New Jersey Privacy Law Helps Expand US Consumer Privacy System

On Jan. 16, New Jersey Gov. Phil Murphy (D) signed the New Jersey Data Privacy Act into law. Its passage makes New Jersey the 14th state to adopt a comprehensive consumer data privacy law.

Given the NJDPA’s nuances compared to other current state privacy laws, companies subject to the New Jersey law will have to closely analyze how the new requirements apply to their products and services and assess how their compliance programs should be adjusted to satisfy those requirements.

The NJDPA applies only to entities that meet certain geographic and processing requirements. Specifically, it applies to people who either conduct business in New Jersey or produce products or services that are targeted to the residents of New Jersey and who, during the preceding calendar year, either:

  • Controlled or processed the personal data of at least 100,000 consumers
  • Controlled or processed the personal data of at least 25,000 consumers and derived revenue or received a discount on the price of any good or service from the sale of personal data.

The NJDPA follows Colorado’s privacy law standard of applicability for the sale of personal data by not requiring a specific percentage of revenue threshold. Other states require a 25% or 50% of revenue threshold for this applicability standard.

The New Jersey law, as with laws in ConnecticutDelawareMontana, and Oregon, exempts personal data used solely for the purpose of completing a payment from its applicability threshold. New Jersey’s statute doesn’t have a revenue threshold as a basis of applicability.

Like other state privacy laws, the NJDPA provides the state’s residents with comprehensive privacy protections and new rights regarding their personal data and requires companies to adhere to several data protection obligations. But it introduces distinctive elements that set it apart from other state privacy laws.


The NJDPA provides narrower exemptions than other state privacy laws. Specifically, it doesn’t contain an entity-level exemption for covered entities or business associates under the federal law restricting release of medical information.

Rather, as found in Delaware’s law, the New Jersey statute provides a narrow data-level exemption for protected health information subject to privacy laws.

One other unique aspect of the New Jersey Law is its applicability to nonprofits and public higher education institutions. Colorado, Oregon, and Delaware are the only states that apply broadly to nonprofits.

Sensitive Data

The NJDPA introduces a broad definition of sensitive data, which signifies an evolving trend in state privacy laws toward more inclusive definitions of sensitive data. This category includes financial information, including “a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”

The California Consumer Privacy Act’s definition of sensitive personal information contains similar language. Unlike the CCPA, the New Jersey law requires controllers to obtain prior consent to process and collect sensitive data.

Children’s Data

The NJDPA prohibits the processing of personal data of consumers between 13 and 16 for targeted advertising, the sale of their data, or use of minors’ data in profiling in furtherance of decisions that produce legal or similarly significant effects, without the consumer’s consent.

This rule applies if the controller has actual knowledge or willfully disregards that the consumer is in this age group. The provision is marked by nuances that divert from children’s data prohibitions found in other state privacy laws. For example, Oregon’s privacy law includes a similar prohibition but sets an age limit of 15.

Delaware’s privacy law has an age range like the NJDPA, but it doesn’t extend the prohibition to profiling.

All these state laws, as well as other state legislative proposals that are more narrowly focused on children and minors online, suggest lawmakers will continue to grapple with ways to protect minors online that don’t run afoul of the Constitution.

Data Protection Assessments

The New Jersey law prohibits covered companies from engaging in processing of personal data that presents a heightened risk of harm to consumers without first conducting and documenting a data protection assessment of these processing activities.

Processing that is identified as presenting a heightened risk of harm includes activities such as targeted advertising, selling personal data, profiling that may lead to reasonably foreseeable consumer risks, and handling sensitive data.

The requirement to conduct and document a data protection assessment is found in other state laws. Like Colorado’s privacy law, New Jersey’s explicitly requires completion of a data protection assessment before engaging in any processing of personal data that presents a heightened risk of harm. Other laws don’t include this language.

Privacy Notices

The NJDPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice, as required by other state privacy laws. Like Oregon’s and Delaware’s privacy laws, New Jersey’s law requires privacy notices to disclose to consumers both the categories of personal data shared with third parties as well as the categories of third parties receiving this data.

It also requires controllers to describe in their privacy notices “the process by which the controller notifies consumers of material changes” to the privacy notice—a requirement not found in other state privacy laws.

Rulemaking and Enforcement

The NJDPA grants the director of the Division of Consumer Affairs in the Department of Law and Public Safety rulemaking powers to effectuate the New Jersey law’s purposes. California’s and Colorado’s privacy laws provide similar rulemaking.

The New Jersey law doesn’t contain a private right action and provides companies with a 30-day right to cure period following receipt of a notice of violation, which expires 18 months after the NJDPA’s effective date.

Covered entities under the NJDPA now have just under a year to prepare for compliance. The law becomes effective on Jan. 15, 2025.


Published originally by Bloomberg INDG on January 23, 2024, 

Copyright 2024 Bloomberg Industry Group, Inc. (800-372-1033) Reproduced with permission.