New Jersey Data Protection Act: A Guide for Small Businesses

Plain-English guide to New Jersey's NJDPA for small businesses. Learn the 100K threshold, consumer rights, financial data rules, and how to comply.

Last updated: 2026-02-08

New Jersey is one of the largest consumer markets on the East Coast, and as of January 15, 2025, its residents have a comprehensive set of data privacy rights under the New Jersey Data Protection Act (NJDPA). If your e-commerce store, SaaS platform, or digital agency serves customers in New Jersey, this law may apply to you -- and it carries some of the steeper per-violation penalties among state privacy laws, at up to $10,000 for a first offense and $20,000 for each subsequent violation. The NJDPA follows a structure similar to Connecticut and Delaware, but it adds its own wrinkles, particularly around financial data and the broad scope of what counts as a "sale" of personal data. This guide walks through the essentials.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the New Jersey Data Protection Act (N.J. Stat. Ann. § 56:8-166 et seq., S. 332), as of the date of publication.

Does This Law Apply to Your Business?

The NJDPA applies to businesses that conduct business in New Jersey or produce products or services targeted at New Jersey residents and that during a calendar year meet at least one of two thresholds.

The first threshold is the standard one: your business controls or processes the personal data of 100,000 or more New Jersey consumers, excluding data processed solely to complete a payment transaction. New Jersey has roughly 9.3 million residents, making it the 11th most populous state. A nationally operating e-commerce business with a few percent of its traffic from New Jersey could cross this line.

The second threshold applies if your business controls or processes the personal data of 25,000 or more New Jersey consumers and derives revenue from the sale of personal data. The NJDPA does not specify a minimum revenue percentage; any amount of revenue from data sales combined with the 25,000-consumer count is enough.

The NJDPA defines "sale" broadly. It means the sharing of personal data for monetary or other valuable consideration. If you share customer data with a third-party advertising platform in exchange for better ad targeting (rather than a direct cash payment), that could constitute a sale under this law.

Exempt entities include government agencies, entities regulated under HIPAA, financial institutions subject to the Gramm-Leach-Bliley Act, and data governed by the Fair Credit Reporting Act, FERPA, and the Driver's Privacy Protection Act. Notably, the NJDPA does not exempt nonprofits in the same blanket manner as some other state laws, though some nonprofit activities may fall outside the law's scope depending on the nature of their data processing.

Imagine you run a 30-person digital marketing agency in Philadelphia that manages campaigns for New Jersey retailers. If you process personal data from 100,000 or more New Jersey consumers on behalf of your clients, or from 25,000 while earning revenue from data services, the NJDPA applies to you -- even though your office is across the river in Pennsylvania.

What Rights Do Consumers Have?

The NJDPA gives New Jersey consumers a comprehensive set of rights. Your business must respond to consumer requests within 45 days, with a possible 45-day extension when reasonably necessary.

Right to Access. Consumers can confirm whether your business is processing their personal data, and they can request a copy of that data. This is the foundation of any DSAR workflow.

Right to Correction. Consumers can request that you correct inaccurate personal data, taking into account the nature of the data and the purposes of processing.

Right to Deletion. Consumers can ask you to delete the personal data you have collected. You must also instruct your processors to delete it. Standard exceptions apply for legal obligations, fraud detection, and transaction completion.

Right to Portability. When consumers exercise their right to access, the data must be provided in a portable, readily usable, machine-readable format. This allows consumers to transmit their data to another controller.

Right to Opt Out. Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. The NJDPA also requires that controllers honor universal opt-out mechanisms (like the Global Privacy Control signal), which puts it in line with California's CCPA/CPRA and Colorado's CPA.

Appeal Rights. If your business denies a consumer request, you must provide a mechanism for the consumer to appeal. You must respond to the appeal within 45 days, and if you deny the appeal, you must inform the consumer of the right to contact the Division of Consumer Affairs.

| Right | Granted? | Notes |
|---|---|---|
| Access | Yes | Confirm processing and provide a copy of data |
| Correction | Yes | Must correct inaccurate data on request |
| Deletion | Yes | Must delete and instruct processors to delete |
| Portability | Yes | Data in portable, machine-readable format |
| Opt out of sale | Yes | Broad definition of 'sale' includes non-monetary consideration |
| Opt out of targeted ads | Yes | Must stop targeted advertising on request |
| Opt out of profiling | Yes | For decisions with legal or significant effects |
| Universal opt-out (GPC) | Yes | Must honor Global Privacy Control signals |

What Your Business Must Do

Your privacy notice must clearly disclose the categories of personal data you process, the purposes, the categories of third parties you share data with, a description of each consumer right and how to exercise it, and the categories of data shared with third parties. If you sell data or use it for targeted advertising, that fact must be disclosed. You must also explain how consumers can appeal a denial of their request.

Consumer requests must be fulfilled within 45 calendar days, with a possible 45-day extension when reasonably necessary. You must notify the consumer of any extension and explain the reason. Identity verification is required, but the law does not prescribe a specific method.

The NJDPA treats sensitive data with heightened protection. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation data, personal data of a known child under 13, and -- notably -- financial information. This last category is broader than many other state laws and reflects New Jersey's attention to the financial services industry. If your business collects bank account details, credit card information, or financial account credentials from New Jersey consumers, that data qualifies as sensitive and requires opt-in consent before processing.

Data protection assessments are required for processing activities that pose a heightened risk of harm, including targeted advertising, data sales, sensitive data processing, and certain types of profiling. These assessments must weigh the benefits of processing against potential risks and be made available to the Attorney General upon request.

Processor contracts must include clear terms governing the nature and purpose of processing, data types, duration, and obligations of both parties. Processors must assist with consumer requests, data security, and breach notification, and they must delete or return personal data at the end of the relationship.

The NJDPA also requires controllers to implement reasonable data security practices appropriate to the volume, scope, and nature of the personal data processed. While it does not prescribe specific technical standards, this provision creates liability if inadequate security leads to a breach.

How Is It Enforced?

The NJDPA is enforced by the New Jersey Attorney General, acting through the Division of Consumer Affairs. There is no private right of action.

Violations are treated as unlawful practices under New Jersey's Consumer Fraud Act, which carries penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent violation. These per-violation figures are among the highest in state privacy law and can scale rapidly with the number of affected consumers.

The law includes a 30-day cure period for the first 18 months after the effective date (until approximately July 15, 2026). During this window, the Attorney General must notify a business of an alleged violation and give 30 days to cure it before taking enforcement action. After the cure period expires, enforcement can proceed without a cure opportunity.

New Jersey's Division of Consumer Affairs has a strong track record of enforcement in other consumer protection areas, and the state's large consumer population means the AG's office is likely to be active once the cure period expires. Businesses should not wait for enforcement to begin before building their compliance programs.

How This Compares to Other State Laws

The NJDPA is structurally similar to Connecticut and Delaware, with some notable differences. Here is how it compares to those laws and to California:

| Feature | NJDPA (NJ) | CTDPA (CT) | DPDPA (DE) | CCPA/CPRA (CA) |
|---|---|---|---|---|
| Effective date | Jan 15, 2025 | Jul 1, 2023 | Jan 1, 2025 | Jan 1, 2020 |
| Consumer threshold | 100K | 100K (drops to 35K in 2026) | 35K | 100K |
| Financial data as sensitive | Yes | No | No | No (separate CFPA rules) |
| Universal opt-out (GPC) | Required | Required | Required | Required |
| Cure period | 30 days (sunsets Jul 2026) | 60 days (sunset) | 60 days (sunset) | None |
| Max penalty per violation | $10,000 / $20,000 | $5,000 | $10,000 | $7,500 |
| Private right of action | No | No | No | Yes (breaches only) |

New Jersey's higher per-violation penalties ($10,000 first offense, $20,000 subsequent) make it one of the more financially punitive state privacy laws. Its inclusion of financial data in the sensitive data category is also notable -- businesses handling financial information from New Jersey consumers need to implement opt-in consent for that processing, which goes beyond what most other states require. If you already comply with Connecticut's CTDPA, the NJDPA adds the financial data requirement and the higher penalty exposure as the main areas requiring additional attention.

Action Checklist for Small Businesses

  1. Count your New Jersey consumers. Review your analytics, CRM, and marketing lists. Determine whether you hit the 100,000 threshold, or the 25,000 threshold combined with any revenue from data sales.

  2. Audit your data sales. The NJDPA defines "sale" broadly. If you share data with advertising partners or data brokers for non-monetary value, that may qualify.

  3. Update your privacy notice. Add required disclosures about categories, purposes, third-party sharing, consumer rights, the appeals process, and whether you sell data or use it for targeted advertising.

  4. Build a DSAR response workflow. Set up intake channels (web form and email), document your process, and assign a point person. Target a 30-day internal deadline to stay within the 45-day legal window.

  5. Implement opt-in consent for sensitive data. Pay special attention to financial data, health data, biometric data, precise geolocation, and data about children. Build affirmative consent flows for each category.

  6. Honor Global Privacy Control (GPC) signals. Configure your website to detect and respect browser-level opt-out signals.

  7. Conduct data protection assessments. Document risks and benefits for targeted advertising, data sales, profiling, and sensitive data processing.

  8. Review processor contracts. Ensure agreements include NJDPA-required terms on purpose, scope, consumer request assistance, and data return or deletion.

  9. Train your team. Brief customer-facing staff on recognizing and routing privacy requests.

Key Dates

  • January 16, 2024: Governor Phil Murphy signed the NJDPA into law (S. 332).
  • January 15, 2025: NJDPA took effect.
  • July 15, 2026 (approx.): 30-day cure period expires (18 months after effective date).


Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

