New Jersey enacted one of the strongest state privacy laws in the country with the New Jersey Data Privacy Act (NJDPA), signed into law on January 16, 2024, and effective as of January 15, 2025. Here's what every New Jersey resident needs to know about their data privacy rights.
What Is the New Jersey Data Privacy Act (NJDPA)?
The NJDPA (Senate Bill 332) is a comprehensive consumer data privacy law that gives New Jersey residents significant control over how companies collect, use, and sell their personal information. It's widely considered one of the most protective state privacy laws in the nation.
The law applies to businesses that:
- Conduct business in New Jersey or target products/services to New Jersey residents
- Control or process the personal data of at least 100,000 consumers, OR
- Control or process the personal data of at least 25,000 consumers and derive revenue from selling personal data
Your Rights Under the NJDPA
As a New Jersey resident, you have the following data privacy rights:
Right to Know
You can request confirmation of whether a company is processing your personal data and obtain a copy of that data in a readily usable format. Companies must respond to your request within 45 days.
Right to Correct
If a company holds inaccurate personal data about you, you have the right to request corrections.
Right to Delete
You can request that a company delete all personal data it has collected about you. The company must also notify any third parties to whom it has shared your data to delete it as well.
Right to Data Portability
You can request a copy of your personal data in a format that allows you to transfer it to another service provider.
Right to Opt Out
You can opt out of:
- Sale of personal data — Prevent companies from selling your information to third parties
- Targeted advertising — Stop companies from using your data to serve you personalized ads
- Profiling — Prevent companies from using automated decision-making that produces legal or similarly significant effects
Universal Opt-Out Mechanisms
The NJDPA requires businesses to recognize universal opt-out mechanisms like the Global Privacy Control (GPC) browser signal. This means you can set your browser to automatically send opt-out requests to every website you visit, and New Jersey law requires businesses to honor those signals.
What Makes the NJDPA Unique
Several features make New Jersey's privacy law stand out from other state laws:
15-Day Opt-Out Processing
Companies must process your opt-out requests within 15 days — significantly faster than most state privacy laws, which typically allow 45 days.
Financial Data Is Sensitive
The NJDPA classifies financial information as sensitive data, requiring companies to obtain your consent before processing it. Most other state laws don't include this protection.
No Nonprofit Exemption
Unlike many state privacy laws, the NJDPA does not exempt nonprofit organizations. This means nonprofits that handle New Jersey residents' data must comply with the same requirements as for-profit businesses.
Heightened Consent for Sensitive Data
Companies must obtain your explicit, opt-in consent before processing sensitive data, which includes:
- Racial or ethnic origin
- Religious beliefs
- Health information
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Financial information
- Precise geolocation data
- Personal data of known children under 13
Enforcement and Penalties
The NJDPA is enforced by the New Jersey Division of Consumer Affairs under the Attorney General's office. Key enforcement details:
- Until July 1, 2026, the Division will provide a cure period — if they identify a violation that can be fixed, they'll send a notice giving the company a chance to remedy it
- After July 1, 2026, the cure period is no longer guaranteed, and companies may face immediate enforcement action
- Violations are treated as unlawful practices under the New Jersey Consumer Fraud Act, which can result in significant fines
- The Division is expected to finalize proposed privacy rules by June 2, 2026
No Private Right of Action
Unlike some other consumer protection laws, the NJDPA does not allow individuals to sue companies directly for privacy violations. Only the Attorney General's office can bring enforcement actions. However, you can file complaints with the Division of Consumer Affairs to trigger investigations.
How to Exercise Your Privacy Rights
Here's how to put your NJDPA rights into action:
Step 1: Enable Global Privacy Control
Install the Global Privacy Control (GPC) signal in your browser. This automatically sends opt-out requests to every website you visit. Popular browsers like Firefox and Brave have GPC built in, and extensions are available for Chrome.
Step 2: Submit Data Deletion Requests
Identify companies that hold your personal data and submit deletion requests. Under the NJDPA, companies must respond within 45 days. Focus on:
- Data broker sites (Spokeo, Whitepages, BeenVerified, etc.)
- Marketing companies and advertisers
- Social media platforms
- Retailers and e-commerce sites
Step 3: Opt Out of Data Sales
Look for "Do Not Sell My Personal Information" links on websites you use. Under the NJDPA, companies must provide a clear and conspicuous opt-out mechanism.
Step 4: File Complaints
If a company refuses to honor your privacy rights, file a complaint with the New Jersey Division of Consumer Affairs at njconsumeraffairs.gov.
How PrivacyOn Helps New Jersey Residents
Exercising your NJDPA rights across hundreds of companies is time-consuming. PrivacyOn automates the process by submitting removal requests to 100+ data broker sites on your behalf and continuously monitoring for new listings. With 24/7 monitoring, dark web scanning, and family plans covering up to 5 people starting at just $8.33/month, PrivacyOn makes it easy to exercise your rights under New Jersey law — and every other state privacy law — without the hassle of doing it yourself.