A Guide on New Jersey Data Privacy Act (NJDPA): Steps to NJDPA Compliance
If you operate a business in New Jersey, you might fall under the scope of the New Jersey Data Privacy Act (NJDPA). Here are some of the steps you can take to remain compliant.
What is the NJDPA?
The New Jersey Data Privacy Act is a data privacy law designed to protect the personal information of New Jersey residents (referred to as consumers). It places specific obligations on businesses that decide why and how consumer data is processed (referred to as data controllers), and lighter obligations on the vendors that process data on a controller's behalf (processors).
Under NJDPA, data controllers are mandated to follow certain practices, including:
- Providing a privacy policy outlining all data collection methods.
- Respecting opt-out preference signals.
- Maintaining a careful approach when processing sensitive information.
As with other statewide privacy laws, the NJDPA also grants certain rights to consumers. It imposes costly fines on data controllers deemed to have violated these rights.
Unlike legislation such as the GDPR, the NJDPA follows an opt-out consent model, meaning businesses aren’t required to obtain consent before collecting most personal data. The main exceptions are sensitive data and the data of children, which require opt-in consent.

Does NJDPA impact me?
NJDPA applies to businesses that operate in New Jersey or offer goods or services to New Jersey residents. Alongside this, a business must meet at least one of the two thresholds listed below during a calendar year:
- It controls or processes the personal data of 100,000 or more consumers (data processed solely to complete a payment transaction doesn't count towards this figure).
- Or it controls or processes the personal data of 25,000 or more consumers and derives revenue, or receives a discount on goods or services, from selling personal data.
There are some exemptions to NJDPA. Some examples of these include:
- Protected health information that is already regulated under the Health Insurance Portability and Accountability Act (HIPAA).
- Financial institutions and financial information covered by the Gramm-Leach-Bliley Act (GLBA).
- Insurance institutions, secondary market institutions, and consumer reporting agencies.
What is personal data according to NJDPA?
Under NJDPA, personal data is defined as any information that could be used to identify an individual. Examples might include an email or postal address, a birth date, or a user’s IP address.
Public information, such as data gathered from government records, is not classed as personal data.
Sensitive data vs personal data
The law also differentiates between sensitive data and personal data. Sensitive data is a narrower set of categories that the statute lists explicitly because their exposure or misuse is especially harmful to the consumer. Examples include:
- Information relating to racial or ethnic origin.
- Biometric data, such as fingerprint scans.
- Personal information relating to a child.
- Financial information, such as an account or card number combined with the security code, access code, or password needed to use it.
- Information relating to religious beliefs.
- Any precise geolocation data.

What are consumer rights under NJDPA?
NJDPA assigns several key rights to consumers. Organisations that fall under the scope of the legislation must respect these rights or face fines.
- Right to access – Consumers can request any information that a data controller holds about them.
- Right to disclosure – A consumer has the right to request information about any third parties with whom their data has been shared.
- Right to correction – Consumers can request that any inaccurate data held by a data controller be corrected.
- Right to deletion – Consumers can ask that their data be deleted by the controller.
- Right to opt out – Consumers can request that their data not be sold, used for targeted advertising, or used for profiling that feeds decisions with legal or similarly significant effects (for example, decisions about credit, housing, or employment).
- Right to portability – Consumers have the right to a record of any data they have provided to a controller. This must be presented in an easy-to-access format.
- Right not to be discriminated against – Controllers must not penalise consumers for exercising any of these rights, for example by denying service, charging a different price, or degrading service quality.
How is NJDPA enforced?
As mentioned, NJDPA includes strict penalties for non-compliance. A business can be fined up to $10,000 for its first violation; fines for subsequent violations can be as high as $20,000.
All enforcement is handled by the Division of Consumer Affairs under the Attorney General; there is no private right of action, so consumers cannot sue directly. Consumers can submit concerns to the Attorney General, who will investigate controllers for wrongdoing. During an investigation, businesses may be required to produce certain documents, such as data protection assessments.
The legislation also outlines a 30-day ‘cure period’. If the Division decides a violation can be cured, it issues a notice and the organisation has 30 days to correct the problem and avoid penalties. This cure period is temporary: it is written to expire 18 months after the law took effect, so don't build a compliance plan that relies on it.
Steps to NJDPA compliance
With lofty fines for non-compliance, it’s important that organisations take steps to stay in line with the law. With that in mind, here are some tips to help you achieve NJDPA compliance.
Minimise the data that you hold
NJDPA obligates data controllers to minimise the amount of data they hold. Ultimately, an organisation shouldn’t gather personal data for any purpose other than stated in its privacy policy. You also shouldn’t hold onto data any longer than needed.
To minimise your data collection, start by inventorying the information you currently hold. Create a map of the data you collect, its sources, where it is stored, who can access it, and why you need it. Any information that isn’t essential to a stated purpose should be deleted, not merely archived.
Gather consent where necessary
As mentioned, NJDPA follows an opt-out consent model. That means in many cases, you won’t need to collect consent before gathering data. You will, however, need mechanisms for consumers to opt out, and you must honour opt-out preference signals sent automatically by a consumer’s browser or device, such as the Global Privacy Control (GPC) signal.
It should be noted that in some instances, such as when gathering sensitive data or data relating to children, you will need to gather the consumer’s permission.
The easiest way to gather consent is by using a compliant consent management platform (CMP). Through a CMP, customers can choose which forms of data they wish to share with your business.
A CMP also enables consumers to adjust their consent preferences whenever they wish. When a customer revokes consent, make sure to stop data processing within 15 days of the request.
When collecting data relating to children under 13, you’ll need to gather verifiable consent from parents or guardians, for example through a signed consent form or a phone call. For consumers aged 13 to 16 whom you know to be minors, you also need the consumer’s own consent before selling their data or using it for targeted advertising or profiling.
Provide a clear privacy policy
NJDPA requires businesses to spell out their data collection practices through a privacy policy. Your policy should also be labelled clearly and easily accessible.
To be compliant, your privacy policy must cover the following areas:
- The different categories of personal data processed by your business.
- The purpose of processing the data.
- A list of third parties with whom you might share data, and the categories of data you share.
- Contact information for consumers to submit requests.
- An explanation of how consumers can exercise their rights.
Boost your data security
A key obligation of NJDPA is to make sure data is kept in a safe and secure way. It’s important to review your current data security practices to identify flaws and risks. By acting early and filling any gaps, you can minimise risks and ensure compliance.
Some of the steps you can take to boost data security include:
- Improving login security – Enforce multi-factor authentication (ideally phishing-resistant methods such as hardware keys or passkeys) for every account that can reach consumer data, and use a password manager to eliminate reused passwords.
- Use data access controls – Apply least privilege, so that sensitive information is only accessible to the people and services that need it, and review those permissions regularly.
- Encrypt data – Use TLS for data in transit and encrypt data at rest (databases, backups, and exports), with keys managed separately from the data they protect.
- Keep devices updated – Have employees update their devices regularly. Don’t use devices that are no longer supported.
Strong data security is only possible with high levels of awareness from your employees. Staff need training and education to understand legislation and how it affects them. Ensure that everyone, regardless of seniority, is filled in appropriately.
Monitor request channels regularly
NJDPA mandates organisations to create clear channels for consumers to exercise their rights, such as a dedicated email address. But simply having channels isn’t enough; they must also be monitored regularly.
Remember, for a request to be valid, you must be able to authenticate the consumer using commercially reasonable means. If you cannot, you may ask for additional information or decline the request, but you must tell the consumer why. Ensure you have verification procedures in place that are proportionate to the sensitivity of the request: a deletion request deserves stronger checks than an opt-out.
If you do receive a valid request, respond within 45 days of receipt (extendable once by a further 45 days where reasonably necessary, provided you inform the consumer). Rather than paying lip service, put words into action. Demonstrating that you respect and value data privacy builds trust with customers.
Vet third parties carefully
Legislation requires organisations to be fully transparent about any third-party data processors they work with. For this, you need to have a full understanding of a third party’s data handling processes.
To ensure that customers’ data is held securely, it’s important to vet any third-party processors. When doing so, be sure to consider the following areas:
- Privacy policy – When assessing a vendor, always ask for a copy of their privacy policy. Do they respect the rights of consumers?
- Approach to security – What steps has a vendor taken to secure the data they hold? A lax approach increases the risk of data leaks and other issues.
- Previous data breaches – Ask each processor about its history of security incidents and how it responded. How many data breaches has it encountered? Were affected customers notified promptly? What steps has it taken to prevent a recurrence?
Once you choose a vendor, create a clear contractual relationship that establishes compliance. This should lay out the rights and obligations of both parties and establish a set of standards for data processing.

Achieve compliance today
If you operate in New Jersey, there’s a high chance you must comply with the NJDPA. Begin with a thorough assessment of your current data handling. Are there any issues that might impact your compliance? If so, act now – it’s always better to be safe than sorry.
And remember, NJDPA is just one example of a state-wide data privacy law. Other laws with different thresholds might apply to you. If you’re unsure, read our article covering the different Federal U.S. Data Privacy Laws.