What the New Jersey Data Privacy Act Covers
New Jersey Governor Phil Murphy signed SB 332 into law on 16 January 2024, making New Jersey the thirteenth US state to adopt a comprehensive consumer privacy framework. The law took effect on 15 January 2025 and grants New Jersey residents a broad set of rights over how businesses collect, use, and share their personal data.
Unlike several other US state privacy laws, the NJDPA casts a wide net over what counts as personal data. It explicitly includes financial information, geolocation data, and health-related data within its definition. The law also places specific obligations around how controllers handle data belonging to minors aged 13 to 16.
If your website attracts visitors from New Jersey, understanding these requirements is not optional.
Who Must Comply: Applicability Thresholds
The NJDPA applies to any entity that conducts business in New Jersey or produces products or services targeted at New Jersey residents, and meets at least one of two thresholds:
- Processes the personal data of at least 100,000 New Jersey consumers during a calendar year (excluding payment transaction data).
- Processes the personal data of at least 25,000 New Jersey consumers and derives revenue, or receives a discount on goods or services, from the sale of personal data.
There is no minimum revenue threshold. A small online retailer that tracks enough New Jersey visitors through analytics cookies such as _ga or advertising pixels like _fbp could meet the 100,000-consumer threshold without realising it.
The law exempts certain entities and data types, including data already regulated under HIPAA, Gramm-Leach-Bliley, the Fair Credit Reporting Act, and the Driver's Privacy Protection Act. Non-profit organisations and higher education institutions are also exempt.
Consumer Rights Under the NJDPA
New Jersey residents gain several rights that directly affect how your website handles personal data. These rights align broadly with other state laws but include a few notable expansions.
Core rights
| Right | Description | Response deadline |
|---|---|---|
| Access | Confirm whether a controller processes their data and obtain a copy | 45 days |
| Correction | Request correction of inaccurate personal data | 45 days |
| Deletion | Request deletion of personal data provided by or obtained about the consumer | 45 days |
| Portability | Obtain a copy of their data in a portable, readily usable format | 45 days |
| Opt-out of sale | Opt out of the sale of personal data | 15 days |
| Opt-out of targeted advertising | Opt out of processing for targeted advertising purposes | 15 days |
| Opt-out of profiling | Opt out of profiling that produces legal or similarly significant effects | 15 days |
The inclusion of profiling opt-out is significant. New Jersey is one of the few states that requires controllers to honour universal opt-out signals for profiling, not just for targeted advertising and data sales.
Universal Opt-Out Signals: A Mandatory Requirement
Since 15 July 2025, controllers subject to the NJDPA must recognise and honour universal opt-out mechanisms such as Global Privacy Control (GPC). This applies to opt-outs for sale, targeted advertising, and profiling.
The NJDPA goes further than most state laws on one specific point. It prohibits controllers from using universal opt-out mechanisms that are configured to opt consumers in by default, unless the controller can demonstrate that the consumer affirmatively selected the opt-in setting. Put simply, you cannot treat a GPC signal as irrelevant just because a user has not explicitly configured it.
For website owners already honouring GPC signals under Colorado or Connecticut law, the technical implementation is similar. Your cookie management platform should detect the Sec-GPC HTTP header and suppress non-essential cookies and tracking scripts before they fire.
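One way to implement that detection step on the server, as an added example that is not code from this page or from any consent management platform. The cookie-to-category mapping, the function names, and the rule that the signal overrides banner consent for advertising are assumptions made for illustration.

```javascript
// Constructed catalogue: which category each cookie belongs to (assumption).
const COOKIE_CATALOGUE = new Map([
  ["session_id", "essential"],
  ["_ga", "analytics"],
  ["_fbp", "advertising"],
]);

// Sale, targeted advertising and profiling are the opt-outs a universal
// signal covers; this example groups them under one "advertising" category.
const GPC_BLOCKED = new Set(["advertising"]);

// True only for a well-formed "Sec-GPC: 1" header. Header names are
// case-insensitive; any other value ("0", "true", empty) is not a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Categories permitted for this request. Non-essential categories stay off
// until the banner grants them, and a GPC signal removes the blocked ones
// even if the banner granted them (assumed policy for this example).
function allowedCategories(headers, bannerConsent = {}) {
  const allowed = new Set(["essential"]);
  const gpc = hasGpcSignal(headers);
  for (const [category, granted] of Object.entries(bannerConsent)) {
    if (granted !== true) continue;
    if (gpc && GPC_BLOCKED.has(category)) continue;
    allowed.add(category);
  }
  return allowed;
}

// Keep only cookies whose category is allowed. A cookie missing from the
// catalogue is treated as non-essential and suppressed.
function filterCookies(cookieNames, headers, bannerConsent) {
  const allowed = allowedCategories(headers, bannerConsent);
  return cookieNames.filter((name) => allowed.has(COOKIE_CATALOGUE.get(name)));
}
```

Run the filter before any `Set-Cookie` header or tracking script tag is written into the response, so nothing fires ahead of the decision.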
Sensitive Data and Financial Information
The NJDPA defines sensitive data broadly. It includes racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic and biometric data, personal data of children under 13, and precise geolocation data.
Financial data is explicitly included in the definition of personal data under the Act. This matters for ecommerce sites and financial service platforms that process payment-related cookies or store transaction identifiers. If your site uses payment gateway cookies from providers such as Stripe or PayPal, you should review whether those cookies handle data that falls under the NJDPA's personal data definition.
Processing sensitive data requires opt-in consent from the consumer. You cannot rely on implied consent or pre-ticked checkboxes.
Minors and Heightened Protections
The Act requires opt-in consent before processing personal data of consumers aged 13 to 16 for targeted advertising, sale of personal data, or profiling. For children under 13, the NJDPA defers to COPPA requirements, meaning verifiable parental consent is needed.
If your site could reasonably attract younger visitors, you may need age-gating mechanisms to identify minors and suppress tracking scripts accordingly. A well-designed cookie banner that blocks non-essential cookies by default helps satisfy this requirement without adding friction for adult visitors.
Data Protection Assessments
Controllers must conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. These activities include targeted advertising, sale of personal data, certain profiling, and processing of sensitive data, along with any other processing that presents a heightened risk of harm.
Each assessment must weigh the benefits of the processing against potential risks to consumer rights. The assessments must be made available to the New Jersey Attorney General upon request, so treating them as a tick-box exercise is inadvisable.
If you operate in multiple US states, you can likely adapt existing assessments conducted under Colorado or Connecticut law, since the format and substance overlap considerably.
Enforcement, Penalties, and the Cure Period
The New Jersey Attorney General holds exclusive enforcement authority. There is no private right of action, meaning consumers cannot sue businesses directly for NJDPA violations.
A violation of the NJDPA is treated as a violation of New Jersey's Consumer Fraud Act (Unfair and Deceptive Acts and Practices). Penalties can reach up to $10,000 for an initial violation and $20,000 for each subsequent violation. The Attorney General may also seek injunctive relief and restitution for affected consumers.
A 30-day cure period currently applies. If the Division of Consumer Affairs identifies a potential violation, it will notify the controller, who then has 30 days to remedy the issue. This cure period sunsets on 15 July 2026. After that date, the Attorney General can proceed directly to enforcement without offering a cure window.
Regulatory developments
In June 2025, the New Jersey Division of Consumer Affairs published proposed rules to implement the NJDPA. These draft regulations address areas such as how controllers should format privacy notices, handle consumer requests, and document data protection assessments. A Notice of Adoption is expected sometime in 2026, which will provide additional clarity on compliance expectations.
How to Prepare Your Website for NJDPA Compliance
Start with a cookie audit. Identify every cookie, pixel, and tracking script your site loads, including those set by third-party vendors. Categorise each one and determine whether it processes personal data of New Jersey residents.
Ensure your cookie banner presents a genuine choice. Visitors must be able to opt out of targeted advertising and data sale without encountering dark patterns or confusing interfaces. Supporting GPC signals alongside your banner is a practical way to meet the universal opt-out requirement.
Review your privacy notice. The NJDPA requires controllers to disclose the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of third parties with whom data is shared, and the categories of data shared with third parties.
If you process sensitive data or data from minors, implement opt-in consent flows. Block relevant scripts by default using your consent management platform's script-blocking functionality and only fire them after affirmative consent.
Frequently Asked Questions
When did the New Jersey Data Privacy Act take effect?
The NJDPA took effect on 15 January 2025. The universal opt-out mechanism requirement became enforceable on 15 July 2025, and the 30-day cure period sunsets on 15 July 2026.
Does the NJDPA apply to small businesses?
There is no revenue threshold. If your business processes the personal data of 100,000 or more New Jersey consumers in a year, or 25,000 consumers while deriving revenue from data sales, you must comply regardless of your company size.
Do I need to honour Global Privacy Control under New Jersey law?
Yes. Since 15 July 2025, controllers must recognise universal opt-out mechanisms including GPC for targeted advertising, data sales, and profiling opt-outs.
What is the penalty for violating the NJDPA?
The Attorney General can seek penalties of up to $10,000 per initial violation and $20,000 for subsequent violations. Violations are treated under New Jersey's Consumer Fraud Act.
Does the NJDPA cover financial data?
Yes. Financial information is explicitly included in the definition of personal data under the Act, making it one of the broader US state privacy laws in scope.
Is there a private right of action under the NJDPA?
No. Only the New Jersey Attorney General has enforcement authority. Consumers cannot sue businesses directly for violations but may file complaints with the Attorney General's office.