New Jersey Biometric Privacy Laws: Collection, Consent & Penalties (2026)

New Jersey takes biometric privacy seriously. The state rolled out one of the broadest biometric data definitions in the country when the New Jersey Data Privacy Act (NJDPA) took effect on January 15, 2025. Unlike states that passed narrow biometric-only statutes, New Jersey embedded biometric protections within a comprehensive consumer data privacy framework that covers everything from fingerprints to facial geometry.

If you collect, store, or process biometric data from New Jersey residents, here is what the law requires.

How New Jersey Defines Biometric Data

The NJDPA provides one of the most expansive biometric data definitions in the United States. Under N.J.S.A. 56:8-166.4, "biometric data" means:

Data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual.

This definition goes further than many state laws. The inclusion of "facial mapping," "facial geometry," and "facial templates" as separate categories means New Jersey covers the full spectrum of facial recognition technology inputs and outputs. The "other unique biological, physical, or behavioral patterns" catch-all gives the law room to cover emerging technologies like gait analysis, vein pattern recognition, and keystroke dynamics.

What Is Not Biometric Data

The NJDPA carves out specific exclusions. The following do not qualify as biometric data:

• Digital or physical photographs
• Audio or video recordings
• Data generated from photographs or recordings, unless that data is specifically generated through automatic or technological processing to identify an individual

This distinction matters. A security camera recording of a customer walking through a store is not biometric data. However, running that footage through facial recognition software that generates a facial geometry template does create biometric data under New Jersey law.

Biometric Data as Sensitive Data

The NJDPA classifies biometric data as a category of sensitive data. The statute defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.

This sensitive data classification triggers the highest level of protection the NJDPA offers.

Consent Requirements for Biometric Data

Because biometric data qualifies as sensitive data, controllers face strict consent rules under Section 9 of the NJDPA. A controller must not process sensitive data concerning a consumer without first obtaining the consumer's consent.

"Consent" under the NJDPA means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to the processing of personal data. Pre-checked boxes, silence, or inactivity do not count. Burying consent in a terms-of-service agreement is not sufficient.

In practice, this means businesses must:

• Clearly inform the consumer about what biometric data will be collected
• Explain the specific purpose for processing the biometric data
• Obtain an affirmative opt-in before collection begins
• Allow the consumer to withdraw consent at any time

This requirement applies to any controller that conducts business in New Jersey or produces products or services targeted to New Jersey residents, and that processes the personal data of at least 100,000 consumers, or processes data of at least 25,000 consumers while deriving revenue from selling personal data.

Consumer Rights Over Biometric Data

New Jersey residents have five core rights over their biometric data under the NJDPA:

Right to Confirm and Access. Consumers can ask whether a controller processes their biometric data and obtain a copy of that data.

Right to Correct. If biometric data is inaccurate, consumers can request corrections.

Right to Delete. Consumers can request that a controller delete their biometric data.

Right to Data Portability. Consumers can obtain their biometric data in a portable, readily usable format that allows transfer to another controller.

Right to Opt Out. Consumers can opt out of the processing of their biometric data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers must respond to consumer requests within 45 days. They may extend this by an additional 45 days when reasonably necessary, provided they notify the consumer of the extension and the reason for it.

Enforcement and Penalties

Attorney General Authority

The NJDPA grants the Office of the Attorney General sole and exclusive authority to enforce the law. No other state agency, local government, or private individual can bring an enforcement action directly under the NJDPA.

Consumer Fraud Act Penalties

Section 14 of the NJDPA classifies any violation as "an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.)," which is the New Jersey Consumer Fraud Act (CFA). This linkage carries real consequences:

• First violation: Up to $10,000
• Subsequent violations: Up to $20,000 each
• The Attorney General can seek injunctive relief, civil penalties, and other remedies available under the CFA

The 30-Day Cure Period

During the first 18 months after the NJDPA took effect (January 15, 2025 through July 15, 2026), the Attorney General must issue a notice of violation and provide the controller 30 days to cure the issue before pursuing enforcement. If the controller fixes the problem and provides a written statement confirming the cure within 30 days, the matter is resolved.

After July 15, 2026, the cure period becomes discretionary. The Attorney General can choose whether to offer a cure opportunity or proceed directly to enforcement.

The Private Right of Action Question

The NJDPA explicitly states that "nothing in P.L.2023, c.266 shall be construed as providing the basis for...a private right of action." This means consumers cannot sue businesses directly under the NJDPA for mishandling their biometric data.

However, New Jersey legal commentators have noted a tension in the statute. The CFA itself, under N.J.S.A. 56:8-19, provides a private right of action for any person who suffers an ascertainable loss from an unlawful practice. A successful CFA plaintiff receives treble damages (three times actual losses), plus attorney fees and court costs. Since NJDPA violations are classified as CFA unlawful practices, the question of whether a consumer could bring a CFA claim based on a NJDPA violation remains untested in court. Businesses should not assume they are immune from private litigation.

Comparison with Other State Biometric Laws

New Jersey's approach differs from the two other major models in the United States:

Feature	New Jersey (NJDPA)	Illinois (BIPA)	Texas (CUBI)
Law Type	Comprehensive privacy law	Standalone biometric statute	Standalone biometric statute
Biometric Definition	Broad (includes facial mapping, geometry, templates)	Narrower (retina, iris, fingerprint, voiceprint, hand/face geometry)	Similar to Illinois
Consent Required	Affirmative opt-in for sensitive data	Written informed consent	Informed consent
Private Right of Action	None under NJDPA (CFA question open)	Yes, any violation	None (AG only)
Damages	$10,000/$20,000 per violation (AG)	$1,000/$5,000 per violation (private)	$25,000 per violation (AG)
Enforcement	AG only	Private lawsuits + AG	AG only
Photo/Video Exclusion	Yes, unless processed for identification	Yes	Yes

New Jersey's broad definition gives it wider coverage than Illinois on paper, but Illinois remains the more aggressive enforcement environment because of its private right of action, which has driven billions of dollars in settlements.

Proposed Biometric Surveillance Legislation

The New Jersey Legislature has continued to consider additional biometric protections. Senate Bill 1464 (introduced in the 2026 session) would prohibit businesses from selling, leasing, trading, or sharing information obtained through biometric surveillance systems. Violations would be treated as CFA unlawful practices with the same $10,000/$20,000 penalty structure.

This proposed legislation targets commercial facial recognition and remote biometric monitoring systems specifically. It would supplement the NJDPA's broader data privacy framework with targeted restrictions on biometric surveillance in commercial settings.

Attorney General Rulemaking

The Office of the Attorney General announced proposed rules in 2025 to implement the NJDPA through the Division of Consumer Affairs. These rules address controller obligations for data handling, consent mechanisms, universal opt-out compliance, and consumer rights processing. The public comment period ran from June 2, 2025, through August 1, 2025, and the Division is expected to publish a Notice of Adoption in 2026.

These regulations will provide more specific guidance on how businesses should handle biometric data consent, storage, and processing under the NJDPA framework.

Practical Compliance Steps for Businesses

Organizations that collect biometric data from New Jersey residents should take these steps:

Audit your biometric data collection. Identify every point where you collect fingerprints, facial scans, voiceprints, iris scans, or other biometric identifiers from New Jersey consumers or employees.

Implement affirmative consent mechanisms. Build clear, specific opt-in flows for biometric data collection. Generic privacy policy disclosures are not sufficient under the NJDPA.

Honor consumer rights requests. Set up systems to process access, correction, deletion, portability, and opt-out requests within the 45-day response window.

Review vendor contracts. If you share biometric data with processors, ensure your contracts require them to follow the same protections required by the NJDPA.

Prepare for the cure period sunset. After July 15, 2026, the Attorney General can enforce without offering a 30-day cure window. Get compliant before that date.

More New Jersey Laws

• New Jersey Data Privacy Laws
• New Jersey Whistleblower Laws
• New Jersey Child Support Laws
• New Jersey Dog Bite Laws
• New Jersey Recording Laws
• New Jersey Recording Laws
• New Jersey Recording Laws
• New Jersey Recording Laws

Sources and References

This article references New Jersey statutes and official government publications. For the full text of the NJDPA, visit the New Jersey Legislature. For Attorney General enforcement updates, visit njoag.gov. For the NJDPA definitions codified at N.J.S.A. 56:8-166.4, see the New Jersey Cybersecurity & Communications Integration Cell overview.

This article provides general legal information about New Jersey biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official New Jersey government sources.