The Impact of the New Jersey Data Privacy Act on Your Business

September 10, 2025

The New Jersey Data Privacy Act (the “Act”), which went into effect on January 15, 2025, is intended to give New Jersey residents greater control over their personal data.  At the same time, however, it imposes substantial obligations and potential penalties on many New Jersey businesses.  This article focuses on the impact on businesses that collect personal data from consumers.

The primary goal of the Act is to protect personal data of New Jersey consumers by granting them the following rights with respect to their personal data in the hands of a business (referred to as a “controller” by the Act):

  1. The right to access their data
  2. The right to correct inaccuracies
  3. The right to have the data deleted
  4. The right to receive a copy of the data in a reusable format
  5. The right to opt out, including by means of a user-selected universal opt-out mechanism if data is being used for targeted advertising

Under the Act, any entity that determines the purpose and means of processing personal data is a “controller.”  Therefore, any business (with limited exceptions) that collects and uses personal data of New Jersey consumers is a controller.  If the business “processes” the “personal data” of at least 100,000 consumers during the prior calendar year, or of 25,000 consumers in the prior calendar year and derives any revenue from the sale of that data, it is bound by the obligations imposed by the Act.  As these terms (“processes” and “personal data”) are broadly defined by the law, the Act is anticipated to impact numerous businesses in the state, most likely businesses that maintain a mailing list of customers.

The Act defines “personal data” as information that is “linked or reasonably linkable to an identified or identifiable person.”  This would exclude de-identified data or publicly available information.  Personal data includes email addresses, birthdays, full names and addresses.

“Process” means “an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data . . .” (emphasis added)

The definition of “process” in the Act includes not only collection, but storage of data as well.  So, if a business maintains a database or list of customer information, then when counting the number of consumers in any calendar year the business must include all customers on that list, not only those added in the prior year.  This cumulative formula makes it likely that even a small business will exceed the 100,000 consumer threshold.  Unless information is deleted regularly, once a customer’s information is collected by the business, that customer will always be counted toward the threshold.

If the threshold is met, and the Act applies, the business is required to provide a clear and accessible privacy notice to consumers which includes, at a minimum, the following:

  • Categories of personal data processed
  • Purpose for which it is processing the personal data
  • Categories of all third parties to which the personal data may be disclosed
  • Categories of personal data that are shared with third parties
  • How consumers exercise their consumer rights, including contact information for the entity and how the consumer may appeal a decision by the entity regarding a consumer request
  • Process by which the entity will notify the consumer of changes to this notice
  • Email address or other online means of contacting the entity

In addition to providing a privacy notice, the business must:

  • Limit the collection of personal data to that which is necessary
  • Only process personal data that is necessary
  • Maintain security of the personal data
  • Not process sensitive data without obtaining consent
  • Provide a mechanism for the consumer to revoke consent
  • Not process personal data of a minor without consent
  • Conduct data protection assessments for high-risk processing such as handling sensitive data, profiling, or personal data sales

Failure to comply with the Act could lead to fines of up to $10,000 for initial violations, and up to $20,000 for repeated violations.  However, until July 15, 2026, any violators will be granted a 30-day notice and cure period prior to any enforcement action.  With this grace period ending in less than a year, now is the time for businesses to establish privacy notices and policies that comply with the new law.  If you have any questions about whether your business is subject to the Act, or what steps are required for compliance, Beattie Padovano is here to assist in ensuring compliance with the New Jersey Data Privacy Act in the following ways:

  • Advise whether a business is subject to compliance with the Act.
  • Assist with updating Privacy Notices.
  • Advise if the mechanism to permit consumer exercise of rights complies with the Act.
  • Advise if opt-in or data risk assessment is needed given the nature of data collected.
  • Advise whether a business constitutes a processor under the Act and offer guidance on enhanced obligations.