New Jersey Data Privacy Laws: NJDPA Consumer Rights Guide (2026)

New Jersey enacted one of the strongest data privacy laws in the United States when Governor Phil Murphy signed the New Jersey Data Privacy Act (NJDPA) on January 16, 2024. The law took effect on January 15, 2025, making New Jersey one of a growing number of states with comprehensive consumer data protection legislation.
What sets the NJDPA apart from other state privacy laws is its breadth. New Jersey includes financial information in its definition of sensitive data, does not exempt nonprofit organizations, and requires businesses to recognize universal opt-out mechanisms. Combined with the state's existing data breach notification law, New Jersey residents now have substantial protections over how their personal information is collected, used, and shared.
This guide covers the full scope of New Jersey data privacy laws, including your rights as a consumer, what businesses must do to comply, and the penalties for violations.
New Jersey Data Privacy Act (NJDPA)
The New Jersey Data Privacy Act was enacted as P.L. 2023, c.266 (S332), establishing comprehensive data privacy protections for New Jersey residents. The law was modeled in part on Connecticut and Colorado privacy frameworks but includes several provisions that make it one of the more demanding state privacy laws in the country.

The NJDPA regulates how businesses collect, process, store, sell, and share personal data belonging to New Jersey consumers. It creates specific consumer rights, imposes obligations on businesses that act as data controllers and processors, and grants exclusive enforcement authority to the New Jersey Attorney General.
Who the NJDPA Applies To
The NJDPA applies to any person or entity that conducts business in New Jersey or produces products or services targeted to New Jersey residents, and during a calendar year meets either of two thresholds.
The first threshold is controlling or processing the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely to complete a payment transaction.
The second threshold is controlling or processing the personal data of at least 25,000 consumers while deriving revenue or receiving discounts on the price of goods or services from the sale of personal data.
Unlike some other state privacy laws, the NJDPA does not include a minimum annual revenue threshold. This means smaller businesses can fall under the law if they meet either processing threshold.
Exempt Entities and Data
The NJDPA provides both entity-level and data-level exemptions, though its exemption list is notably narrower than many comparable state laws.
Entity-level exemptions include financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and certain secondary market institutions. State agencies and political subdivisions are also exempt.
Data-level exemptions cover data already regulated under specific federal laws, including:
- Protected health information under HIPAA
- Financial data governed by the GLBA
- Consumer report data under the Fair Credit Reporting Act (FCRA)
- Driver information under the Driver's Privacy Protection Act (DPPA)
- De-identified or publicly available data
- Employee and business contact data (in certain contexts)
One of the NJDPA's most distinctive features is what it does not exempt. Unlike many other state privacy laws, the NJDPA does not exempt nonprofit organizations or institutions of higher education. It also does not create an exemption for educational records governed by FERPA. This broader scope means more organizations in New Jersey must comply.
Consumer Rights Under the NJDPA
The NJDPA grants New Jersey residents five core rights over their personal data. These rights give consumers meaningful control over how their information is collected, used, and shared.
Right to Confirm and Access
You have the right to confirm whether a business is processing your personal data. If processing is occurring, you can request access to the specific personal data the business holds about you.
Right to Correct
You can request that a business correct inaccurate personal data it maintains about you, taking into account the nature of the data and the purposes of processing.
Right to Delete
You have the right to request that a business delete personal data it has collected from or about you. This includes data the business obtained directly from you and data obtained from third-party sources.
Right to Data Portability
You can request a copy of your personal data in a portable, readily usable format that allows you to transmit the data to another entity without hindrance.
Right to Opt Out
You have the right to opt out of three specific types of processing:
- Targeted advertising. You can stop businesses from using your data to display ads selected based on your personal characteristics or online activities.
- Sale of personal data. You can prevent businesses from selling your personal data to third parties.
- Profiling. You can opt out of automated processing that produces legal or similarly significant effects concerning you.
Controllers must respond to consumer requests within 45 days of receiving the request. If reasonably necessary due to the complexity of the request or the volume of requests, the controller may extend the response period by an additional 45 days, provided it informs the consumer of the extension and the reason for it.
If a controller denies a consumer's request, the consumer has the right to appeal. The controller must provide a mechanism for the consumer to submit an appeal and must respond to the appeal within 60 days.
Universal Opt-Out Mechanism
The NJDPA requires controllers to recognize user-selected universal opt-out mechanisms for targeted advertising and the sale of personal data. This requirement took effect on July 15, 2025, six months after the law's effective date.
Universal opt-out mechanisms include browser settings, browser extensions, and privacy preference signals such as the Global Privacy Control (GPC). These tools allow consumers to exercise their opt-out rights across multiple websites simultaneously rather than submitting individual requests to each business.
The law specifies that a universal opt-out mechanism must not unfairly disadvantage another controller, must not use a default setting that opts the consumer in unless the consumer has affirmatively chosen that setting, and must be consumer-friendly and easy to use.
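The following is an added example, not code from the original article or from any New Jersey agency, showing how a web application can honor the Global Privacy Control signal described above. It assumes the GPC specification's `Sec-GPC: 1` request header (a real header defined by that specification); the function names, the `ProcessingPermissions` record, and the sample requests are constructed for illustration. The resolution rule follows the three properties the text lists: the signal opts the consumer out of targeted advertising and sale, a malformed or absent signal never opts anyone in, and a stored opt-out is never overridden by the absence of a signal.

```python
"""Server-side handling of a Global Privacy Control (GPC) opt-out signal.

Added example (not from the original article). Assumes the GPC spec's
``Sec-GPC: 1`` request header; names below are illustrative.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "Sec-GPC"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid GPC opt-out signal.

    The GPC specification defines exactly one meaningful value, "1".
    Any other value, or an absent header, is treated as "no signal", so a
    malformed header can never be read as an opt-in.
    """
    # HTTP header names are case-insensitive; normalise keys once.
    normalised = {k.lower(): v for k, v in headers.items()}
    value = normalised.get(GPC_HEADER.lower())
    return value is not None and value.strip() == "1"


@dataclass
class ProcessingPermissions:
    """Outcome for the two activities the universal opt-out covers."""
    targeted_advertising: bool
    sale_of_personal_data: bool
    source: str  # which input decided the outcome; keep it for audit logs


def resolve_permissions(headers: Mapping[str, str],
                        stored_opt_out: Optional[bool]) -> ProcessingPermissions:
    """Combine the consumer's stored preference with the GPC signal.

    stored_opt_out: True  -> consumer opted out via the business's own mechanism
                    False -> consumer affirmatively chose to allow processing
                    None  -> no preference on file
    (Constructed inputs for this example; a real deployment would read them
    from its consent store.)

    Precedence (an assumption of this example): a present GPC signal is
    honoured as an opt-out; otherwise the stored preference applies; with no
    preference on file the activities remain opt-out rather than opt-in, so
    they are allowed until the consumer signals otherwise.
    """
    if gpc_signal_present(headers):
        return ProcessingPermissions(False, False, "gpc_signal")
    if stored_opt_out is True:
        return ProcessingPermissions(False, False, "stored_opt_out")
    if stored_opt_out is False:
        return ProcessingPermissions(True, True, "stored_opt_in")
    return ProcessingPermissions(True, True, "no_preference_on_file")


if __name__ == "__main__":
    # Constructed sample requests: (description, headers, stored preference)
    samples = [
        ("browser sending GPC",            {"Sec-GPC": "1"},    None),
        ("lower-case header name",         {"sec-gpc": "1"},    None),
        ("malformed value, no preference", {"Sec-GPC": "true"}, None),
        ("no signal, stored opt-out",      {},                  True),
        ("no signal, stored opt-in",       {},                  False),
    ]
    for desc, hdrs, pref in samples:
        p = resolve_permissions(hdrs, pref)
        print(f"{desc:32} ads={p.targeted_advertising!s:5} "
              f"sale={p.sale_of_personal_data!s:5} via {p.source}")
```

Only the two activities the NJDPA's universal opt-out covers are represented; opting out of profiling still goes through the business's individual request process, which is why it is not a field on `ProcessingPermissions`. Recording `source` on every decision gives the audit trail a controller would want when demonstrating to the Attorney General that signals were honored.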
Sensitive Data Under the NJDPA
The NJDPA defines sensitive data more broadly than most other state privacy laws. Before processing any sensitive data, a controller must obtain the consumer's affirmative, freely given, specific, informed, and unambiguous opt-in consent.
Sensitive data under the NJDPA includes personal data that reveals:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition, treatment, or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Status as transgender or nonbinary
- Genetic data
- Biometric data used for identification purposes
- Precise geolocation data
- Personal data collected from a known child
Financial Data as Sensitive Data
One of the NJDPA's most notable provisions is its inclusion of financial information in the sensitive data definition. The law classifies the following as sensitive data requiring opt-in consent: account numbers, account log-in credentials, financial account numbers, and credit or debit card numbers combined with any access code, security code, or password that would permit access to a consumer's financial account.
This is a significant departure from other state privacy laws. Most state comprehensive privacy laws do not treat financial data as sensitive. The NJDPA's approach means that businesses handling New Jersey consumers' financial information must obtain explicit consent before processing it, unless the data is already covered by a GLBA exemption.
Children's Data Protections
The NJDPA provides layered protections for children's personal data based on age.
For children under 13 years of age, the processing of personal data requires verifiable parental consent, consistent with the federal Children's Online Privacy Protection Act (COPPA).
For consumers between 13 and 16 years of age, when a controller has actual knowledge or willfully disregards that the consumer is in this age range, the controller must obtain the consumer's own opt-in consent before processing personal data for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects.
All personal data collected from a known child is classified as sensitive data under the NJDPA, triggering the heightened consent requirements that apply to all sensitive data categories.
Controller Obligations
Businesses that act as data controllers under the NJDPA must meet several specific requirements.
Data Minimization
Controllers must limit their collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose of processing. Controllers cannot process personal data for purposes that are not reasonably necessary to or compatible with the purposes they disclosed to the consumer.
Security Requirements
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue. These practices must protect the confidentiality, integrity, and accessibility of personal data.
Privacy Notice Requirements
Controllers must provide consumers with a clear, meaningful privacy notice that includes:
- The categories of personal data processed
- The purpose for processing each category
- How consumers can exercise their rights, including the right to appeal
- The categories of personal data shared with third parties
- The categories of third parties with whom data is shared
- Whether the controller sells personal data or processes it for targeted advertising, and how to opt out
Consent Revocation
Controllers must provide mechanisms for consumers to revoke their consent. When a consumer revokes consent, the controller must stop processing the consumer's personal data within 15 days of receiving the revocation request.
Data Processing Agreements
Controllers must enter into binding contracts with any processors that handle personal data on their behalf. These contracts must specify the nature and purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both parties.
Data Protection Assessments
The NJDPA requires controllers to conduct data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers. Activities that trigger this requirement include:
- Processing personal data for purposes of targeted advertising
- Selling personal data
- Processing personal data for profiling where the profiling presents a foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, or intrusion on solitude or seclusion
- Processing sensitive data
Each assessment must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to consumer rights. The assessment must factor in the use of de-identification, consumer expectations, the context of the processing, and the relationship between the controller and the consumer.
Controllers must make their data protection assessments available to the Attorney General upon request.
Processor Obligations
Data processors under the NJDPA also have specific legal obligations. Processors must:
- Ensure that each person processing personal data is subject to a duty of confidentiality
- Execute written subcontractor agreements requiring subcontractors to meet the same obligations
- Assist controllers in meeting their obligations to respond to consumer rights requests
- Assist controllers in meeting data security obligations
- Facilitate breach notification where required
- Assist controllers in conducting data protection assessments
- After the end of the service relationship, delete or return all personal data as directed by the controller
Enforcement and Penalties
The NJDPA is enforced exclusively by the New Jersey Attorney General through the Division of Consumer Affairs in the Department of Law and Public Safety. There is no private right of action, meaning individual consumers cannot sue businesses directly for NJDPA violations.
Violations of the NJDPA are treated as unlawful practices under the New Jersey Consumer Fraud Act (N.J.S.A. 56:8-1 et seq.). This means the full range of Consumer Fraud Act remedies is available to the Attorney General.
Penalty Amounts
Under the Consumer Fraud Act, the Attorney General may seek civil penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent violation. These penalties apply on a per-violation basis, meaning a single data practice affecting thousands of consumers could result in significant cumulative penalties.
Cure Period
For the first 18 months following the law's effective date (January 15, 2025, through approximately July 15, 2026), the Division of Consumer Affairs must issue a notice to a controller before bringing an enforcement action, provided a cure is deemed possible. The controller then has 30 days to cure the alleged violation after receiving notice of noncompliance.
After July 2026, the mandatory cure period sunsets. From that point, whether to offer a cure opportunity before taking enforcement action is entirely at the discretion of the Attorney General. This is a critical transition for businesses, because the AG will no longer be required to give advance warning before pursuing penalties.
Rulemaking Authority
The NJDPA grants the Division of Consumer Affairs authority to adopt rules and regulations to implement and enforce the law. Proposed rules were unveiled on June 2, 2025, with an adoption deadline of June 2, 2026 (extendable to December 2, 2026, if substantial modifications require additional public comment). As of March 2026, the incoming Sherrill administration has not yet finalized these regulations.
New Jersey Data Breach Notification Law
Separate from the NJDPA, New Jersey has a longstanding data breach notification law codified at N.J.S.A. 56:8-161 through 56:8-166. This law predates the NJDPA and establishes requirements for notifying consumers when their personal information has been compromised.
What Triggers a Notification
A "breach of security" under New Jersey law means unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of that information. The notification obligation is not triggered if the data was secured by encryption or another method that renders the information unreadable or unusable.
Personal Information Definition
"Personal information" under the breach notification law means an individual's first name or first initial and last name linked with any one or more of the following:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to a financial account
- Username, email address, or other account holder identifying information combined with any password or security question and answer that would permit access to an online account
Notification Requirements
Businesses must notify affected New Jersey residents in the most expedient time possible and without unreasonable delay after discovering a breach. The law does not specify a fixed number of days, but it requires that any delay be justified by law enforcement needs or measures necessary to determine the scope of the breach and restore system integrity.
Before notifying consumers, businesses and public entities must first report the breach to the New Jersey State Police in the Department of Law and Public Safety for investigation or handling. This is a notable requirement that distinguishes New Jersey from states that allow simultaneous notification.
When a breach affects more than 1,000 New Jersey residents, the business must also notify nationwide consumer reporting agencies without unreasonable delay.
Notification Methods
Notification can be provided through written notice or electronic notice that complies with the federal E-SIGN Act. If the breach involves only usernames and passwords (without other personal information elements), substitute electronic notice directing individuals to change their credentials is permitted.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that disclosure would impede a criminal or civil investigation. The business must provide notification after law enforcement confirms that disclosure will not compromise the investigation.
Exception to Notification
A business or public entity is not required to provide notification if it establishes that misuse of the compromised information is not reasonably possible. This exception requires the entity to affirmatively demonstrate that misuse is unlikely.
Penalty Comparison Table
| Law | Statute | Penalty Per Violation | Cure Period | Enforcement |
|---|---|---|---|---|
| NJDPA | P.L. 2023, c.266 | $10,000 first / $20,000 subsequent | 30 days (sunsets July 2026) | Attorney General |
| Breach Notification | N.J.S.A. 56:8-163 | Consumer Fraud Act penalties | None | Attorney General |
| Consumer Fraud Act | N.J.S.A. 56:8-1 et seq. | $10,000 first / $20,000 subsequent | None | Attorney General |
What Makes the NJDPA Different From Other State Privacy Laws
The NJDPA stands out from other state comprehensive privacy laws in several important ways.
Financial data as sensitive data. New Jersey is the only state that broadly classifies financial information as sensitive personal data requiring opt-in consent before processing. Other states typically leave financial data regulation to the federal GLBA framework.
No nonprofit exemption. Most state privacy laws exempt nonprofit organizations. The NJDPA does not, meaning charities, advocacy groups, religious organizations, and other nonprofits that meet the processing thresholds must comply with the full scope of the law.
No higher education exemption. The NJDPA does not exempt institutions of higher education or create a carve-out for data governed by FERPA. Universities and colleges operating in New Jersey must comply.
Broad sensitive data definition. The NJDPA's sensitive data categories include citizenship and immigration status as well as status as transgender or nonbinary. These categories are not universally included in other state privacy laws.
Rulemaking authority. Unlike most state privacy laws that are enforced based solely on statutory text, the NJDPA grants the Division of Consumer Affairs explicit authority to adopt implementing regulations.
How to Exercise Your Data Privacy Rights in New Jersey
If you are a New Jersey resident and want to exercise your rights under the NJDPA, start by locating the privacy notice or privacy policy on the business's website. The privacy notice should explain how to submit requests to access, correct, delete, or obtain a copy of your personal data, and how to opt out of targeted advertising, data sales, or profiling.
You can also enable a universal opt-out mechanism such as Global Privacy Control (GPC) in your browser. Businesses subject to the NJDPA are required to honor these signals.
If a business denies your request, you have the right to appeal. The business must provide an appeal mechanism and respond within 60 days.
If you believe a business has violated your data privacy rights and you cannot resolve the issue directly, you can file a complaint with the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in New Jersey for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- New Jersey Data Privacy Act (P.L. 2023, c.266 / S332) (njleg.state.nj.us)
- Governor Murphy Signs Legislation Protecting Consumer Data (nj.gov)
- NJCCIC - New Jersey Enacts Comprehensive Data Privacy Law (cyber.nj.gov)
- NJ Division of Consumer Affairs - Data Privacy Law FAQs (njconsumeraffairs.gov)
- NJ Identity Theft Prevention Act (N.J.S.A. 56:8-161 to 56:8-166) (njconsumeraffairs.gov)
- New Jersey Data Breach Notification Statute Summary (dwt.com)
- Federal Trade Commission - Gramm-Leach-Bliley Act (ftc.gov)
- Global Privacy Control (globalprivacycontrol.org)
- Update on New Jersey Proposed Privacy Regulations (January 2026) (troutmanprivacy.com)