The New Jersey Data Privacy Act (NJDPA)
The consumer privacy law of the state of New Jersey.
What is the New Jersey Data Privacy Act?
The New Jersey Data Privacy Act, or Senate Bill 332, is New Jersey’s comprehensive privacy law. It was approved at the end of December 2023 and passed both the Senate and the Assembly on January 8, 2024.
On January 16, 2024, the bill was approved by New Jersey’s Governor Phil Murphy; it comes into effect one year from its signature date, on January 15, 2025. The bill introduces key terms such as "sale," "controller," and "processor," aligning them with the corresponding concepts in other U.S. state privacy laws. It grants rule-making authority to the Attorney General and addresses children's privacy in line with the Children's Online Privacy Protection Rule.
What is Personal Information and what are other key definitions?
Under the NJDPA, “personal data” means “any information that is linked or reasonably linkable to an identified or identifiable person,” and does not include “de-identified data or publicly available information.”
The privacy law of New Jersey also offers a comprehensive definition for ‘sensitive data’ as “personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.”
In addition to these, New Jersey’s privacy law defines “biometric data” as “data generated by automatic or technological processing, measurements, or analysis of an individual’s biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual,” but which excludes “a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.”
As in other U.S. state privacy laws, the data subject is called a “consumer,” defined as “an identified person who is a resident of this State acting only in an individual or household context,” which does not include “a person acting in a commercial or employment context.” “Consent” under the NJDPA means “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer,” which may include “a written statement, including by electronic means, or any other unambiguous affirmative action,” but excludes the following: “acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.”
A “controller” is “an individual, or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data,” and a “processor” is “a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.”
Last but not least, under the New Jersey privacy regulation, “sale” is defined as “the exchange of personally identifiable information for monetary consideration by the operator to a third party for purposes of licensing or selling personally identifiable information at the third party's discretion to additional third parties,” but which excludes several categories of disclosures as follows:
- “the disclosure of personally identifiable information to a service provider that processes that information on behalf of the operator;
- the disclosure of personally identifiable information to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer's reasonable expectations considering the context in which the consumer provided the personally identifiable information to the operator;
- the disclosure or transfer of personally identifiable information to an affiliate of the operator; or
- the disclosure or transfer of personally identifiable information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the operator’s assets.”
Who has to comply with the New Jersey Data Privacy Act?
The New Jersey Data Privacy Act applies “to controllers that conduct business in the State or produce products or services that are targeted to residents of the State, and that during a calendar year either:
- control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.”
Who is excluded from compliance with the New Jersey Data Privacy Act?
As with other U.S. consumer privacy laws, New Jersey’s privacy law excludes:
- Covered entities and business associates handling protected health information as defined by HIPAA and the HITECH Act;
- Financial institutions and their affiliates that are regulated under the Gramm-Leach-Bliley Act;
- Secondary market institutions;
- Insurance institutions regulated by specific New Jersey legislation;
- New Jersey Motor Vehicle Commission;
- Consumer reporting agencies that are regulated by the Fair Credit Reporting Act.
How can I keep my organization compliant with the New Jersey Data Privacy Act?
In order to comply with the New Jersey data protection law, as a controller you have to do the following:
- provide consumers with “a reasonably accessible, clear, and meaningful privacy notice that shall include, but may not be limited to:
  - the categories of the personal data that you process;
  - the purpose for processing personal data;
  - the categories of all third parties to which you may disclose a consumer’s personal data;
  - the categories of personal data that you share with third parties, if any;
  - how consumers may exercise their consumer rights, including your contact information and how a consumer may appeal your decision with regard to their request;
  - the process by which you notify consumers of material changes to the notification required to be made available pursuant to this subsection, along with the effective date of the notice;
  - an active electronic mail address or other online mechanism that the consumer may use to contact you.”
- if you sell personal data to third parties or process personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, “clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing”;
- not “require a consumer to create a new account in order to exercise a right,” although you may “require a consumer to use an existing account to submit a verified request”;
- not increase “the cost of, or decrease the availability of, the product or service” “based solely on the exercise of a right and unrelated to feasibility or the value of a service”;
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;
- except as otherwise provided in the law, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which the personal data is processed, as disclosed to the consumer, unless you obtain the consumer’s consent;
- take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices that protect the confidentiality, integrity, and accessibility of personal data and secure it, during both storage and use, from unauthorized acquisition; these practices have to be appropriate to the volume and nature of the personal data at issue;
- not process sensitive data concerning a consumer without first obtaining the consumer’s consent, or, in the case of personal data concerning a known child, without processing such data in accordance with COPPA;
- not process personal data in violation of the laws of this State or federal laws that prohibit unlawful discrimination against consumers;
- provide an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism by which the consent was given and, upon revocation, cease processing the data as soon as practicable, but not later than 15 days after receipt of the request;
- not process the personal data of a consumer for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer without the consumer’s consent, where you have actual knowledge, or willfully disregard, that the consumer is at least 13 years of age but younger than 17 years of age;
- specify the express purposes for which personal data are processed;
- not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each such processing activity that involves personal data acquired on or after the effective date of the New Jersey Data Privacy Act, where heightened risk includes:
  - “processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial or physical injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
  - selling personal data;
  - processing sensitive data.”
- comply with an opt-out request submitted through a Universal Opt-Out Mechanism (UOOM).
As far as processor obligations are concerned, processors have to “adhere to the instructions of the controller and assist the controller to meet its obligations under this act” by:
- taking appropriate technical and organizational measures, insofar as possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights under this act;
- helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to notification of a breach of the security of the system;
- providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required;
- ensuring that each person processing the personal data is subject to a duty of confidentiality with respect to the data;
- engaging subcontractors pursuant to a written contract that governs any processing activity performed on their behalf by the subcontractor;
- having in place a contract between themselves and the controller that is binding on both parties and sets forth the obligations of both parties.
What data access rights does the New Jersey Data Privacy Act grant consumers?
Under the NJDPA consumers have the following rights:
- Right to Access
- Right to Correct
- Right to Delete
- Right to Data Portability
- Right to Opt-Out of the processing of personal data for the purposes of targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
How should companies address data subject access requests under the New Jersey Data Privacy Act?
Upon receiving a verified request from a consumer, you have to respond within 45 days of receipt of the request. You may extend the response period by 45 additional days where reasonably necessary, considering the complexity and number of the consumer’s requests, provided that you inform the consumer of the extension and the reason for it within the initial 45-day response period, and that you provide information covering all disclosures of personal data that occurred in the prior 12 months.
If you decline to take action regarding the consumer’s request, you have to inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
Information provided in response to a consumer request has to be provided “free of charge, once per consumer during any twelve-month period,” unless you receive “a second or subsequent identical request within a 12-month period,” in which case you may charge an amount calculated pursuant to regulations. If requests from a consumer are manifestly unfounded, excessive, or repetitive, you may charge the consumer a reasonable fee to cover the administrative costs of complying with the request, or decline to act on the request, but you bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
If you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with a request and instead have to provide notice to the consumer that you are unable to authenticate the request to exercise such right or rights until they provide additional information that is reasonably necessary to authenticate them and their request.
You are not required to authenticate an opt-out request but you may deny such a request if you have “a good faith, reasonable and documented belief that such request is fraudulent.” If you do so, you have to send a notice to the person who made the request informing them that you believe their request is fraudulent, along with why you believe this, and that you will not comply with the request.
Where you refuse to honor a consumer’s request, you are required to establish a process for the consumer to appeal your refusal within a reasonable period of time after receiving your decision. The appeal process has to be conspicuously available and similar to the process for submitting requests. No later than 45 days after receipt of an appeal, you have to inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, you also have to provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.
Enforcement and penalties
The enforcing authority for violations of the New Jersey Data Privacy Act is the Attorney General, and the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety is given rulemaking authority. Controllers are allowed a 30-day cure period to cure any alleged violations; however, this cure period will sunset 18 months from the effective date, on July 15, 2026.
While the text of the NJDPA does not specifically mention an amount for penalties, it does state that any violation of this privacy law will be considered an unlawful practice and violation of the New Jersey Consumer Fraud Act which mandates “a penalty of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense.”
Data Subject Rights - GDPR vs. New Jersey Data Privacy Act
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
New Jersey Data Privacy Act
- Right to access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out
- Right to appeal
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
FAQs About the New Jersey Data Privacy Act
What does the New Jersey Data Privacy Act apply to?
The New Jersey Data Privacy Act applies “to controllers that conduct business in the State or produce products or services that are targeted to residents of the State, and that during a calendar year either:
- control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.”
What does the New Jersey Data Privacy Act exempt?
As with other U.S. consumer privacy laws, New Jersey’s privacy law excludes:
- Covered entities and business associates handling protected health information as defined by HIPAA and the HITECH Act;
- Financial institutions and their affiliates that are regulated under the Gramm-Leach-Bliley Act;
- Secondary market institutions;
- Insurance institutions regulated by specific New Jersey legislation;
- New Jersey Motor Vehicle Commission;
- Consumer reporting agencies that are regulated by the Fair Credit Reporting Act.
What rights does the New Jersey Data Privacy Act provide to New Jersey consumers?
The NJDPA grants New Jersey consumers the right to access, correct, or delete their personal data, the right to data portability, the right to appeal a refusal by the controller, and the right to opt out of processing for the purposes of targeted advertising, the sale of personal data, or profiling. All data subject requests have to be answered within 45 days, with a possible extension of 45 additional days where reasonably necessary.
Who enforces the New Jersey Data Privacy Act?
The enforcing authority for violations of the New Jersey Data Privacy Act is the Attorney General, and the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety is given rulemaking authority. Controllers are allowed a 30-day cure period to cure any alleged violations; however, this cure period will sunset 18 months from the effective date, on July 15, 2026.
What are the penalties for violations of the New Jersey Data Privacy Act?
While the text of the NJDPA does not specifically mention an amount for penalties, it does state that any violation of this privacy law will be considered an unlawful practice and violation of the New Jersey Consumer Fraud Act which mandates “a penalty of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense.”