Aug 21, 2025

New Jersey Data Privacy Act: Everything You Need to Know

New Jersey has taken a big step forward in protecting consumer data. On January 15, 2025, the New Jersey Data Privacy Act (NJDPA) came into force, giving Garden State residents new rights over how their personal information is collected, shared, and used. It establishes clear guidelines for businesses, nonprofits, and institutions that handle large amounts of consumer data.

This post breaks down the NJDPA in comprehensive terms: what it means, who it affects, how consumers can exercise their rights, what businesses need to do, and what comes next.

What is the NJDPA — and why does it matter?

New Jersey’s data privacy law, the New Jersey Data Privacy Act, joins more than a dozen other states in governing how personal data is handled. It took effect on January 15, 2025 and includes a grace or cure period until mid-2026 for violations.

Senator Raj Mukherji, a former Assemblyman, emphasized the stakes bluntly: many New Jerseyans would be surprised to learn that their private family details are sold for profit like commodities, often without disclosure. 

At its core, the new law aims to change that. It gives New Jersey consumers rights over their personal data and imposes clear responsibilities on companies that collect or use it. The stakes are significant in a digital age where every click, location ping, or online sign-up can quietly build a profile about us — frequently without our knowledge at all.

  • The NJDPA (officially N.J. Stat. § 56:8‑166.4 et seq.) was signed into law in early 2024 and takes effect on January 15, 2025.
  • It sets clear consumer rights in NJ around personal data and lays out obligations for controllers and processors — the entities that collect or handle that data.
  • Enforcement lies solely with the New Jersey Attorney General, specifically the Division of Consumer Affairs, meaning there's no private right of action for individuals.

In short, if you're a resident, the NJDPA empowers you. If you're a business or organization handling data, the NJDPA simply demands real accountability.

What the New Law Actually Does

At its core, the New Jersey Data Privacy Act is about NJ consumer rights and giving people more control over their own information.

It says that if companies collect your data — things like your name, address, email, browsing habits, or even more sensitive details — you get certain rights, and companies must handle that data responsibly.

Unlike some laws, this one will be enforced by the state Attorney General, not by individuals filing lawsuits. That means if a company breaks the rules, the state can step in and take action.

Who Has to Follow These Rules

Not every business is covered. The law applies mostly to bigger companies or organizations that handle a lot of personal data. Specifically:

  • Businesses that process data from 100,000 or more New Jersey residents in a year
  • Or, businesses that process data from 25,000 or more residents and make money by selling personal data

This includes not just for-profit businesses, but also nonprofits and colleges: a unique twist that sets New Jersey apart from many other states.

Exemptions exist for things like:

  • Healthcare data already covered by HIPAA
  • Financial institutions regulated under other federal laws
  • State and local government agencies
  • Publicly available information

So while not every company falls under the law, many online retailers, social media platforms, and service providers that operate in New Jersey will have to comply.

What Rights You’ll Have as a Consumer

Once the law kicks in, you as a New Jersey resident will have the power to do a lot more with your personal data. Some of the key rights include:

  • Access — You can ask a company if they’re collecting your data, and they have to tell you.
  • Correction — If the information is wrong, you can get it fixed.
  • Deletion — You can ask for your data to be deleted.
  • Portability — You can request a copy of your data in a usable format.
  • Opt-Out — You can say no to things like targeted advertising, selling your data, or profiling.

And here’s a big one: for sensitive data, companies have to get your permission before using it. Sensitive data means things like:

  • Your health information
  • Biometric data (like facial scans or fingerprints)
  • Religious beliefs
  • Sexual orientation or gender identity
  • Precise location data
  • Financial account details

Children’s data gets even more protection. For anyone under 16, companies need clear consent before targeting them with ads or selling their data, to comply with COPPA protection.

What Companies Have to Do Differently

The law doesn’t simply give rights to consumers: it also puts a lot of responsibility on businesses. If you run a company that falls under the law, here’s what’s expected:

  • Be transparent — You’ll need to publish a clear privacy notice explaining what data you collect, why, who you share it with, and how people can exercise their rights.
  • Use less data — Collect only what you need and use it only for stated purposes.
  • Keep it safe — Strong security measures are required.
  • Assess risks — Before doing high-risk things like targeted advertising or selling sensitive data, companies must perform a Data Protection Assessment.
  • Honor universal opt-outs — Starting July 2025, companies must recognize tools like the Global Privacy Control browser signal, which lets people opt out of data sales with one setting.

Processors — businesses that handle data for someone else (like cloud providers or payroll companies) — must also sign contracts with controllers and follow strict rules.

Enforcement, Cure Periods, and Penalties

  • The AG’s office enforces this law: individuals cannot sue directly.
  • Prior to action, the AG must send a notice with 30 days to cure, where a cure is possible. This cure provision expires 18 months after the effective date, i.e., after July 15, 2026.
  • Violations constitute Consumer Fraud Act violations.
  • The Division of Consumer Affairs has rulemaking authority — allowing detailed guidance on technical and enforcement matters.

Gig Workers and Data Privacy: Real-Life Example

Take Maria, a driver for a popular food delivery app in Newark. Every time she logs into the app, it collects data about her: not just her name and payment information, but also her location, delivery times, customer ratings, and even details about the restaurants she frequents.

Under the New Jersey Data Privacy Act, Maria may gain new rights when the law takes effect:

  • She could ask the company for a copy of the data it has on her, including her full performance history.
  • If something is inaccurate — say, a mistaken customer review tied to her account — she could request a correction.
  • She could even opt out of certain profiling if the company uses algorithms to rank drivers or assign shifts.

For Maria, these privacy rights tie directly to her livelihood. A bad rating or data error can mean fewer shifts, less income, or even deactivation from the platform. Having the ability to see and correct her data could help protect her job.

For the delivery company, this means new responsibilities. It will need to set up systems for handling these requests, make sure its algorithms comply with the law, and train staff to respond properly. If it fails, it could face penalties from the state — or damage its reputation with workers and customers alike.

Gig workers, contractors, and even traditional employees are often subject to heavy data collection. The new law on NJ consumer private data is designed to give people like Maria a stronger voice in how that data is used, which can directly affect job security and fairness in the workplace.

What Makes NJ’s Law Stand Out?

  • Broad definitions and scope — including financial account details as sensitive data; doesn’t exempt nonprofits or higher ed.
  • Opt-in rather than opt-out for sensitive and youth data — stronger protections than some states.
  • Universal opt-out mechanism (UOOM) requirement — aligning with the broader privacy trend toward easier consumer control.
  • Exclusive public enforcement with a cure window — businesses get a window to fix issues before enforcement.

Timeline: What’s Next?

  1. Law effective date: January 15, 2025.
  2. Cure window kicks in: Now open, ends July 15, 2026.
  3. Universal opt-out compliance: Required by July 15, 2025.
  4. Data Protection Assessments and disclosures: Start immediately upon the law's effective date.

What You Should Do Now As a Worker or Employer

Whether you’re a consumer or a business, here are some practical steps:

For consumers:

  1. Start paying attention to privacy notices — they’re going to matter more.
  2. Learn how to use universal opt-out tools like Global Privacy Control.
  3. Don’t be afraid to exercise your rights when the law takes effect.

For businesses:

  1. Do a data inventory — figure out what you’re collecting, why, and from whom.
  2. Update your privacy policies and notices.
  3. Review contracts with vendors to make sure they comply.
  4. Put systems in place to respond quickly to consumer requests.
  5. Train staff — especially HR, IT, and customer service.

If your workplace handles both employee data and consumer data, careful policy design, strong data governance, and legal guidance will be essential.

Workplace Monitoring and the NJDPA: What Employees Should Know

More and more workplaces use digital tools to keep track of their employees. Sometimes it’s obvious — like a timeclock app or a GPS tracker on a delivery vehicle. Other times, it’s less visible, like keystroke logging software, email monitoring, or productivity dashboards that record how long you spend on tasks.

The law was written mainly for consumer data, not employee data. But that doesn’t mean workers are left unprotected.

  • Employers still have legal obligations — Even if the NJDPA does not fully cover employee data, other New Jersey employment laws and privacy rules may restrict how much monitoring is allowed in the workplace.
  • Job applicants may qualify as “consumers” — If you apply for a job online and submit personal details, those details could fall under the NJDPA’s protections. That means applicants may have rights to access, correct, or request deletion of their information.
  • Transparency is essential — Forward-thinking employers will update employee handbooks and privacy policies to explain exactly what data they collect, why they collect it, and how it is used. This is both a compliance step and a trust-building measure.
  • Overlap creates risk — Some companies use the same systems to collect both consumer data and employee data. Without clear separation, businesses could face compliance problems under the NJDPA.

Data rights are becoming the norm. Even if employees aren’t fully covered yet, the cultural and legal shift is happening. Workers are asking tougher questions about how their information is used, and employers will need to be ready with answers.

Why This Matters

In a world where our phones know more about us than some of our closest friends, having control over personal information isn’t a luxury anymore — it’s a necessity.

The New Jersey Data Privacy Act is a big step forward in protecting residents, holding companies accountable, and setting new standards for fairness in the digital age.

For everyday people, it means more control. For businesses, it means a new era of responsibility. And for workers, it’s another reminder that the rules around technology and employment are evolving quickly.

Looking Back and Looking Ahead

New Jersey’s law reflects a trend: with no comprehensive federal privacy law yet in place, states themselves are filling the gap. NJ’s version stands out for its robust protections and inclusive scope — including nonprofits, financial info, and baby steps toward universal opt-out controls.

As privacy becomes a professional task, not just a checkbox, the NJDPA signals a significant shift. It encourages businesses to treat data with respect, gives residents meaningful control, and positions the Garden State as a forward-thinking actor in digital consumer rights.

Not Sure Where to Begin? Let Us Help.

If you’re unsure how the NJDPA may affect your workplace — whether you're an employee navigating personal data practices or an employer arranging compliant policies — help is available.

We specialize in navigating privacy concerns in the workplace and can help ensure your policies are not just compliant, but fair and transparent.

Contact us today for experienced legal advice and a free consultation. 

BJB Employment Law Editor