The New Jersey Data Privacy Act (NJDPA), effective since January 15, 2025, requires covered businesses to honor opt-outs and protect sensitive data with affirmative consent. Coverage turns on consumer counts and data sales, not company revenue, so smaller businesses can qualify too.
Below: who must comply, the rights New Jersey residents get, and what counts as sensitive data. Also covered: the universal opt-out deadline, penalties, the cure period, and what it means for your website's cookies.
What Is the New Jersey Data Privacy Act (NJDPA)?
The New Jersey Data Privacy Act (NJDPA) is a state law that gives New Jersey residents rights over their personal data. It sets compliance duties for the businesses that collect it. Signed as Senate Bill 332, it took effect January 15, 2025.
New Jersey was the first state to sign a comprehensive privacy law in 2024. By the time it went live, it joined a wave of roughly 20 US states with such laws.
The law's official citation is the New Jersey Data Privacy Law, P.L. 2023, c. 266 (NJDPL), also codified at N.J. Stat. 56:8-166.4 et seq. The New Jersey Division of Consumer Affairs administers it. Three names describe the same statute: New Jersey Data Privacy Act, New Jersey Data Privacy Law, and New Jersey Data Protection Act. All three refer to Senate Bill 332.
This is a different, newer law than the older New Jersey Personal Information and Privacy Protection Act, which restricts government and healthcare entities. When a source mentions "New Jersey privacy law" without a bill number, confirm which statute it means before relying on it.
New Jersey's law sits inside a broader wave of US state privacy laws passed since 2023. It shares the controller-and-processor structure used by Connecticut and Virginia, rather than the business-and-service-provider terms the CCPA uses. One choice sets it apart from that Connecticut and Virginia template. The NJDPA treats financial information as sensitive data requiring opt-in consent, which those peer laws do not.
When Did the New Jersey Data Privacy Act Take Effect?
The New Jersey Data Privacy Act took effect January 15, 2025. Governor Phil Murphy signed the bill into law on January 16, 2024, giving businesses a one-year runway before enforcement began.
The full compliance timeline runs as follows.
- January 16, 2024: Governor Murphy signs Senate Bill 332 into law.
- January 15, 2025: The NJDPA takes effect; covered businesses must comply with its consumer rights and business obligations.
- June 2, 2025: The Division of Consumer Affairs publishes proposed implementing rules and opens a 60-day public comment period.
- July 15, 2025: Controllers must start honoring universal opt-out preference signals, such as Global Privacy Control.
- July 1, 2026: The automatic 30-day cure period for violations ends.
The proposed rules remained unadopted as of early 2026. The statute itself has been binding law since January 15, 2025, regardless of the rulemaking's status.
Who Has to Comply with the New Jersey Data Privacy Act?
A business must comply with the NJDPA if it does business in New Jersey or targets New Jersey residents. It must also meet one of two consumer-count thresholds in a calendar year; only one threshold needs to be met, not both.
A business is covered if it:
- Controls or processes the personal data of 100,000 or more New Jersey consumers, or
- Controls or processes the personal data of 25,000 or more New Jersey consumers, and derives revenue or receives a financial benefit, such as a discount, from selling that personal data
The NJDPA has no flat company-revenue threshold. That is a real difference from the CCPA, which exempts any business under $26,625,000 in annual gross revenue regardless of how much data it handles.
A small New Jersey business with modest revenue can still trigger NJDPA coverage the moment it crosses either consumer-count threshold. The law also reaches out-of-state businesses that target New Jersey residents, not just companies headquartered there.
Who Is Exempt from the NJDPA?
Several categories of data and entities fall outside the NJDPA's scope. The exemptions apply to specific data types rather than entire industries in most cases.
- Protected health information already covered by HIPAA
- Data collected and used under the Fair Credit Reporting Act
- Certain financial and insurance data regulated under the Gramm-Leach-Bliley Act
- New Jersey Motor Vehicle Commission data governed by federal law
- State agency and government data
- Data used for federally compliant research
What Rights Does the NJDPA Give New Jersey Consumers?
New Jersey residents get five core rights over the personal data that businesses collect about them. A controller must provide a way to exercise each one.
| Right | What it lets a consumer do |
|---|---|
| Confirm and access | Confirm whether a controller is processing their data and obtain a copy of it |
| Correct | Fix inaccuracies in their personal data |
| Delete | Request deletion of personal data a controller holds |
| Data portability | Receive their data in a format they can transfer elsewhere |
| Opt out | Stop the sale of their data, targeted advertising, and certain profiling |
Consumers aged 13 to 16 must give their own consent before a business sells their data or uses it for targeted advertising. For children under 13, a business needs verifiable parental consent, consistent with federal COPPA rules.
What Counts as Sensitive Data Under the NJDPA?
Sensitive data under the NJDPA requires a business to get a consumer's affirmative opt-in consent before processing it. This is unlike the law's default opt-out model for ordinary personal data; the narrow opt-in requirement sits inside an otherwise opt-out law.
The NJDPA defines sensitive data as personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health condition, treatment, or diagnosis
- Financial information
- Sexual activity or sexual orientation
- Immigration or citizenship status
- Transgender or non-binary status
- Genetic or biometric data
- Precise geolocation data
- Personal data of a known child
Including financial information sets New Jersey's list apart from most peer state privacy laws. Connecticut and Virginia's frameworks, which the NJDPA otherwise resembles, do not classify financial information as sensitive data on its own.
A business processing bank account numbers, income data, or credit information about a New Jersey resident needs affirmative consent first. The same data might not trigger opt-in consent under a neighboring state's law.
What Does the NJDPA Require Businesses to Do?
Covered businesses, called controllers under the NJDPA, carry five core compliance duties. Each duty applies regardless of company size once a business crosses the applicability thresholds.
- Provide a clear, accessible privacy notice explaining what data is collected, why, and how consumers exercise their rights
- Limit data collection to what is reasonably necessary for the disclosed purpose (data minimization)
- Get affirmative opt-in consent before processing sensitive data
- Honor consumer rights requests and universal opt-out preference signals
- Complete a data protection assessment before high-risk processing, such as targeted advertising, profiling, or selling data
Universal Opt-Out Signals and Data Protection Assessments
Since July 15, 2025, controllers must detect and honor universal opt-out signals such as Global Privacy Control, sent from a consumer's browser or device. The signal tells every site the consumer visits that they opt out of targeted advertising and data sales. That detection duty falls on the business, not the consumer.
A data protection assessment is a documented risk review. A controller completes one before starting high-risk processing: targeted advertising, certain profiling, selling personal data, or processing sensitive data. The controller must make the assessment available to the Division of Consumer Affairs on request, though it does not need to file it proactively.
What Are New Jersey's Proposed Privacy Rules?
The New Jersey Data Privacy Act itself has been binding law since January 15, 2025, but the state's detailed implementing rules remain proposed, not final. Businesses must comply with the statute now; the proposed rules would only add interpretive detail on top of it.
The Division of Consumer Affairs published proposed rules on June 2, 2025, opening a 60-day public comment period that ran through August 1, 2025. Attorney General Matthew Platkin said the rules require full disclosure of how businesses use consumer data, calling them an advance for consumer privacy protections.
As of early 2026, the Division had not adopted the proposed rules. The proposal expires unless adopted and filed for publication by June 2, 2026, a deadline the Division can extend to December 2, 2026.
The proposed rules would add detail on disclosure accessibility and language requirements, universal opt-out signal handling, and data protection assessment content. Until they are finalized, compliance obligations come from the statute and the Division's published FAQ guidance, not from the draft rule text.
How Is the New Jersey Data Privacy Act Enforced? (Fines and the Cure Period)
The New Jersey Attorney General, acting through the Division of Consumer Affairs, is the sole enforcer of the NJDPA. Consumers cannot sue a business directly; there is no private right of action under this law.
Violations carry civil penalties of up to $10,000 for an initial offense and $20,000 for each subsequent offense. Until July 1, 2026, the Division must give a business written notice and 30 days to fix a suspected violation before pursuing formal enforcement. After that date, the guaranteed cure window ends. The Division can then enforce without offering a chance to correct the issue first.
A consumer who believes a business violated the NJDPA can file a complaint with the Division of Consumer Affairs. The Division, not the consumer, decides whether to investigate and pursue an enforcement action.
How Is the NJDPA Different from the CCPA and GDPR?
The NJDPA, CCPA, and GDPR share the goal of consumer data protection but diverge on consent model, thresholds, and enforcement.
| NJDPA | CCPA | GDPR | |
|---|---|---|---|
| Consent model | Opt-out, with opt-in required for sensitive data | Opt-out, with opt-in for minors under 16 | Opt-in by default for most processing |
| Coverage trigger | 100,000+ consumers, or 25,000+ consumers and revenue from data sale (no flat revenue threshold) | $26,625,000+ annual revenue, or 100,000+ consumers' data, or 50%+ revenue from data sales | Any organization processing EU residents' data, regardless of size |
| Private right of action | None | Limited, for certain data breaches | Not applicable (regulatory enforcement) |
| Sensitive data scope | Broad, includes financial information | Narrower sensitive-info category | Special category data, does not include general financial information |
New Jersey's law follows the same opt-out foundation as the CCPA, but its sensitive-data list reaches further by including financial information outright. The GDPR framework takes the opposite approach entirely, requiring opt-in consent before most processing begins, not just for a sensitive-data subset.
A business serving New Jersey, California, and EU visitors needs three different consent postures on the same site. New Jersey and California both run opt-out with their own carve-outs, while the EU defaults to opt-in.
What the New Jersey Data Privacy Act Means for Your Website and Cookies
The NJDPA does not name "cookie banner" anywhere in its text. A banner with a working opt-out control, though, is the standard way covered sites deliver the consent and disclosure the law requires. A privacy notice alone does not satisfy the opt-out obligation.
A covered site needs to take five concrete actions.
- Post a clear privacy notice describing what data is collected and how it is used or shared
- Give New Jersey visitors a way to opt out of targeted-advertising cookies and the sale of their data
- Detect and honor universal opt-out preference signals sent by a visitor's browser
- Get affirmative consent before loading any script that processes sensitive data, including financial information
- Keep records of each visitor's consent choice for compliance documentation
This mirrors the same block-before-consent discipline used for GDPR cookie consent requirements. Here it applies to New Jersey's targeted-advertising and data-sale cookies, not the EU's broader opt-in default.
How Consently Helps You Meet New Jersey's Opt-Out and Consent Requirements
Consently supports the consumer-facing side of NJDPA compliance. It provides a New Jersey opt-out banner, region-based display, and an audit trail of consent choices, all managed from one dashboard.
Consently shows New Jersey visitors a CCPA and US state-law opt-out banner with a built-in Do Not Sell control. It matches the NJDPA's own opt-out model.
Its automatic geotargeting handles the rest. New Jersey and California visitors see that opt-out banner, while EU visitors see an opt-in GDPR banner on the same site, no separate setup required.
Two features back the record-keeping side specifically. Consent logs with export give a timestamped record of who opted out and when, useful if the Division of Consumer Affairs ever asks for proof. The cookie, privacy, and terms-and-conditions policy generators produce the disclosure documents the NJDPA's privacy-notice requirement calls for.
One requirement Consently does not handle automatically: detecting and honoring a visitor's browser-level universal opt-out signal, such as Global Privacy Control. That is a separate NJDPA obligation a business must configure through its own systems. Consently's banner, region-based display, and consent logs support the tasks above; a policy generator provides compliance assistance, not a legal guarantee.
Consently's CCPA and US state-law opt-out tools are free to try for 14 days, no credit card required. Try Consently Free to see the opt-out banner and consent log in your own dashboard.
FAQs
What is the New Jersey Data Privacy Act in simple terms?
The New Jersey Data Privacy Act is a state law that gives New Jersey residents rights over their personal data. It makes covered businesses honor opt-out requests and get consent before handling sensitive data, including financial information.
When did the New Jersey Data Privacy Act take effect?
The law took effect January 15, 2025, after Governor Murphy signed it on January 16, 2024. Controllers had to start honoring universal opt-out signals by July 15, 2025.
Who has to comply with the New Jersey Data Privacy Act?
A business must comply if it does business in New Jersey or targets New Jersey residents. It must also control or process the data of 100,000 or more consumers, or 25,000 or more consumers while profiting from selling that data.
Does the NJDPA apply to small businesses?
Only if a business meets one of the two consumer-count thresholds. Many small sites fall below 100,000 New Jersey consumers and never sell data, so they stay outside the law's scope.
A small business that sells data at scale is covered regardless of its revenue. The same holds for one that reaches 25,000 New Jersey consumers while profiting from the sale.
What are the penalties for violating the New Jersey Data Privacy Act?
Violations carry civil penalties of up to $10,000 for an initial offense and $20,000 for each subsequent offense. The New Jersey Attorney General, through the Division of Consumer Affairs, enforces these penalties.
Who enforces the New Jersey Data Privacy Act?
The New Jersey Attorney General enforces the NJDPA exclusively, acting through the Division of Consumer Affairs. No other state agency or private party can bring an enforcement action.
Is there a private right of action under the NJDPA?
No. Consumers cannot sue a business directly for a violation. They can file a complaint with the Division of Consumer Affairs, which decides whether to investigate.
Does the New Jersey Data Privacy Act require a cookie banner?
The statute does not use the term "cookie banner". A banner with an opt-out control is the practical way a covered site delivers the required opt-out and consent. A privacy notice alone does not meet the law's obligations.
Is the New Jersey Data Privacy Act the same as the New Jersey Data Protection Act?
Yes. New Jersey Data Privacy Act, New Jersey Data Privacy Law, and New Jersey Data Protection Act all name the same statute. It is Senate Bill 332, codified as P.L. 2023, c. 266.
New Jersey's law is one entry in a broader set of US state privacy laws. Each carries its own thresholds and rights worth comparing before you build a compliance program. For the full landscape of global data privacy laws, including GDPR and international frameworks, see the complete regulatory map.
If your site also serves EU visitors, how to be GDPR compliant walks through the opt-in side of the compliance work.

