enactedUS-NJEffective January 15, 2025

New Jersey Data Privacy Act (NJDPA)

Complete compliance guide for companies with <200 employees. Everything you need to know about NJDPA requirements, deadlines, and penalties.

DSAR Deadline

45 calendar days

+ 45 days extension

Max Penalty

$10,000/violation

Up to $10,000 for first offense and $20,000 for subsequent violations under the New Jersey Consumer Fraud Act. A 30-day cure period applies for the first 18 months (until July 1, 2026), after which the Attorney General may proceed directly with enforcement.

Threshold

100,000 consumers

Est. Cost

$5,000 – $18,000

5-12 weeks

Mid-Market Compliance Guide

New Jersey's NJDPA is among the stricter US state privacy laws. It requires disclosure of specific third parties (not just categories) and mandates consent withdrawal processing within 15 days. A 30-day cure period applies for the first 18 months (until July 2026), after which the AG can pursue enforcement immediately. Like Oregon, it applies to nonprofits. The threshold is 100,000+ consumers (excluding payment transactions) or 25,000+ consumers with revenue from data sales.

Key Requirements

Provide a clear and accessible privacy notice
Limit data collection to what is adequate, relevant, and necessary
Obtain consent before processing sensitive data
Conduct data protection assessments for high-risk processing
Implement and maintain reasonable data security practices
Process consent withdrawal requests within 15 days
Honor universal opt-out mechanisms

Enforced by: New Jersey Attorney General / Division of Consumer AffairsOfficial site

Consumer Rights

Right to Access personal data

Right to Correct inaccurate data

Right to Delete personal data

Right to Data Portability

Right to Opt-Out of sale, targeted advertising, and profiling

Right to Obtain a list of specific third parties receiving data

Business Obligations

1.Provide privacy notice with required disclosures
2.Respond to consumer requests within 45 days
3.Process consent withdrawal within 15 days
4.Disclose specific third parties (not just categories)
5.Execute data processing agreements with processors
6.Implement reasonable data security measures

Exemptions

•HIPAA-covered entities and data
•GLBA-covered financial institutions
•Higher education institutions
•Government entities

Related Privacy Laws

CTDPA

US-CT

Connecticut Data Privacy Act

OCPA

US-OR

Oregon Consumer Privacy Act

CCPA/CPRA

US-CA

California Consumer Privacy Act

Recommended Compliance Tools

No vendors have been reviewed for NJDPA coverage yet.

Browse all compliance tools

Get a mid-market compliance checklist for NJDPA

We'll send you a practical, step-by-step checklist tailored for companies with <200 employees. No spam, unsubscribe anytime.

See how DPAs enforce NJDPA in practice

Real fines, real violations, real lessons. Browse our enforcement database to understand what gets penalized under NJDPA.

Browse Enforcement Actions

Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/3/2026.

Read the official text of NJDPA