New Jersey Data Privacy Act NJDPA

New Jersey Data Privacy Act Explained

The New Jersey Data Privacy Act, or Senate Bill 322, was signed in January 2024 and comes into effect on January 16, 2025. The law follows other state-level privacy regulations: it grants consumers rights over how their data is collected and processed and sets legal requirements for businesses regarding consumers’ data privacy.

Read this blog to learn more about the New Jersey Data Privacy Act and its differences from other state-level data privacy laws.

What Is the New Jersey Data Privacy Act?

The New Jersey Data Privacy Act (NJDPA) protects the privacy and personal data rights of New Jersey’s residents and establishes data privacy responsibilities for companies conducting business in the state and/or providing goods and services targeted to New Jersey residents.

The New Jersey Data Privacy Act becomes effective January 16, 2025.

Like all other US state-level data privacy laws, the NJDPA uses an opt-out cookie consent model, meaning that businesses can collect and process consumer personal data without needing data subjects’ consent in many cases. However, consumers have the right to opt out of data collection and use for sale, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”.

Who Is Required to Comply with the NJDPA?

The New Jersey Data Privacy Act applies to controllers that conduct business in New Jersey or produce products or services that target New Jersey residents if the companies meet one of these criteria:

  • Control or process the personal data of at least 100,000 New Jersey consumers; or
  • Control or process the personal data of at least 25,000 New Jersey consumers and derive revenue (or receive a discount) from the sale of personal data.

Most obligations are imposed on controllers, the entities that determine the purpose and means of processing personal data.

The law also imposes some obligations on processors, the entities processing personal data solely on behalf of the controllers. These obligations are set by contract or by direct application of the law.

The New Jersey data privacy law does not have a specified revenue threshold for its scope of applicability, meaning that even small companies that process sufficient personal data will be subject to the law.

In addition, New Jersey is one of the few states to apply the consumer privacy law to institutions of higher education or data regulated by the federal Family Educational Rights and Privacy Act.

Exemptions to the NJDPA

The New Jersey data privacy law applies to New Jersey consumers, meaning individuals who are residents of the state of New Jersey; it does not cover individuals acting in a commercial or employment context.

However, the law contains exceptions common to other consumer privacy laws, including:

  • New Jersey government entities.
  • Financial institutions subject to the Gramm-Leach-Bliley Act.
  • Data collected, processed, sold or disclosed by a consumer reporting agency pursuant to the FCRA.
  • Data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
  • Secondary market institutions.
  • Insurance institutions subject to certain laws.
  • The state’s Motor Vehicle Commission.
  • Personal information covered by the Fair Credit Reporting Act.

Notably, the NJDPA does not exempt nonprofit organizations from the law.

CookieScript CMP can help you to comply with the NJDPA.

Consumer Rights under the New Jersey Data Privacy Act

Consumer rights under the NJDPA are quite standard compared to other data privacy laws in the US and include:

  • Right to access: Consumers have the right to know whether the controller is processing the consumer’s personal information and to access that data, including information about third parties it is shared with.
  • Right to disclosure: Consumers have the right to get a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
  • Right to correct: Consumers have the right to correct any inaccurate or outdated information the controller has that was provided by the consumer.
  • Right to delete: Consumers have the right to delete any personal data the controller has about or from the consumer (with some exceptions).
  • Right to data portability: Consumers have the right to obtain a portable and readily usable copy of their personal data.
  • Protection against discrimination: Controllers cannot unlawfully discriminate against consumers for exercising their rights.
  • Right to opt out: Consumers have the right to opt out of the sale of personal data, targeted advertising, or profiling “in furtherance of decisions that produce legal or similarly significant effects concerning a consumer”.

Consumers can make one free request to a controller to exercise their rights every 12 months, e.g. asking to delete their data or getting a copy of their data.

A controller can deny requests from a consumer that are “manifestly unfounded, excessive or repetitive”, or it can charge the consumer a reasonable fee to cover the administrative costs of complying with such a request. In such a case, the controller must demonstrate that the request is unfounded. The controller can also deny a request when the consumer’s identity cannot reasonably be verified.

An organization has 45 days to respond, though it may extend the response period by another 45 days if reasonably necessary, e.g. if fulfilling the request would be very complex or the controller has many requests to fulfill. If the controller extends the response period for a request, it must notify the consumer of the extension before the original 45-day response period has expired, and must provide a reason for the extension.

What Information Is Protected under the NJDPA?

The New Jersey Data Privacy Act protects users’ personal data and sensitive data.

Personal Data

The New Jersey Data Privacy Act protects the Personal Data of New Jersey consumers. Personal Data is defined broadly as information that is linked or reasonably linkable to a person.

Sensitive Data

The law delineates Sensitive Data as a separate category of personal data that includes:

  • Genetic or biometric data.
  • Personal data collected from a child the company knows is under 13.
  • Precise geolocation data.
  • Personal data revealing racial or ethnic origin.
  • Citizenship or immigration status.
  • Religious beliefs.
  • Mental or physical health condition, treatment or diagnosis.
  • Sex life or sexual orientation.
  • Status as transgender or non-binary.

The law also considers financial information as Sensitive Data. Such financial information includes:

  • Consumer’s account number.
  • Account log-in.
  • Financial account, credit or debit card number, and other information that would permit access to a consumer’s financial account.

However, the incorporation of financial information into the definition of sensitive data leaves ambiguity: it is not clear whether other types of financial information may qualify as sensitive data under the law.

De-identified data and publicly available information

Like the other comprehensive state consumer privacy laws, the NJDPA does not consider de-identified data and publicly available information as Personal Data.

What Obligations Does NJDPA Impose on Controllers?

The New Jersey privacy law sets several obligations on controllers and processors. To comply with the NJDPA, controllers must follow these requirements:

Privacy notice: Provide consumers with a reasonably accessible, clear, and meaningful privacy notice about the controller’s practices regarding consumer data and consumer rights. The privacy notice must include:

  • The categories of personal data the controller processes.
  • The purpose for processing personal data.
  • The categories of all third parties to which the controller discloses the personal data, if any.
  • Methods for consumers to exercise their rights and appeal the controller's decisions.
  • An active email address or other online mechanism to contact the controller.
  • Other data, such as the effective date of the privacy notice, etc.

Data minimization: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which such data is processed, as disclosed to the consumer, unless the controller obtains user consent.

Purpose limitation: Not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains user consent.

Security practices: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and secure it from unauthorized access.

Selling of personal data. Clearly disclose to consumers if you sell personal data to third parties or process personal data for targeted advertising or profiling and provide a clear method for consumers to opt out of these activities.

Sensitive data restriction: Do not process sensitive consumer data without first obtaining the explicit consumer’s consent. Do not process any personal data of a known child under 13 years old without obtaining consent from parents or legal guardians.

Personal data restriction: Do not process personal data for targeted advertising, sale, or profiling without explicit user consent, where the controller knows, or willfully disregards, that the consumer is at least 13 years old but younger than 17 years old.

Non-discrimination: Process data in a non-discriminatory manner as defined by the law. Not discriminate against a consumer if the consumer chooses to opt out of the processing.

Consent revocation: Provide a mechanism for a consumer to revoke consent to process personal data that is equally easy as the mechanism to give consent, and to cease processing the data within 15 days of revocation of consent.

Data Protection Assessments: Conduct data protection assessments (DPIAs) for processing activities that present a heightened risk of harm to the consumer, including:

  • The processing of personal data for purposes of targeted advertising.
  • The sale of personal data.
  • The processing of personal data for purposes of profiling that presents a reasonably foreseeable risk to the consumer.
  • The processing of sensitive data.
  • Any other processing activities involving personal data that present a heightened risk of harm to consumers, e.g. where profiling presents an unreasonably foreseeable risk of unfair or deceptive treatment of, disparate impact on, or financial or physical injury to consumers.

Processor contracts: Enter into a contract with any processor that includes instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the manner in which the processor must assist the controller.

Coverage for children: All data of children under 13 years of age is considered sensitive by default. Controllers are required to obtain explicit consent from parents or legal guardians for the collection and processing of personal data of children under 13 years of age.

Controllers are also required to obtain user consent for the collection and processing of personal data of people between 13 and 17 years of age if the data is used for the purposes of targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Allow for universal opt-out mechanisms: As required by other state-level data privacy laws, the NJDPA sets an obligation for controllers to allow consumers to communicate their privacy preferences through universal opt-out mechanisms such as Global Privacy Control.
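A minimal server-side way to honour a universal opt-out signal, as an added example (not CookieScript’s code and not prescribed by the Act): Global Privacy Control is transmitted by the browser as the request header `Sec-GPC: 1` (the script-side equivalent is `navigator.globalPrivacyControl`). The example assumes the request headers arrive as a dictionary, that a separate geolocation step has produced a region code such as `"NJ"`, that the consent banner has recorded per-purpose choices as a dictionary, and that the site keeps an inventory of tracking scripts keyed by purpose; all of those names and the sample inventory are constructed for illustration. The key property shown is that a GPC signal can only withdraw consent for the opt-out purposes named on this page (sale, targeted advertising, profiling), never grant it, and that it overrides a banner “yes”.

```python
from dataclasses import dataclass
from typing import Mapping

# Purposes a New Jersey consumer may opt out of under the NJDPA (from the text above).
OPT_OUT_PURPOSES = frozenset({"sale", "targeted_advertising", "profiling"})

# Regions where a GPC signal is treated as a binding opt-out. Only "NJ" is listed
# here to match this page; a real deployment would list every state whose law
# requires honouring the signal (constructed assumption).
GPC_BINDING_REGIONS = frozenset({"NJ"})

# Constructed sample inventory: script file -> purpose it serves. A script manager
# would gate each script on whether its purpose is still allowed.
SCRIPTS = {
    "analytics.js": "analytics",
    "ad-pixel.js": "targeted_advertising",
    "audience-sync.js": "sale",
}


@dataclass(frozen=True)
class Decision:
    allowed: frozenset   # purposes this request may be processed for
    gpc_opt_out: bool    # True when the GPC header overrode banner consent
    reason: str          # short string suitable for an audit log


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries `Sec-GPC: 1`.

    HTTP header names are case-insensitive, so compare lower-cased names.
    The GPC specification defines only the value "1" as a signal; anything
    else (including "0" or an absent header) is not an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_purposes(headers: Mapping[str, str], region: str,
                    banner_consent: Mapping[str, bool]) -> Decision:
    """Combine banner consent with a GPC signal for one request.

    banner_consent maps purpose -> bool as recorded by the consent banner.
    A GPC signal from a consumer in a binding region withdraws consent for every
    opt-out purpose even if the banner recorded "yes"; it never adds a purpose.
    """
    allowed = {purpose for purpose, ok in banner_consent.items() if ok}
    if gpc_signal_present(headers) and region in GPC_BINDING_REGIONS:
        allowed -= OPT_OUT_PURPOSES
        return Decision(frozenset(allowed), True,
                        f"Sec-GPC=1 from {region}: opt-out purposes removed")
    return Decision(frozenset(allowed), False,
                    "no binding GPC signal; banner consent applies")


def scripts_to_load(decision: Decision) -> list:
    """Return the (sorted) scripts whose purpose is still allowed."""
    return sorted(script for script, purpose in SCRIPTS.items()
                  if purpose in decision.allowed)


if __name__ == "__main__":
    # Constructed request: a New Jersey visitor whose banner said "yes" to everything
    # but whose browser sends the GPC signal.
    consent = {"analytics": True, "targeted_advertising": True, "sale": True}
    decision = decide_purposes({"Sec-GPC": "1"}, "NJ", consent)
    print(decision.reason, "->", scripts_to_load(decision))
```

Note that the region check only decides whether the signal is *binding*; many sites choose to honour GPC for every visitor, which is simpler and avoids depending on the accuracy of geolocation. Whatever the policy, the decision and its reason should be logged alongside the consent record, since the Act expects a controller to be able to show how a preference was handled.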

What Obligations Does NJDPA Impose on Processors?

The New Jersey Data Privacy Act sets the following obligations on processors:

Data security: Processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. They should make a clear agreement on the responsibilities between the processor and the controller for the NJDPA implementation.

Confidentiality: Processors must ensure that each person processing personal data treats the data confidentially.

Assistance to controllers: Processors are obliged to adhere to the instructions of the controller and help the controller meet its obligations under the law.

Contract obligations: Processors are obliged to sign the contract with the controller and ensure each subcontractor is subject to a written contract that requires the subcontractor to meet the obligations of the processor with respect to personal data.

Enforcement of the NJDPA

The New Jersey Attorney General has exclusive authority to enforce the Act.

The penalties for violating the New Jersey data privacy law can reach up to $10,000 per violation for the first violation and up to $20,000 for subsequent violations. Until July 15, 2026, organizations have a 30-day period to cure any violation.

As with most US state-level data privacy laws, the Act does not include a private right of action. California continues to be the only US state whose data privacy law provides a private right of action.

NJDPA Differences from Other State-Level Data Privacy Laws

In conclusion, New Jersey’s privacy law follows the framework set by preceding state-level data privacy laws. However, there are some notable differences.

Unlike other state-level data privacy laws, the NJDPA has a broader scope of applicability, including small businesses, nonprofits and educational institutions.

The NJDPA defines narrower exceptions, having a less clear B2B and employee data exception, a narrower Fair Credit Reporting Act (FCRA) exception, and a narrower Health Insurance Portability and Accountability Act (HIPAA) exception.

Differently from other state-level consumer privacy laws, the NJDPA defines financial information as sensitive data.

The law also includes child-focused privacy provisions. The NJDPA classifies the personal data of children under 13 as sensitive data. It also imposes separate consent requirements for selling of personal data or processing personal data for targeted advertising or profiling purposes of children between 13 and 17 years of age.

How Can CookieScript Help to Comply with the NJDPA?

Use a professional Consent Management Platform (CMP) to comply with the NJDPA and other data privacy laws.

CookieScript Consent Management Platform (CMP) comes with a Cookie Banner, Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager. It recognizes a Global Privacy Control signal, detects and categorizes cookies, local storage, session storage, and other trackers, provides a cookie notice and collects user consent, so you can be sure your website is compliant with the NJDPA and other privacy regulations 100%!

In 2024, CookieScript CMP was ranked by users as the best CMP on a peer-review site G2.
It also received a GOLD Tier in the New Google Tiering System.

CookieScript CMP can help you comply with the NJDPA and avoid violating the Law.

Try a free 14-day trial of CookieScript CMP.

Frequently Asked Questions

When will the NJDPA go into effect?

The law goes into effect on January 15, 2025. Use CookieScript CMP to comply with the NJDPA and avoid penalties. In 2024, it was ranked the best CMP on G2. It is also a Google-certified CMP.

Does New Jersey’s data privacy law provide a cure period for violations?

Yes, the NJDPA has a 30-day cure period. However, the cure period also expires on July 15, 2026, after an 18-month grace period in which businesses are expected to adjust to the law. Use CookieScript CMP to comply with the NJDPA and avoid penalties. In 2024, it was ranked the best CMP on G2.

What are the penalties for violating the New Jersey Data Privacy Act?

No monetary amount is defined in the law’s text but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can result in fines of up to $10,000 per violation for the initial violation and up to $20,000 per violation for subsequent violations. The New Jersey Attorney General has exclusive authority to enforce the Act and set penalties. Use CookieScript CMP to comply with the NJDPA and avoid penalties.

How to comply with the New Jersey Data Privacy Act?

To comply with the NJDPA, controllers must follow these requirements: provide a privacy notice, limit the collection of personal data and apply purpose limitation, implement reasonable security practices, not discriminate against consumers, conduct data protection assessments, enter into a contract with any processor, allow for universal opt-out mechanisms, and others. CookieScript CMP can help you to comply with the NJDPA. In 2024, it was ranked the best CMP on G2.

Does New Jersey’s privacy law require businesses to honor global opt-out signals?

Yes, the NJDPA sets an obligation for controllers to allow consumers to communicate their privacy preferences through universal opt-out mechanisms such as Global Privacy Control. CookieScript CMP can help you to comply with the NJDPA: it has geo-targeting functionality that detects whether consumers are based in New Jersey, and it respects Global Privacy Control signals.

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.