the controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, sale, or profiling, the controller must clearly and conspicuously disclose the sale or processing, as well as how a consumer may exercise the right to opt out

Restrictions on controller requirements for consumers exercising their rights

A controller can’t require a consumer to create a new account in order to exercise their rights, however, controllers can require reasonable verification of a consumer’s identity for security purposes. To this end, the controller can require a consumer to use an existing account to verify themselves and submit their request.

A controller can’t increase the cost or availability of a product or service based solely on the consumer exercising a right (right to nondiscrimination).

Purpose limitation defined by the NJDPA

Controllers can process personal data for the purpose(s) that they have communicated, as long as they limit the processing to “the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer”.

Controllers may not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

Controllers may not process personal data for purposes that are “neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer” unless the controller obtains the consumer’s consent.

If the purposes for processing change, the controller must provide new notification, and, where relevant, obtain new data subject consent. In some cases, like with children’s data, consent must be obtained from a parent or guardian before processing, rather than enabling opt-out later.

Data security defined by the NJDPA

Controllers must “take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. The data security practices shall be appropriate to the volume and nature of the personal data at issue”.

The law doesn’t specify any specific security measures, like encryption, so those policy and infrastructure best practices and decisions will be left up to data controllers.

Processors working with/for controllers are also responsible for safeguarding personal data they have access to, and obligations should be established contractually before processing. However, the ultimate responsibility for the protection of collected personal data and its appropriate use lies with the controller.

Data protection assessments (DPA) defined by the NJDPA

Data protection assessments are meant to identify and weigh the risks of data processing and ensure consumers whose data is processed are adequately protected. They are also intended to ensure that controllers factor in the potential use of de-identified data, consumer expectations, and relationships between controller and consumers.

Controllers are required to perform data protection assessments (DPA), also known as data protection impact assessments, for “processing that presents a heightened risk of harm to a consumer.” Such activities include:

• processing personal data for the purposes of targeted advertising
• profiling, if it presents a reasonably foreseeable risk of negative impact on consumers
• processing sensitive personal data
• sale of personal data

The Attorney General can require a data controller to conduct or disclose a DPA and share the results of one in the course of an investigation. The AG can also weigh a DPA to determine if it is sufficient for compliance purposes.

Consent requirements defined by the NJDPA

For many circumstances, user consent is not required by New Jersey’s privacy law before personal data is collected or processed. Prior consent is required to access sensitive data or children’s data, for example, or if the organization’s data processing purposes change. Controllers must provide clear notification about what data is collected and processed, purposes for use, who it’s shared with, consumers’ rights, and how to exercise them, etc. to ensure that consumers are reasonably informed and able to make requests or opt out of data processing.

Requirements to change or revoke consent as defined by the NJDPA

In addition to providing information about how consumers can opt out, controllers must provide information so consumers know that they can change or revoke previous consent later.

Revoking consent must be “at least as easy as the mechanism by which the consumer provided the consumer’s consent”. Once a consumer has revoked consent, the controller must cease processing the data “as soon as practicable, but not later than 15 days after the receipt of such request”.

Nondiscrimination defined by the NJDPA

Like other US privacy laws, New Jersey’s regulation prohibits discrimination against consumers, including discrimination for exercising their rights under the NJDPA, or processing personal data if it would violate other state or federal laws governing discrimination.

For example, if a consumer opts out of data processing on a website, that individual cannot be blocked from accessing the site or its functions. There are, however, some web or app features and functions that will not work without certain cookies or trackers being activated, so if a consumer opts out and they no longer work optimally, this is not discriminatory. Additionally, the use of some cookies does not require consent if they are “strictly necessary” to enable a website to work correctly, like the shopping cart functions on an ecommerce site.

Controllers can offer voluntary incentives to consumers for their participation in activities that collect personal data, for example, subscribing to a newsletter, completing a survey, or joining a loyalty program. However, such incentives must be proportionate and reasonable to the request, as well as to the type and volume of personal data collected, and the purpose for its collection. It cannot reasonably look like payment for consent.

Consumers who decline incentive offers also cannot be discriminated against, e.g. by not having access to comparable services or offers, or being charged a different (especially higher) price.

Third-party contracts defined by the NJDPA

Processors need to assist controllers in meeting their obligations under the law, which include restricting processes to publicized purposes, safeguarding personal data, and providing information enabling data protection assessments, breach notifications, or data subject access requests.

There needs to be a contract in place between the controller and processor prior to data collection. Such contracts are binding on both sides and need to include:

• duty of confidentiality
• information about appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing
• clear instructions for processing data, including:
  • nature and purpose of the processing
  • type of data that is subject to processing
  • duration of the processing
• rights and obligations of both parties with a clear allocation of responsibilities to implement the required measures
• the processor must delete or return the personal data to the controller at the controller’s direction or at the end of the provision of services unless there are superseding legal requirements for the processor
• the processor must provide the controller (upon request) all information needed to verify that the processor has complied with all of their contractual obligations to the controller
• if the processor engages any subcontractors, they must have contracts in place as well to ensure they comply with all requirements of the controller

Universal opt-out mechanism

Not all US state-level privacy laws include requirements for a universal opt-out mechanism, aka global opt-out signal or Global Privacy Control, however, it’s becoming more common with some of the more recently passed data privacy laws. New Jersey’s law is slightly different from some other state-level privacy laws to date, as controllers are also required to recognize a universal opt-out mechanism for user profiling if it’s “in furtherance of decisions that produce legal or similarly significant effects concerning a consumer”.

The New Jersey Data Privacy Act does include this mechanism, and includes language that more than one such mechanism may be employed to “clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data”. Controllers will need to recognize the universal opt-out mechanism by July 16, 2025.

This mechanism enables consumers to set and communicate their preferences with regards to the processing of their personal data once, e.g. in their web browser, and then they’re communicated to all websites or other platforms or services that the consumer uses that can detect the signal.

New Jersey’s Management, education, enforcement, and evolution of the NJDPA will be centralized under the Office of the Attorney General and managed by the Director of the Division of Consumer Affairs. The Consumer Affairs division also has the power to make and publicize rules to carry out the NJDPA’s purposes. Only California, Colorado, and Florida’s laws currently allow for this.

The Division of Consumer Affairs under the Attorney General will handle enforcement of the law when it comes into force in January 2025. Consumer complaints about controllers’ data processing or denial of consumer requests can be submitted to the Attorney General, which will notify an organization of any complaint and if an investigation is launched. The Attorney General can require data protection assessments and other information from controllers in the course of the investigation or to ensure they are being done compliantly.

Controllers have to provide information and a process to consumers not only to exercise their rights, but also justification for denying a request if they choose to do so, along with information on how to lodge an appeal if the controller refuses to take action on a request. This appeal process must be similar to the process to make a request and just as easy to do.

The controller has 45 days from receiving an appeal to reply to the consumer about any action taken (or not taken), including a written explanation of the reasons for the decision. Controllers also have to provide consumers with an online mechanism, if possible, or another way to contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a further complaint if the controller does not resolve issues with the consumer.

The Attorney General’s Office can decide to initiate an investigation or issue a notice of violation to a controller, e.g. resulting from a complaint. As previously noted, consumers do not have private right of action under the NJDPA.

The NJDPA requires that the Attorney General’s Office provide controllers with notice of violation and give 30 days to cure violations if it’s agreed that a cure is possible. The cure provision sunsets on July 16, 2026 (18 months after the law comes into effect). After that providing a cure period would be at the discretion of the Attorney General’s Office.

If the controller fails to cure the violation within 30 days, the Attorney General’s Office may initiate enforcement proceedings. Factors that may influence such decisions include the number and severity of violations, nature and extent of the processing activities, likelihood of injury to the public, etc.

The NJDPA doesn’t provide a specific amount for fines, however, violating the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act. Fines can be up to $10,000 USD for an initial violation and up to $20,000 USD for subsequent violations.

New Jersey’s law is based on an opt out consent model, so consent does not need to be obtained before collecting or processing personal data in many circumstances like it does in the European Union, for example.

Consumers do have to be informed about data collection and use, the parties with access to their data, and what their rights are and how to exercise them. This information, commonly provided in a comprehensive privacy notice, needs to be clear and easily accessible, e.g. on the organization’s website.

Consumers do need to be able to opt out of the processing of their data for several purposes or be able to change or revoke their previous consent preferences. This can be managed via a consent management platform like Usercentrics CMP for Website Consent Management or App Consent Management.

As of 2026, organizations must also recognize and respect consumers’ consent preferences as expressed via a universal opt-out signal.

Use of a CMP can streamline provision of information about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. The NJDPA does require providing consumers with clear, granular information about this.

The United States still only has a patchwork of state-level privacy laws and not a single federal one, so many companies doing business across the country, or foreign organizations doing business in the US, may need to comply with a variety of state data protection laws.

A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

Organizations doing business in New Jersey have until January 2025 to prepare for compliance with the NJDPA.

Companies that achieve compliance with other state-level regulations, like California’s CCPA/CPRA have done much of the work toward NJDPA compliance. Organizations always need to be clear on specific states’ laws’ unique stipulations and should always consult qualified legal counsel and/or their own data protection officer (DPO) or privacy expert. A privacy-by-design approach will also benefit an organization’s operations beyond data privacy compliance.

Being proactive about protecting user privacy is valuable in business operations. It builds user engagement and trust, improves user experiences, and strengthens customer relationships long-term. These help produce more high-quality data for marketing operations and contribute to increased revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.