{"id":479,"date":"2024-04-05T15:24:15","date_gmt":"2024-04-05T13:24:15","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=33385"},"modified":"2025-06-26T11:59:01","modified_gmt":"2025-06-26T09:59:01","slug":"new-jersey-data-privacy-act-njdpa","status":"publish","type":"knowledge","link":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/","title":{"rendered":"New Jersey Data Privacy Act (NJDPA): An Overview"},"content":{"rendered":"\n\n<h2 class=\"wp-block-heading\">Introduction to the New Jersey Data Privacy Act<\/h2>\n<p>New Jersey\u2019s data privacy law was passed from <a href=\"https:\/\/pub.njleg.state.nj.us\/Bills\/2022\/S0500\/332_R6.PDF\" target=\"_blank\" rel=\"noopener\">Senate Bill 322<\/a> in January 2024, and keeps the data privacy trend rolling in the United States. Eight state-level privacy laws were passed in 2023, and two were passed in the first month of 2024. The law doesn\u2019t have any major standout differences from the other state-level privacy regulations, but does reflect the evolving thought on privacy law, as well as ongoing changes in technology.<\/p>\n<p>The United States does not have a federal data privacy law, and as 2024 is an election year, it is unlikely for that legislation to make significant progress during the year.<\/p>\n<p>Signed into law by Governor Murphy on January 16, 2024, the New Jersey privacy regulation goes into effect one year later, on January 16, 2025. This is quite a short lead time compared to other US privacy laws. 2025 will be a busy year, as the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/tennessee-information-protection-act-tips\/\">Tennessee Information Protection Act (TIPA)<\/a>, <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/\">Delaware Consumer Privacy Act (DPDPA)<\/a>, <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/iowa-consumer-data-protection-act-icdpa\/\">Iowa Consumer Data Protection Act (ICDPA)<\/a>, and New Hampshire Privacy Act (NHPA) also come into effect.<\/p>\n<p>Like most of the other states, the Office of the Attorney General will oversee the NJDPA, though in New Jersey\u2019s case, within that office it will be managed by the Director of the Division of Consumer Affairs. Interestingly, New Jersey\u2019s data protection law includes almost all of an individual\u2019s financial information as \u201csensitive\u201d personal data.<\/p>\n\n\n<h2 class=\"wp-block-heading\">What is the New Jersey Data Privacy Act?<\/h2>\n<p>New Jersey\u2019s data privacy law protects the privacy and personal data rights of the state\u2019s nine-million-plus residents, i.e. people acting in individual or household contexts. The law also establishes data privacy responsibilities for companies conducting business in the state and\/or providing goods and services targeted to New Jersey residents.<\/p>\n<h4>Privacy notice requirements<\/h4>\n<p>Data controllers are defined under the law as \u201can individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data\u201d. The notice has to describe the organization\u2019s data processing operations, and include:<\/p>\n<ul>\n<li>categories of personal data the controller processes<\/li>\n<li>purpose(s) of processing<\/li>\n<li>categories of all third parties to which the controller may disclose consumers\u2019 personal data<\/li>\n<li>categories of personal data the controller shares with third parties, if any<\/li>\n<li>how consumers can exercise their data privacy rights<\/li>\n<li>how consumers can appeal a controller\u2019s decision (e.g. denial of a data subject access request)<\/li>\n<li>the controller\u2019s contact information, e.g. email address or other online mechanisms<\/li>\n<li>the process by which the controller notifies consumers of material changes to required notifications and effective dates of changes<\/li>\n<\/ul>\n<h4>Opt-out consent model<\/h4>\n<p>Like all other US state-level data privacy laws, the NJDPA uses an opt-out model, so controllers can collect personal data without needing data subjects\u2019 consent in many cases. Consumers do have the right to opt out of data collection and use, which includes sale, targeted advertising, or profiling \u201cin furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer\u201d, and must be provided with information about and mechanisms to do so.<\/p>\n\n\n<div class=\"uc-notice\">\n    <div class=\"uc-notice__icon\">\n        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M10.8177 17.0093H12.8177V11.0093H10.8177V17.0093ZM11.8177 9.00928C12.1011 9.00928 12.3386 8.91344 12.5302 8.72178C12.7219 8.53011 12.8177 8.29261 12.8177 8.00928C12.8177 7.72594 12.7219 7.48844 12.5302 7.29678C12.3386 7.10511 12.1011 7.00928 11.8177 7.00928C11.5344 7.00928 11.2969 7.10511 11.1052 7.29678C10.9136 7.48844 10.8177 7.72594 10.8177 8.00928C10.8177 8.29261 10.9136 8.53011 11.1052 8.72178C11.2969 8.91344 11.5344 9.00928 11.8177 9.00928ZM11.8177 22.0093C10.4344 22.0093 9.13442 21.7468 7.91775 21.2218C6.70108 20.6968 5.64275 19.9843 4.74275 19.0843C3.84275 18.1843 3.13025 17.1259 2.60525 15.9093C2.08025 14.6926 1.81775 13.3926 1.81775 12.0093C1.81775 10.6259 2.08025 9.32594 2.60525 8.10928C3.13025 6.89261 3.84275 5.83428 4.74275 4.93428C5.64275 4.03428 6.70108 3.32178 7.91775 2.79678C9.13442 2.27178 10.4344 2.00928 11.8177 2.00928C13.2011 2.00928 14.5011 2.27178 15.7177 2.79678C16.9344 3.32178 17.9928 4.03428 18.8927 4.93428C19.7927 5.83428 20.5052 6.89261 21.0302 8.10928C21.5552 9.32594 21.8177 10.6259 21.8177 12.0093C21.8177 13.3926 21.5552 14.6926 21.0302 15.9093C20.5052 17.1259 19.7927 18.1843 18.8927 19.0843C17.9928 19.9843 16.9344 20.6968 15.7177 21.2218C14.5011 21.7468 13.2011 22.0093 11.8177 22.0093Z\" fill=\"black\"\/>\n<\/svg>\n    <\/div>\n    <div class=\"uc-notice__content\">\n                <p><strong>Learn more:<\/strong> <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/comparison-guide-to-us-state-level-data-privacy-laws\/\">Comparing US state-level data privacy laws<\/a><\/p>\n            <\/div>\n<\/div>\n\n\n\n\n<h4>Definitions in the New Jersey Data Privacy Act<\/h4>\n<p><strong>Personal data under the NJDPA<\/strong><\/p>\n<p>Refers to \u201c<em>any information that is linked or reasonably linkable to an identified or identifiable person.\u201d The law also notes that \u201c\u2018Personal data\u2019 shall not include de-identified data or publicly available information.<\/em>\u201d<\/p>\n<p>Note: personal data (also called personal information) and <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/personally-identifiable-information-vs-personal-data\/\">personally identifiable data<\/a> are not always the same thing, and distinctions are often made in data privacy laws.<\/p>\n<p><strong>Sensitive data under the NJDPA<\/strong><\/p>\n<p>Sensitive data is a category that includes types of personal data that could be embarrassing or used to do harm if unlawfully accessed or misused, and thus requires special handling and under the NJDPA cannot be collected or used without prior user consent. New Jersey\u2019s privacy law specifically refers to personal data that would reveal any of the following:<\/p>\n<ul>\n<li>racial or ethnic origin<\/li>\n<li>religious beliefs<\/li>\n<li>mental or physical health condition, treatment, or diagnosis<\/li>\n<li>financial information, including:\n<ul>\n<li>account number<\/li>\n<li>account log-in<\/li>\n<li>financial account, credit or debit card number in combination with any required security code, access code, or password<\/li>\n<\/ul>\n<\/li>\n<li>sex life or sexual orientation<\/li>\n<li>status as transgender or non-binary<\/li>\n<li>citizenship or immigration status<\/li>\n<li>genetic or biometric data that may be processed for the purpose of uniquely identifying an individual<\/li>\n<li>personal data collected from a known child<\/li>\n<li>precise geolocation data (with precision and accuracy within a radius of 1,750 feet \/ 533.4 meters)<\/li>\n<\/ul>\n<p>New Jersey\u2019s regulation is now the third state-level privacy law in the US to include transgender or non-binary status as sensitive data, along with Oregon and Delaware.<\/p>\n<p><strong>Child under the NJDPA<\/strong><\/p>\n<p>The law takes its definition of a child from the <a href=\"\/knowledge-hub\/childrens-online-privacy-protection-act-coppa\/\">Children\u2019s Online Privacy Protection Act (COPPA)<\/a>, which refers to a person under the age of 13. Prior consent must be obtained from a parent or legal guardian to process their personal data. The NJDPA also requires prior consent from people between 13 and 17 to process their personal data for the purposes of targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects.<\/p>\n<p><strong>Consent under the NJDPA<\/strong><\/p>\n<p>Like many other data privacy laws, the New Jersey data privacy law follows the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/the-eu-general-data-protection-regulation\/\">European Union\u2019s General Data Protection Regulation (GDPR)<\/a> with regards to the definition of valid consent: \u201c<em>a clear affirmative act signifying a consumer\u2019s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.<\/em>\u201d<\/p>\n<p>To provide additional clarity, \u201c<em>Consent\u201d may include a written statement, including by electronic means, or any other unambiguous affirmative action.<\/em>\u201d Under the NJDPA, consent does not include:<\/p>\n<ul>\n<li><em>acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information<\/em><\/li>\n<li><em>hovering over, muting, pausing, or closing a given piece of content<\/em><\/li>\n<li><em>agreement obtained through the use of <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/dark-patterns-and-how-they-affect-consent\/\">dark patterns<\/a><\/em><\/li>\n<\/ul>\n<p><strong>Consumer under the NJDPA<\/strong><\/p>\n<p>Refers to \u201c<em>an identified person who is a resident of this State acting only in an individual or household context<\/em>.\u201d<\/p>\n<p>For additional clarity, the law also notes the following, which is commonly included language in the other US privacy laws: \u201c<em>Consumer\u2019 shall not include a person acting in a commercial or employment context<\/em>\u201d.<\/p>\n<p><strong>Controller under the NJDPA<\/strong><\/p>\n<p>Will largely apply to companies, but the specific language refers to \u201c<em>an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data<\/em>\u201d.<\/p>\n<p><strong>Processor under the NJDPA<\/strong><\/p>\n<p>A processor is defined as \u201c <em>a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller<\/em>\u201d. It could include third parties like advertising partners or fulfillment companies.<\/p>\n<p><strong>Profiling under the NJDPA<\/strong><\/p>\n<p>Profiling is increasingly becoming a standard inclusion in data privacy laws, particularly as it can relate to \u201cautomated decision-making\u201d or the use of AI technologies. The New Jersey data protection law defines profiling as \u201c<em>any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual\u2019s economic situation, health, personal preferences, interests, reliability, behavior, location or movements<\/em>\u201d.<\/p>\n<p><strong>Targeted advertising under the NJDPA<\/strong><\/p>\n<p>This is also increasingly becoming a standard inclusion in data privacy laws, and can refer to the use of emerging technologies like AI tools.<\/p>\n<p>The New Jersey data privacy law defines targeted advertising as \u201c<em>displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer\u2019s activities over time and across nonaffiliated Internet websites or online applications to predict such consumer\u2019s preferences or interests<\/em>.\u201d<\/p>\n<p>The following are not included in the definition of targeted advertising:<\/p>\n<ul>\n<li><em>advertisements based on activities within a controller\u2019s own Internet websites or online applications<\/em><\/li>\n<li><em>advertisements based on the context of a consumer\u2019s current search query, visit to an Internet website, or online application<\/em><\/li>\n<li><em>advertisements directed to a consumer in direct response to the consumer\u2019s request for information or feedback<\/em><\/li>\n<li><em>processing personal data solely to measure or report advertising frequency, performance or reach<\/em><\/li>\n<\/ul>\n<p><strong>Sale under the NJDPA<\/strong><\/p>\n<p>Refers to \u201c<em>the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party<\/em>\u201d.<\/p>\n<p>Exclusions to the definition of sale include disclosures of personal data:<\/p>\n<ul>\n<li>to a processor that only processes the personal data on the controller\u2019s behalf<\/li>\n<li>to a third party for purposes of providing a product or service requested by the consumer<\/li>\n<li>or transfer of personal data to an affiliate of the controller<\/li>\n<li>that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience<\/li>\n<li>or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller\u2019s assets<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\">What is covered in the New Jersey Data Privacy Act?<\/h2>\n<p>The NJDPA mainly affects commercial companies, but it can potentially apply to any organization processing personal data that meets the compliance threshold criteria.<\/p>\n<h4>Who has to comply with the New Jersey data privacy law?<\/h4>\n<p>The New Jersey privacy law\u2019s compliance thresholds are fairly standard compared to other fairly populous states\u2019 laws. The NJDPA continues a trend in US state-level privacy laws in having no revenue-only threshold for compliance, i.e. a company making X amount of revenue has to comply, solely based on that dollar amount and no other factors.<\/p>\n<p>The compliance thresholds are for the preceding calendar year if an organization:<\/p>\n<ul>\n<li>controls or processes the personal data of at least 100,000 New Jersey residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction<\/li>\n<\/ul>\n<p>or<\/p>\n<ul>\n<li>controls or processes the personal data of at least 25,000 New Jersey residents and derives revenue or receives a discount of any amount on the price of goods or services from the sale of personal data<\/li>\n<\/ul>\n<h4>Exemptions to New Jersey Personal Data Privacy Act compliance<\/h4>\n<p>The NJDPA\u2019s exemptions are fairly standard, and include health information protected by federal law, like the Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health Act (HITECH), or financial information handled by financial institutions or affiliates subject to the Gramm-Leach-Bliley Act (GLBA).<\/p>\n<p>Further exempted institutions include insurance institutions, secondary market institutions, and consumer reporting agencies. Additional exempted regulations include the Fair Credit Reporting Act (FCRA) and New Jersey\u2019s Motor Vehicle Commission under the Driver\u2019s Privacy Protection Act (DPPA).<\/p>\n<p>Nonprofit organizations are not exempt under the NJDPA as they are under some other states\u2019 laws, nor can the Family Educational Rights and Privacy Act (FERPA) be used for exemption purposes.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Consumers\u2019 rights under the New Jersey consumer protection law <\/h2>\n<p>Consumers\u2019 rights under the NJDPA are fairly standard compared to other comprehensive privacy laws in the US:<\/p>\n<ul style=\"list-style-type: square;\">\n<li><strong>Right to access<\/strong>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data and information about third parties it\u2019s shared with, with exceptions<\/li>\n<li><strong>Right to disclosure<\/strong>: a list of the categories of third parties to which the controller has disclosed the consumer\u2019s personal data<\/li>\n<li><strong>Right to correction<\/strong>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><strong>Right to delete<\/strong>: any personal data the controller has about or from the consumer (with some exceptions)<\/li>\n<li><strong>Right to portability<\/strong>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><strong>Right not to be<\/strong> discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><strong>Right to opt out<\/strong>: of sale of personal data, targeted advertising, or profiling \u201cin furtherance of decisions that produce legal or similarly significant effects concerning a consumer\u201d<\/li>\n<\/ul>\n<p>Consumers can designate an authorized agent to opt out of personal data processing for them. This is particularly relevant as the NJDPA includes a requirement for controllers to recognize the universal opt-out signal.<\/p>\n<h4>Coverage for children under the NJDPA<\/h4>\n<p>Parents or legal guardians can exercise the rights of children, defined as under 13 years of age, whose data is considered sensitive by default. The NJDPA uses COPPA for its definition of a child.<\/p>\n<p>Controllers are also required to obtain prior consent for the processing of personal data belonging to people between 13 and 17 years of age if it\u2019s for the purposes of targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects.<\/p>\n<h4>Consumer requests under the NJDPA<\/h4>\n<p>Consumers can make one free request to a controller to exercise their rights, e.g. getting a copy of their data, every 12 months. A controller can deny requests from a consumer that are \u201cmanifestly unfounded, excessive or repetitive\u201d, or they can charge the consumer a reasonable fee to cover the administrative costs of complying with such a request. The controller is responsible for demonstrating that request is unfounded, etc., however.<\/p>\n<p>Reasonable reasons to deny a request could also include if the consumer\u2019s identity cannot reasonably be verified, or if too many requests are received in a 12-month period.<\/p>\n<p>An organization has 45 days from receiving a consumer\u2019s request to respond, though they have the option to extend that by another 45 days if reasonably necessary., e.g. if fulfilling the request would be very complex or the controller has a great many requests to fulfill. If the controller extends the response period for a request, they must notify the consumer that they will do so before the original 45-day response period has expired, and must provide a reason for the extension.<\/p>\n<h4>Private right of action under the NJDPA<\/h4>\n<p>California continues to be the only US state that enables privacy right of action under their data privacy law. That means that consumers can sue controllers in the event of a violation of the law. New Jersey\u2019s law does not include private right of action, and enforcement falls under the state\u2019s Office of the Attorney General.<\/p>\n\n\n<h2 class=\"wp-block-heading\">How does the new New Jersey Data Privacy Act affect businesses?<\/h2>\n<p>The NJDPA is fairly similar to other US privacy law requirements regarding notifications, data access, use, and security. The law also includes particular responsibilities for data processors, particularly relating to complying with controllers\u2019 requirements, assisting with enabling consumers to exercise their rights, e.g. with access requests, and ensuring adequate safeguards for collected data.<\/p>\n\n\n<div id=\"uc-cta_69d1eb93550f2\" class=\"uc-cta uc-cta--button uc-cta--primary uc-ctx--blue\">\n    <div class=\"uc-cta__inner container\">\n        <div class=\"uc-cta__content\">\n                                        <div class=\"uc-cta__heading no-default-margin\">Find out how Usercentrics can help you achieve compliance with NJDPA<\/div>\n                                                                                <\/div>\n                            <div class=\"uc-cta__section\">\n                                        <a id=\"cd34727c-24aa-409b-a586-607b5856c5ca\" class=\"uc-button uc-button-size-m uc-button-contained  no-default-link-decoration\" href=\"https:\/\/usercentrics.com\/book-a-consultation\/\" target=\"\"><span>Contact sales<\/span><\/a>                                    <\/div>\n            <\/div>\n<\/div>\n    <script type=\"module\">\n        new Uc_Cta(document.getElementById(\"uc-cta_69d1eb93550f2\"));\n    <\/script>\n\n\n<h4>How to comply with the New Jersey Data Privacy Act<\/h4>\n<p>The compliance requirements for the NJDPA are largely the same as those for other comprehensive US data protection laws. Accurate notifications for consumers are a significant requirement, and while data controllers do not need to obtain prior consent for data collection and processing in most cases, they do need to enable users to opt out. Prior consent is required for processing sensitive data or that of children.<\/p>\n<p><strong>Notifications defined by the NJDPA<\/strong><\/p>\n<p>Controllers must provide a privacy notice that is \u201caccessible, clear, and meaningful\u201d, and includes:<\/p>\n<ul>\n<li>categories of personal data that the controller processes<\/li>\n<li>purpose(s) for processing personal data<\/li>\n<li>categories of all third parties to which the controller may disclose a consumer\u2019s personal data<\/li>\n<li>categories of personal data that the controller shares with third parties, if any<\/li>\n<li>how consumers may exercise their consumer rights, including:\n<ul>\n<li>the controller\u2019s contact information<\/li>\n<li>how a consumer may appeal a controller\u2019s decision concerning their request<\/li>\n<li>the process by which the controller notifies consumers of material changes to required notifications and the effective date of the notice<\/li>\n<li>email address or other online mechanism the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<li>if the controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, sale, or profiling, the controller must clearly and conspicuously disclose the sale or processing, as well as how a consumer may exercise the right to opt out<\/li>\n<\/ul>\n<p><strong>Restrictions on controller requirements for consumers exercising their rights<\/strong><\/p>\n<p>A controller can\u2019t require a consumer to create a new account in order to exercise their rights, however, controllers can require reasonable verification of a consumer\u2019s identity for security purposes. To this end, the controller can require a consumer to use an existing account to verify themselves and submit their request.<\/p>\n<p>A controller can\u2019t increase the cost or availability of a product or service based solely on the consumer exercising a right (right to nondiscrimination).<\/p>\n<p><strong>Purpose limitation defined by the NJDPA<\/strong><\/p>\n<p>Controllers can process personal data for the purpose(s) that they have communicated, as long as they limit the processing to \u201c<em>the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer<\/em>\u201d.<\/p>\n<p>Controllers may not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.<\/p>\n<p>Controllers may not process personal data for purposes that are \u201c<em>neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer<\/em>\u201d unless the controller obtains the consumer\u2019s consent.<\/p>\n<p>If the purposes for processing change, the controller must provide new notification, and, where relevant, obtain new data subject consent. In some cases, like with children\u2019s data, consent must be obtained from a parent or guardian before processing, rather than enabling opt-out later.<\/p>\n<p><strong>Data security defined by the NJDPA<\/strong><\/p>\n<p>Controllers must \u201c<em>take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. The data security practices shall be appropriate to the volume and nature of the personal data at issue<\/em>\u201d.<\/p>\n<p>The law doesn\u2019t specify any specific security measures, like encryption, so those policy and infrastructure best practices and decisions will be left up to data controllers.<\/p>\n<p>Processors working with\/for controllers are also responsible for safeguarding personal data they have access to, and obligations should be established contractually before processing. However, the ultimate responsibility for the protection of collected personal data and its appropriate use lies with the controller.<\/p>\n<p><strong>Data protection assessments (DPA) defined by the NJDPA<\/strong><\/p>\n<p>Data protection assessments are meant to identify and weigh the risks of data processing and ensure consumers whose data is processed are adequately protected. They are also intended to ensure that controllers factor in the potential use of de-identified data, consumer expectations, and relationships between controller and consumers.<\/p>\n<p>Controllers are required to perform data protection assessments (DPA), also known as data protection impact assessments, for \u201c<em>processing that presents a heightened risk of harm to a consumer<\/em>.\u201d Such activities include:<\/p>\n<ul>\n<li>processing personal data for the purposes of targeted advertising<\/li>\n<li>profiling, if it presents a reasonably foreseeable risk of negative impact on consumers<\/li>\n<li>processing sensitive personal data<\/li>\n<li>sale of personal data<\/li>\n<\/ul>\n<p>The Attorney General can require a data controller to conduct or disclose a DPA and share the results of one in the course of an investigation. The AG can also weigh a DPA to determine if it is sufficient for compliance purposes.<\/p>\n<p><strong>Consent requirements defined by the NJDPA<\/strong><\/p>\n<p>For many circumstances, user consent is not required by New Jersey\u2019s privacy law before personal data is collected or processed. Prior consent is required to access sensitive data or children\u2019s data, for example, or if the organization\u2019s data processing purposes change. Controllers must provide clear notification about what data is collected and processed, purposes for use, who it\u2019s shared with, consumers\u2019 rights, and how to exercise them, etc. to ensure that consumers are reasonably informed and able to make requests or opt out of data processing.<\/p>\n<p><strong>Requirements to change or revoke consent as defined by the NJDPA<\/strong><\/p>\n<p>In addition to providing information about how consumers can opt out, controllers must provide information so consumers know that they can change or revoke previous consent later.<\/p>\n<p>Revoking consent must be \u201c<em>at least as easy as the mechanism by which the consumer provided the consumer\u2019s consent<\/em>\u201d. Once a consumer has revoked consent, the controller must cease processing the data \u201c<em>as soon as practicable, but not later than 15 days after the receipt of such request<\/em>\u201d.<\/p>\n<p><strong>Nondiscrimination defined by the NJDPA<\/strong><\/p>\n<p>Like other US privacy laws, New Jersey\u2019s regulation prohibits discrimination against consumers, including discrimination for exercising their rights under the NJDPA, or processing personal data if it would violate other state or federal laws governing discrimination.<\/p>\n<p>For example, if a consumer opts out of data processing on a website, that individual cannot be blocked from accessing the site or its functions. There are, however, some web or app features and functions that will not work without certain cookies or trackers being activated, so if a consumer opts out and they no longer work optimally, this is not discriminatory. Additionally, the use of some cookies does not require consent if they are \u201cstrictly necessary\u201d to enable a website to work correctly, like the shopping cart functions on an ecommerce site.<\/p>\n<p>Controllers can offer voluntary incentives to consumers for their participation in activities that collect personal data, for example, subscribing to a newsletter, completing a survey, or joining a loyalty program. However, such incentives must be proportionate and reasonable to the request, as well as to the type and volume of personal data collected, and the purpose for its collection. It cannot reasonably look like payment for consent.<\/p>\n<p>Consumers who decline incentive offers also cannot be discriminated against, e.g. by not having access to comparable services or offers, or being charged a different (especially higher) price.<\/p>\n<p><strong>Third-party contracts defined by the NJDPA<\/strong><\/p>\n<p>Processors need to assist controllers in meeting their obligations under the law, which include restricting processes to publicized purposes, safeguarding personal data, and providing information enabling data protection assessments, breach notifications, or data subject access requests.<\/p>\n<p>There needs to be a contract in place between the controller and processor prior to data collection. Such contracts are binding on both sides and need to include:<\/p>\n<ul>\n<li>duty of confidentiality<\/li>\n<li>information about appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing<\/li>\n<li>clear instructions for processing data, including:\n<ul>\n<li>nature and purpose of the processing<\/li>\n<li>type of data that is subject to processing<\/li>\n<li>duration of the processing<\/li>\n<\/ul>\n<\/li>\n<li>rights and obligations of both parties with a clear allocation of responsibilities to implement the required measures<\/li>\n<li>the processor must delete or return the personal data to the controller at the controller\u2019s direction or at the end of the provision of services unless there are superseding legal requirements for the processor<\/li>\n<li>the processor must provide the controller (upon request) all information needed to verify that the processor has complied with all of their contractual obligations to the controller<\/li>\n<li>if the processor engages any subcontractors, they must have contracts in place as well to ensure they comply with all requirements of the controller<\/li>\n<\/ul>\n<p><strong>Universal opt-out mechanism<\/strong><\/p>\n<p>Not all US state-level privacy laws include requirements for a universal opt-out mechanism, aka global opt-out signal or <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/what-is-global-privacy-control\/\">Global Privacy Control<\/a>, however, it\u2019s becoming more common with some of the more recently passed data privacy laws. New Jersey\u2019s law is slightly different from some other state-level privacy laws to date, as controllers are also required to recognize a universal opt-out mechanism for user profiling if it\u2019s \u201c<em>in furtherance of decisions that produce legal or similarly significant effects concerning a consumer<\/em>\u201d.<\/p>\n<p>The New Jersey Data Privacy Act does include this mechanism, and includes language that more than one such mechanism may be employed to \u201c<em>clearly communicate a consumer&#8217;s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data<\/em>\u201d. Controllers will need to recognize the universal opt-out mechanism by July 16, 2025.<\/p>\n<p>This mechanism enables consumers to set and communicate their preferences with regards to the processing of their personal data once, e.g. in their web browser, and then they\u2019re communicated to all websites or other platforms or services that the consumer uses that can detect the signal.<\/p>\n\n\n<h2 class=\"wp-block-heading\">What happens if you violate the New Jersey data privacy regulation?<\/h2>\n<p>New Jersey\u2019s Management, education, enforcement, and evolution of the NJDPA will be centralized under the Office of the Attorney General and managed by the Director of the Division of Consumer Affairs. The Consumer Affairs division also has the power to make and publicize rules to carry out the NJDPA\u2019s purposes. Only California, Colorado, and Florida\u2019s laws currently allow for this.<\/p>\n<h4>New Jersey Data Privacy Act enforcement<\/h4>\n<p>The Division of Consumer Affairs under the Attorney General will handle enforcement of the law when it comes into force in January 2025. Consumer complaints about controllers\u2019 data processing or denial of consumer requests can be submitted to the Attorney General, which will notify an organization of any complaint and if an investigation is launched. The Attorney General can require data protection assessments and other information from controllers in the course of the investigation or to ensure they are being done compliantly.<\/p>\n<h4>Consumer complaints under New Jersey\u2019s privacy law<\/h4>\n<p>Controllers have to provide information and a process to consumers not only to exercise their rights, but also justification for denying a request if they choose to do so, along with information on how to lodge an appeal if the controller refuses to take action on a request. This appeal process must be similar to the process to make a request and just as easy to do.<\/p>\n<p>The controller has 45 days from receiving an appeal to reply to the consumer about any action taken (or not taken), including a written explanation of the reasons for the decision. Controllers also have to provide consumers with an online mechanism, if possible, or another way to contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a further complaint if the controller does not resolve issues with the consumer.<\/p>\n<p>The Attorney General\u2019s Office can decide to initiate an investigation or issue a notice of violation to a controller, e.g. resulting from a complaint. As previously noted, consumers do not have private right of action under the NJDPA.<\/p>\n<h4>Cure period and sunset provision under the NJDPA<\/h4>\n<p>The NJDPA requires that the Attorney General\u2019s Office provide controllers with notice of violation and give 30 days to cure violations if it\u2019s agreed that a cure is possible. The cure provision sunsets on July 16, 2026 (18 months after the law comes into effect). After that providing a cure period would be at the discretion of the Attorney General\u2019s Office.<\/p>\n<p>If the controller fails to cure the violation within 30 days, the Attorney General\u2019s Office may initiate enforcement proceedings. Factors that may influence such decisions include the number and severity of violations, nature and extent of the processing activities, likelihood of injury to the public, etc.<\/p>\n<h4>Fines and penalties<\/h4>\n<p>The NJDPA doesn\u2019t provide a specific amount for fines, however, violating the NJDPA will constitute a violation of the <a href=\"https:\/\/www.njconsumeraffairs.gov\/statutes\/consumer-fraud-act.pdf\" target=\"_blank\" rel=\"noopener\">New Jersey Consumer Fraud Act<\/a>. Fines can be up to $10,000 USD for an initial violation and up to $20,000 USD for subsequent violations.<\/p>\n\n\n<h2 class=\"wp-block-heading\">The New Jersey Personal Data Privacy Act and consent management<\/h2>\n<p>New Jersey\u2019s law is based on an opt out consent model, so consent does not need to be obtained before collecting or processing personal data in many circumstances like it does in the European Union, for example.<\/p>\n<p>Consumers do have to be informed about data collection and use, the parties with access to their data, and what their rights are and how to exercise them. This information, commonly provided in a comprehensive privacy notice, needs to be clear and easily accessible, e.g. on the organization\u2019s website.<\/p>\n<p>Consumers do need to be able to opt out of the processing of their data for several purposes or be able to change or revoke their previous consent preferences. This can be managed via a consent management platform like <a href=\"https:\/\/usercentrics.com\/website-consent-management\/\">Usercentrics CMP for Website Consent Management<\/a> or <a href=\"https:\/\/usercentrics.com\/in-app-sdk\/\">App Consent Management<\/a>.<\/p>\n<p>As of 2026, organizations must also recognize and respect consumers\u2019 consent preferences as expressed via a universal opt-out signal.<\/p>\n<p>Use of a CMP can streamline provision of information about categories of data and specific services in use by the controller and\/or processor(s), and third parties with whom data is shared. The NJDPA does require providing consumers with clear, granular information about this.<\/p>\n<p>The United States still only has a patchwork of state-level privacy laws and not a single federal one, so many companies doing business across the country, or foreign organizations doing business in the US, may need to comply with a variety of state data protection laws.<\/p>\n<p>A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user\u2019s preferred language.<\/p>\n\n\n<div class=\"uc-notice\">\n    <div class=\"uc-notice__icon\">\n        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M10.8177 17.0093H12.8177V11.0093H10.8177V17.0093ZM11.8177 9.00928C12.1011 9.00928 12.3386 8.91344 12.5302 8.72178C12.7219 8.53011 12.8177 8.29261 12.8177 8.00928C12.8177 7.72594 12.7219 7.48844 12.5302 7.29678C12.3386 7.10511 12.1011 7.00928 11.8177 7.00928C11.5344 7.00928 11.2969 7.10511 11.1052 7.29678C10.9136 7.48844 10.8177 7.72594 10.8177 8.00928C10.8177 8.29261 10.9136 8.53011 11.1052 8.72178C11.2969 8.91344 11.5344 9.00928 11.8177 9.00928ZM11.8177 22.0093C10.4344 22.0093 9.13442 21.7468 7.91775 21.2218C6.70108 20.6968 5.64275 19.9843 4.74275 19.0843C3.84275 18.1843 3.13025 17.1259 2.60525 15.9093C2.08025 14.6926 1.81775 13.3926 1.81775 12.0093C1.81775 10.6259 2.08025 9.32594 2.60525 8.10928C3.13025 6.89261 3.84275 5.83428 4.74275 4.93428C5.64275 4.03428 6.70108 3.32178 7.91775 2.79678C9.13442 2.27178 10.4344 2.00928 11.8177 2.00928C13.2011 2.00928 14.5011 2.27178 15.7177 2.79678C16.9344 3.32178 17.9928 4.03428 18.8927 4.93428C19.7927 5.83428 20.5052 6.89261 21.0302 8.10928C21.5552 9.32594 21.8177 10.6259 21.8177 12.0093C21.8177 13.3926 21.5552 14.6926 21.0302 15.9093C20.5052 17.1259 19.7927 18.1843 18.8927 19.0843C17.9928 19.9843 16.9344 20.6968 15.7177 21.2218C14.5011 21.7468 13.2011 22.0093 11.8177 22.0093Z\" fill=\"black\"\/>\n<\/svg>\n    <\/div>\n    <div class=\"uc-notice__content\">\n                <p><strong>Learn more:<\/strong> <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/ecommerce-consent-requirements\/\">Are ecommerce businesses ready for the new consent requirements?<\/a><\/p>\n            <\/div>\n<\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\">Preparing for the New Jersey Data Privacy Act <\/h2>\n<p>Organizations doing business in New Jersey have until January 2025 to prepare for compliance with the NJDPA.<\/p>\n<p>Companies that achieve compliance with other state-level regulations, like <a href=\"https:\/\/usercentrics.com\/ccpa\/\">California\u2019s CCPA\/CPRA<\/a> have done much of the work toward NJDPA compliance. Organizations always need to be clear on specific states\u2019 laws\u2019 unique stipulations and should always consult qualified legal counsel and\/or their own data protection officer (DPO) or privacy expert. A privacy-by-design approach will also benefit an organization\u2019s operations beyond data privacy compliance.<\/p>\n<p>Being proactive about protecting user privacy is valuable in business operations. It builds user engagement and trust, improves user experiences, and strengthens customer relationships long-term. These help produce more high-quality data for marketing operations and contribute to increased revenue.<\/p>\n<p>If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, <a href=\"https:\/\/usercentrics.com\/book-a-consultation\/\">talk to one of our experts<\/a>.<\/p>\n\n\n<div id=\"uc-cta_69d1eb9355ed5\" class=\"uc-cta uc-cta--button uc-cta--primary uc-ctx--blue\">\n    <div class=\"uc-cta__inner container\">\n        <div class=\"uc-cta__content\">\n                                        <div class=\"uc-cta__heading no-default-margin\">Get started on NJDPA compliance with Usercentrics web and app CMP<\/div>\n                                                                                <\/div>\n                            <div class=\"uc-cta__section\">\n                                        <a id=\"a20572a0-e88a-4889-af8f-fbb433f7c0d4\" class=\"uc-button uc-button-size-m uc-button-contained  no-default-link-decoration\" href=\"https:\/\/usercentrics.com\/free-trial\/\" target=\"\"><span>Free trial for web <\/span><\/a>                                    <\/div>\n            <\/div>\n<\/div>\n    <script type=\"module\">\n        new Uc_Cta(document.getElementById(\"uc-cta_69d1eb9355ed5\"));\n    <\/script>\n\n\n<p>Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>The New Jersey Data Privacy Act is the 15th state-level data privacy law passed in the United States. It was the second data privacy bill passed in 2024, after New Hampshire\u2019s, but New Jersey\u2019s governor signed it into law on January 16, 2024. It comes into effect one year from that date.<\/p>\n","protected":false},"featured_media":2248,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[13],"class_list":["post-479","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry","resource_tag-regulations"],"acf":[],"yoast_head":"<title>The New Jersey Data Privacy Act (NJDPA) - Usercentrics<\/title>\n<meta name=\"description\" content=\"Usercentrics explains the New Jersey Data Privacy Act (NJDPA) and what the New Jersey consumer protection law means for consumers and companies.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The New Jersey Data Privacy Act (NJDPA) - Usercentrics\" \/>\n<meta property=\"og:description\" content=\"Usercentrics explains the New Jersey Data Privacy Act (NJDPA) and what the New Jersey consumer protection law means for consumers and companies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/\" \/>\n<meta property=\"og:site_name\" content=\"Usercentrics - US\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/usercentrics\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-26T09:59:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2024\/04\/uc_some_post_1200x630_njdpa_202402.jpg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"New Jersey Data Privacy Act (NJDPA): An Overview\" \/>\n<meta name=\"twitter:site\" content=\"@usercentrics\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"22 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/\",\"url\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/\",\"name\":\"The New Jersey Data Privacy Act (NJDPA) - Usercentrics\",\"isPartOf\":{\"@id\":\"https:\/\/usercentrics.com\/us\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/04\/uc_blog_hero_500px_njdpa_overview_orange_01.png\",\"datePublished\":\"2024-04-05T13:24:15+00:00\",\"dateModified\":\"2025-06-26T09:59:01+00:00\",\"description\":\"Usercentrics explains the New Jersey Data Privacy Act (NJDPA) and what the New Jersey consumer protection law means for consumers and companies.\",\"breadcrumb\":{\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/\"}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#primaryimage\",\"url\":\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/04\/uc_blog_hero_500px_njdpa_overview_orange_01.png\",\"contentUrl\":\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/04\/uc_blog_hero_500px_njdpa_overview_orange_01.png\",\"caption\":\"NJDPA overview\",\"copyrightNotice\":\"\u00a9 Copyright 2026 Usercentrics GmbH\",\"creator\":{\"@type\":\"Organization\",\"name\":\"Usercentrics GmbH\"},\"creditText\":\"Image: Usercentrics GmbH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\/\/usercentrics.com\/us\/resources\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Jersey Data Privacy Act (NJDPA): An Overview\",\"item\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/usercentrics.com\/us\/#website\",\"url\":\"https:\/\/usercentrics.com\/us\/\",\"name\":\"Usercentrics - US\",\"description\":\"Consent Management Platform (CMP) Usercentrics\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/usercentrics.com\/us\/?s={search_term_string}\"}}],\"inLanguage\":\"en-US\"}]}<\/script>","yoast_head_json":{"title":"The New Jersey Data Privacy Act (NJDPA) - Usercentrics","description":"Usercentrics explains the New Jersey Data Privacy Act (NJDPA) and what the New Jersey consumer protection law means for consumers and companies.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"The New Jersey Data Privacy Act (NJDPA) - Usercentrics","og_description":"Usercentrics explains the New Jersey Data Privacy Act (NJDPA) and what the New Jersey consumer protection law means for consumers and companies.","og_url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/","og_site_name":"Usercentrics - US","article_publisher":"https:\/\/www.facebook.com\/usercentrics","article_modified_time":"2025-06-26T09:59:01+00:00","og_image":[{"url":"https:\/\/usercentrics.com\/wp-content\/uploads\/2024\/04\/uc_some_post_1200x630_njdpa_202402.jpg","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_title":"New Jersey Data Privacy Act (NJDPA): An Overview","twitter_site":"@usercentrics","twitter_misc":{"Est. reading time":"22 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/","url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/","name":"The New Jersey Data Privacy Act (NJDPA) - Usercentrics","isPartOf":{"@id":"https:\/\/usercentrics.com\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#primaryimage"},"image":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#primaryimage"},"thumbnailUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/04\/uc_blog_hero_500px_njdpa_overview_orange_01.png","datePublished":"2024-04-05T13:24:15+00:00","dateModified":"2025-06-26T09:59:01+00:00","description":"Usercentrics explains the New Jersey Data Privacy Act (NJDPA) and what the New Jersey consumer protection law means for consumers and companies.","breadcrumb":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#primaryimage","url":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/04\/uc_blog_hero_500px_njdpa_overview_orange_01.png","contentUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2024\/04\/uc_blog_hero_500px_njdpa_overview_orange_01.png","caption":"NJDPA overview","copyrightNotice":"\u00a9 Copyright 2026 Usercentrics GmbH","creator":{"@type":"Organization","name":"Usercentrics GmbH"},"creditText":"Image: Usercentrics GmbH"},{"@type":"BreadcrumbList","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/usercentrics.com\/us\/resources\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/"},{"@type":"ListItem","position":3,"name":"New Jersey Data Privacy Act (NJDPA): An Overview","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/"}]},{"@type":"WebSite","@id":"https:\/\/usercentrics.com\/us\/#website","url":"https:\/\/usercentrics.com\/us\/","name":"Usercentrics - US","description":"Consent Management Platform (CMP) Usercentrics","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/usercentrics.com\/us\/?s={search_term_string}"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge"}],"about":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/types\/knowledge"}],"version-history":[{"count":0,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/479\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media\/2248"}],"wp:attachment":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media?parent=479"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/tags?post=479"},{"taxonomy":"magazine_issue","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_issue?post=479"},{"taxonomy":"magazine_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_tag?post=479"},{"taxonomy":"resource_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/resource_tag?post=479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}