New Jersey Data Privacy Laws: NJDPA Consumer Rights Guide (2026)

The New Jersey Data Privacy Act (N.J.S.A. 56:8-166.4 et seq.), effective January 15, 2025, gives New Jersey consumers the right to access, correct, delete, and port their personal data and to opt out of data sales and targeted advertising. The Attorney General enforces violations; no private right of action exists.
New Jersey enacted one of the strongest data privacy laws in the United States when Governor Phil Murphy signed the New Jersey Data Privacy Act (NJDPA) on January 16, 2024. The law took effect on January 15, 2025, making New Jersey one of a growing number of states with comprehensive consumer data protection legislation.
What sets the NJDPA apart from other state privacy laws is its breadth. New Jersey includes financial information in its definition of sensitive data, does not exempt nonprofit organizations, and requires businesses to recognize universal opt-out mechanisms. Combined with the state's existing data breach notification law, New Jersey residents now have substantial protections over how their personal information is collected, used, and shared.
This guide covers the full scope of New Jersey data privacy laws, including your rights as a consumer, what businesses must do to comply, and the penalties for violations.
New Jersey Data Privacy Act (NJDPA)
The New Jersey Data Privacy Act was enacted as P.L. 2023, c.266 (S332) and is codified at N.J.S.A. 56:8-166.4 et seq. It establishes comprehensive data privacy protections for New Jersey residents. The law was modeled in part on Connecticut and Colorado privacy frameworks but includes several provisions that make it one of the more demanding state privacy laws in the country.
The NJDPA regulates how businesses collect, process, store, sell, and share personal data belonging to New Jersey consumers. It creates specific consumer rights, imposes obligations on businesses that act as data controllers and processors, and grants exclusive enforcement authority to the New Jersey Attorney General.
Who the NJDPA Applies To
The NJDPA applies to any person or entity that conducts business in New Jersey or produces products or services targeted to New Jersey residents, and during a calendar year meets either of two thresholds.
The first threshold is controlling or processing the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely to complete a payment transaction.
The second threshold is controlling or processing the personal data of at least 25,000 consumers while deriving revenue or receiving discounts on the price of goods or services from the sale of personal data.
Unlike some other state privacy laws, the NJDPA does not include a minimum annual revenue threshold. This means smaller businesses can fall under the law if they meet either processing threshold.
Exempt Entities and Data
The NJDPA provides both entity-level and data-level exemptions, though its exemption list is notably narrower than many comparable state laws.
Entity-level exemptions include financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and certain secondary market institutions. State agencies and political subdivisions are also exempt.
Data-level exemptions cover data already regulated under specific federal laws, including:
- Protected health information under HIPAA
- Financial data governed by the GLBA
- Consumer report data under the Fair Credit Reporting Act (FCRA)
- Driver information under the Driver's Privacy Protection Act (DPPA)
- De-identified or publicly available data
- Employee and business contact data (in certain contexts)
One of the NJDPA's most distinctive features is what it does not exempt. Unlike many other state privacy laws, the NJDPA does not exempt nonprofit organizations or institutions of higher education. It also does not create an exemption for educational records governed by FERPA. This broader scope means more organizations in New Jersey must comply.
Consumer Rights Under the NJDPA
The NJDPA grants New Jersey residents five core rights over their personal data. These rights give consumers meaningful control over how their information is collected, used, and shared.

Right to Confirm and Access
You have the right to confirm whether a business is processing your personal data. If processing is occurring, you can request access to the specific personal data the business holds about you.
Right to Correct
You can request that a business correct inaccurate personal data it maintains about you, taking into account the nature of the data and the purposes of processing.
Right to Delete
You have the right to request that a business delete personal data it has collected from or about you. This includes data the business obtained directly from you and data obtained from third-party sources.
Right to Data Portability
You can request a copy of your personal data in a portable, readily usable format that allows you to transmit the data to another entity without hindrance.
Right to Opt Out
You have the right to opt out of three specific types of processing:
- Targeted advertising. You can stop businesses from using your data to display ads selected based on your personal characteristics or online activities.
- Sale of personal data. You can prevent businesses from selling your personal data to third parties.
- Profiling. You can opt out of automated processing that produces legal or similarly significant effects concerning you.
Controllers must respond to consumer requests within 45 days of receiving the request. If reasonably necessary due to the complexity of the request or the volume of requests, the controller may extend the response period by an additional 45 days, provided it informs the consumer of the extension and the reason for it.
If a controller denies a consumer's request, the consumer has the right to appeal. The controller must provide a mechanism for the consumer to submit an appeal and must respond to the appeal within 60 days.
Universal Opt-Out Mechanism
The NJDPA requires controllers to recognize user-selected universal opt-out mechanisms for targeted advertising and the sale of personal data. Controllers had to meet this requirement by July 15, 2025, six months after the law's effective date.
Universal opt-out mechanisms include browser settings, browser extensions, and privacy preference signals such as the Global Privacy Control (GPC). These tools allow consumers to exercise their opt-out rights across multiple websites simultaneously rather than submitting individual requests to each business.
The law specifies that a universal opt-out mechanism must not unfairly disadvantage another controller, must not use a default setting that opts the consumer in unless the consumer has affirmatively chosen that setting, and must be consumer-friendly and easy to use.
Sensitive Data Under the NJDPA
The NJDPA defines sensitive data more broadly than most other state privacy laws. Before processing any sensitive data, a controller must obtain the consumer's affirmative, freely given, specific, informed, and unambiguous opt-in consent.

Sensitive data under the NJDPA includes personal data that reveals:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition, treatment, or diagnosis
- Sex life or sexual orientation
- Citizenship or immigration status
- Status as transgender or nonbinary
- Genetic data
- Biometric data used for identification purposes
- Precise geolocation data
- Personal data collected from a known child
Financial Data as Sensitive Data
One of the NJDPA's most notable provisions is its inclusion of financial information in the sensitive data definition. The law classifies the following as sensitive data requiring opt-in consent: account numbers, account log-in credentials, financial account numbers, and credit or debit card numbers combined with any access code, security code, or password that would permit access to a consumer's financial account.
This is a significant departure from other state privacy laws. Most state comprehensive privacy laws do not treat financial data as sensitive. The NJDPA's approach means that businesses handling New Jersey consumers' financial information must obtain explicit consent before processing it, unless the data is already covered by a GLBA exemption.
Children's Data Protections
The NJDPA provides layered protections for children's personal data based on age.
For children under 13 years of age, the processing of personal data requires verifiable parental consent, consistent with the federal Children's Online Privacy Protection Act (COPPA).
For consumers between 13 and 16 years of age, when a controller has actual knowledge or willfully disregards that the consumer is in this age range, the controller must obtain the consumer's own opt-in consent before processing personal data for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects.
All personal data collected from a known child is classified as sensitive data under the NJDPA, triggering the heightened consent requirements that apply to all sensitive data categories.
New Jersey lawmakers are separately advancing children's online safety legislation. The Assembly Science, Innovation and Technology Committee approved a three-bill package in February 2026 that would adopt an Age-Appropriate Design Code for New Jersey, requiring certain online services to implement protections for minors. Those bills remain pending in the 2026-2027 legislative session.
Controller Obligations
Businesses that act as data controllers under the NJDPA must meet several specific requirements.
Data Minimization
Controllers must limit their collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose of processing. Controllers cannot process personal data for purposes that are not reasonably necessary to or compatible with the purposes they disclosed to the consumer.
Security Requirements
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue. These practices must protect the confidentiality, integrity, and accessibility of personal data.
Privacy Notice Requirements
Controllers must provide consumers with a clear, meaningful privacy notice that includes:
- The categories of personal data processed
- The purpose for processing each category
- How consumers can exercise their rights, including the right to appeal
- The categories of personal data shared with third parties
- The categories of third parties with whom data is shared
- Whether the controller sells personal data or processes it for targeted advertising, and how to opt out
Consent Revocation
Controllers must provide mechanisms for consumers to revoke their consent. When a consumer revokes consent, the controller must stop processing the consumer's personal data within 15 days of receiving the revocation request.
Data Processing Agreements
Controllers must enter into binding contracts with any processors that handle personal data on their behalf. These contracts must specify the nature and purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both parties.
Data Protection Assessments
The NJDPA requires controllers to conduct data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers. Activities that trigger this requirement include:
- Processing personal data for purposes of targeted advertising
- Selling personal data
- Processing personal data for profiling where the profiling presents a foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, or intrusion on solitude or seclusion
- Processing sensitive data
Each assessment must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to consumer rights. The assessment must factor in the use of de-identification, consumer expectations, the context of the processing, and the relationship between the controller and the consumer.
Controllers must make their data protection assessments available to the Attorney General upon request.
Processor Obligations
Data processors under the NJDPA also have specific legal obligations. Processors must:

- Ensure that each person processing personal data is subject to a duty of confidentiality
- Execute written subcontractor agreements requiring subcontractors to meet the same obligations
- Assist controllers in meeting their obligations to respond to consumer rights requests
- Assist controllers in meeting data security obligations
- Facilitate breach notification where required
- Assist controllers in conducting data protection assessments
- After the end of the service relationship, delete or return all personal data as directed by the controller
Enforcement and Penalties
The NJDPA is enforced exclusively by the New Jersey Attorney General through the Division of Consumer Affairs in the Department of Law and Public Safety. There is no private right of action, meaning individual consumers cannot sue businesses directly for NJDPA violations.
Violations of the NJDPA are treated as unlawful practices under the New Jersey Consumer Fraud Act (N.J.S.A. 56:8-1 et seq.). This means the full range of Consumer Fraud Act remedies is available to the Attorney General.
Penalty Amounts
Under the Consumer Fraud Act, the Attorney General may seek civil penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent violation. These penalties apply on a per-violation basis, meaning a single data practice affecting thousands of consumers could result in significant cumulative penalties.
Cure Period and the July 15, 2026 Sunset
For the first 18 months following the law's effective date, the Division of Consumer Affairs must issue a notice to a controller before bringing an enforcement action, provided a cure is deemed possible. The controller then has 30 days to cure the alleged violation after receiving notice of noncompliance. That 18-month window runs from January 15, 2025 through July 15, 2026.
After July 15, 2026, the mandatory cure period sunsets. Whether to offer a cure opportunity before taking enforcement action then becomes entirely at the discretion of the Attorney General. Businesses that have not yet completed NJDPA compliance programs face materially higher enforcement risk after that date, because the AG can pursue penalties without first giving a 30-day warning.
Rulemaking Authority and Proposed Regulations
The NJDPA grants the Division of Consumer Affairs authority to adopt rules and regulations to implement and enforce the law. The Murphy administration published proposed rules on June 2, 2025, opening a 60-day public comment period that closed August 1, 2025. The Murphy administration did not adopt the rules before Governor Murphy left office in January 2026.
The Sherrill administration inherited the open rulemaking. Under New Jersey administrative procedure, the proposed rules expire unless adopted and filed for publication within one year of the original proposal date, meaning by June 2, 2026. The Division may extend that deadline to December 2, 2026 if it makes substantial modifications requiring additional public comment. As of May 2026, the Sherrill administration has not announced whether it will adopt the rules as proposed, modify them, or restart the process. The June 2 deadline is approaching, and businesses should monitor the New Jersey Register for any adoption notice.
New Jersey Data Breach Notification Law
Separate from the NJDPA, New Jersey has a longstanding data breach notification law codified at N.J.S.A. 56:8-161 through 56:8-166 (the Identity Theft Prevention Act). This law predates the NJDPA and establishes requirements for notifying consumers when their personal information has been compromised.
What Triggers a Notification
A "breach of security" under New Jersey law means unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of that information. The notification obligation is not triggered if the data was secured by encryption or another method that renders the information unreadable or unusable.
Personal Information Definition
"Personal information" under the breach notification law means an individual's first name or first initial and last name linked with any one or more of the following:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to a financial account
- Username, email address, or other account holder identifying information combined with any password or security question and answer that would permit access to an online account
Notification Requirements
Businesses must notify affected New Jersey residents in the most expedient time possible and without unreasonable delay after discovering a breach. The law does not specify a fixed number of days, but it requires that any delay be justified by law enforcement needs or measures necessary to determine the scope of the breach and restore system integrity.
Before notifying consumers, businesses and public entities must first report the breach to the New Jersey State Police in the Department of Law and Public Safety for investigation or handling. This is a notable requirement that distinguishes New Jersey from states that allow simultaneous notification.
When a breach affects more than 1,000 New Jersey residents, the business must also notify nationwide consumer reporting agencies without unreasonable delay.
Notification Methods
Notification can be provided through written notice or electronic notice that complies with the federal E-SIGN Act. If the breach involves only usernames and passwords (without other personal information elements), substitute electronic notice directing individuals to change their credentials is permitted.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that disclosure would impede a criminal or civil investigation. The business must provide notification after law enforcement confirms that disclosure will not compromise the investigation.
Exception to Notification
A business or public entity is not required to provide notification if it establishes that misuse of the compromised information is not reasonably possible. This exception requires the entity to affirmatively demonstrate that misuse is unlikely.
New Jersey Daniel's Law and Data Brokers
New Jersey's Daniel's Law (N.J.S.A. 56:8-166.1 et seq.) is a separate statute that predates the NJDPA and addresses a narrower but significant data-privacy issue: the unauthorized disclosure of home addresses and unpublished telephone numbers of covered persons, including judges, prosecutors, law enforcement officers, and their immediate family members.
The law prohibits data brokers and other entities from publishing or re-disclosing this information after receiving a takedown request from a covered person. Violations carry significant civil penalties. Since February 2024, Atlas Data Privacy Corporation (as assignee of approximately 19,000 covered individuals) has filed more than 140 lawsuits against data brokers for alleged non-compliance.

The constitutional status of Daniel's Law is currently before the New Jersey Supreme Court. In October 2025, the New Jersey Supreme Court agreed to accept a certified question from the Third Circuit regarding what mental state, if any, is required to establish liability under the law. That question remains pending as of May 2026. The outcome could affect how broadly similar private-right-of-action data-privacy schemes are interpreted in New Jersey.
New Jersey does not yet have a comprehensive data broker registration law applicable to all consumers (comparable to California's data broker registry under the CCPA or Vermont's data broker registry). A bill requiring general data broker registration has been introduced in the legislature but has not been enacted as of May 2026.
Federal Privacy Law Overlay
Federal law applies alongside New Jersey's state statutes. Several federal frameworks directly affect New Jersey residents and businesses.
TAKE IT DOWN Act (2025)
Congress enacted the TAKE IT DOWN Act (Pub. L. 119-12, Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act), signed by President Trump on May 19, 2025. The law has two components.
The criminal prohibition took effect immediately upon signing. It prohibits the nonconsensual publication of intimate visual depictions, including AI-generated deepfakes.
The platform takedown obligations took effect May 19, 2026, one year after signing. Covered platforms must now establish a notice-and-removal process and remove qualifying content within 48 hours of receiving a valid removal request. The FTC enforces platform violations as unfair or deceptive acts under Section 18(a)(1)(B) of the FTC Act.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) governs protected health information held by covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates. HIPAA preempts state law only where the state rule is less protective; the NJDPA's health-data provisions apply to controllers outside the HIPAA covered-entity definition.
COPPA
The Children's Online Privacy Protection Act (COPPA) requires operators of websites or online services directed to children under 13 to obtain verifiable parental consent before collecting personal information. COPPA enforcement by the FTC operates alongside New Jersey's NJDPA children's data provisions.
GLBA
The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions collect and share nonpublic personal information. Financial institutions subject to GLBA are exempt from the NJDPA at the entity level, but GLBA-regulated data that is separately collected by non-GLBA entities remains subject to the NJDPA.
FTC Act Section 5
The FTC Act Section 5 prohibits unfair or deceptive acts or practices affecting commerce. The FTC has used this authority to pursue data security and privacy failures by companies regardless of whether a sector-specific privacy statute applies.
American Privacy Rights Act (APRA)
Congress introduced a bipartisan federal privacy bill (the American Privacy Rights Act) in 2024. It did not pass. A revised version, sometimes called APRA 2.0, was introduced in 2025. As of May 2026, no federal comprehensive consumer privacy law has been enacted. New Jersey's NJDPA continues to govern in the absence of federal preemption.
Penalty Comparison Table
| Law | Statute | Penalty Per Violation | Cure Period | Enforcement |
|---|---|---|---|---|
| NJDPA | N.J.S.A. 56:8-166.4 et seq. | $10,000 first / $20,000 subsequent | 30 days (sunsets July 15, 2026) | Attorney General |
| Breach Notification | N.J.S.A. 56:8-163 | Consumer Fraud Act penalties | None specified | Attorney General |
| Consumer Fraud Act | N.J.S.A. 56:8-1 et seq. | $10,000 first / $20,000 subsequent | None | Attorney General |
| Daniel's Law | N.J.S.A. 56:8-166.1 et seq. | Civil damages + penalties | None | Private right of action + AG |
| TAKE IT DOWN Act | Pub. L. 119-12 | FTC Act penalties | None | FTC (federal) |
What Makes the NJDPA Different From Other State Privacy Laws
The NJDPA stands out from other state comprehensive privacy laws in several important ways.
Financial data as sensitive data. New Jersey is the only state that broadly classifies financial information as sensitive personal data requiring opt-in consent before processing. Other states typically leave financial data regulation to the federal GLBA framework.
No nonprofit exemption. Most state privacy laws exempt nonprofit organizations. The NJDPA does not, meaning charities, advocacy groups, religious organizations, and other nonprofits that meet the processing thresholds must comply with the full scope of the law.
No higher education exemption. The NJDPA does not exempt institutions of higher education or create a carve-out for data governed by FERPA. Universities and colleges operating in New Jersey must comply.
Broad sensitive data definition. The NJDPA's sensitive data categories include citizenship and immigration status as well as status as transgender or nonbinary. These categories are not universally included in other state privacy laws.
Rulemaking authority. Unlike most state privacy laws that are enforced based solely on statutory text, the NJDPA grants the Division of Consumer Affairs explicit authority to adopt implementing regulations, adding a layer of uncertainty until those regulations are finalized.
Practical Compliance Steps for Businesses
Businesses that meet the NJDPA's applicability thresholds should take the following steps, particularly given that the cure-period safety net sunsets on July 15, 2026.

1. Map your data flows. Identify all personal data your organization collects from New Jersey consumers, the purposes for which it is processed, and the third parties to whom it is disclosed. This inventory is the foundation of every other compliance obligation.
2. Update your privacy notice. Ensure your privacy notice discloses the categories of personal data collected, the purposes of processing, the categories of third-party recipients, and how consumers can exercise their rights. The notice must be clear and accessible.
3. Build a consumer-rights response process. Establish a verified request intake mechanism. You have 45 days to respond, with one 45-day extension permitted. You must also provide an appeal mechanism with a 60-day response window.
4. Honor universal opt-out signals. Configure your website to recognize and honor Global Privacy Control (GPC) and similar browser-level opt-out signals. This obligation has been in effect since July 15, 2025.
5. Audit sensitive data processing. If you process any of the NJDPA's sensitive data categories (including financial information, health data, biometrics, or geolocation), confirm you have obtained affirmative opt-in consent for each category before processing begins.
6. Execute data processing agreements. Review contracts with all vendors that process personal data on your behalf. Contracts must include the NJDPA-required provisions covering nature and purpose of processing, data type, duration, and mutual obligations.
7. Conduct data protection assessments. Complete written assessments before beginning any high-risk processing activity (targeted advertising, data sales, profiling, or sensitive data processing). Keep assessments available for AG review.
8. Prepare for the July 15, 2026 cure-period sunset. After that date, the AG can bring enforcement actions and pursue penalties without giving your organization a 30-day advance cure opportunity. Compliance gaps that could be quietly remedied today will carry full enforcement risk after mid-July.
How to Exercise Your Data Privacy Rights in New Jersey
If you are a New Jersey resident and want to exercise your rights under the NJDPA, start by locating the privacy notice or privacy policy on the business's website. The privacy notice should explain how to submit requests to access, correct, delete, or obtain a copy of your personal data, and how to opt out of targeted advertising, data sales, or profiling.
You can also enable a universal opt-out mechanism such as Global Privacy Control (GPC) in your browser. Businesses subject to the NJDPA are required to honor these signals as of July 15, 2025.
If a business denies your request, you have the right to appeal. The business must provide an appeal mechanism and respond within 60 days.
If you believe a business has violated your data privacy rights and you cannot resolve the issue directly, you can file a complaint with the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety.