NJDPA

New Jersey Data Privacy Act

Key Facts

Effective Date: January 15, 2025
Enacted: January 16, 2024
Enforcing Authority: New Jersey Attorney General; Office of Consumer Affairs
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Controllers in NJ or targeting NJ residents (100,000+ consumers OR 25,000+ consumers and revenue from selling PI)

Overview

The NJDPA features the shortest opt-out processing requirement among US states (15 days) and explicitly requires that universal opt-out mechanisms NOT default to opt-in. Coverage extends to profiling with legal or similarly significant effects, which is broader than most state laws.

What This Means for Your Website

  • Global Privacy Control (GPC) and universal opt-out mechanism (UOOM) signals must be honored from July 2025, and must NOT default to opt-in
  • Opt-out requests must be processed within 15 days (shortest among US states)
  • Opt-in consent required for sensitive data
  • Escalating penalties: $10,000 for first violations, $20,000 for subsequent
  • The cure period (30 days) sunsets July 15, 2026

Key Requirements

The NJ AG and Office of Consumer Affairs enforce the NJDPA with escalating penalties. Consumer requests must be fulfilled within 45 days. The explicit prohibition on UOOM defaulting to opt-in is unique. Coverage of profiling with legal effects broadens the law's scope beyond most states.

How ConsentStack Handles This

ConsentStack processes New Jersey opt-out requests within the 15-day window and ensures UOOM mechanisms never default to opt-in, meeting the NJDPA's distinctive requirements.

Penalties

$10,000 per first violation; $20,000 per subsequent violation.

Maximum Fine: USD 20,000 per violation

Key Requirements

  • Honor GPC/UOOM signals from July 2025 — must NOT default to opt-in
  • 15-day opt-out processing requirement — shortest among US states
  • Opt-in consent for sensitive data
  • Consumer rights: access, correct, delete, portability, opt-out
  • UOOM covers profiling with legal/significant effects

Notable Provisions

  • 15-day opt-out processing — shortest among US states
  • UOOM must NOT default to opt-in — explicit requirement
  • Escalating penalties ($10K first / $20K subsequent)
  • Cure period sunsets July 2026

US State Specifics

Cure Period: 30 days
Private Right of Action: No
Global Opt-out Required: Yes
Sensitive Data Opt-in: Yes
Children Provisions: Data of children under 13 is sensitive, requiring opt-in consent.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

What makes New Jersey's opt-out unique?

The NJDPA requires opt-out processing within 15 days — the shortest among US states — and explicitly prohibits universal opt-out mechanisms from defaulting to opt-in.

What are the NJDPA penalties?

$10,000 per first violation and $20,000 per subsequent violation — an escalating penalty structure.

Does the NJDPA cover profiling?

Yes. The NJDPA covers opt-out of profiling for decisions with legal or similarly significant effects — broader than most US state privacy laws.
