-
What is the New Jersey Data Privacy Law?
The New Jersey Data Privacy Law, P.L. 2023, c. 266 ("NJDPL"), guarantees New Jersey consumers certain rights with regard to their personal data and imposes requirements on the individuals and businesses that process that data (which are called "controllers").
-
When does the NJDPL take effect?
January 15, 2025.
-
What is "personal data"?
Personal data is any information that is not publicly available and can be used to identify a specific individual. Some examples of personal data may include a home address, a driver's license number or state identification number, passport information, a financial account number, login credentials, and browsing history.
-
What rights does the NJDPL protect?
The NJDPL protects the right of New Jersey consumers to:
- Confirm whether a controller processes their data;
- Correct inaccuracies in their personal data;
- Delete their personal data;
- Say "no" to (opt out of) a controller selling their personal data or using their personal data for targeted advertising and some types of profiling (for example, profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy).
-
Who is a consumer under the NJDPL?
A consumer is a New Jersey resident acting in an individual or household context (as opposed to an employment or commercial context). For example, a New Jersey resident who has their personal data collected by a retailer while making a purchase for their household is protected under the NJDPL. A New Jersey resident who has their personal data collected by a potential employer while applying for a job is not protected under the NJDPL.
-
What does it mean to "process" personal data?
Processing refers to actions a controller may take with respect to personal data, including collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
-
What is a "controller"?
A controller is any individual or entity that decides how and why consumers' personal data is processed. For example, retailers can be controllers if they collect consumer information when customers make purchases and then decide how that information will be used.
-
How can consumers opt out of the processing of personal data?
To say "no" to (opt out of) the processing of personal data, consumers may use any of the methods identified in a controller's privacy notice. The controller's privacy notice must clearly state how consumers may exercise their rights.
In addition, by July 15, 2025, controllers must honor opt-out signals sent by consumers through "universal opt-out mechanisms." Universal opt-out mechanisms, such as Global Privacy Control, are designed to allow consumers to automatically opt out of data processing across different websites, platforms, or devices.
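As an added example (not from the Division's FAQ or any controller's code), this shows how a website operator can detect and honor a Global Privacy Control signal, which browsers send as the HTTP request header Sec-GPC: 1; the function names and sample requests are constructed for illustration.

```javascript
// Added example: honouring a Global Privacy Control (GPC) opt-out signal server-side.
// GPC is transmitted as the HTTP request header "Sec-GPC: 1" (browsers also expose it
// client-side as navigator.globalPrivacyControl). Function names and the sample
// requests below are constructed for illustration and are not from the FAQ.

// Return true when the request carries a valid GPC opt-out signal.
// The only defined value is "1"; any other value is not treated as an opt-out.
function hasGpcOptOut(headers) {
  // Node.js lowercases incoming header names; accept the canonical spelling too.
  const value = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof value === 'string' && value.trim() === '1';
}

// Decide which processing purposes remain permitted for this request.
// An opt-out signal switches off sale of personal data and targeted advertising.
// Processing the consumer asked for (e.g. fulfilling an order) is not an opt-out
// purpose, so it stays allowed regardless of the signal.
function processingDecision(headers) {
  const optedOut = hasGpcOptOut(headers);
  return {
    optedOut,
    allowSale: !optedOut,
    allowTargetedAds: !optedOut,
    allowServiceDelivery: true,
  };
}

// Constructed sample requests as a Node.js server would see them.
const sampleRequests = {
  withGpc: { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' },
  withoutGpc: { 'user-agent': 'ExampleBrowser/1.0' },
  malformed: { 'sec-gpc': 'yes', 'user-agent': 'ExampleBrowser/1.0' },
};

// Walk the samples so the decision for each case is visible when run directly.
for (const [name, headers] of Object.entries(sampleRequests)) {
  console.log(name, processingDecision(headers));
}
```

A controller should record the decision alongside the request (for example in its access logs) so that honoring of the signal can be demonstrated later.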
-
Can consumers have someone else opt out for them?
Yes, a consumer can use an "authorized agent" to opt out of the processing of personal data. An opt-out request must be granted if the controller can verify the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.
-
Who is required to comply with the NJDPL?
Any controller that:
- Does business in New Jersey or produces products or services targeted to New Jersey residents; and
- During a calendar year either (a) controls or processes the personal data of at least 100,000 consumers, or (b) controls or processes the personal data of at least 25,000 consumers and makes money from the sale of personal data.
Processors (see questions 19-20 below) are also required to comply with the NJDPL.
-
Are certain types of personal data excluded from the NJDPL?
Yes. Health information protected by the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"); certain data sold by the New Jersey Motor Vehicle Commission in accordance with federal law; data that can be processed under the federal Fair Credit Reporting Act; data collected by state agencies; personal data processed as part of research that complies with federal law; and data collected by certain financial and insurance institutions are all excluded from the NJDPL.
-
Are non-profits and small businesses excluded from the NJDPL?
No. Non-profits and small businesses are required to comply with the NJDPL if they meet the thresholds identified in question 10 above or if they act as processors.
-
What is a "data protection assessment"?
A data protection assessment considers the risks and benefits of the processing activity, the reasonable expectations of the consumer, and the potential use of de-identified data.
-
What is "de-identified data"?
De-identified data is data that cannot be linked to or used to infer information about a specific individual or a device linked to that individual. Data is considered to be de-identified only if the controller takes steps to ensure that the data cannot be linked to the consumer.
-
When does processing present a "heightened risk of harm"?
Processing presents a heightened risk of harm to the consumer when:
- There is a risk of unfair treatment, illegal discrimination, or financial or physical injury;
- The controller sells personal data; or
- The controller processes sensitive data.
-
What is "sensitive data"?
Sensitive data is a subset of personal data that reveals a consumer's racial or ethnic origin; religious beliefs; health condition; financial information; sexual activity or sexual orientation; immigration or citizenship status; status as transgender or non-binary; genetic or biometric data; or precise geolocation data. It also includes personal data collected from a known child.
-
What steps must controllers take to protect sensitive data?
The controller must get the consumer's consent before processing the consumer's sensitive data. A controller must also complete a data protection assessment when it processes sensitive data.
-
Are there special protections for children and minors?
Yes. Federal law regulates the online privacy of children under the age of 13. In New Jersey, when a controller knows or should know that a consumer is between the ages of 13 and 16, the controller must get the consumer's consent before processing the consumer's personal data.
-
What is a "processor"?
A processor is an individual or entity that processes personal data on behalf of the controller. A processor is different from a controller because it does not have decision-making authority over personal data. A processor can only process personal data at the request and under the direction of a controller. For example, a cloud services provider might act as a processor by storing personal data collected by a controller, as directed by that controller.
-
What steps must a processor take to protect consumers' personal data?
Among other requirements, a processor must:
- Follow the controller's instructions;
- Help the controller meet its obligations under the NJDPL;
- Keep personal data confidential;
- Enter into a contract with the controller that contains processing instructions; identifies the data that will be processed and for how long it will be processed; and requires the processor to return or delete the personal data once processing is complete.
-
Who can enforce the NJDPL?
The Office of the Attorney General enforces the NJDPL. Consumers cannot file lawsuits on their own behalf. However, consumers are encouraged to bring suspected violations of the NJDPL to the attention of the Division of Consumer Affairs ("Division") by filing a complaint here:
https://njconsumeraffairs.nj.gov/file-a-complaint/.
-
What happens if a controller violates the NJDPL?
The Attorney General may go to court to stop violations of the NJDPL; seek compensation for victims; and require the violator to pay up to $10,000 for an initial offense and $20,000 for later offenses.
-
Will enforcement begin immediately when the NJDPL becomes effective?
Businesses and other entities that are controllers of personal data are expected to comply with the NJDPL when the law becomes effective. However, until July 1, 2026, if the Division identifies a potential violation that the controller can remedy, the Division will send a notice to the controller to give them the chance to fix the problem. If the controller does not fix the problem within 30 days, the Division can proceed with an enforcement action.
-
Does the Division intend to adopt regulations?
Yes. Regulations will be forthcoming in 2025. In the meantime, controllers and processors are required to comply with the NJDPL starting on January 15, 2025.