New Jersey
What Is the NJDPA? New Jersey Data Privacy Act
The New Jersey Data Privacy Act (NJDPA) is New Jersey's comprehensive consumer data privacy law, codified at N.J.S.A. 56:8-166.4 et seq. It was enacted as Senate Bill S332, signed by Governor Phil Murphy on January 16, 2024, and took effect on January 15, 2025. It gives New Jersey residents the right to access, correct, delete, and port their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling.
As of 2026, the New Jersey Attorney General and the Division of Consumer Affairs enforce the law under the New Jersey Consumer Fraud Act, with civil penalties of up to $10,000 for a first violation and $20,000 for each subsequent violation. The 30-day right to cure that businesses rely on is scheduled to sunset roughly 18 months after the effective date, around July 15, 2026, so as of mid-2026 the guaranteed cure window is in its final weeks.
Jurisdiction scope: This covers New Jersey's Data Privacy Act (N.J.S.A. 56:8-166.4 et seq.). It is general legal information, not legal advice.
What the NJDPA is: statute, enactment, and effective date
The New Jersey Data Privacy Act is the state's first comprehensive consumer data privacy law. It is codified in Title 56 of the New Jersey Statutes, running from N.J.S.A. 56:8-166.4 through 56:8-166.19. The definitions that drive the rest of the law sit at N.J.S.A. 56:8-166.4.
The law was enacted as Senate Bill S332 and signed by Governor Phil Murphy on January 16, 2024, becoming P.L. 2023, c. 266. It then took effect on January 15, 2025, giving covered businesses roughly one year to build compliance programs before their obligations began.
As of 2026, the NJDPA is fully operative. Every controller that meets the applicability thresholds in N.J.S.A. 56:8-166.5 must honor consumer rights requests, respect opt-out signals, obtain consent before processing sensitive data, and maintain a compliant privacy notice. For the full set of controller and processor obligations, see the New Jersey data privacy laws parent page.
Who the NJDPA covers: the 100,000 and 25,000 thresholds
The applicability test lives in N.J.S.A. 56:8-166.5. The law applies to any controller that conducts business in New Jersey, or that produces products or services targeted to New Jersey residents, and that during a calendar year met either of two data thresholds.
The first trigger is controlling or processing the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction. That payment carve-out means a merchant does not count routine transaction-completion data toward the 100,000 figure.
The second trigger is controlling or processing the personal data of at least 25,000 consumers while the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data. New Jersey's "consumer" under N.J.S.A. 56:8-166.4 is a resident acting in an individual or household context, not in a commercial or employment context, so employee and business-to-business data generally does not count.
The revenue-or-discount trigger with no percentage floor
The second applicability prong is one of the NJDPA's most distinctive features. Many state privacy laws set their lower-headcount trigger at a fixed share of revenue, often 25 percent or 50 percent derived from selling personal data. New Jersey does not.
Under N.J.S.A. 56:8-166.5, a controller with 25,000 consumers is covered if it derives any revenue at all from the sale of personal data, or even if it merely receives a discount on the price of goods or services in exchange for that data. There is no percentage-of-revenue floor to clear.
This broadens the net considerably. A business that sells a modest amount of data, or that trades data for discounted services from a vendor, can be covered at 25,000 consumers even though the same business would escape a law that required selling data to be a meaningful share of its revenue. Companies should treat any data sale or data-for-discount arrangement as potentially triggering, not just a data-driven business model.
Financial information as sensitive data: an opt-in gate
Sensitive data sits at the center of the NJDPA because processing it requires opt-in consent. The definition at N.J.S.A. 56:8-166.4 is broad, and one inclusion sets New Jersey apart from most other states.
New Jersey treats financial information as sensitive data. The definition reaches a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the consumer's financial account. Most state privacy laws do not classify financial information as sensitive at all, so this is a meaningful expansion of the consent gate.
The definition also covers data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, treatment, or diagnosis, sex life or sexual orientation, citizenship or immigration status, status as transgender or nonbinary, genetic or biometric data processed to identify an individual, personal data collected from a known child, and precise geolocation data. The express inclusion of transgender or nonbinary status, alongside financial information, makes New Jersey's sensitive-data category one of the broadest in the country.
Active rulemaking by the Division of Consumer Affairs
A second distinctive feature is that the NJDPA directs active administrative rulemaking. Most state privacy laws are enforced largely as written, with little or no formal regulatory build-out. New Jersey took a different path.
The Act directs the Director of the Division of Consumer Affairs, in the Department of Law and Public Safety, to adopt rules and regulations to effectuate the law. On June 2, 2025, the Division published proposed privacy regulations, opening a comment period that ran through August 1, 2025. The proposed rules address areas the statute leaves general, including detailed privacy-notice requirements, restrictions on dark patterns, symmetry-in-choice for consent, and limits on using personal data to train artificial intelligence without consent.
Because the rules can add detail beyond the statute, covered businesses cannot treat the statutory text as the final word. The regulatory layer is part of the compliance picture, and the NJDPA compliance checklist explains how to track it.
Teen protections for 13-to-16 year olds
New Jersey adds a distinct teen protection that reaches further than older child-privacy frameworks. Under the Act, where a controller knows that a consumer is at least 13 and younger than 17, it must obtain consent before processing that consumer's personal data for targeted advertising, the sale of personal data, or profiling.
This consent requirement covers the 13-to-16 age band that the federal Children's Online Privacy Protection Act, which focuses on children under 13, does not reach. For teens in that band, opt-out is not enough: the controller needs affirmative consent for those three high-impact processing activities.
The teen consent rule operates alongside the children's-data protections. Personal data collected from a known child under 13 is itself sensitive data under N.J.S.A. 56:8-166.4, so processing it already requires consent.
NJDPA vs. CCPA: the key differences
Companies that operate nationally often compare New Jersey's NJDPA with California's law. The state data privacy law comparison page covers the broader multistate picture, but several differences from California's CCPA stand out.
| Feature | New Jersey NJDPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 100,000 consumers, or 25,000 plus any revenue or a discount from data sales; no dollar or percentage floor | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Lower-tier trigger | Any revenue or discount from data sales (no percentage floor) | 50% of revenue from selling or sharing data |
| Financial information | Treated as sensitive data; opt-in consent (N.J.S.A. 56:8-166.4) | Not classified as sensitive; opt-out right to limit |
| Sensitive data model | Opt-in consent required before processing | Right to limit use; opt-out model |
| Rulemaking | Active rules from the Division of Consumer Affairs (proposed June 2, 2025) | Detailed CPPA regulations |
| Private right of action | None | Limited, for certain data breaches |
The most consequential difference is the lower-tier trigger. New Jersey's 25,000-consumer prong with no percentage-of-revenue floor reaches businesses that California's 50-percent test would leave out. New Jersey also treats financial information as sensitive and requires opt-in consent for sensitive data, where California uses an opt-out right to limit. Both states route enforcement through state regulators, and neither the NJDPA nor the CCPA gives consumers a general private right of action for privacy violations.
Related guides
- New Jersey data privacy laws parent hub
- NJDPA consumer rights
- NJDPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- N.J.S.A. 56:8-166.4: Definitions (Sensitive Data, Financial Information)(njleg.state.nj.us).gov
- N.J.S.A. 56:8-166.5: Applicability and Thresholds(njleg.state.nj.us).gov
- N.J.S.A. 56:8-166.6: Privacy Notice and Consumer Rights Exercise(njleg.state.nj.us).gov
- N.J.S.A. 56:8-166.19: Authority and Enforcement(njleg.state.nj.us).gov
- New Jersey Legislature: S332 bill page (2022-2023 session)(njleg.state.nj.us).gov
- New Jersey Division of Consumer Affairs(njconsumeraffairs.gov).gov
- NJCCIC: New Jersey Enacts Comprehensive Data Privacy Law(cyber.nj.gov).gov