
New Jersey Data Privacy Act (NJDPA) Checklist

Our NJDPA compliance checklist will help you achieve and maintain privacy compliance. Build user trust and achieve high opt-in rates.
Published by Usercentrics
May 29, 2025

The New Jersey Data Privacy Act (NJDPA), effective from January 16, 2024, aims to protect the personal data of New Jersey residents by imposing compliance responsibilities on businesses operating in the state. 

These businesses must provide clear notices about data collection practices and offer opt-out options for data processing, emphasizing the need for a reliable compliance solution to mitigate risks and focus on core operations. 

The NJDPA includes various thresholds and consumer rights, such as the rights to opt out of data sales and targeted advertising, to access, correct, and delete personal data, and to data portability. The NJDPA mandates opt-in consent for processing sensitive data and personal data of children.

Compliant data is a critical business resource

Compliance is crucial for companies to avoid fines, data loss, and reputational damage while leveraging privacy practices to build user trust, enhance engagement, and boost revenue. The NJDPA’s comprehensive approach underscores the growing importance of privacy compliance in today’s data-driven market.

These steps will help you achieve compliance with the New Jersey Data Privacy Act (NJDPA), which applies to and protects residents of New Jersey. The checklist also includes recommended best practices for data privacy-related user experience.

Step 1: Determine if your company is required to comply

Your company is required to comply if your for-profit organization:

  • Controls or processes personal data of 100,000 or more consumers, excluding data for the purpose of completing payment transactions

or

  • Controls or processes personal data of 25,000 or more consumers

and

  • Derives revenue or receives a discount on the price of any goods or services from the sale of personal data

Step 2: Create a comprehensive Privacy Policy

  • Purpose: Inform consumers at or before the point of data collection:
    • Categories of personal data processed
    • Purposes for which data is processed
    • Categories of personal data that the controller shares with third parties, if any
    • Categories of third parties the controller shares personal data with, if any
    • Whether a third party may collect personally identifiable information about a consumer’s online activities over time and across different commercial Internet websites or online services using third-party cookies or trackers
       
  • Rights: Inform website visitors of their privacy rights and how to exercise them, including contact information and how a consumer may appeal a controller’s decision with regard to the consumer’s request.
  • Language: Ensure the Privacy Policy is clear and easy to understand.
  • Implementation: Make information about privacy and user options, like consent opt-out, available via a banner or popup when users visit your site, e.g. with a Consent Management Platform.

Step 3: Inform users about their rights

Consumers’ rights under the NJDPA:

  • Right to access
    • Request and receive a copy of their personal data
  • Right to disclosure
    • A list of the categories of third parties to which the controller has disclosed the consumer’s personal data
  • Right to correction
    • Updates or corrections to inaccuracies in personal data collected
  • Right to deletion
    • Personal data that has been collected about them (with exceptions)
  • Right to data portability
    • Copy of personal data must be provided in a portable and readily useable format
  • Right to opt out
    • Of processing of personal data for the purposes of sale, targeted advertising, or profiling for decisions that would affect the consumer in a legal or similarly significant way
  • Right to nondiscrimination
    • For exercising privacy rights
  • Right of minors
    • Consent must be obtained from a parent/guardian before children’s (under age 13) personal data is collected, or directly from individuals if they are between the ages of 13 and 17
  • Right to restrict use of sensitive personal information
    • Limit or refuse the collection or use of personal data the law classifies as sensitive

Step 4: As a best practice, review and update your Privacy Policy or Notice every 12 months

  • Review your operations and potential changes in the law every 12 months, updating your Privacy Policy information and the effective date. The effective date should be updated even if you don’t make any other changes to the Policy.
  • Transparency: Ensure that the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible.
  • Data sold: List all the categories of personal information that your business has sold in the past 12 months.
  • When: If the personal data collected is sensitive or that of a child.
  • Availability: Easily accessible on your website.
  • Method: Via the use of a Consent Management Platform (CMP).
  • Sensitive Personal Data: Provide clear options to opt-out and store preferences for processing sensitive personal data.
  • Consent for Children: Obtain consent from a parent or legal guardian for collection of personal data if the data subject is 13 or younger, or from the individual directly if they are between the ages of 13 and 17.

Step 7: Enable consumers to make Data Subject Access Requests (DSARs)

  • Provide one or more contact options, e.g. toll-free phone number, web form, email.
  • Set up a system to enable submission of DSARs.

Step 8: Set up a system to verify Data Subject Access Requests (DSARs)

  • Enable consumers to attach documentation when submitting a request, to enable secure verification of their identity and residency.
  • Set up a system to enable submissions for verification requests.
  • If your business cannot reasonably verify the consumer’s identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified, and enable the consumer to rectify.

Step 9: Keep track of Data Subject Access Requests (DSARs)

  • Set up a system to track all requests.
  • Time period: keep records of all requests and your business responses for 2 years after the last consumer interaction.

Step 10: Fulfill Data Subject Access Requests (DSARs)

  • Standard time period: within 45 days.
  • Extended time period: up to 90 days.
