← Back to Blog

New Jersey Data Privacy Act: Compliance Guide for Online Businesses

New Jersey's privacy law covers a large consumer base and requires GPC support. Here's what your online business needs to do.

2026-03-02

The New Jersey Data Privacy Act (NJDPA) took effect on January 15, 2025, making New Jersey one of the largest states by population (~9.3 million) to enact a comprehensive privacy law. Given New Jersey's size and proximity to major markets, many e-commerce businesses will find themselves in scope.

Who Does the NJDPA Apply To?

The NJDPA applies to businesses that conduct business in New Jersey or target New Jersey residents and meet either threshold:

  • Control or process personal data of at least 100,000 New Jersey consumers (excluding payment-only data), OR
  • Control or process personal data of at least 25,000 New Jersey consumers and derive revenue from selling personal data

There is no minimum revenue threshold. Given New Jersey's large population, many online retailers and service providers will meet the 100,000 consumer threshold.

Key Requirements

Universal Opt-Out

New Jersey requires businesses to honor universal opt-out mechanisms including Global Privacy Control (GPC) signals. Your website must detect browser-based opt-out signals and treat them as valid opt-out requests for data sale and targeted advertising.

Privacy Notice

Standard disclosure requirements: data categories, purposes, third parties, consumer rights, data sale practices.

Consumer Rights

New Jersey consumers can:

  • Access their personal data
  • Correct inaccurate data
  • Delete their personal data
  • Data portability — obtain a copy
  • Opt out of sale, targeted advertising, and profiling

Response deadline: 45 days, with a possible 45-day extension.

Sensitive Data

Opt-in consent required for sensitive data categories including racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric/genetic data, children's data, and precise geolocation. Also includes financial data beyond what's necessary for a transaction.

Data Protection Assessments

Required for targeted advertising, data sales, profiling, processing sensitive data, and any processing that presents a heightened risk of harm.

Enforcement

Enforced by the New Jersey Attorney General and the Division of Consumer Affairs. No private right of action. New Jersey includes a 30-day cure period for the first 18 months, after which the AG can enforce without offering a fix window.

Penalties fall under New Jersey's Consumer Fraud Act, which allows fines up to $10,000 per first offense and $20,000 per subsequent offense.

NJDPA Compliance Checklist

  • Privacy policy with required disclosures
  • GPC support — honor universal opt-out signals
  • Cookie consent banner with opt-out
  • Consumer request process — 45-day window
  • Sensitive data consent — opt-in (note: financial data included)
  • Data protection assessments for high-risk processing

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including New Jersey's NJDPA. It checks GPC support, trackers, cookies, and privacy policy completeness.

Scan your site free — no signup required.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free