Applies to businesses processing personal data of 100,000+ New Jersey residents, or 25,000+ if you derive 25%+ of revenue from data sales. Cure period sunsets July 15, 2026.
Effective
2025-01-15
Penalty max
$10,000
Cure period
30 days
Honor GPC
Required
Overview
The New Jersey Data Privacy Act (NJDPA) took effect January 15, 2025. New Jersey's law is structurally similar to Connecticut's CTDPA, with full consumer rights, GPC required, and data protection assessments required. New Jersey is notable for its strong protections for minors (opt-in consent required for ages 13-16), and for the historical aggressiveness of the NJ AG's consumer protection enforcement. The 30-day cure period sunsets on July 15, 2026, after which the AG can bring enforcement actions immediately.
Who it applies to
Businesses processing personal data of 100,000+ New Jersey residents annually.
Businesses processing personal data of 25,000+ New Jersey residents AND deriving 25%+ of revenue from selling personal data.
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
What this means for e-commerce
New Jersey's law brings strong protections for minors: businesses cannot sell or process for targeted advertising the personal data of any consumer they know to be 13-16 years old without opt-in consent. The NJ AG has been historically aggressive on consumer protection enforcement — the Division of Consumer Affairs has a track record of multi-million-dollar settlements with retailers and tech companies. The 30-day cure period sunsets July 15, 2026.
Penalties & enforcement
Enforced by the New Jersey Attorney General (Division of Consumer Affairs). Penalties range from $0 to $10,000 per violation.
New Jersey provides a 30-day cure period (sunsetting on 2026-07-15). The AG must give you written notice of an alleged violation and time to fix it before bringing an enforcement action.
Compliance checklist
Add a 'Your Privacy Choices' link in the site footer
Configure your site to detect and honor Global Privacy Control (GPC) signals
If you serve users aged 13-16, obtain opt-in consent before targeted advertising or data sales
Update privacy policy with NJDPA-required disclosures
Implement a 45-day consumer request response process
Conduct data protection assessments for high-risk processing
Update vendor and processor agreements
Does the NJDPA apply to your business?
Run a free 60-second compliance check across all state privacy laws — including New Jersey.
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.