New Jersey
Code/Regulations
- Senate Bill 322
- Code: N.J. Stat. Ann. §§ 56:8-166.4 – 166.19 (2024)
Effective Date: January 16, 2025
Details
Threshold
Entities that conduct business in New Jersey or produce products or services targeted to New Jersey residents and
- Control or process the personal data of at least 100,000 New Jersey residents (excluding personal data processed solely to complete transactions); or
- Control or process the personal data of at least 25,000 New Jersey residents and derive any amount of revenue or discount from the sale of personal data
Definition of "Personal Data"
Information that is linked or reasonably linkable to an identified or identifiable person. Does not include de-identified or publicly available information. Includes potentially all of a consumers' financial information (to the extent it is not covered by GLBA)
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Mental or physical health condition, treatment, or diagnosis; and
- Sexual orientation.
In addition, New Jersey’s definition also includes:
- Sex life;
- Status as transgender or nonbinary;
- Financial information, including a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account
- Precise geolocation; and
- Personal data collected from a known child.
Definition of "Sale"
Exchange of personally identifiable information for monetary consideration by the operator to a third party
Data-Protection Assessments
Yes
Opt-In Consent Required for Processing Sensitive Data
Yes
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads/Sharing
Yes
Consumer Right to Opt Out of Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
Yes
Data of Minors
Parental Opt-In consent to process information in accordance with COPPA
GLBA Exemption
Yes (both entity-level and data-level)
HIPAA Exemption
Yes (data specific)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context
Nonprofit Exemption
Yes
Private Right of Action
No
Cure Period
30 Days
Cure Period Expiration
July 16, 2026
Enforcement Authority/Damages
The Office of the Attorney General has exclusive authority to enforce the Act. The Director of the Division of Consumer Affairs in the Office of the Attorney General has rulemaking authority
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.