Iubenda logo
Start generating

Documentation

Table of Contents

New Jersey Data Protection Act (NJDPA)

Effective Date: January 15, 2025

New Jersey is set to implement robust privacy protections for consumers with the enactment of the New Jersey Data Protection Act (NJDPA), effective January 15, 2025. The NJDPA provides comprehensive safeguards for personal data, aligning with the growing trend of state-led privacy initiatives and enhancing consumer rights in the digital age. 

This article provides a breakdown of the key provisions of the NJDPA, including its scope, consumer rights, and business obligations.

Scope and Applicability

The NJDPA applies to businesses that:

  1. Conduct business in New Jersey or offer products or services targeting New Jersey residents; and
  2. During a calendar year, either:
  • Control or process personal data of at least 100,000 consumers (excluding data processed solely for payment transactions), or
  • Control or process the personal data of at least 25,000 consumers and derive revenue, or receive discounts on goods or services, from the sale of personal data.

Important Note: Unlike some privacy laws, the NJDPA does not include a revenue threshold for applicability. It also applies to non-profit organizations but exempts state entities, along with certain types of data governed by federal laws (such as health information under HIPAA).

Definition of Sensitive Data

Under the NJDPA, sensitive data includes:

  1. Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health condition, treatment or diagnosis.
  2. Financial data such as, for example, a consumer’s account number, credit/debit card number, along with any required access codes or passwords that would grant access to a financial account.
  3. Information about sex life or sexual orientation, or citizenship or immigration status.
  4. Status as transgender or non-binary.
  5. Genetic or biometric data that can uniquely identify an individual.
  6. Personal data collected from a known child (under the age of 13).
  7. Precise geolocation data.

Consumer Rights Under the NJDPA

New Jersey residents will have the following rights under the NJDPA:

  1. Access and Confirmation: Consumers can confirm whether their personal data is being processed and access that data (unless revealing the data would expose trade secrets).
  2. Data Portability: Consumers can obtain a copy of their personal data in a portable, usable format that allows for easy transfer to another controller.
  3. Correction: Consumers can request that inaccurate personal data be corrected.
  4. Deletion: Consumers can request the deletion of their personal data.
  5. Opt-Out Rights: Consumers can opt out of targeted advertising, the sale of their personal data, and certain profiling activities with legal or other significant implications.
  6. Non-Discrimination: Consumers cannot be discriminated against for exercising their rights.

Exercising Consumer Rights

Consumers can submit requests to businesses using the methods specified in the privacy notice, without needing to create an account. For those with existing accounts, businesses may request that they use their accounts for submitting requests. Additionally, consumers can appoint an authorized agent to make opt-out requests on their behalf, including through universal opt-out signals (when such technology becomes available).

Controller’s Obligations to Consumers

Businesses (controllers) must:

Limit Data Collection: Only collect personal data that is relevant and necessary for the stated processing purposes.

Obtain Consent: Controllers must obtain explicit consent to process personal data for purposes not necessary to nor compatible with those originally disclosed, process sensitive data, or process personal data of individuals between 13 and 17 for purposes of targeted advertising, sale of personal data, or profiling.

Privacy Notice Requirements: Businesses must provide a clear and accessible privacy notice that includes, among others:

  • Categories of personal data processed.
  • Purposes for processing.
  • Categories of third parties the data is shared with.
  • How consumers can exercise their rights, including their right of appeal.
  • The process for communicating material changes to the privacy notice.

Contract with Data Processors: Businesses must ensure that their data processors are also aligned with NJDPA provisions.

Data Protection Assessments: Businesses must perform and document data protection assessments for activities that present a higher risk of harm to consumers’ privacy, such as the processing of sensitive data or the sale of personal data.

Security Practices: Businesses must implement reasonable data security measures to protect personal data from unauthorized access, both during storage and use.

Response to Consumer Requests

Businesses must respond to consumer requests within 45 days. If more time is needed, businesses may extend this period by an additional 45 days, but consumers must be informed of the delay. Information must be provided free of charge for one request per consumer every 12 months. If a request is manifestly unfounded, excessive, or repetitive, businesses may charge a reasonable fee to cover administrative costs.

Appeal Process

Consumers have the right to appeal decisions made by businesses regarding their requests. The appeal process must be easy to access and similar to the process for submitting the initial request. Businesses must respond to appeals within 45 days. If an appeal is denied, consumers can contact the New Jersey Division of Consumer Affairs to file a complaint.

Penalties and Enforcement

The New Jersey Attorney General will have exclusive authority to enforce the NJDPA. Businesses that fail to comply with the law will be subject to civil penalties, which could result in significant financial consequences. Until July 1, 2026, violators have 30 days to remedy any violations after receiving written notice.

Universal Opt-Out Mechanisms

By July 15, 2025, businesses will need to provide consumers with an option to opt out of the sale of personal data, targeted advertising, and profiling through universal opt-out signals.

How iubenda can help

The New Jersey Consumer Data Protection Act represents a major step toward protecting consumer privacy in the state. With its strong emphasis on transparency, consumer control over personal data, and business accountability, the NJDPA ensures that consumers in New Jersey can exercise their rights over their personal information. 

Businesses operating in New Jersey must begin preparing to comply with the law ahead of its January 15, 2025 effective date. This includes revising privacy policies, implementing data protection practices, and ensuring that consumer rights processes are in place.

Act now to mitigate compliance risks and demonstrate your commitment to consumer privacy under the NJDPA.

Start generating

Still have questions?

Attend one of our free webinars Email us Live chat