New Jersey Data Privacy Act (NJDPA)
New Jersey's consumer privacy law effective January 15, 2025, notable for a zero-percent data-sale revenue trigger, tiered escalating penalties, AG rulemaking authority, and a cure period that sunsets on July 17, 2026.
Overview
The New Jersey Data Privacy Act (SB 332, 2024), codified at N.J. Stat. Ann. Sec. 56:8-166 et seq., took effect on January 15, 2025. NJDPA is among the most protective comprehensive privacy laws outside California, combining a broad scope (zero-percent data-sale revenue trigger), mandatory UOOM, escalating penalties, formal AG rulemaking authority, and a cure period that expires on July 17, 2026.
Applicability: a controller must, in a calendar year, process personal data of 100,000 or more New Jersey consumers, or 25,000 or more consumers while deriving any revenue from the sale of personal data — no minimum percentage. This zero-percent threshold is uniquely broad: it captures businesses that treat data sales as an incidental revenue stream, not a primary one, closing a loophole common in 25%–50% thresholds.
Exemptions mirror the Virginia family: government, HIPAA, GLBA, non-profits, higher-education, and data covered by FCRA, DPPA, FERPA, COPPA. Employee and B2B data are excluded.
Consumer Rights
New Jersey provides the full Virginia-family rights bundle — access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling with significant effects, and right to appeal.
Sensitive data follows an expanded Virginia-family definition that explicitly includes financial data as a protected category alongside race, religion, health, sexual orientation, citizenship, genetic and biometric data, precise geolocation, and data of children under 13. Opt-in consent is required before processing.
Compliance Requirements
Controllers must publish a privacy notice, honor DSRs within 45 days (extendable +45 days), conduct DPIAs for heightened-risk processing, and execute processor contracts.
UOOM / GPC recognition is mandatory. Additionally, the New Jersey AG's Division of Consumer Affairs holds formal rulemaking authority to issue detailed regulations on DPIAs and other NJDPA requirements — meaning enforceable technical specifications may evolve beyond the statute's text.
Cure Period + Enforcement
The New Jersey Attorney General, through the Division of Consumer Affairs, holds exclusive enforcement authority — no private right of action. Penalties are tiered: up to $10,000 for a first violation, up to $20,000 for each subsequent violation — one of the more expensive regimes.
The cure period is 30 days and sunsets on July 17, 2026. After that date, no mandatory cure window applies — the AG may initiate enforcement immediately upon detecting a violation. Combined with the zero-percent threshold and escalating penalties, NJDPA demands proactive, well-documented compliance.
How Inori Addresses This
Inori's v1.2 privacy.mdx lists New Jersey with its January 15, 2025 effective date and flags the July 17, 2026 cure-period sunset as a compliance deadline on our internal roadmap. Our /api/dsar endpoint services the full rights bundle with a 45-day SLA. The middleware.ts respectGpc helper honors Sec-GPC: 1, satisfying the UOOM mandate.
Hard-purge via cron at 90 days satisfies the deletion lifecycle. We monitor the Division of Consumer Affairs' rulemaking docket so that any DPIA-related regulations issued under NJDPA authority are incorporated before enforcement. Automated DPIA generation is deferred, with procedural documentation handling current obligations.
Related Concepts
- CCPA/CPRA — The California regime NJDPA most closely resembles in protectiveness
- CTDPA — Connecticut, the operational template for NJDPA
- Global Privacy Control (GPC) — Browser signal NJDPA requires
See how Inori handles new jersey data privacy act (njdpa)
Try our free COI checker first, or start a free trial of the full platform.