
Breaking down the New Jersey Data Privacy Act (NJDPA)

Last updated
March 7, 2025

The New Jersey Data Privacy Act (NJDPA), effective January 1, 2025, was signed into law (as Bill S332) by Governor Phil Murphy in 2024. The NJDPA empowers New Jersey residents with rights to access, correct, delete, and opt out of the sale or targeted use of their personal data. 


What is the NJDPA?

Why Was the NJDPA Passed?

What makes the NJDPA unique?


Key definitions in the NJDPA

The New Jersey Data Privacy Act (NJDPA) includes several key definitions, set out in Section 2 of the NJDPA, that establish its scope and application:

  • Consumer: A New Jersey resident acting in an individual or household context, excluding those acting in a commercial or employment capacity.

  • Personal data: Information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available data.

  • Sensitive data: Includes data revealing racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, and certain financial information not covered by the Gramm-Leach-Bliley Act.

Note that the NJDPA's definition of "sensitive data" is broader than in comparable laws, encompassing financial information alongside categories like racial or ethnic origin, health conditions, and precise geolocation.

  • Controller: An entity that determines the purpose and means of processing personal data.

  • Processor: An entity that processes personal data on behalf of a controller.

  • Sale of personal data: The exchange of personal data for monetary or other valuable consideration to a third party.

  • Targeted advertising: Displaying ads to a consumer based on personal data obtained from their activities over time and across nonaffiliated websites or applications.

These definitions establish the framework for the NJDPA's consumer rights and business obligations, ensuring clarity in its implementation.

Who must comply with the NJDPA?

The New Jersey data privacy law applies to businesses operating in New Jersey or targeting residents, if they:

  1. Process personal data of at least 100,000 consumers annually (excluding payment data used solely for transactions).
  2. Process personal data of at least 25,000 consumers and derive revenue or receive discounts from the sale of personal data.

The New Jersey Data Privacy Act (NJDPA) also applies to nonprofit organizations and educational institutions, unlike many state privacy laws that exempt them. This means colleges, universities, and nonprofits handling personal data of New Jersey residents must comply with transparency, consumer rights, and data security requirements, ensuring broader data protection coverage.

“Consumer” means an identified person who is a resident of this State acting only in an individual or household context. “Consumer” shall not include a person acting in a commercial or employment context.

- Section 2 of the NJDPA

Who is exempt from the NJDPA?

The New Jersey Data Privacy Act (NJDPA) exempts financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA) and protected health information under the Health Insurance Porta providers.

Key provisions of the NJDPA

The New Jersey privacy law provisions ensure robust consumer data protections and promote transparency in business practices.

1. Consumer rights

  • Access personal data.
  • Correct inaccuracies.
  • Delete personal data.
  • Obtain data in a portable format.
  • Opt out of data sales, targeted ads, and profiling.

The NJDPA excludes data that is de-identified or publicly available, though it does not exempt aggregated data.

Is the NJDPA opt-in or opt-out?

The New Jersey Data Privacy Act (NJDPA) is primarily opt-out, allowing consumers to opt out of data sales, targeted advertising, and profiling. However, for sensitive data, it requires opt-in consent, meaning businesses must obtain explicit permission before processing such data.

2. Business obligations

  • Provide clear privacy notices detailing data collection, use, and sharing.
  • Obtain explicit consent for processing sensitive data (e.g., biometric, health, or geolocation data).
  • Implement robust security measures to protect personal data.

3. Sensitive data

  • Includes information such as race, ethnicity, religious beliefs, sexual orientation, health conditions, genetic or biometric data, and precise geolocation.
  • Requires consumer consent before processing.

4. Enforcement and rulemaking

The New Jersey Data Privacy Act (NJDPA) grants the New Jersey Attorney General (AG) authority for both enforcement and rulemaking, making it one of the few state privacy laws with this dual regulatory power. This means the AG can issue regulations, clarify compliance requirements, and adapt the law’s application over time, ensuring it stays relevant as data privacy concerns evolve.

In terms of enforcement, the AG can investigate complaints, initiate legal action, and impose penalties for non-compliance. Businesses found violating the NJDPA may face civil penalties, injunctions, and damages, depending on the severity of the breach.

Additionally, the AG's rulemaking authority allows for expanding regulations beyond the initial scope, similar to what’s been done under California's CCPA and Colorado's CPA, creating a more dynamic and adaptive regulatory framework.

This proactive enforcement model ensures that businesses remain accountable and responsive to emerging privacy standards, positioning New Jersey as a leader in consumer protection.

Requirements for businesses under the NJDPA

Businesses under the New Jersey Data Privacy Act (NJDPA) must:

  • Manage consumer data rights: honor requests to access, correct, delete, and transfer personal data, and process opt-out requests within 15 days.
  • Ensure data security and compliance: implement strong security measures, obtain explicit consent for processing sensitive data, and limit data collection to what is necessary.
  • Maintain accountability: conduct data protection assessments, establish contracts with third-party service providers, and document data processing activities.
  • Protect children’s data: obtain opt-in consent for processing personal data of minors aged 13-17.
  • Comply with enforcement rules: address violations within 30 days after notification during the first 18 months and follow additional rules set by the New Jersey Attorney General.

The New Jersey Data Privacy Act (NJDPA) requires businesses to process consumer opt-out requests within 15 days, making it one of the fastest timelines among U.S. privacy laws. By comparison, California (CCPA) and Virginia (CDPA) allow 30 to 45 days. This strict timeframe ensures consumers regain control of their data quickly and pushes businesses to adopt automated privacy management systems, improving data transparency and accountability.

Penalties for non-compliance

The NJDPA penalties emphasize the importance of compliance while offering businesses an opportunity to rectify issues before facing financial repercussions.

Fines

Businesses face fines of up to $7,500 per violation, enforced by the New Jersey Attorney General.

Cure period

Under the NJDPA, businesses have a 30-day cure period to address violations after receiving notice from the Attorney General. This provision is available for the first 18 months following the law's effective date of January 1, 2025, and will sunset on July 1, 2026. After this period, the opportunity to cure violations is at the discretion of the Attorney General. 


The impact of the NJDPA on businesses

By adhering to the NJDPA, businesses can mitigate risks while fostering transparency and trust with consumers:

  1. Increased compliance obligations: Businesses must update privacy notices, implement data protection measures, and create processes to handle consumer rights requests, such as access, correction, deletion, and opt-outs for data sales or targeted ads.
  2. Operational adjustments: Companies need to ensure data minimization, purpose limitation, and robust security practices, requiring investments in compliance infrastructure and staff training.
  3. Sensitive data management: Businesses must establish systems to secure explicit consent before processing sensitive data like health, biometric, and geolocation information.
  4. Penalties for non-compliance: Failure to comply can result in fines of up to $7,500 per violation, impacting financial stability and brand reputation.
  5. Opportunity to build consumer trust: Compliance with the NJDPA can enhance consumer confidence, as residents gain more control over their personal data.
  6. Alignment with multi-state laws: Businesses operating in multiple states benefit from aligning their practices with other privacy laws like those in Virginia, California, and Connecticut, reducing compliance fragmentation.

The impact of the NJDPA on consumers

The NJDPA empowers consumers with control and safeguards over their data, ensuring transparency and security in the digital age. These include:

  1. Enhanced privacy rights: Consumers gain rights to access, correct, delete, and obtain a copy of their personal data, providing greater control over how their information is used.
  2. Opt-out options: Consumers can opt out of data sales, targeted advertising, and profiling, reducing unwanted marketing and preserving personal preferences.
  3. Transparency in data practices: Businesses are required to provide clear privacy notices, ensuring consumers understand what data is collected and how it is used or shared.
  4. Protection of sensitive data: The law requires explicit consent for processing sensitive information, such as health, biometric, and geolocation data, offering added security for personal details.
  5. Increased trust in businesses: By mandating stronger protections and accountability, the NJDPA fosters consumer confidence in businesses handling personal data.
  6. Limitations: While robust, the law does not provide a private right of action, meaning consumers rely on the Attorney General for enforcement and resolution of violations.

How the NJDPA compares to other U.S. data privacy laws

The New Jersey Data Privacy Act (NJDPA) shares significant similarities with several other U.S. state privacy laws, particularly the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Connecticut Data Privacy Act (CTDPA).

NJDPA vs other state privacy laws

| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
|---|---|---|---|---|
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Similar to GDPR; right to access and correct data | $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Minnesota (MCDPA) | Minnesota residents | July 31, 2025 | Consumer data rights, opt-out options | TBD |

What makes the NJDPA stand out?

The New Jersey Data Privacy Act introduces several distinctive features:

  1. Rapid opt-out processing: Businesses must process consumer opt-out requests within 15 days, a notably shorter timeframe compared to the 30 or 45 days mandated by other state privacy laws.
  2. Active enforcement and rulemaking: The NJDPA grants the New Jersey Attorney General authority for enforcement and rulemaking, indicating a proactive stance on consumer protection.
  3. Sensitive data definition: The Act's definition of "sensitive data" is broader than in comparable laws, encompassing financial information alongside categories like racial or ethnic origin, health conditions, and precise geolocation.
  4. Applicability to nonprofits and educational institutions: Unlike some state privacy laws, the NJDPA applies to nonprofit organizations and institutions of higher education, expanding its reach beyond for-profit entities.

These provisions position the NJDPA as a comprehensive and stringent data privacy law, emphasizing swift consumer rights processing and broad applicability.

How Ketch can simplify NJDPA compliance

Complying with the NJDPA and other state privacy laws can be simpler than you think. The Ketch Data Permissioning Platform helps businesses stay compliant in three ways:

  • Automate your data mapping. Understand where sensitive personal data lives throughout your data ecosystem.
  • Deploy NJDPA-compliant privacy notices for New Jersey residents. Ketch Consent Management includes a pre-built policy template for the NJDPA, with the ability to customize rights as desired and no coding required to make changes.
  • Gather the consent necessary to process sensitive data. Ketch consent banners and modals are customizable, making it easy for you to ensure consent is gathered for processing various types of data.

Final thoughts: Preparing your business for the NJDPA

The New Jersey Data Privacy Act represents a significant step forward in data privacy. By preparing for compliance now, businesses can avoid penalties and build stronger relationships with their customers.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQs about the New Jersey Data Privacy Act


  1. Does the NJDPA require businesses to implement a global privacy control (GPC)?
    The New Jersey Data Privacy Act (NJDPA) requires businesses to recognize and process universal opt-out mechanisms, such as the Global Privacy Control (GPC), for targeted advertising. Controllers have six months following the effective date to implement this functionality, ensuring consumers can easily exercise their opt-out rights.
  2. What constitutes “sensitive data” under the NJDPA?
    Sensitive data includes information revealing health conditions, racial or ethnic origin, religious beliefs, sexual orientation, precise geolocation, genetic or biometric data, and certain financial data not covered by other federal laws.
  3. Does the NJDPA apply to small businesses?
    The NJDPA generally does not apply to small businesses unless they process personal data for 100,000 or more residents annually or process personal data of at least 25,000 consumers and derive revenue or receive discounts from the sale of personal data. Notably, the NJDPA does not set a minimum annual revenue threshold. Therefore, small businesses that meet the above criteria are subject to the NJDPA's provisions, regardless of their revenue size.
  4. How does the NJDPA handle de-identified or publicly available data?
    De-identified or publicly available data is excluded from the NJDPA’s scope, as it does not fall under the definition of “personal data.”
  5. Are businesses required to notify consumers of data breaches under the NJDPA?
    No, the NJDPA does not explicitly address data breach notifications. Businesses must comply with existing New Jersey data breach notification laws.
  6. How are children’s data protected under the NJDPA?
    Processing personal data of children under 13 requires compliance with the Children’s Online Privacy Protection Act (COPPA), as the NJDPA defers to existing federal protections.
  7. Does the NJDPA mandate specific data security standards?
    The NJDPA requires businesses to implement reasonable administrative, technical, and physical safeguards but does not prescribe specific standards, allowing flexibility based on the size and scope of the business.
  8. Can businesses be fined for each consumer impacted by a violation?
    Yes, penalties of up to $7,500 per violation could apply, meaning fines may scale based on the number of affected consumers.