Does the New Jersey Data Privacy Act apply to your business?
It turns on consumer volume, not overall revenue. The NJDPA applies to controllers that do business in New Jersey or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers (setting aside data used only to complete a payment), or at least 25,000 consumers while deriving any revenue or a discount from selling personal data. Several categories of regulated data and entities — including GLBA-regulated financial institutions and HIPAA-covered health information — fall outside the law entirely.
Two features make New Jersey broader than many of its peers. There is no minimum dollar-revenue floor, so a smaller company that handles a high volume of resident data can be covered. And the second threshold has no majority-of-revenue test: deriving any revenue, or even a discount, from selling personal data is enough at 25,000 consumers. A consumer is a New Jersey resident acting in an individual or household context, not someone in a commercial or employment context. The law also carves out, among others, GLBA-regulated financial institutions, HIPAA-covered protected health information, FCRA-governed consumer-reporting data, and state and local government — but, unlike most state privacy laws, it contains no blanket exemption for nonprofit organizations.
Sources for this answer
Primary law
A.1 N.J.S.A. 56:8-166.5
The NJDPA applies to controllers doing business in New Jersey or targeting its residents that, in a calendar year, control or process the data of at least 100,000 consumers (excluding payment-only data), or at least 25,000 consumers while deriving revenue or a discount from the sale of personal data.
the provisions of P.L.2023, c.266 (C.56:8-166.4 et seq.) shall only apply to controllers that conduct business in the State or produce products or services that are targeted to residents of the State, and that during a calendar year either: a. control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or b. control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
See N.J.S.A. 56:8-166.5.
Primary law
A.2 N.J.S.A. 56:8-166.13
The NJDPA does not apply to GLBA-regulated financial institutions and their affiliates, HIPAA-covered protected health information, FCRA-governed consumer-reporting data, and state and local government, among other carve-outs.
a financial institution, data, or an affiliate of a financial institution that is subject to Title V of the federal “Gramm-Leach-Bliley Act,” 15 U.S.C. s.6801 et seq., and the rules and implementing regulations promulgated thereunder;
See N.J.S.A. 56:8-166.13(b).
What must your New Jersey privacy policy contain?
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data it processes and the purpose for processing them, among other required disclosures.
For a template privacy policy, section 56:8-166.6 is the content checklist. The full list runs to seven items: the categories of data processed; the purpose of processing; the categories of all third parties data may be disclosed to; the categories of data shared with third parties; how consumers exercise their rights, including contact information and how to appeal a decision; the process for notifying consumers of material changes; and an active email address or other online mechanism to reach the controller. A controller that sells personal data, or processes it for targeted advertising or profiling that produces legal or similarly significant effects, must also clearly and conspicuously disclose that and how to opt out. The notice the policy presents should match the data practices the controller actually carries out.
Sources for this answer
Primary law
B.1 N.J.S.A. 56:8-166.6
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed and the purpose for processing, among other required disclosures.
A controller shall provide to a consumer a reasonably accessible, clear, and meaningful privacy notice that shall include, but may not be limited to: (1) the categories of the personal data that the controller processes; (2) the purpose for processing personal data;
See N.J.S.A. 56:8-166.6(a).
What must your contracts with processors say?
A contract between a controller and a processor must govern the processor's handling of the data — so a data processing agreement is a statutory requirement, not a best practice. A separate set of exceptions preserves the parties' ability to comply with other law and run defined internal operations.
Section 56:8-166.16 specifies the required terms: the processing instructions the processor is bound by, including the nature and purpose of processing; the type of data and the duration; a duty of confidentiality for everyone handling the data; deletion or return of data at the controller's direction when services end; the information needed to demonstrate compliance; cooperation with the controller's assessments and inspections (or an annual independent audit at the processor's expense); and a requirement that any subcontractor be bound by written contract to the same obligations. A separate provision (section 56:8-166.15) sets out the exceptions that let a controller or processor still comply with other laws, respond to legal process, and run ordinary internal operations. A compliant template DPA tracks each of these. The statute is also blunt about who bears the risk: a person that processes outside the controller's instructions is treated as a controller for that processing, and no contract can shift the liabilities the law assigns by role.
Sources for this answer
Primary law
C.1 N.J.S.A. 56:8-166.16
Processing by a processor must be governed by a binding contract between the controller and the processor that sets forth the processing instructions, including the nature and purpose of the processing.
Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets forth: (1) the processing instructions to which the processor is bound, including the nature and purpose of the processing;
See N.J.S.A. 56:8-166.16(e).
Primary law
C.2 N.J.S.A. 56:8-166.15
The NJDPA's obligations do not restrict a controller's or processor's ability to comply with other law, respond to legal process, or carry out defined internal operations.
Nothing in P.L.2023, c.266 (C.56:8-166.4 et seq.) shall be construed to restrict a controller's or processor's ability to: (1) comply with federal or State law or regulations;
See N.J.S.A. 56:8-166.15(a).
Do you need consent to process sensitive data?
Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead handle the data in accordance with the federal Children's Online Privacy Protection Act. Sensitive data includes data revealing race or ethnicity, religious beliefs, a health condition or diagnosis, financial account credentials, sex life or sexual orientation, citizenship or immigration status, or status as transgender or non-binary; genetic or biometric data used to identify a person; data collected from a known child; and precise geolocation.
This is the opt-in model: consent must be a clear affirmative act, and the statute expressly rules out acceptance of broad terms of use, passive interactions like hovering or muting, and anything obtained through dark patterns. New Jersey also reaches teenagers: for a consumer the controller knows, or willfully disregards, is at least 13 but younger than 17, it cannot process data for targeted advertising, sale, or profiling without consent. Biometric data is treated as sensitive and so is subject to the same opt-in rule, even though New Jersey has no standalone biometric statute with its own private right of action.
Sources for this answer
Primary law
D.1 N.J.S.A. 56:8-166.12
A controller may not process a consumer's sensitive data without first obtaining consent, and must handle a known child's data in accordance with COPPA.
not process sensitive data concerning a consumer without first obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without processing such data in accordance with COPPA;
See N.J.S.A. 56:8-166.12(a)(4).
Primary law
D.2 N.J.S.A. 56:8-166.4
Sensitive data includes data revealing race or ethnicity, religious beliefs, health condition, financial account credentials, sex life or sexual orientation, citizenship or immigration status, transgender or non-binary status, genetic or biometric data, data from a known child, and precise geolocation.
means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
See N.J.S.A. 56:8-166.4.
Can a consumer sue your business under the NJDPA?
No. The Office of the Attorney General has sole and exclusive authority to enforce the NJDPA, and the law cannot be the basis for a private right of action. A violation is treated as an unlawful practice under New Jersey's Consumer Fraud Act, the state's general anti-fraud statute.
What makes New Jersey distinctive is the enforcement channel: rather than a freestanding penalty scheme, the NJDPA folds violations into the long-standing Consumer Fraud Act, so the Attorney General brings them with the remedies and penalties that statute already supplies. The right to cure is only temporary. For the law's first 18 months, the Division of Consumer Affairs must send notice and allow 30 days to fix a violation it deems curable before bringing an action; after that window closes the Attorney General can proceed directly. Day-to-day rulemaking sits with the Director of the Division of Consumer Affairs, who is charged with promulgating regulations to carry out the act. The practical posture is to build the notice, consent, and contracting controls up front, because the cure off-ramp will not last.
Sources for this answer
Primary law
E.1 N.J.S.A. 56:8-166.19
The Office of the Attorney General has sole and exclusive authority to enforce the NJDPA, and the act provides no private right of action.
The Office of the Attorney General shall have sole and exclusive authority to enforce a violation of P.L.2023, c.266 (C.56:8-166.4 et seq.). Nothing in P.L.2023, c.266 (C.56:8-166.4 et seq.) shall be construed as providing the basis for, or subject to, a private right of action for violations of P.L.2023, c.266 (C.56:8-166.4 et seq.).
See N.J.S.A. 56:8-166.19.
Primary law
E.2 N.J.S.A. 56:8-166.17
A controller's violation of the NJDPA is an unlawful practice under the New Jersey Consumer Fraud Act.
It shall be an unlawful practice and violation of P.L.1960, c.39 (C.56:8-1 et seq.) for a controller to violate the provisions of P.L.2023, c.266 (C.56:8-166.4 et seq.).
See N.J.S.A. 56:8-166.17(a).
Primary law
E.3 N.J.S.A. 56:8-166.17
For the law's first 18 months, the Division of Consumer Affairs must give notice and a 30-day chance to cure a curable violation before bringing an enforcement action.
Until the first day of the 18th month next following the effective date of P.L.2023, c.266 (C.56:8-166.4 et seq.), prior to bringing an enforcement action before an administrative law judge or a court of competent jurisdiction in this State, the Division of Consumer Affairs in the Department of Law and Public Safety shall issue a notice to the controller if a cure is deemed possible.
See N.J.S.A. 56:8-166.17(b).
Primary law
E.4 N.J.S.A. 56:8-166.18
The Director of the Division of Consumer Affairs is charged with promulgating rules and regulations to effectuate the purposes of the NJDPA.
The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.2023, c.266 (C.56:8-166.4 et seq.).
See N.J.S.A. 56:8-166.18.