State Privacy Laws: New Jersey
New Jersey Data Protection Act (NJDPA)
Overview
New Jersey was the thirteenth state to adopt comprehensive data privacy legislation. The New Jersey Data Protection Act protects personal data and gives New Jersey residents control over how their data is used.
Key Dates
- Signed into law: January 16, 2024
- Effective date: January 15, 2025
Thresholds
The NJDPA applies to controllers hat conduct business in the state or produce products or services targeted to residents that meet either of two thresholds in a calendar year:
- Control or process the personal data of at least 100,000 consumers (NJ residents), excluding personal data processed solely for the purpose of completing a payment transaction
- Control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Consumer Rights
- The right to confirm whether a controller accesses and processes their personal data.
- The right to correct inaccuracies in their personal data.
- The right to delete their personal data.
- The right to obtain a copy of their personal data held by the controller in a readily usable format (i.e., data portability).
- The right to opt out of processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling. Consumers may also designate an authorized agent to exercise their right to opt out on their behalf.
Sensitive Data
Sensitive data is defined as personal data revealing
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or treatment
- Sex life or sexual orientation
- Financial information, including account access details
- Citizenship or immigration status
- Transgender or non-binary status
- Genetic or biometric data that could identify an individual
- Data collected from a known child
- Geolocation data
Penalties
No monetary penalties are defined in the Act, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.
Configure Your Consent Banner for NJDPA
Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. NJDPA in New Jersey). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like NJDPA in New Jersey).
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Implied
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Enabled
- Enable Do Not Sell Consent: Enabled
- Enable Global Privacy Control: Enabled
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.
Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.
