New Jersey Privacy Law (NJDPA) Compliance Guide for Small Businesses
New Jersey's NJDPA took effect January 15, 2025. It applies to businesses processing the data of 100,000+ NJ consumers annually, with no revenue threshold.
The New Jersey Data Privacy Act (NJDPA) took effect January 15, 2025, and applies to any business processing the personal data of 100,000 or more New Jersey consumers in a calendar year — with no annual revenue threshold. A secondary trigger captures businesses processing data of 25,000 or more New Jersey consumers and deriving 50% or more of revenue from data sales. The New Jersey Attorney General is the sole enforcement authority. New Jersey is the most populous state in the Northeast and the 11th most populous in the country, which means national e-commerce stores frequently reach the 100,000 consumer threshold for NJDPA without realizing it. NJDPA also includes universal opt-out signal requirements similar to California, Colorado, and Connecticut.
Does NJDPA Apply to My Business?
NJDPA applies to any controller that conducts business in New Jersey or produces products or services targeted to New Jersey residents AND meets one of two thresholds:
- Controls or processes personal data of 100,000 or more New Jersey consumers during a calendar year (excluding personal data processed solely to complete a payment transaction), OR
- Controls or processes personal data of 25,000 or more New Jersey consumers AND derives revenue or receives a discount from the sale of personal data.
The threshold logic is OR, with no revenue floor under either path. NJDPA's secondary path is broader than most other state laws because it does not require a specific revenue percentage — any revenue or discount from data sales counts, mirroring Colorado.
| Threshold | New Jersey NJDPA | CCPA/CPRA | Texas TDPSA |
|---|---|---|---|
| Revenue | None | $25M+ | None |
| Consumer count | 100,000 | 100,000 | 100,000 |
| Data sale alternative | 25K + any revenue | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |
New Jersey accounts for roughly 2.7% of the US population. A national e-commerce store with approximately 3.7 million annual unique US visitors would, on a population basis, reach 100,000 New Jersey consumers. Stores with strong Northeast distribution can reach the threshold at lower volumes — and the New Jersey-New York-Pennsylvania metro corridor is one of the densest e-commerce markets in the country.
What Does NJDPA Require?
NJDPA grants New Jersey consumers a comprehensive set of state privacy law rights and includes universal opt-out signal requirements.
Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests.
Disclosures you must publish. Privacy notice covering categories of personal data processed, purposes, third-party sharing, rights, and appeals process. NJDPA also requires disclosure of any algorithmic processing that affects consumers.
Operational practices you must implement. Conduct data protection assessments for high-risk processing. Obtain affirmative opt-in consent before processing sensitive personal data. Honor universal opt-out signals including GPC. Establish reasonable security practices.
How NJDPA Affects Small Businesses
New Jersey is the most populous state on the East Coast and one of the largest e-commerce markets in the country. Combined with a 100,000 consumer threshold and no revenue floor, NJDPA catches a substantial number of nationally distributed Shopify merchants and direct-to-consumer brands. The Northeast metro corridor concentration means stores with strong Mid-Atlantic distribution can reach the threshold at lower total US volumes than other state laws would suggest.
The GPC handling requirement is the operational issue most likely to surface in compliance gaps. If you have already implemented GPC for California, Colorado, Connecticut, or other GPC-mandate states, that work covers New Jersey automatically. If you have not, you need to.
The 25,000-consumer-plus-any-data-sale-revenue secondary path is also broader than most state laws. Businesses with ad tech monetization, affiliate revenue, or analytics partnerships that meet the legal definition of "sale of personal data" can be in scope under NJDPA at very low absolute consumer counts.
Key Differences from Other State Privacy Laws
NJDPA stands out on two dimensions:
Broad secondary threshold. The 25,000 + any data sale revenue path mirrors Colorado but is broader than the 50% used by Texas, Virginia, and most other states. This catches more businesses with ad tech ecosystems.
Universal opt-out signal mandate. Like California, Colorado, Connecticut, Delaware, Maryland, Montana, and New Hampshire, NJDPA requires honoring GPC.
Compared to California CCPA/CPRA, NJDPA is similar in requiring GPC handling but has no private right of action and no dedicated enforcement agency.
Compared to Virginia VCDPA, NJDPA's secondary threshold is broader (any data sale revenue vs Virginia's 50%) and NJDPA requires honoring GPC.
Compared to Connecticut CTDPA, NJDPA's primary threshold is higher (100K vs 35K), but NJDPA's secondary is broader.
How to Comply with NJDPA
If NJDPA applies to your business, the following steps establish baseline compliance.
- Confirm scope. Calculate annual New Jersey consumer count from analytics and customer records. Check whether you derive any revenue or discount from arrangements that meet the broad "sale of personal data" definition with at least 25,000 New Jersey consumers.
- Implement automatic GPC signal handling. Detect Global Privacy Control browser headers and apply opt-out preferences automatically. If already implemented for other states, this work covers New Jersey too.
- Update your privacy notice with categories, purposes, third-party sharing, rights, appeals process, and information about any algorithmic processing.
- Add explicit opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
- Build a consumer rights request workflow with the 45-day response deadline tracked.
- Build a denial appeals process with timely written response.
- Implement opt-in consent for sensitive data.
- Conduct data protection assessments for high-risk processing activities including any algorithmic processing.
- Document reasonable security practices appropriate to data volume.
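For the GPC step in the list above, a server-side sketch of detecting the signal and gating third-party tags on it. This is an added example, not code from the original guide. `Sec-GPC: 1` is the request header defined by the Global Privacy Control specification; the preference shape, the tag list, and the function names are hypothetical, and treating the signal as an opt-out of sale and targeted advertising that overrides stored preferences is an assumption.

```javascript
'use strict';

// True only when the request carries "Sec-GPC: 1". Any other value is not a
// valid signal. Header names are matched case-insensitively, and array
// values (as some frameworks deliver repeated headers) are accepted.
function gpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === '1');
  }
  return false;
}

// Assumed preference shape: true means the processing purpose is allowed.
// The signal can only remove permissions, never grant them.
function effectivePrefs(headers, stored) {
  const prefs = { sale: true, targetedAds: true, analytics: true, ...stored };
  const gpc = gpcSignal(headers);
  if (gpc) {
    prefs.sale = false;
    prefs.targetedAds = false;
  }
  return { ...prefs, source: gpc ? 'gpc' : 'stored' };
}

// Constructed tag inventory: each third-party tag is mapped to the purpose
// it serves, so the opt-out is enforced where tags are emitted.
const TAGS = [
  { id: 'ad-pixel', purpose: 'targetedAds' },
  { id: 'data-broker-sync', purpose: 'sale' },
  { id: 'first-party-analytics', purpose: 'analytics' },
];

function tagsToLoad(headers, stored) {
  const prefs = effectivePrefs(headers, stored);
  return TAGS.filter((t) => prefs[t.purpose]).map((t) => t.id);
}

// Pages whose markup depends on the signal must not be served from a shared
// cache to visitors with a different signal, hence Vary: Sec-GPC.
function renderDecision(headers, stored) {
  return {
    tags: tagsToLoad(headers, stored),
    responseHeaders: { Vary: 'Sec-GPC' },
    prefsSource: effectivePrefs(headers, stored).source,
  };
}
```

Logging `prefsSource` alongside each decision gives a record showing that the signal was received and applied.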
NJDPA Enforcement and Penalties
The New Jersey Attorney General has exclusive enforcement authority for NJDPA. There is no private right of action — New Jersey consumers cannot sue businesses directly. The AG may seek civil penalties under New Jersey's Consumer Fraud Act, with penalties of up to $10,000 for the first violation and $20,000 for each subsequent violation.
NJDPA includes a 30-day cure period before formal enforcement during the first 18 months after the law's effective date (until July 15, 2026), after which the cure period becomes discretionary. The New Jersey AG has historically been one of the more active state AG offices in consumer protection enforcement.
Frequently Asked Questions
When did New Jersey's privacy law take effect?
New Jersey's Data Privacy Act (NJDPA) took effect January 15, 2025, with no revenue threshold and a 100,000 consumer threshold.
Does NJDPA have a revenue threshold?
No. NJDPA applies based on consumer data volume only: 100,000 or more New Jersey consumers annually, or 25,000 or more consumers if you derive any revenue or discount from selling personal data. There is no annual revenue minimum.
Does NJDPA require honoring universal opt-out signals?
Yes. NJDPA requires covered businesses to honor universal opt-out mechanisms, including the Global Privacy Control browser signal. Your website must detect the GPC header and apply opt-out preferences automatically.
What are the penalties for NJDPA violations?
The New Jersey AG can seek civil penalties of up to $10,000 for the first violation and $20,000 for each subsequent violation under the Consumer Fraud Act. There is no private right of action. A 30-day cure period applies during the first 18 months after the effective date.
Is NJDPA strict compared to other state privacy laws?
NJDPA is moderately strict. The 100,000 primary threshold is standard, but the secondary threshold (25,000 + any data sale revenue) is among the broadest, and the GPC handling requirement adds technical complexity. New Jersey is also a populous state, so absolute scope is high.
Does NJDPA apply if my business is not based in New Jersey?
Yes. NJDPA applies based on where your consumers are located, not where your business is incorporated. If you process data from 100,000 or more New Jersey consumers annually — or 25,000 with any data sale revenue — NJDPA applies regardless of your business location.
This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.