Who does the NJDPA apply to?

The NJDPA applies to entities conducting business in New Jersey or targeting NJ consumers that process data of 100,000+ consumers, or 25,000+ consumers while deriving revenue from data sales.

What are the minor protections under the NJDPA?

The NJDPA prohibits the sale of personal data and targeted advertising for consumers under 17 without affirmative consent, making it one of the stricter state laws for minor protections.

What are the penalties under the NJDPA?

Penalties are up to $10,000 per first violation and $20,000 for subsequent violations, enforced by the NJ Attorney General.

New Jersey Privacy Law

Q: Does New Jersey require GPC recognition?

Yes. The NJDPA requires businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC) from the law's effective date.

New Jersey Data Privacy Act

Effective: January 15, 2025Active

Overview

The New Jersey Data Privacy Act (NJDPA) was signed into law on January 16, 2024, and became effective on January 15, 2025. New Jersey's law is among the more consumer-friendly state privacy laws, requiring businesses to honor universal opt-out mechanisms and providing comprehensive consumer rights. The NJDPA grants New Jersey consumers the right to access, correct, delete, and obtain a portable copy of their personal data. Consumers also have the right to opt out of the sale of personal data, targeted advertising, and profiling. The law includes a robust appeals process and requires businesses to recognize Global Privacy Control (GPC) signals. New Jersey's law is notable for its broad definition of sensitive data and strong protections for minors. The law applies to entities conducting business in New Jersey or targeting New Jersey consumers that control or process personal data of 100,000 or more consumers (excluding payment transaction data), or control or process personal data of 25,000 or more consumers while deriving revenue from the sale of personal data. The NJDPA includes a 30-day cure period and penalties of up to $10,000 per violation for first offenses and $20,000 for subsequent violations, enforced by the New Jersey Attorney General.

Applicability Thresholds

Conditions are joined by OR — meeting ANY one triggers applicability.

100,000+

New Jersey consumers' data processed

25,000+ consumers

AND 50%+ revenue from data sales

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Data Portability

Opt-Out of Sale

Opt-Out of Targeted Ads

Opt-Out of Profiling

Limit Sensitive Data Use

Right to Appeal

Private Right of Action

Key Changes in 2025-2026

Law became effective January 15, 2025 — enforcement ramping up
Universal opt-out mechanism requirement in full effect
NJ AG developing enforcement track record under the NJDPA
Continued monitoring for amendments strengthening minor protections

Enforcement Details

Enforced By

New Jersey Attorney General (Division of Consumer Affairs)

Penalty Per Violation

$10,000

Cure Period

30 days

Private Right of Action

No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationFinancial informationBiometric data for identification

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opt-out of data sales and targeted advertising from the law's effective date.

Effective: January 15, 2025

Minor / Child Protections

The NJDPA requires opt-in consent for processing personal data of known children under 13. For consumers under 17, the law prohibits the sale of personal data and targeted advertising without affirmative consent. This is one of the broader minor protection provisions among state privacy laws.

Compliance Checklist

1Determine applicability based on New Jersey consumer data processing volumes
2Implement universal opt-out signal recognition (GPC and similar mechanisms)
3Update privacy notices with all NJDPA-required disclosures including sensitive data processing
4Implement consumer rights request mechanisms with 45-day response period
5Obtain opt-in consent for processing sensitive personal data
6Establish an appeals process for denied consumer requests
7Review and comply with minor protection requirements for consumers under 17

New Jersey Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.