The New Jersey Data Privacy Act (NJDPA), enacted in January 2024, makes New Jersey one of the earliest states in the Northeast to adopt a comprehensive consumer privacy framework. Signed by Governor Phil Murphy, the law establishes broad rights for New Jersey residents and imposes detailed obligations on businesses that collect, use, or disclose personal information.
The Act takes effect on January 15, 2025.
New Jersey’s law closely follows the “Colorado/Connecticut model,” but includes several notable distinctions—particularly around sensitive data, children’s data, and universal opt‑out mechanisms.
Scope and Applicability
The NJDPA applies to controllers and processors that conduct business in New Jersey or target New Jersey residents and meet certain thresholds based on:
- The volume of personal data processed, or
- Revenue derived from the sale of personal data
The law includes exemptions for:
- HIPAA‑regulated entities and data
- GLBA‑regulated financial institutions
- FERPA‑covered educational data
- Nonprofits
- Government entities
- Certain employment‑related data
These exemptions keep the law focused on consumer‑facing commercial data practices.
Consumer Rights
New Jersey residents gain a comprehensive set of rights over their personal information, including:
- Right to access personal data
- Right to delete personal data
- Right to correct inaccuracies
- Right to data portability
- Right to opt out of:
  - Targeted advertising
  - Sale of personal data
  - Profiling that produces legal or similarly significant effects
The NJDPA also requires controllers to recognize universal opt‑out mechanisms, aligning New Jersey with states like Colorado and California.
Controller Obligations
Businesses subject to the Act must implement a robust privacy program that includes:
Transparency
Controllers must provide a clear privacy notice describing:
- Categories of personal data collected
- Processing purposes
- Consumer rights and how to exercise them
- Whether data is sold or used for targeted advertising
Data Minimization & Purpose Limitation
Controllers may collect only what is reasonably necessary for disclosed purposes.
Security Measures
Reasonable administrative, technical, and physical safeguards are required.
Sensitive Data
Processing sensitive personal data requires opt‑in consent. Sensitive data includes:
- Precise geolocation
- Children’s data
- Health information
- Biometric identifiers
Data Protection Assessments
High‑risk processing—such as targeted advertising, profiling, or handling sensitive data—requires documented assessments.
Processor Contracts
Controllers must enter into binding agreements with processors governing data handling, confidentiality, and security.
Children’s and Teens’ Data
The NJDPA includes enhanced protections for minors, requiring:
- Opt‑in consent for processing personal data of children under 13
- Opt‑out rights for teens aged 13–16 for targeted advertising, sale of data, and profiling
These provisions align New Jersey with the growing national trend toward stronger youth‑privacy protections.
Enforcement
- Enforced exclusively by the New Jersey Attorney General
- No private right of action
- A cure period may be available for certain violations, depending on enforcement posture
