On January 16, 2025, New Jersey’s Data Protection Act (“NJDPA” or the “Act”) went into effect, making New Jersey the nineteenth state to adopt a comprehensive data privacy law. The opportunity to cure any defects under the law will sunset on July 1, 2026. Therefore, it is critical that covered entities, or “controllers” of personal data, act now to ensure compliance with the law’s requirements as outlined more fully in this article.
To Whom Does the Law Apply?
The NJDPA applies to companies that:
- Conduct business in New Jersey or produce products and services targeted to New Jersey residents; and
- Either:
  a. Control or process the personal data of at least 100,000 consumers (excluding personal data processed solely to complete a payment transaction); or
  b. Control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.
Who is Covered by the Law?
The NJDPA protects the data of New Jersey “consumers,” a term defined as an “individual person who is a resident of [New Jersey] acting only in an individual or household context.” Protection extends to the data of children ages thirteen to sixteen, and covered entities must obtain consent before processing the personal data of these consumers.
Critically, the definition does not include a person acting in a commercial or employment context. For example, a New Jersey resident who has his or her personal data collected by a retailer while making a purchase for the consumer’s household is protected under the NJDPA. However, a New Jersey resident who has his or her personal data collected by a potential employer while applying for a job is not protected under the Act.
Other exemptions exist for certain public entities, state-regulated insurance providers, financial institutions governed by the Gramm-Leach-Bliley Act, protected health information under the Health Insurance Portability and Privacy Act, information covered under the Driver’s Privacy Protection Act, and personal data processed by a consumer reporting agency under the Fair Credit Reporting Act. Notably, nonprofit entities are not excluded from the law’s application.
What are the Requirements Under the Law?
Under the NJDPA, covered entities are required to:
- Limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose for which the data is processed;
- Implement reasonable data security practices;
- Provide privacy notices that are reasonably accessible, clear, and meaningful to consumers. The notices must include the following information:
  - The categories of the personal data that the company processes.
  - The purpose of processing personal data.
  - The categories of all third parties to which the company may disclose a consumer’s personal data.
  - The categories of personal data that the company shares with third parties, if any.
  - The process by which consumers may exercise their consumer rights.
  - The process by which the controller notifies consumers of material changes to the notification.
  - An active e-mail address or other online mechanism that consumers may use to contact the company.
- Conduct data protection impact assessments for processing that presents a heightened risk of harm to consumers (targeted advertising, profiling with foreseeable risks like unfair and deceptive treatment, and selling and processing sensitive personal data);
- Disclose the sale or processing of personal data to third parties, and the manner in which a consumer may exercise the right to opt out;
- Enter into contracts with data processors governing the processor’s data processing procedures; and
- Keep records of data protection assessments.
How is the Law Enforced?
There is no private right of action under the NJDPA. The attorney general has the sole and exclusive authority to enforce a violation of the statute under the New Jersey Consumer Fraud Act. Penalties range from up to $2,500 for the first violation to $20,000 for the fourth or subsequent violations.
Up through July 1, 2026, the Division of Consumer Affairs is required to provide notice to the covered entity of violations and further provide that entity with thirty days to cure the noticed violation, if such a cure exists. After this date, no such notice will be required.
We will continue to monitor this law, including the anticipated release of regulations scheduled for later this year. Should you have any questions or concerns, please do not hesitate to contact the Labor & Employment Team at Lindabury, McCormick, Estabrook & Cooper, P.C.