New Jersey’s Consumer Privacy Act Takes Effect January 15, 2025
As the data privacy landscape continues to evolve, businesses must stay ahead of the curve to ensure compliance with the growing patchwork of state-level privacy laws. New Jersey’s Data Privacy Act (“NJDPA”), will go into effect on January 15, 2025. This law introduces several critical requirements for businesses operating in New Jersey, and it’s important for organizations to understand how it will impact their operations. The NJDPA mirrors privacy laws in other states, but it also brings unique provisions that businesses will need to navigate. While it largely follows the common framework seen in laws like California’s CCPA or Colorado’s Privacy Act, it introduces some notable differences.
Applicability.
The NJDPA applies to businesses, or "Controllers," that process or control personal data of at least 100,000 New Jersey residents per year, or 25,000 residents if the company derives revenue from the sale of personal data. It’s important to note that this law extends to nonprofit organizations as well, which sets it apart from other state laws that typically exempt nonprofits. The law also covers personal data processed for purposes beyond employment and commercial contexts, so businesses should carefully assess whether they fall within the scope of the law.
Privacy Notices.
One of the key requirements of the NJDPA is the implementation of a comprehensive privacy notice. Businesses must disclose several pieces of information, including the categories of personal data being processed, the purposes for processing, and the third parties with whom data may be shared. In addition, businesses must outline how consumers can exercise their rights, which includes the ability to opt out of targeted advertising and the sale of their personal data.
A unique aspect of the NJDPA is the requirement for businesses to notify consumers about material changes to their privacy policies. This disclosure must be clear and accessible, ensuring that consumers are informed about any updates to how their personal data is processed. Additionally, businesses must provide an easy-to-reach contact method, such as an active email address, to allow consumers to reach out with questions or concerns about their data.
Sensitive Data.
Another significant feature of the NJDPA is its focus on sensitive data. The law defines sensitive data more broadly than other privacy laws and mandates that businesses obtain explicit consent from consumers (or parents in the case of children under 13) before processing or collecting this type of data. This requirement emphasizes the importance of ensuring that consent mechanisms are in place and clearly communicated to consumers.
Data Protection Assessments.
Moreover, the NJDPA introduces the need for data protection assessments. Businesses will be required to assess certain data processing activities to evaluate their potential risks, particularly when processing sensitive data or engaging in targeted advertising. This proactive approach is designed to help businesses identify and mitigate risks before they arise.
Opt-Out Mechanisms.
The NJDPA also aligns with the growing trend of universal opt-out mechanisms. Starting six months after the law’s effective date, businesses will need to recognize and comply with user-selected opt-out signals for targeted advertising and the sale of personal data. This means businesses will need to ensure their systems are capable of processing and respecting opt-out preferences communicated through these universal mechanisms.
Enforcement and Compliance.
As with other state-level privacy laws, enforcement of the NJDPA will be carried out by the New Jersey Attorney General’s office. While there is no private right of action for consumers, businesses that fail to comply with the law could face significant fines, up to $10,000 per violation. The good news is that businesses will have a 30-day cure period following a notice of non-compliance, allowing them time to address issues before penalties are imposed.
Compliance Recommendation.
With the NJDPA this month, now is the time for businesses to finalize their data privacy practices and making the final necessary adjustments to meet the law’s requirements. Companies should:
-
Ensure Privacy Policies are Updated. Ensure your privacy notice reflects the categories of data collected, the purposes for processing, and how consumers can exercise their rights, including opt-out options for data sales and targeted advertising.
-
Confirm Consent Mechanisms are Working. Ensure you have clear, easy-to-use methods for obtaining consent for sensitive data processing, particularly when dealing with children’s data.
-
Data Protection Assessments. Conduct a thorough review of your data processing activities to assess risks, particularly those related to targeted advertising or sensitive data.
-
Universal Opt-Out Mechanisms. Ensure your systems can handle and respect user-selected opt-out signals, particularly for targeted advertising and the sale of personal data.
-
Communication Protocols. Be ready to notify consumers of any material changes to your privacy policies and ensure there’s an active mechanism for them to reach you.
As the January 15, 2025, deadline approaches, it’s important for businesses to understand the nuances of the NJDPA and ensure they’re fully prepared for the compliance obligations it imposes. Taking the time to assess your privacy practices now can help you avoid penalties and position your company as a leader in consumer trust and data protection.
© 2025 Cliclaw.com
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.