
New Jersey Data Privacy Act: What You Need to Know

The landscape of data privacy laws in the United States is rapidly evolving, with states enacting their own regulations to ensure consumer data is protected and businesses are held accountable. One such significant regulation is the New Jersey Data Privacy Act, which came into effect on January 15, 2025. This law establishes new requirements for businesses that collect, process or sell personal data, giving residents of New Jersey more control over their data and privacy rights.

Introduction to the New Jersey Data Privacy Act

The New Jersey Data Privacy Act sets rules for how personal data is collected, processed, and managed in the state. It aims to give consumers more control over their personal information and requires businesses to follow strong privacy standards. This law gives consumers rights similar to those in other privacy laws, like the California Consumer Privacy Act (CCPA), but includes specific rules for New Jersey.

Applicability of the New Jersey Data Privacy Act

The New Jersey Data Privacy Act applies to businesses that collect, process, or sell personal data of New Jersey residents. It applies to both controllers (the entities determining the purpose and means of processing data) and processors (the entities processing personal data on behalf of controllers).

Who Must Comply?

A business must comply with the New Jersey Data Privacy Act if, in a calendar year, it meets either of the following thresholds:

  • It controls or processes the personal data of at least 100,000 consumers, not counting personal data processed solely to complete a payment transaction.
  • It controls or processes the personal data of at least 25,000 consumers and derives revenue, or receives a discount on the price of goods or services, from the sale of personal data.

It is important to note that the law applies to businesses located both within and outside New Jersey, as long as they conduct business in the state or offer products or services targeted to New Jersey residents. Therefore, organizations from across the United States and even abroad need to pay attention to this law if they process the personal data of New Jersey residents at the volumes above.

Exemptions

There are several exceptions outlined in the Act where its provisions do not apply:

  • Health Information: The law does not apply to protected health information that is collected by healthcare entities (e.g., hospitals, doctors, etc.) and subject to HIPAA (Health Insurance Portability and Accountability Act) regulations.
  • Financial Institutions: The law does not apply to financial institutions (e.g., banks) or their affiliates, as they are governed by the Gramm-Leach-Bliley Act and its regulations.
  • Secondary Market Institutions: It doesn’t apply to certain secondary market institutions (e.g., companies dealing with securities or loans), as defined in federal law.
  • Insurance Institutions: Insurance companies and their practices are exempt under a state law that governs insurance activities.
  • Motor Vehicle Data: Personal data related to consumers sold by the New Jersey Motor Vehicle Commission is exempt if it is permitted under the Drivers’ Privacy Protection Act (a federal law).
  • Consumer Reporting Agencies: Consumer reporting agencies (e.g., credit bureaus) are exempt if they collect, process, or sell data under the rules of the Fair Credit Reporting Act.
  • State Agencies and Political Entities: The law does not apply to state agencies, local governments, or their divisions (e.g., police, public offices).
  • Research Data: Data used for research purposes that follow specific federal regulations (for protecting human subjects) is not covered by this law.

What Rights Do Consumers Have?

One of the primary objectives of the New Jersey Data Privacy Act is to grant consumers greater control over their personal data. The law provides a variety of rights, empowering consumers to request the deletion, correction, or portability of their data.

The Right to Know

Consumers have the right to confirm whether a controller is processing their personal data, and the controller's privacy notice must tell them:

  • The types of personal data collected about them.
  • The purpose for which their personal data is being processed.
  • The categories of third parties with whom their personal data is shared.

The Right to Access

Consumers can request a copy of their personal data that is being processed by businesses. This right ensures transparency in how businesses handle consumer information.

The Right to Delete

Consumers can request the deletion of personal data concerning them, subject to the exceptions the Act allows (for example, data a business must keep to meet a legal obligation). This right helps ensure that businesses do not retain consumer data indefinitely once they no longer need it.

The Right to Correct

Consumers have the right to request the correction of inaccurate personal data held by businesses. This provision empowers consumers to keep their information up-to-date and accurate.

The Right to Opt-Out

Consumers can opt out of having their personal data used for:

  • Targeted advertising (ads selected based on their activity over time and across unaffiliated sites or apps).
  • Sale of their personal data.
  • Profiling in furtherance of decisions that produce legal or similarly significant effects on them (for example, decisions about credit, housing, insurance, education or employment).

The Right to Data Portability

Consumers can obtain a copy of the personal data they previously provided to a controller in a portable and, to the extent technically feasible, readily usable format that lets them move the data to another controller without hindrance. This ensures that consumers can switch between service providers without losing access to their personal data.

What are the requirements for a Privacy Notice?

A business must give consumers a clear and easy-to-understand privacy notice, which includes:

  • What data the business processes (like your name, email, etc.).
  • Why the business processes this data (e.g., to provide services or improve products).
  • Who the business might share the data with (e.g., partners or service providers).
  • What data (if any) is shared with third parties.
  • How consumers can exercise their rights, including how to contact the business and appeal decisions.
  • How the business will notify consumers if there are significant changes to the privacy notice, and the effective date of the updated notice.
  • A contact method like an email address or online way for consumers to reach out to the business.
  • If a business sells personal data or uses it for targeted advertising or profiling, it must:
      ◦ Clearly disclose this activity.
      ◦ Tell consumers how they can opt out of the sale of their data, targeted advertising, or profiling.

What are the Responsibilities of Businesses?

The New Jersey Data Privacy Act imposes several obligations on businesses (controllers) and those who process data on their behalf (processors). Businesses must adopt appropriate data management practices, implement robust data protection measures, and respond to consumer rights requests without undue delay, and in any case within 45 days of receipt (extendable once by a further 45 days when reasonably necessary, provided the consumer is told why).

Controller’s Responsibilities

Controllers are the organizations that determine the purpose and means of processing personal data. They have the primary responsibility for ensuring compliance with the Act. Their duties include:

  • Limit Data Collection: The controller must only collect personal data that is necessary for the purpose it’s disclosed to the consumer. They should avoid collecting unnecessary or irrelevant data.
  • Avoid Unnecessary Processing: The controller cannot process personal data for purposes that are not related to the original purpose unless they get the consumer’s consent.
  • Data Security: The controller must implement appropriate security measures – administrative, technical and physical, to protect personal data from unauthorized access or breaches, during both storage and use.
  • Sensitive Data & Child Data: The controller must obtain the consumer's consent before processing sensitive data (such as health, financial account, precise geolocation, biometric or genetic data, or data revealing racial or ethnic origin, religion, sexual orientation, or immigration status). For the personal data of a known child, processing in compliance with COPPA (Children's Online Privacy Protection Act) satisfies this consent requirement.
  • Compliance with Laws: The controller cannot process personal data in ways that break state or federal laws, particularly laws that prevent discrimination.
  • Revoking Consent: Consumers must be able to revoke consent at least as easily as they gave it. Once consent is revoked, the business must stop processing the data as soon as practicable and no later than 15 days after receiving the request.
  • Targeted Ads, Data Sale, and Profiling for Teens: The controller cannot process a consumer's personal data for targeted advertising, sale, or profiling without the consumer's consent if it knows, or willfully disregards, that the consumer is at least 13 but younger than 17 years old.
  • Clear Purpose for Data Use: The controller must clearly specify why they are processing personal data, with an express purpose disclosed to the consumer.
  • Data Protection Assessment: Before carrying out processing that presents a heightened risk of harm to consumers (for example, targeted advertising, sale of personal data, processing of sensitive data, or profiling that risks unfair or deceptive treatment or other substantial injury), the controller must assess the risks against the benefits, document the findings, and make the assessment available to the Attorney General on request.

Processor’s Responsibilities

Processors are entities that process personal data on behalf of controllers. While they act under the instructions of the controller, they still have several key obligations:

  • Adhere to Instructions: Processors must comply with the instructions given by controllers regarding how personal data should be handled.
  • Assist Controllers in Compliance: Processors must help controllers meet their obligations to respond to consumer requests, ensure security, and conduct data protection assessments.
  • Confidentiality: All individuals processing personal data must be bound by a confidentiality agreement to protect the information.
  • Subcontractor Agreements: If processors engage subcontractors, they must ensure that these subcontractors also comply with the obligations set out in the contract.

What are the Penalties and Fines for Non-Compliance with the New Jersey Data Privacy Act?

Violations of the New Jersey Data Privacy Act are treated as unlawful practices under New Jersey's Consumer Fraud Act and are enforced exclusively by the New Jersey Attorney General; the Act creates no private right of action. The Consumer Fraud Act penalties are:

  • First violation: Up to $10,000
  • Subsequent violations: Up to $20,000 for each additional offense

For the first 18 months after the effective date (until July 15, 2026), the Attorney General must give a business notice of a violation and a 30-day opportunity to cure it before bringing an enforcement action, if a cure is possible.

Preparing for the New Jersey Data Privacy Act

Any business that meets the applicability thresholds above must comply with the New Jersey Data Privacy Act, whether or not it is located in New Jersey. Some key steps include:

  • Data Mapping: Businesses should conduct a thorough audit of the personal data they collect, how it is used, and where it is stored. This will help identify areas that need attention to meet the law’s requirements.
  • Privacy Policies: Companies must update their privacy policies to reflect the rights of consumers and the business’s obligations under the New Jersey Privacy Act.
  • Consumer Rights Management: Businesses must establish processes for responding to consumer requests for access, deletion, correction, and other rights granted under the law.
  • Security Measures: Implement appropriate security measures to protect personal data from breaches or unauthorized access.
  • Staff Training: Ensure that employees, especially those handling consumer data, are trained on the requirements of the New Jersey Privacy Act and the company’s data protection policies.
  • Review Contracts with Processors: Ensure that contracts with third-party processors comply with the law’s requirements, including clauses related to data security and breach notification.

Conclusion

The New Jersey Data Privacy Act brings a much-needed update to how businesses in New Jersey handle personal data. By giving consumers more control over their information and placing new obligations on businesses, the law helps ensure a safer, more transparent approach to data privacy.