New call-to-action

Understanding the NJDPA – New Jersey’s data privacy law in detail

11-12-2024 | 7 min read | Business to Government compliance, GDPR Compliance, GDPR Compliance

Author: Priyasha Purkayastha, Global Content Manager, TJC Group 

Compared with other countries, the USA takes a unique stance when it comes to data privacy. Its vastness as a continent means that some states have created their own local laws to protect consumers. In this blog, we explore the data protection law of one of the most sought-after states of the United States: New Jersey. Read on to learn more! 

Table of contents

Introduction 

As of today, 14 US states have their own data privacy regulations. This includes New Jersey, which unveiled its own legislation, the New Jersey Data Protection Act (New Jersey Data Privacy Act or NJDPA), on 16th January 2024. This was in response to a flurry of announcements made by eight other US states in 2023, which passed their own privacy laws. 

New Jersey’s legislation will become fully effective on 15th January 2025, and it is important for companies to be aware of their obligations, whether directly or indirectly affected by it. This article explains the key provisions of the NJDPA and highlights how it differs from other data privacy laws. Read on to know more! 

What is the scope of the New Jersey Data Privacy Act (NJDPA)? 

Organisations that meet any of the two following conditions must adhere to the regulations of the NJDPA: 

  • Any organisation that conducts business in the state of New Jersey 
  • Organisations that produce products or services targeted to New Jersey residents that meet either of two thresholds in any calendar year: 
  • Controls or processes personal data of at least 100,000 consumers and New Jersey residents, excluding personal data processed solely for the purpose of completing a payment transaction 
  • Controls or processes personal data of at least 25,000 consumers and derives revenue or receives a discount on the price of any goods or services from the sale of personal data 
Read our latest blog on the California Consumer Privacy Act 2020

Four interesting aspects of the NJDPA 

There are some interesting points to note about this data privacy law, namely,  

  • Small businesses that operate as brick-and-mortar stores and that do not otherwise collect personal information are exempt from complying with the regulation. 
  • The revenue-deriving threshold of this law is very broad and applies to any business that generates revenues from selling personal data or that receives a discount on the price of goods or services.  In other US states, their data protection laws include a minimum revenue-deriving threshold for their compliance regulations to apply.  
  • The NJPDA exempts government agencies and information, or data covered by other laws like the federal Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA).  It also excludes personal information collected from residents in the context of employment or business-to-business transactions. 
  • Another important aspect of the NJPDA is that it applies to non-profits that meet the conditional thresholds, whereas many other states do not treat “not-for-profit” organisations in the same way as commercial entities.
Gain insights into Quebec’s Loi 25 or Law 25 here!

Obligations for controllers and processors 

The NJDPA is similar to other data privacy regulations, including the GDPR, because it defines the various ‘actors’ involved with the various data handling activities as controllers and processors. For the unversed, a “controller”, alone or jointly with others, determines the purpose and means of processing personal data; on the other hand, a “processor” processes personal data on behalf of a controller. A company that collects data for marketing purposes would be a controller, and an agency that creates marketing campaigns acting on behalf of the controller would be a processor.  

Data controller obligations under NJDPA 

Most of the primary privacy responsibilities within NJDPA fall on controllers to adhere to.  According to this law, controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which discloses: 

  • Categories and intended purpose for the personal information collected 
  • Categories of any third parties that may be exposed to the consumer’s personal data 
  • Categories of the personal information shared with any third parties 
  • Any third-party collection of personal data from different online services 
  • Details of how consumers can request access to or correct their personal information 
  • The process consumers can follow to request access to their information 
  • The process is to be followed by a controller needing to notify consumers of any changes to the legislation. 

The NJDPA also stipulates limits and obligations on personal data processing activities followed by controllers. This includes the following mandates: 

  • Personal data collection and processing is minimal and limited to what is necessary or consented to by the consumer. 
  • A range of administrative, technical, and physical measures are implemented to protect the data 
  • Consumers have the right to revoke previously given consent to controllers 
  • Consumers also have the right to obtain a portable copy of personal data  
  • Consent must be obtained before any processing of sensitive data or data pertaining to a child, which includes targeted advertising, sales, or marketing profiling 
  • Responses to any requests to access data must be made within forty-five (45) days of receipt, with the chance to include a forty-five (45) day extension for complex or multiple requests.   

Classification of sensitive data under NJDPA 

The way sensitive data is defined according to NJDPA is quite extensive and includes: 

  • Racial, ethnic origin, religious beliefs, sexual orientation, identification as transgender/non-binary 
  • Health conditions with any treatment or diagnostic information 
  • Financial information, including account numbers, logins, credit or debit card numbers, customer codes or password data 
  • Citizenship or immigration status 
  • Genetic or biometric data  
  • Precise geographical location.  

Although the majority of US states classify all these information categories as sensitive and require consumers to opt in for any data processing activities, the inclusion of financial information is exclusive to the NJDPA. 

In fact, this law goes a step further because it requires controllers to perform an extra data protection assessment if their data processing activities may result in a risk or harm to the consumer.  

Understanding obligations for data processors 

According to the NJDPA, data processors must also meet strict obligations when they process personal data on behalf of controllers.  These include: 

  • Having a contract in place that specifies their individual obligations 
  • Controls in place to protect the controller that includes ensuring that any employees or sub-contractors working for a processor maintain client confidentiality. 

Some important aspects of New Jersey’s data privacy law 

Special considerations for children’s data 

Children’s data is governed by additional protection and must always be processed in line with the Children’s Online Privacy Protection Act (COPPA). This has an extra caveat: consent for any data collection or processing must be obtained from parents or guardians. 

Considerations for “de-identified” and “pseudonymous” data 

Just like other data privacy rules, there is a special consideration for “de-identified data” within the NJDPA. According to this law, data can only be treated as “de-identified” if it cannot be linked to an identifiable individual or a device linked to an individual.  This is another difference in the state rules because other regions do not extend their legal requirements to include devices. Controllers need protections in place to ensure that de-identified data remains de-identified, including contractual obligations and public commitments not to re-identify such data. 

Interestingly, the NJDPA doesn’t mention a definition of “pseudonymous” data that has been artificially anonymised. This means that unless the data also qualifies as being “de-identified”, the usual exemptions will not apply. 

Link to: https://www.tjc-group.com/resource/durr-group-sap-ilm-and-data-deletion-case-study/  

How will the NJDPA be enforced? 

The New Jersey Attorney General’s office will enforce the NJDPA. In addition, the Division of Consumer Affairs within the Department of Law and Public Safety has the responsibility for ensuring that businesses understand and can comply with its rules and regulations. 

Notably, the NJDPA contains a thirty (30) day’ cure provision’, which gives controllers the timeframe to rectify or correct any violations before an enforcement action can commence.  However, this provision will be effective until 1st July 2026, after which no further grace period will be available. Unlike other data privacy laws, no set penalty amounts have been defined in advance and will be judged individually by the enforcers. 

Final word 

  • Data privacy, whether in the EU, India, or the US, aims the same thing – protecting the confidentiality of consumers’ personal data.  
  • Under the NJDPA, the definition of sensitive data is comprehensive, including health information, financial information, data pertaining to racial and ethnic origins, religious beliefs, sexual orientation, citizenship or immigration status, and more.  
  • It is imperative that processors oblige to the rules of the New Jersey data protection laws when processing the data on behalf of the data controllers.  
  • Data processors must comply with any instructions that a controller gives, helping them to meet their legal obligations under the data privacy regulations.  
  • There must be controls in place that helps protect the controllers; this includes ensuring that employees or even sub-contractors working the data processor maintain and protect the confidentiality of clients.  
  • The New Jersey Data Privacy Act also has a special provision for children’s data. They are governed by and must always be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).  

TJC Group takes data privacy and protection extremely seriously and ensures user data is collected only if consented by the consumer. Additionally, we have strong policies in place that are on par with the GDPR to protect the confidentiality of our clients and consumers. 

Data privacy series 

We also educate our readers through our data privacy blogs. If you would like to learn more about international data privacy regulations, here’s the series for you. 

  • All about South Korea data protection law (PIPA): Everything you need to know (coming soon) 
  • Data protection laws in the Middle East (coming soon) 
Back to all Blogs
Business to Government compliance Careers Cybersecurity DART Data Management for S/4HANA Migration Decommissioning of Legacy Systems Enterprise Legacy System Application (ELSA) Events Fichier des Écritures Comptables (FEC) GDPR Compliance Global e-invoicing and e-reporting IT Trends SAF-T Compliance SAP BTP SAP Data Archiving SAP Data Management SAP Highlights SAP Information Lifecycle Management Sustainability Tax and Audit Readiness TJC Group Corporate
January 2025December 2024November 2024October 2024September 2024August 2024July 2024June 2024May 2024April 2024March 2024February 2024January 2024December 2023November 2023October 2023September 2023August 2023July 2023June 2023May 2023April 2023March 2023February 2023January 2023December 2022November 2022October 2022September 2022August 2022June 2022April 2022March 2022February 2022December 2021November 2021October 2021September 2021July 2021June 2021May 2021April 2021March 2021February 2021January 2021December 2020November 2020October 2020September 2020August 2020June 2020May 2020April 2020March 2020February 2020January 2020December 2019October 2019September 2019July 2019November 2018August 2018July 2018June 2018April 2018February 2018December 2017May 2017February 2016December 2015May 2015February 2014March 2013

Recent Articles

SAP data archiving: definitions, benefits, impact on system performance
SAP Data Archiving: Definition, benefits, impact on system performance

07/01/2025 |  

6 min read
Virginia's data privacy law
Data privacy law: Everything you need to know about Virginia’s CDPA 

12/12/2024 |  

5 min read

More Like This

Virginia's data privacy law

Data privacy law: Everything you need to know about Virginia’s CDPA 

12/12/2024 |  

5 min read
SAP DRC

Understanding the key benefits of SAP DRC for organisations

09/12/2024 |  

5 min read
California Data Privacy

Data privacy law: A-Z about the California Consumer Privacy Act, CCPA of 2020 

04/12/2024 |  

8 min read