New Jersey’s comprehensive data privacy law — the New Jersey Data Privacy Law (NJDPL) — took effect on January 15, 2026. If your business collects, processes, or stores personal data from New Jersey residents, this law applies to you. And unlike some state privacy laws with narrow applicability, the NJDPL casts a wide net.
Here’s what NJ businesses need to understand and the concrete steps you should be taking right now.
Who Does the NJDPL Apply To?
The law applies to businesses that conduct business in New Jersey or produce products or services targeted to NJ residents, AND during a calendar year either control or process the personal data of at least 100,000 NJ consumers, or control or process the personal data of at least 25,000 NJ consumers and derive revenue from the sale of personal data.
That second threshold is lower than many other state privacy laws. If you’re a professional services firm, medical practice, law firm, or financial advisor in NJ with a meaningful client base, you’re very likely covered.
What Rights Do Consumers Have?
The NJDPL gives NJ residents a suite of rights over their personal data. Consumers can request to know what personal data you’ve collected about them, request deletion of their personal data, request correction of inaccurate data, opt out of the sale of their data, targeted advertising, or profiling, and obtain a copy of their data in a portable format.
Your business must be able to respond to these requests within 45 days. That means you need processes, systems, and trained staff to handle these requests — not just a policy document gathering dust.
What Counts as “Personal Data”?
The definition is broad: any information that is linked or reasonably linkable to an identified or identifiable person. This includes the obvious (names, emails, phone numbers, Social Security numbers) and the less obvious (IP addresses, device identifiers, geolocation data, browsing history, and inferences drawn from any of these).
The law also creates a category of “sensitive data” — including racial or ethnic origin, religious beliefs, health data, biometric data, precise geolocation, and data from known children — that requires explicit opt-in consent before processing.
What Your Business Needs to Do Now
Conduct a data inventory. You can’t comply with a privacy law if you don’t know what data you collect, where it lives, who has access, and how long you keep it. Map out every system that touches personal data — your CRM, email marketing platform, website analytics, client management software, and even your phone system.
Update your privacy policy. Your website privacy policy needs to disclose the categories of personal data you collect, the purposes for processing, the categories of third parties you share data with, how consumers can exercise their rights, and your data retention practices. Generic template policies won’t cut it — the disclosures need to be specific to your actual practices.
Build a consumer rights request process. When someone emails asking “what data do you have on me?” — you need a documented, repeatable process to verify their identity, search your systems, compile the data, and respond within 45 days. Designate someone as responsible for handling these requests.
Review your vendor agreements. If you share personal data with vendors (cloud providers, marketing platforms, payment processors), your contracts need to include data processing agreements that comply with the NJDPL. Many vendors have already updated their terms — check whether yours have.
Implement reasonable security. The NJDPL requires “reasonable” data security measures. While the law doesn’t prescribe specific controls, standard practice includes encryption, access controls, regular security assessments, employee training, and incident response planning. This is where your IT provider plays a critical role.
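The data inventory and the consumer rights request process above are the two steps most firms end up building tooling for. The following is an added illustration, not code from this article or from Iron Core, of how a minimal request tracker ties them together: intake, an identity-verification gate before any data is released, deadline tracking against the 45-day response window named above, and a lookup of which inventoried systems hold a given consumer’s data. The systems, records, request types and status names are constructed for the example; a real deployment would query each system live rather than an embedded dictionary.

```python
"""Minimal consumer rights request tracker (constructed example).

Models: a data inventory of systems holding personal data, request intake,
an identity-verification gate, the 45-day response deadline, and compiling
an access report from every system that holds the consumer's data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DEADLINE_DAYS = 45  # response window cited in the article
VALID_REQUEST_TYPES = {"access", "delete", "correct", "opt_out", "portability"}
# "Sensitive data" categories named in the article; flagged in reports
SENSITIVE_CATEGORIES = {"health", "biometric", "precise_geolocation",
                        "racial_or_ethnic_origin", "religious_beliefs"}

# Constructed inventory: system -> {consumer email -> {data category: value}}.
# Embedded here so the example runs offline; in practice each system is queried.
DATA_INVENTORY = {
    "crm": {
        "jane@example.com": {"name": "Jane Doe", "phone": "555-0100"},
        "sam@example.com": {"name": "Sam Roe", "phone": "555-0199"},
    },
    "web_analytics": {
        "jane@example.com": {"ip_address": "203.0.113.7", "device_id": "dev-42"},
    },
    "patient_portal": {
        "jane@example.com": {"health": "appointment history"},
    },
    "phone_system": {},  # inventoried, but holds no records for these consumers
}


@dataclass
class RightsRequest:
    request_id: str
    consumer_email: str
    request_type: str
    received: date
    identity_verified: bool = False
    status: str = "received"
    history: list = field(default_factory=list)  # (date, status) audit trail

    def __post_init__(self):
        if self.request_type not in VALID_REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")
        self.history.append((self.received, "received"))

    @property
    def due(self) -> date:
        """Statutory response deadline, counted from the date received."""
        return self.received + timedelta(days=RESPONSE_DEADLINE_DAYS)

    def days_remaining(self, today: date) -> int:
        return (self.due - today).days


def verify_identity(req: RightsRequest, on: date, evidence_ok: bool) -> None:
    """Record the outcome of identity verification. How identity is actually
    confirmed (e.g. proving control of the email on file) is outside this example."""
    req.identity_verified = evidence_ok
    req.status = "verified" if evidence_ok else "verification_failed"
    req.history.append((on, req.status))


def locate_data(inventory: dict, email: str) -> dict:
    """Return {system: record} for every inventoried system holding the consumer."""
    return {system: records[email]
            for system, records in inventory.items() if email in records}


def compile_access_report(inventory: dict, req: RightsRequest) -> dict:
    """Assemble the response to an access or portability request.

    Refuses to release anything until identity is verified: the commonest
    way a request process leaks data is answering an unverified requester."""
    if not req.identity_verified:
        raise PermissionError("identity not verified; do not release data")
    if req.request_type not in {"access", "portability"}:
        raise ValueError("report only applies to access/portability requests")
    found = locate_data(inventory, req.consumer_email)
    sensitive = sorted({cat for rec in found.values()
                        for cat in rec if cat in SENSITIVE_CATEGORIES})
    return {"request_id": req.request_id, "systems": found,
            "sensitive_categories": sensitive}


def close_request(req: RightsRequest, on: date) -> None:
    req.status = "completed"
    req.history.append((on, "completed"))


def overdue_requests(requests: list, today: date) -> list:
    """IDs of open requests whose deadline has passed; feed this to whoever
    is designated to own the process."""
    return [r.request_id for r in requests
            if r.status != "completed" and r.days_remaining(today) < 0]


if __name__ == "__main__":
    req = RightsRequest("R-1", "jane@example.com", "access", date(2026, 2, 1))
    print("due:", req.due)
    verify_identity(req, date(2026, 2, 3), evidence_ok=True)
    print(compile_access_report(DATA_INVENTORY, req))
    print("overdue on 2026-03-19:", overdue_requests([req], date(2026, 3, 19)))
```

The report is deliberately built from the inventory rather than from whatever the person handling the request remembers to check; if a system is missing from the inventory, it is missing from every response, which is why the inventory step comes first.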
What Are the Penalties?
The NJDPL is enforced by the New Jersey Division of Consumer Affairs. There’s no private right of action (consumers can’t sue you directly under this law), but the Attorney General can impose civil penalties of up to $10,000 per violation for initial offenses and up to $20,000 per violation for subsequent offenses.
The Division must provide a 30-day cure period for first-time violations through July 2026 — but this grace period expires, and it only applies if you can actually cure the violation within 30 days. If your data handling practices are fundamentally non-compliant, 30 days won’t be enough.
How This Intersects with Your Existing Obligations
If you’re already subject to HIPAA, GLBA, or other federal privacy frameworks, the NJDPL doesn’t replace those — it layers on top. However, many of the security controls you’ve already implemented for HIPAA or financial regulations will satisfy the NJDPL’s “reasonable security” requirement. The gap is usually in the consumer rights processes and updated privacy disclosures, not in the technical controls.
For NJ businesses that haven’t dealt with comprehensive privacy regulation before — many professional services firms, construction companies, and smaller organizations — this is new territory. The good news is that the compliance framework is manageable if you start now.
Iron Core helps NJ businesses implement the technical controls and documentation needed for NJDPL compliance. If you’re unsure where your business stands, start with a free assessment — we’ll map your data exposure and give you a clear action plan.