Navigating the New Jersey Data Privacy Act: Is Your Business Prepared?

As data privacy concerns escalate, New Jersey has enacted the New Jersey Data Privacy Act (NJDPA), effective January 15, 2025. This legislation introduces stringent requirements for businesses handling personal data of New Jersey residents with some key differentiators: sensitive data includes some common financial data, the language around data minimization is strong, and there is no exemption for non-profits or higher learning institutions. Understanding the NJDPA’s scope and obligations is crucial for compliance and maintaining consumer trust. 

Scope and Applicability 

The NJDPA applies to “controllers” conducting business in New Jersey or targeting products or services to its residents. A controller falls under the NJDPA if, during a calendar year, it: 

  • Processes personal data of at least 100,000 consumers (excluding data processed solely for payment transactions). 
  • Processes personal data of at least 25,000 consumers and derives revenue or receives discounts from selling personal data. 

Notably, the NJDPA does not specify a revenue threshold, meaning businesses of various sizes could be subject to its provisions. 

Exemptions 

Certain entities and data types are exempt from the NJDPA, including: 

  • Organizations regulated by the Gramm-Leach-Bliley Act. 
  • State-regulated insurance providers. 
  • Personal data managed under the Fair Credit Reporting Act. 
  • Data transactions permitted by the Drivers’ Privacy Protection Act. 

These exemptions aim to prevent regulatory overlap and acknowledge existing federal data protection laws.  

Key Provisions of the NJDPA  

Controller Obligations 

Controllers must adhere to several responsibilities, including: 

  • Data Minimization: Collect only data necessary for specified purposes. 
  • Data Security: Implement measures to protect personal data. 
  • Consent for Sensitive Data: Obtain explicit consent before processing sensitive information. 
  • Non-Discrimination: Ensure equal service quality, regardless of a consumer’s data privacy choices. 
  • Privacy Notices: Provide clear information about data collection and processing practices. 
  • Data Protection Assessments: Conduct evaluations for activities involving personal data processing.

Processor Obligations

Processors are required to:  

  • Maintain confidentiality agreements with personnel handling data. 
  • Establish contracts with subcontractors. 
  • Assist controllers in fulfilling consumer rights requests. 
  • Support data security and breach notification efforts. 
  • Participate in data protection assessments.

Consumer Rights

The NJDPA grants consumers rights to: 

  • Access: Review their personal data held by a controller. 
  • Correction: Amend inaccuracies in their data. 
  • Deletion: Request removal of their personal data. 
  • Data Portability: Obtain a copy of their data in a usable format. 
  • Opt-Out: Decline the processing of their data for targeted advertising or sales.

Controllers must establish mechanisms to facilitate these rights, including recognizing universal opt-out signals within six months of the act’s effective date.  

Special Considerations

  • Financial Information: Classified as sensitive data, requiring explicit consent for processing.
  • Minors Aged 13-17: Processing data of minors in this age group necessitates opt-in consent. 
  • Nonprofit Organizations: Unlike some state laws, the NJDPA includes nonprofit entities within its scope. 

Enforcement and Compliance 

The NJDPA empowers the Director of the Division of Consumer Affairs to issue additional rules and oversee enforcement. Businesses must ensure compliance to avoid potential penalties and legal actions. 

FAQs About the NJDPA 

In preparation for the New Jersey Data Privacy Law (NJDPL) taking effect on January 15, 2025, the Division of Consumer Affairs (DCA) issued 24 Frequently Asked Questions (FAQs) to offer clarity and guidance on meeting the law’s requirements. The FAQs serve as a valuable reference tool for individuals involved in privacy compliance within organizations covered by the NJDPL. 

  • What constitutes “sensitive data”? Sensitive data includes financial information, data concerning children, health-related data, and biometric identifiers. Businesses must obtain explicit consent to process this type of information. 
  • Are small businesses exempt from the NJDPA? Small businesses could still fall under the NJDPA if they meet the thresholds for processing consumer data. The absence of a revenue threshold makes it crucial for smaller entities to evaluate their data practices. 
  • How does the NJDPA handle data of minors? The NJDPA requires opt-in consent for processing personal data of minors aged 13–17, adding a layer of protection for younger consumers. 
  • What are the penalties for non-compliance? While the NJDPA outlines enforcement mechanisms, specific penalties will depend on the severity of non-compliance and may include fines, legal actions, or injunctions. 
  • Are there protections for businesses following reasonable data protection practices? Yes, the NJDPA provides certain safeguards for businesses that proactively adopt reasonable data protection measures, especially in cases of unavoidable data breaches. 

These FAQs serve as a guide for businesses to better interpret and prepare for the NJDPA’s implementation. 

Beginning NJDPA Compliance 

To align with the NJDPA, businesses should: 

  1. Assess Data Practices: Review current data collection, processing, and storage methods to identify areas needing adjustment. 
  2. Update Privacy Policies: Ensure transparency in data handling practices by revising privacy notices. 
  3. Implement Consent Mechanisms: Establish processes to obtain explicit consent for processing sensitive data and data of minors. 
  4. Enhance Data Security: Adopt robust security measures to protect personal data from breaches. 
  5. Train Employees: Educate staff on NJDPA requirements and best practices for data privacy. 
  6. Establish Consumer Rights Processes: Create systems to efficiently handle consumer requests regarding their data rights. 

Businesses operating in or targeting New Jersey must promptly evaluate and adjust their data practices to comply with the NJDPA. Proactive compliance not only avoids legal repercussions but also fosters consumer trust in an increasingly privacy-conscious market. For questions on how Truyo can help you in your NJDPA compliance efforts, reach out to hello@truyo.com or visit our Data Privacy Platform page to learn more.  


Author

Dan Clarke
President, Truyo
January 16, 2025
