New Jersey: The Date Protection Act – here’s what you need to know

The New Jersey Data Protection Act (NJDPA), effective January 15, 2025, imposes obligations on controllers and processors handling New Jersey residents’ personal data, with no revenue threshold for applicability. It covers all personal data, including sensitive data, and excludes data in commercial or employment contexts. Controllers must provide clear privacy notices, obtain opt-in consent for sensitive data, and allow universal opt-out mechanisms by July 15, 2025. The NJDPA is enforced by the New Jersey Attorney General, with violations constituting breaches of the New Jersey Consumer Fraud Act, potentially resulting in fines.