Last updated: January 2025

Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.

Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.

The New Jersey Data Privacy Act (NJDPA)

Effective Date: January 15, 2025

1. Applicability Thresholds:

Subject to certain entity-level and data-level exemptions, the NJDPA applies to an individual or legal entity conducting business in New Jersey (NJ) or producing products/services targeted to NJ residents (consumer), and, during a calendar year, controlling or processing either:

• 100,000+ NJ consumers' personal data (excluding personal data solely for the completion of payment transactions); or
• 25,000+ NJ consumers' personal data and derives any revenue (including services discount) from the sale of personal data.

2. Key Definitions:

Sales of Personal Data: Similar to California, the NJDPA broadly defines "sale of personal data" to include the sharing, disclosing, or transferring of personal data for not only monetary compensation but also "other valuable consideration", subject to certain exemptions.

3. Business Obligations:

The NJDPA imposes additional obligations on persons who, alone or jointly with others, determine the purpose and means of processing personal information (Controller):

• Heightened Protection for Minor under the Age of 17: Teenagers who are at least 13 but younger than 17 years of age and children under the age of 13 are afforded heightened protection under the NJDPA.
• Data Processing Agreement (DPA): Processing activities by a third party on the Controller's behalf (Processor) shall be governed by a DPA between the Controller and Processor.
• Data Protection Assessment. Yes, where processing activities present a heightened risk of harm to consumers, including targeted advertising, certain high-risk profiling activities, sales of personal data, and processing of sensitive data.
• Privacy Notice: Yes, a Controller must provide consumers with a privacy notice that is reasonably accessible, clear, and meaningful, discloses categories of information processed, and the purpose of processing, among others.
• Universal Opt-out Mechanism: Effective no later than six months after January 15, 2025, a Controller must allow a consumer to opt out of any personal data processing for targeted advertising, or any personal data sales, by sending the Controller an opt-out preference signal...by a platform, technology, or mechanism…indicating such consumer's intent to opt-out of any such processing or sale.

4. Consumer Rights:

Subject to certain exceptions, a NJ consumer has the right to:

• Confirm whether a Controller is processing its personal data, and access the categories of data being processed;
• Correct inaccuracies in the consumer's personal data;
• Delete personal data provided by, or obtained about, the consumer (subject to certain exceptions);
• Obtain a copy of their personal data processed by the Controller; and
• Opt-out of data processing for targeted advertising, sales of personal data, and profiling for solely automated decisions producing legal or similarly significant effects.

5. Enforcement and Penalties:

Private Right of Action: None.

Penalties: Up to $10,000 per violation in civil penalties, with penalties of up to $20,000 for any subsequent violations under the New Jersey Consumer Fraud Act.

Cure Period: A 30-day cure period may be granted by the Division of Consumer Affairs following receipt of the notice of violation. This cure period will be sunset on "the 18th month following the effective date" of the NJDPA, i.e., July 15, 2026.