New Jersey Data Privacy Act (NJDPA)

Overview

The New Jersey Data Privacy Act (NJDPA) requires businesses that collect personal data from consumers to notify them about the collection and sharing of their data. It aims to provide transparency in data handling, enhance consumer control over personal data, and regulate the sale and processing of sensitive information. The law applies to certain for-profit entities, establishing obligations for data security, consent, and consumer rights.

 

Regulation Summary

Timeline
  • December 2023: NJDPA passed in the Senate and Assembly.
  • January 16, 2024: Signed into law by Governor Phil Murphy.
  • January 15, 2025: Law becomes enforceable.
What Businesses Are Affected
  • Applies to businesses conducting operations in New Jersey or targeting New Jersey residents.
  • Businesses must meet one of the following thresholds:
    • Control or process personal data of at least 100,000 consumers annually (excluding payment transaction data).
    • Control or process data of at least 25,000 consumers and derive revenue from the sale of personal data.
Exemptions
  • Government entities, nonprofits, and financial institutions.
  • Data regulated by HIPAA, FERPA, GLBA, and COPPA.
  • Data collected for research or public health activities.
Responsibilities for Businesses
  • Data Security: Implement appropriate administrative, technical, and physical safeguards.
  • Transparency: Provide clear privacy notices specifying the types of data collected, purposes of processing, and third-party sharing practices.
  • Purpose Limitation: Avoid secondary uses without consumer consent.
  • Non-discrimination: Prohibit penalizing consumers who opt out of data sales or targeted advertising.
Specific Responsibilities for Website Owners
  • Opt-Out Mechanism: Display an opt-out mechanism for data sales and targeted advertising.
  • Privacy Notices: Provide detailed disclosures, including a description of consumer rights and how to exercise them.
  • Data Access Requests: Respond to verified requests within 45 days, with a possible extension of another 45 days if necessary.
Additional Requirements
  • Sensitive Data: Consent required for processing sensitive data (e.g., health data, biometric data).
  • Data Protection Assessments: Required for processing activities involving high-risk data use (e.g., targeted advertising, profiling).
Data Subject Rights
  • Access: Request confirmation and access to personal data.
  • Correction: Request corrections to inaccurate data.
  • Deletion: Request deletion of personal data.
  • Portability: Obtain personal data in a machine-readable format.
  • Opt-Out: Refuse data sales and profiling decisions.
Enforcement
  • Enforced by the New Jersey Attorney General.
  • Businesses have 30 days to cure violations after notice during the first 18 months of the law's enactment.
  • Violations are treated as violations of New Jersey's consumer protection laws and are subject to civil penalties.
  • No private right of action (individual lawsuits not permitted).

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596