New Jersey Data Privacy Act – Compliance Guide for 2025

Summary

The New Jersey Data Privacy Act (NJDPA) grants residents control over their personal data. It covers businesses that operate in New Jersey or target its residents and meet certain data thresholds. Consumers can access, correct, delete, and transfer their data, and opt out of data sales and targeted advertising.

To comply, businesses must update privacy policies, limit data collection, obtain consent for sensitive data, and provide opt-out options. Violations are enforced under the New Jersey Consumer Fraud Act, with fines of up to $20,000. Tools like WPLP Compliance Platform simplify the compliance process.

In today’s digital world, the issue of data privacy has moved from a personal choice to a legal requirement. 

With customers getting smarter and new stories breaking about data breaches across the country, state governments in the United States have begun to take steps to protect personal information. 

A recent state to join the chorus is New Jersey, with the passing of the New Jersey Data Privacy Act (NJDPA). This law is designed to empower citizens with rights regarding their personal data, as well as hold businesses accountable for how they obtain, use, and share that data.

Whether you are a small business owner, a marketer, or a compliance officer, you need to understand the NJDPA. 

This article will give you everything you need to know about the NJDPA, including the applicability of the law, rights that consumers have under the law, business obligations and compliance, and potential fines for noncompliance. 

Continue reading to keep ahead of this ever-changing landscape, so you can protect yourself and your business while meeting New Jersey privacy standards.

What is the New Jersey Data Privacy Act (NJDPA)?

New Jersey’s Data Privacy Act, or Senate Bill 332, was officially signed into law in January 2024. The law took effect on January 16, 2025. 

The NJDPA is a general privacy law that gives privacy rights to New Jersey residents to protect their personal data. It also includes data that shows how organizations use data about New Jersey consumers online. 

Lawmakers define personal data in the NJDPA as “information that could reasonably be used to identify an individual,” excluding de-identified data and publicly available information.

The NJDPA, like other state privacy laws, gives consumers more control over how businesses collect and process their data. It also lays out legal obligations of organizations with respect to consumers’ data privacy. 

However, there are some contextual differences. For example, the NJDPA considers some types of financial information to be sensitive information. 

The NJDPA classifies criminal background information, along with mental and physical health details, as sensitive personal information. Additionally, the law does not automatically exempt non-profit organizations.

Lastly, the NJDPA sets out several of its “privacy-by-default” principles, such as data minimization and purpose limitations.

Who Must Comply With the New Jersey Data Privacy Act?

The New Jersey privacy law governs data controllers that collect personal data from New Jersey residents.

SB 332 calls entities “controllers” when they determine the purpose and means of processing a consumer’s personal information.

Controllers who meet the following criteria are subject to New Jersey’s privacy law:

  • Located in New Jersey and/or
  • Offer goods or services to consumers in New Jersey, and
  • Control or process personal data of at least 100,000 consumers (not including personal data maintained only to complete a payment), or
  • Control or process personal data of at least 25,000 consumers and receive revenue or receive discounted goods or services from selling their personal data

SB 332 clarifies that the law applies to controllers that are doing business in New Jersey and meet its qualifications.

Who Is Exempt From the NJDPA?

The following entities and organizations are exempt from the NJDPA:

  • Covered entities or business associates dealing with protected health information (PHI) that fall under the Health Insurance Portability and Accountability Act (HIPAA)
  • Financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA)
  • Secondary market institutions, as defined in the United States Code, are Congress-chartered entities through which transactions are conducted without the transfer or sale of personal information to third parties.
  • Insurance organizations covered by the Insurance Information Practices Act
  • The sale of personal data by the New Jersey Motor Vehicle Commission, as authorized by the federal Driver’s Privacy Protection Act
  • Any state agencies, political subdivisions, divisions, boards, bureaus, offices, commissions, or other instrumentalities established by a political subdivision.

What are the Consumer Rights Under the NJDPA Law?

New Jersey’s privacy law gives consumers the following rights:

  • Right to access: Consumers are entitled to know whether the controller is processing the consumer’s Personal Information and have access to it, along with details of third parties it has been shared with.
  • Right to disclosure: Consumers have the right to obtain a list of the categories of third parties to whom the controller has disclosed the consumer’s personal data.
  • Right to correct: Consumers have the right to correct inaccurate or out-of-date information that the controller has about the consumer.
  • Right to erase: Consumers are entitled to erase any personal information the controller possesses about them (except in a few cases).
  • Right to data portability: Consumers are entitled to have access to a portable and easily usable copy of their personal information.
  • Right against discrimination: Controllers are not allowed to discriminate against consumers illegally for exercising their rights.
  • Right to opt out: Consumers are entitled to opt out of the sale of personal information, targeted advertising, or profiling “in furtherance of decisions that have legal or similarly important effects relating to a consumer.”

A consumer may make one free request to a controller to enforce their rights on a 12-month basis. For example, they can request that their data be erased or can ask for a copy of their data.

Consumer requests that are “manifestly unfounded, excessive, or repetitive” may be refused by a controller, or a reasonable fee may be charged to cover the administrative costs of fulfilling the request.

In such instances, the controller must consider the request to be unfounded. A controller may also deny a request if the consumer’s identity cannot be reasonably verified.

How Businesses Can Comply With New Jersey Law Regulations 

In this section, let us discuss some of the actions you can take to be compliant with New Jersey’s privacy law. This includes having a privacy policy, receiving consumer consent, and giving consumers the ability to opt out of the collection and processing of their personal data.

Review and Maintain a Privacy Policy

If your company is within the scope of the New Jersey Law regulations, one of the most effective ways to ensure compliance is to maintain a clearly written, regularly updated privacy policy on your website.

A privacy policy is a legal statement explaining how you gather and utilize consumers’ personal information and what you do to protect it.

New Jersey state law mandates that relevant organizations have a privacy policy on their website that includes (but is not limited to) the following provisions:

  • What personal information the controller processes
  • Why personal data is processed
  • Which third parties the controller passes personal data to
  • The categories of data the controller discloses to third parties
  • How consumers are able to enforce their rights
  • How the controller informs consumers about changes in the Privacy Policy
  • The controller’s online contact information
  • A notice if the controller sells personal information or uses it for targeted advertising

SB 332 outlines the required provisions a privacy policy must include to comply with the statute, such as definitions of data categories processed by a controller and instructions for consumers to exercise their rights.

Let’s take a deeper look at the clauses you should include in your Privacy Policy to make it SB 332-compliant.

What Personal Information You Collect

This provision defines the types of personal data you gather from consumers visiting your website or online business.

Kettle’s Privacy Policy states that it collects both anonymous information and data that can identify individuals. It provides a link to an email address where consumers can submit opt-out requests.

Why You Process Personal Data

You need to outline the grounds for processing consumers’ personal information. You should process only the personal information necessary to achieve your business goals.

Groundies’ Privacy Policy outlines its grounds for obtaining and processing consumers’ personal information, such as for purposes of account sign-up and order completion.

Which Third Parties Do You Share Personal Information With

You should list any third parties with which you share personal information of consumers. This section also explains whether consumers’ use of your website allows third parties to collect consumers’ personal information over time or across different sites.

Magna-Tiles’ privacy policy explains that the only third parties it shares consumers’ personal data with are governmental agencies or companies involved in fraud prevention or investigation.

What Personal Information You Share With Third Parties

This section describes what kind of personal data you share with third parties.

Orangetheory Fitness’s privacy policy outlines the kinds of personal information it may share with third parties. Information includes names, heart rate data, body scanner results, and other exercise and health data.

Limit Collection of Personal Data

You must use your privacy policy to tell consumers why you collect their personal data, and you should collect it only to the extent necessary to fulfil those purposes.

SB 332 requires data controllers to collect only personal data that is “adequate, relevant, and reasonably necessary” to achieve the purposes disclosed to consumers.

You must obtain consent from consumers for the following data processing activities:

  • Using consumers’ personal data for different purposes than what they agreed to initially
  • Processing sensitive data
  • Processing children’s data (you will need to get parental or guardian consent before processing children’s personal data)
  • Selling personal data
  • Using personal data for targeted advertising purposes
  • Using personal data for profiling purposes

You must also have a mechanism for consumers to revoke their consent. It must be as easy for the consumer to revoke their consent as it was to give it.

As your business prepares for the NJDPA, the WPLP Compliance Platform offers you plugins to ease your compliance process. Plugins like WP Legal Pages and WP Cookie Consent can help you comply with the law.

WP Legal Pages Plugin

WP Legal Pages helps you generate privacy policies by answering simple business-related questions. Then, it generates a compliant policy based on your responses, which can be uploaded to your website in just seconds.

WP Cookie Consent Plugin

WP Cookie Consent is the top WordPress plugin that allows sites to manage user consent. It is Google-certified and built to help businesses become compliant with global privacy legislation like GDPR, CCPA, LGPD, Quebec Law 25, and more.

It makes sure that websites collect and handle user consent transparently and legally. Since data privacy laws oblige websites to inform users regarding their data-processing behavior, this plugin is a must for ethical data management.

In addition, you can add a Data Subject Access Request (DSAR) form to your website. WP Cookie Consent also helps you manage DSARs efficiently by collecting, tracking, and responding to user requests.

Most importantly, WP Cookie Consent meets the opt-out requirements described by NJDPA law.

New Jersey Law Penalties and Fines for Non-Compliance

The New Jersey Data Privacy Act (NJDPA) does not specify a fine in its text; however, authorities consider any breach of the NJDPA a violation of the New Jersey Consumer Fraud Act.

Initial breaches can incur civil fines of up to $10,000 USD. Continuous non-compliance can result in fines of up to $20,000 USD.

The New Jersey Attorney General administers these punishments, and companies can further face civil lawsuits and bad publicity if found guilty.

FAQ

1. What is the New Jersey Data Privacy Act (NJDPA)?

The New Jersey Data Privacy Act (NJDPA) provides protections for the personal data of New Jersey residents. It grants consumers certain rights regarding their data and requirements for companies that collect and process consumers’ personal data.

2. To Whom Does the NJDPA Law Apply?

The NJDPA primarily applies to businesses that operate in New Jersey or offer goods or services intended for New Jersey residents, and that control or process the personal data of 100,000 or more consumers, or 25,000 or more consumers if they derive revenue from selling personal data.

3. What are the Penalties for Non-Compliance with the NJDPA Law?

Non-compliance with the New Jersey Data Privacy Act can result in fines up to €10 million or 2% of the company’s global annual turnover.

4. How Can Businesses Comply With the New Jersey Data Privacy Act?

To comply with the New Jersey Data Privacy Law, businesses should have a privacy policy and a cookie consent banner on their website. We recommend using the WPLP Compliance Platform.

Conclusion

If your business falls under the New Jersey Data Privacy Act, make sure you follow these steps to ensure your compliance with the law:

Review your cookie policy and privacy policy to make sure you have completed all of the notification obligations required by law. In addition, start preparing your website to recognize universal opt-out mechanisms (UOOMs) by July 2025.

Add a DSAR form to your website and make sure that you have put the appropriate contracts in place with any data processor or third party you are dealing with.

Whether you are a small startup or a large business, WP Legal Pages Compliance Platform can assist you in complying with privacy legislation and the New Jersey Data Privacy requirements and other laws worldwide.
