The landscape of privacy regulations in the United States continues to evolve, and New Jersey is now stepping into the spotlight. On January 15, 2025, the New Jersey Data Privacy Act (NJDPA) went into effect, granting residents greater control over their personal information while holding businesses to higher standards of transparency and accountability.
Joining four other states enacting new privacy laws this January, the NJDPA stands out with its broad definition of sensitive data and unique provisions that apply to a wide range of organizations, including nonprofits and higher education institutions. For businesses, this marks a pivotal moment to reevaluate data practices and embrace a new era of compliance.
The NJDPA is set to change how you approach privacy. Read on to learn what you need to know and how your organization can prepare for this important regulatory shift.
Understanding the NJDPA | Scope of Application | Rights Granted to Consumers | Key Obligations for Businesses Under New Jersey’s Privacy Law | Enforcement of The NJDPA | How DataGrail Can Help
Understanding the NJDPA
As one of the latest additions to the growing patchwork of state privacy laws, the New Jersey Data Privacy Act (NJDPA) strikes a balance between consumer rights and business feasibility.
One of its standout features is its broad definition of sensitive data, which includes financial information—a category often excluded by other states. This approach mirrors California’s Consumer Privacy Act, setting New Jersey apart in its treatment of financial data as sensitive.
The NJDPA also imposes compliance obligations on higher education institutions and nonprofit organizations, which are typically exempt under other laws. For businesses operating in or targeting New Jersey, this means new obligations that must be met to ensure compliance.
New Jersey joins California and Colorado as one of the few states that delegates rulemaking authority to a state agency. Although regulations are expected in 2025, businesses are still waiting for guidance from the Division of Consumer Affairs. As of now, no rulemaking has been issued, so businesses must remain vigilant and watch for updates throughout the year. Additionally, businesses must complete data protection assessments before processing certain types of data, reinforcing the state’s strong focus on privacy.
Scope of Application
The New Jersey Data Privacy Act (NJDPA) is designed to protect the personal data of New Jersey residents and applies to businesses that meet specific thresholds for data processing. These include businesses that:
- Control or process the personal data of 100,000 or more unique consumers, or
- Control or process the personal data of 25,000 or more unique consumers and derive any revenue or discount on the price of goods or services from the sale of personal data.
One of the standout features of the NJDPA is its inclusion of nonprofit organizations and higher education institutions, which are often exempt from other state privacy laws. This means that even small businesses and nonprofits that process substantial amounts of personal data are not exempt from compliance.
However, the law does carve out some exceptions, including data governed by HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act (FCRA). With its comprehensive scope, businesses must carefully evaluate their data practices to ensure they meet the law’s requirements and avoid potential penalties.
Rights Granted to Consumers
Under the New Jersey Data Privacy Act (NJDPA), consumers are granted a range of rights over their personal data. Below are the key rights consumers can exercise under this new law:
- Right to Access: Consumers have the right to confirm whether a business (or “controller”) is processing their personal data and access that data. Businesses must provide clear access to information about the personal data they hold, allowing consumers to understand what data is being processed.
- Right to Correction: Consumers can request corrections to inaccuracies in their personal data. This ensures that any outdated or incorrect information is rectified by the business holding it.
- Right to Deletion: Consumers have the right to request the deletion of their personal data that has been provided to a business. However, this right is somewhat limited, focusing on data directly submitted by the consumer—different from other states where data collected from other sources can also be deleted.
- Right to Data Portability: Consumers can request a copy of their personal data in a format that is easily transferable and usable. This allows individuals to move their data across different services or platforms with ease.
- Right to Opt-Out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of their data, or profiling for decisions with significant legal or personal effects. This gives consumers greater control over how their data is used for business purposes.
In a significant step toward empowering consumers, the NJDPA requires businesses to implement universal opt-out mechanisms by July 15, 2025. This means consumers will have an easy, standardized way to manage their privacy preferences across different platforms. Additionally, businesses are required to respond to consumer requests within 45 days, with extensions only allowed in certain situations.
Key Obligations for Businesses Under New Jersey’s Privacy Law
Businesses subject to the New Jersey Data Privacy Act (NJDPA) must comply with several key obligations:
Controllers’ Responsibilities
Controllers—those who determine the purposes and means of processing personal data—are required to:
- Limit Data Collection: Controllers must ensure that the personal data they collect is adequate, relevant, and reasonably necessary for the disclosed purposes.
- Privacy Notices: Controllers must provide clear and conspicuous privacy notices to New Jersey residents, explaining the types of personal data they collect, how that data will be used, shared, or sold, and any third parties with whom it is shared.
- Data Security Practices: Controllers must establish and maintain reasonable administrative, technical, and physical measures to safeguard personal data from unauthorized access and ensure its confidentiality and integrity.
- Sensitive Data Consent: Personal data categorized as sensitive (such as racial, health, or financial information) cannot be processed without explicit consumer consent. This also applies to data collected from known children, requiring compliance with COPPA. Remember, a new category of sensitive data has been added: financial information.
- Non-Discriminatory Processing: Data processing must comply with state and federal laws regarding non-discrimination, ensuring that consumers are not treated unfairly based on their personal data.
- Revocation of Consent: Controllers must allow consumers to easily revoke consent for processing personal data and cease processing it within 15 days of the revocation.
- Data Protection Impact Assessment: Controllers must conduct an impact assessment for any data processing activities that pose heightened risks to consumers, such as targeted advertising or processing of sensitive data.
- Universal Opt-Out Mechanism (UOOM): Starting July 15, 2025, controllers must implement a universal opt-out mechanism, allowing consumers to easily opt out of data processing for specific purposes, including targeted advertising and the sale of personal data.
Processors’ Responsibilities
Processors—those who handle personal data on behalf of controllers—are required to:
- Assist with Consumer Requests: Processors must support controllers in responding to consumer rights requests, such as access, deletion, and opt-out requests.
- Comply with Controller Instructions: Processors must act in accordance with the instructions of controllers and assist them in fulfilling their obligations under the NJDPA, including ensuring security and privacy compliance.
- Contractual Agreement with Controllers: Controllers and processors must have a contractual agreement that outlines the respective privacy obligations and compliance measures set forth by the NJDPA.
By meeting these obligations, businesses can foster greater trust with consumers and avoid potential penalties. As the deadline for the Universal Opt-Out Mechanism approaches in July 2025, companies should begin preparing to meet these new requirements and enhance their privacy practices moving forward.
Enforcement of The NJDPA
The New Jersey Data Privacy Act (NJDPA) will be primarily enforced by the Office of the Attorney General, with the Division of Consumer Affairs within the Department of Law and Public Safety overseeing compliance and creating the necessary regulations. While enforcement will fall under the Attorney General’s office, many businesses are still waiting for detailed guidance from the Division of Consumer Affairs. Despite the law now being in effect, no rulemaking has been issued as of January 2025, meaning companies must remain vigilant and monitor updates throughout the year to stay compliant.
One key aspect of the NJDPA is the 30-day “cure period,” which allows businesses to fix alleged violations after receiving notice from the Attorney General. This cure period is available for the first 18 months, so businesses have until July 1, 2026, to address violations before facing more severe penalties.
Penalties for noncompliance can be steep—up to $10,000 for the first violation and $20,000 for subsequent violations. However, there is no private right of action under the NJDPA, meaning individuals cannot sue businesses directly for violations. Instead, it’s up to the Attorney General’s office to decide whether to take enforcement action.
Businesses must also ensure that consumers can easily exercise their rights under the law, including the ability to appeal decisions on data requests. If these issues aren’t resolved within the cure period, enforcement actions can begin.
As we move into 2025, businesses need to remain vigilant, proactively monitor the NJDPA’s implementation, and prepare for enforcement as the regulatory landscape continues to unfold. Keeping up with the latest updates from the Attorney General’s office will be crucial to ensuring compliance.
How DataGrail Can Help
Navigating state privacy laws like New Jersey’s Data Privacy Act (NJDPA) can be complex, especially with varying requirements across jurisdictions. That’s where DataGrail comes in.
Our platform is designed to simplify compliance with the NJDPA and other evolving state privacy laws. Here’s how DataGrail can help your business stay compliant:
- Automate Consumer Rights Requests: Easily manage consumer requests for access, deletion, and opt-out, all while ensuring timely responses in line with NJDPA deadlines.
- Generate Privacy Notices: DataGrail helps you create privacy notices that meet NJDPA’s transparency standards, ensuring clear communication about data use, sales, and targeted advertising.
- Ensure Vendor Compliance: Stay on top of third-party compliance with NJDPA obligations, keeping all your data handling practices secure and compliant.
With DataGrail’s Request Manager, businesses can efficiently handle data subject access requests (DSARs), deletion requests, and opt-out actions. This means you’re covered not just for NJDPA, but also for other major laws like CCPA and GDPR.
By using DataGrail, your business can stay ahead of privacy laws, reduce risk, and maintain trust with your customers.
The NJDPA is now in effect, and businesses must prioritize staying compliant with its requirements. As privacy regulations continue to evolve across the U.S. in 2025, keeping up with changes in states like Delaware and New Hampshire is essential to avoid penalties and maintain consumer trust. Let DataGrail help.
Want to learn more? Check out our Guide to State Privacy Laws to discover how these regulations will impact your business and ensure your compliance strategy is up to date. Additionally, join Privacy Basecamp, our exclusive community of privacy professionals, to connect, share resources, and discuss best practices in privacy management. Stay updated on the latest privacy legislation and engage with experts in the field.