New Jersey
NJDPA Consumer Rights: New Jersey Privacy Law
The New Jersey Data Privacy Act (NJDPA), N.J.S.A. 56:8-166.4 et seq., gives New Jersey residents the right to confirm and access the personal data a business holds about them, to correct inaccuracies, to delete their data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. A controller generally must respond within 45 days of a verified request.
As of 2026, these rights are fully in force. If a controller declines a request, it must explain why and give the consumer a way to appeal, and it must honor a universal opt-out signal such as Global Privacy Control. Enforcement runs through the New Jersey Attorney General and the Division of Consumer Affairs under the Consumer Fraud Act, with no private right of action.
Jurisdiction scope: This covers New Jersey's Data Privacy Act (N.J.S.A. 56:8-166.4 et seq.). It is general legal information, not legal advice.
The core consumer rights
The NJDPA gives New Jersey residents a familiar set of consumer rights, modeled on the framework most state privacy laws share. The rights apply to a "consumer," which under N.J.S.A. 56:8-166.4 means a New Jersey resident acting in an individual or household context, not someone acting in a commercial or employment role.
A consumer may confirm whether a controller is processing their personal data and access that data. A consumer may correct inaccuracies, taking into account the nature of the data and the purpose of processing. A consumer may delete personal data the controller holds about them. A consumer may also obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows the data to be transmitted to another controller.
Alongside these access-style rights, the NJDPA gives consumers three opt-out rights. A consumer may opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The 45-day response deadline
The timing rules sit at N.J.S.A. 56:8-166.7. A controller that receives a verified consumer request must respond without undue delay and in any event within 45 days of receiving the request.
The controller may extend that period once by an additional 45 days where reasonably necessary, considering the complexity and number of the consumer's requests. To use the extension, the controller must inform the consumer of the extension, and the reason for it, within the initial 45-day window.
Requests are generally free of charge. A controller may charge a reasonable fee, or decline to act, only where a request is manifestly unfounded, excessive, or repetitive. In that situation the controller bears the burden of demonstrating that the request meets that standard, so the default is that the consumer's request is honored at no cost.
Verifying the consumer and the request
Before acting, a controller must be able to authenticate the request as coming from the consumer it concerns. If a controller cannot authenticate a request using commercially reasonable efforts, it is not required to comply and may ask the consumer for additional information reasonably necessary to authenticate the request.
This verification step protects consumers from someone else accessing, changing, or deleting their data. It also means a consumer may need to provide enough information to confirm identity before a controller will release or erase data.
For requests submitted through an authorized agent, including a browser-based opt-out signal for the opt-out rights, the controller may use technology to determine whether the consumer is a New Jersey resident and whether the agent is authorized to act on the consumer's behalf.
Appeals when a controller says no
If a controller declines to take action on a request, the consumer is not at a dead end. Under N.J.S.A. 56:8-166.6 and 56:8-166.7, a controller that refuses must inform the consumer, without undue delay and within the 45-day window, of the justification for declining and of how to appeal.
The controller must establish a conspicuous and readily accessible process for a consumer to appeal the refusal. Within a reasonable time after receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken in response, with a written explanation of the reasons.
If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or another method to contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint. That gives consumers a path to the regulator when a business will not resolve the request.
Opt-outs and the universal opt-out mechanism
The three opt-out rights, covering targeted advertising, the sale of personal data, and certain profiling, are central to how the NJDPA works in practice. A controller must give consumers a clear and conspicuous way to exercise each of these rights, typically through links or settings in its privacy notice.
The NJDPA also requires controllers to recognize a universal opt-out mechanism. This is a browser or device setting, such as Global Privacy Control, that signals a consumer's choice to opt out of targeted advertising and the sale of personal data without filling out a form on each website. The obligation to honor such a signal took effect no later than six months after the January 15, 2025 effective date, by approximately July 15, 2025.
When a consumer sends a universal opt-out signal, the controller must treat it as a valid request to opt out for that browser or device. The mechanism cannot unfairly disadvantage another controller, cannot be a default setting that conflicts with the consumer's express choice, and must be consumer-friendly and easy to use.
Sensitive data and the financial-information consent gate
Some data carries a higher bar. Under N.J.S.A. 56:8-166.4, sensitive data may not be processed without the consumer's opt-in consent, and New Jersey's sensitive-data category is unusually broad.
Sensitive data in New Jersey includes financial information, defined as a consumer's account number, account log-in, financial account, or credit or debit card number combined with any required security code, access code, or password that would permit access to the account. It also includes status as transgender or nonbinary, along with data revealing racial or ethnic origin, religious beliefs, health condition, treatment, or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, the personal data of a known child, and precise geolocation data.
Because financial information is treated as sensitive, a business that processes that kind of payment-credential data for non-payment purposes generally needs the consumer's affirmative consent first. Consent under the Act must be a clear affirmative act that is freely given, specific, informed, and unambiguous, and it cannot be obtained through dark patterns. Consumers also retain the right to revoke consent.
Teen protections for 13-to-16 year olds
The NJDPA adds an extra layer of protection for teenagers. Where a controller knows that a consumer is at least 13 and younger than 17, it must obtain consent before processing that consumer's personal data for targeted advertising, the sale of personal data, or profiling.
For teens in that 13-to-16 band, the usual opt-out approach is not enough. The controller needs affirmative consent before it may use their data for those three high-impact activities. This reaches an age group that the federal Children's Online Privacy Protection Act, which covers children under 13, does not address.
Personal data collected from a known child under 13 is itself sensitive data under N.J.S.A. 56:8-166.4, so it already requires consent. Together, these rules give New Jersey minors broader protection than the consumer rights that apply to adults.
Rights and deadlines at a glance
The table below summarizes the consumer rights and the key timing rules. The deadlines are statutory minimums; a controller may always respond faster.
| Right or step | What it covers | Deadline |
|---|---|---|
| Confirm and access | Confirm processing and get a copy of the data | 45 days (one 45-day extension) |
| Correct | Fix inaccurate personal data | 45 days |
| Delete | Erase personal data the controller holds | 45 days |
| Portability | Receive data in a portable, usable format | 45 days |
| Opt out (targeted ads, sale, profiling) | Stop those processing activities | Honor promptly; recognize universal signal |
| Appeal | Challenge a refusal to act | Reasonable time, in writing, then route to Division of Consumer Affairs |
| Sensitive data | Financial info, transgender or nonbinary status, and more | Opt-in consent required before processing |
For how a business operationalizes these rights, see the NJDPA compliance checklist.
Related guides
- New Jersey data privacy laws parent hub
- What is the NJDPA?
- NJDPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- N.J.S.A. 56:8-166.4: Definitions (Consumer, Sensitive Data)(njleg.state.nj.us).gov
- N.J.S.A. 56:8-166.6: Privacy Notice, Consumer Rights, and Appeals(njleg.state.nj.us).gov
- N.J.S.A. 56:8-166.7: Verified Request, 45-Day Response Period(njleg.state.nj.us).gov
- New Jersey Legislature: S332 bill page (2022-2023 session)(njleg.state.nj.us).gov
- New Jersey Division of Consumer Affairs(njconsumeraffairs.gov).gov
- NJCCIC: New Jersey Enacts Comprehensive Data Privacy Law(cyber.nj.gov).gov