New Jersey's Data Privacy Act

What Is “Personal Data”?

Personal data is “any information that is linked or reasonably linkable to an identified or identifiable individual.” Deidentified data or publicly available information is excluded from this definition.

Personal data is more than just names and email addresses, though, and can cover anything from IP addresses to internet cookies to shopping habits.

Are Data Protection Assessments Required?

The New Jersey law requires organizations to perform data protection assessments for certain types of processing activities that present a “heightened risk of harm” to consumers. This includes:

• Targeted advertising
• Sale of personal data
• Profiling of consumers, where it presents a foreseeable risk of harm
• Processing of sensitive personal data
• Any other processing activity that presents a heightened risk of harm to consumers

How Much Do Violations Cost?

The statute does not provide a specific penalty for violations, but states that a violation shall be considered an unlawful practice under New Jersey’s consumer protection laws. The penalty for violating these laws is up to $10,000 for the first offense, and up to $20,000 for each subsequent offense.

Initially, the Attorney General's Office must give businesses 30 days to cure any alleged violations. This mandatory cure-period provision sunsets after 18 months.

Can Businesses Be Sued by Consumers?

The NJDPA does not grant a private right of action to consumers, meaning they cannot sue an organization over alleged violations. Only the New Jersey Attorney General’s Office has authority to enforce the law.