New Jersey Data Privacy Act: What to Do Before July 15
The New Jersey Data Privacy Act cure period expires on July 15, 2026. After that date, the NJ Attorney General can pursue fines of up to $10,000 per violation without first giving your business 30 days to fix the problem. If your company processes personal data on 100,000 or more New Jersey residents, that deadline is six weeks away.
Most businesses with NJ customer data have heard about the NJDPA. Fewer have actually built the compliance infrastructure the law requires. The end of the cure period is the enforcement shift that makes that gap matter.
Here is what covered businesses need to address before July 15.
Who the NJDPA Actually Covers
The law applies to any business that operates in New Jersey or targets NJ residents and meets one of two thresholds:
- Processes personal data of 100,000 or more NJ consumers in a calendar year, or
- Processes data of 25,000 or more NJ consumers and derives revenue from the sale of that personal data
There is no employee count threshold. A 40-person e-commerce company with 150,000 NJ customer records is covered. A 200-person professional services firm that processes no direct consumer data is probably not.
The law also has an important B2B carve-out. The NJDPA's definition of "consumer" excludes "a person acting in a commercial or employment context." If you are a B2B company whose contacts are people acting in their professional capacity, that data generally falls outside the law's scope. But if you hold any consumer-facing data at all, such as records on identifiable website visitors, those records may count toward the threshold, so do not assume a B2B business model puts you out of scope.
Healthcare organizations face a specific nuance. The NJDPA provides a data-level exemption for protected health information (PHI) collected under HIPAA, but there is no entity-level exemption. If your healthcare billing company processes 150,000 patient records, the PHI portion of that data is likely exempt. Website visitor data, job applicant records, and marketing data from the same company are not.
What the July 15 Deadline Means in Practice
For the first 18 months of the law (January 15, 2025 through July 15, 2026), the NJ Attorney General was required to give businesses a 30-day written notice to cure violations before pursuing fines. That mandatory cure window disappears on July 15.
After that date, the AG's office can still offer a cure period at its discretion, but there is no legal requirement to do so. The first enforcement actions against NJ businesses are expected in the second half of 2026, once the enforcement infrastructure regulators began building during the cure window is in place.
Fines can reach $10,000 per initial violation and $20,000 per subsequent violation. The NJ Consumer Fraud Act framework that applies here allows violations to be counted per affected resident in some enforcement scenarios.
What Covered Businesses Must Have in Place
The NJDPA requires covered businesses to have six core compliance elements operational:
A compliant privacy notice. The notice must include the categories of personal data you collect, your processing purposes, the categories of third parties you share data with, how consumers can exercise their rights, how you will notify them of material changes, and an active contact mechanism for inquiries. A generic website privacy policy usually does not cover all of these. Review yours carefully against each required element.
An opt-out mechanism for targeted advertising and data sales. If your business processes personal data for targeted advertising or sells it, the privacy notice must include a clear link for consumers to opt out. More importantly, your systems must recognize and honor the Global Privacy Control (GPC) browser signal as a valid opt-out request. That requirement was actually due July 15, 2025, not July 15, 2026. If you are not currently honoring GPC signals, you are already out of compliance.
A consumer rights response process. NJ residents can submit requests to access, correct, delete, or export their personal data. You have 45 days to respond, with a possible 45-day extension. Appeals must be resolved within 60 days. You need a documented internal process for receiving, routing, and completing these requests. The response also covers the prior 12 months of data.
Data Protection Assessments for high-risk processing. If your business processes any of the 10 categories of sensitive data, sells personal data, uses personal data for targeted advertising, or conducts profiling, you are required to document a Data Protection Assessment. This is a formal evaluation of the benefits of the processing weighed against potential risks to consumers. The NJ AG can request these during an investigation.
Opt-in consent for sensitive data. The NJDPA requires affirmative consent before processing sensitive data. The 10 categories include racial or ethnic origin, health conditions, biometric data, geolocation within 1,750 feet, children's data, citizenship status, sex life or sexual orientation, and genetic data. Read the next section about the category most NJ businesses are not prepared for.
Data processor agreements. If you use any third-party vendors that process personal data on your behalf, your contracts with those vendors must address data privacy obligations. A processor that creates a NJDPA violation could create exposure for your business.
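The GPC requirement under the opt-out element above is the one item in this list that is purely technical, so here is an added example of the server-side check. This is illustration code written for this page, not code from the original post or from any vendor. It recognizes the `Sec-GPC: 1` request header defined by the GPC specification, blocks the processing purposes the signal covers while leaving unrelated purposes alone, and returns the body for the `/.well-known/gpc.json` declaration the spec uses to advertise support. The purpose labels, the sample request headers and the lastUpdate date are assumptions made for the example.

```python
"""Honoring the Global Privacy Control (GPC) signal server-side.

The GPC specification defines one request header, Sec-GPC, whose only
meaningful value is "1". A user agent that sends it is asserting a
do-not-sell / do-not-share preference for that request. A compliant server
must (a) detect the header reliably and (b) refuse the processing purposes
the signal covers, while still serving purposes the consumer needs
(fulfilling an order, fraud prevention, and so on).

Purpose names, sample headers and the lastUpdate date below are constructed
for this example; the header name and value come from the GPC spec.
"""
from typing import Dict, Iterable, Mapping

GPC_HEADER = "sec-gpc"

# Purposes a GPC signal opts the consumer out of. Everything else proceeds.
# (Constructed labels; map them to your own processing register.)
GPC_COVERED_PURPOSES = frozenset({"targeted_advertising", "sale"})


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """Return True only if the request carries a valid GPC signal (Sec-GPC: 1).

    HTTP header names are case-insensitive, so match them that way. Any
    other value ("0", "true", "") is not a signal and must not be treated as
    one; a missing header means "no preference expressed", not "consented".
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def processing_allowed(purpose: str, headers: Mapping[str, str]) -> bool:
    """Gate one processing purpose on the GPC signal for this request.

    A valid signal blocks purposes in GPC_COVERED_PURPOSES; it does not block
    purposes outside that set (e.g. order fulfillment).
    """
    if purpose in GPC_COVERED_PURPOSES and gpc_opt_out(headers):
        return False
    return True


def evaluate_request(headers: Mapping[str, str],
                     purposes: Iterable[str]) -> Dict[str, bool]:
    """Decide every purpose for one request and return the decision table.

    Logging this table per request gives you evidence that the signal was
    actually evaluated, which is what a regulator will ask you to show.
    """
    return {p: processing_allowed(p, headers) for p in purposes}


def gpc_well_known() -> Dict[str, object]:
    """Body for GET /.well-known/gpc.json, which the GPC spec uses to let a
    server declare that it honors the signal. lastUpdate is a placeholder."""
    return {"gpc": True, "lastUpdate": "2026-06-01"}


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "gpc_browser": {"User-Agent": "Mozilla/5.0", "Sec-GPC": "1"},
    "lowercase_header": {"user-agent": "curl/8.0", "sec-gpc": "1"},
    "malformed_value": {"Sec-GPC": "0"},        # not a signal
    "no_signal": {"User-Agent": "Mozilla/5.0"},
}

PURPOSES = ("targeted_advertising", "sale", "order_fulfillment")


def demo() -> Dict[str, Dict[str, bool]]:
    """Run every sample request through the gate; returns name -> decisions."""
    return {name: evaluate_request(h, PURPOSES)
            for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, table in demo().items():
        flag = gpc_opt_out(SAMPLE_REQUESTS[name])
        print(f"{name:17s} gpc={str(flag):5s} {table}")
```

Two points worth carrying into a real implementation: the check must live where every inbound request passes (an edge middleware or the API gateway), not only on the marketing site, because the signal has to reach the systems that actually feed ad platforms and data buyers; and the decision should be logged per request, since "we honored GPC" is only defensible if you can show when and how the signal was evaluated.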
The Sensitive Data Category Most Businesses Are Missing
New Jersey is one of the few states that classify financial data as sensitive personal data requiring opt-in consent. Specifically: account numbers, account logins, and credit or debit card numbers combined with a security code, access code, or password that would permit access to a financial account.
This is not just about storing credit cards. Any business that combines login credentials with financial account numbers in a way that would allow account access is handling sensitive data under the NJDPA. That covers a lot of customer portals, billing systems, and payment workflows that businesses assumed were fine under standard PCI compliance.
Where IT Infrastructure Fits In
Getting into NJDPA compliance is not purely a legal exercise. The actual work lands on IT.
You cannot build a consumer rights response process without knowing where your data lives. Data inventory and classification, role-based access controls, and audit logs are the technical foundation for every NJDPA requirement. If you do not know which systems hold NJ consumer data, you cannot complete a Data Protection Assessment, fulfill a deletion request, or demonstrate compliance during an AG investigation.
Incident response matters here too. A data breach involving NJ consumer data triggers notification obligations. Businesses without a documented, tested incident response plan are exposed on multiple fronts. The same IT governance work that protects against a breach is the work that keeps you compliant.
Vendor management is the third piece. Shadow IT and unsanctioned data tools create real exposure under privacy laws, because data flowing through unauthorized platforms means data you are not tracking or controlling. This is covered in more detail in this post about shadow AI risks for growing businesses.
If you are working toward NJDPA readiness, the place to start is a data inventory covering which systems collect NJ consumer data, what categories of data those systems hold, and which third-party vendors have access. That inventory drives everything else: the privacy notice, the DPAs, the processor agreements, and the consumer rights workflows.
Frequently Asked Questions
Does the NJDPA apply to businesses headquartered outside New Jersey?
Yes. The law applies to any business that conducts business in New Jersey or produces products or services targeted at NJ residents, provided it meets the 100,000-consumer or 25,000-consumer-plus-data-sale thresholds. A company based in New York City with significant NJ customer data is subject to the same requirements as an NJ-based company.
My company only works with other businesses, not individual consumers. Do we have to comply?
The NJDPA explicitly excludes individuals acting in a commercial or employment context from its definition of "consumer." If your business processes only data about people in their professional capacity (business contacts, client employees), that data generally falls outside the law. If you maintain any consumer-facing data, including website analytics linked to identifiable individuals or employee records for NJ-based staff, those records may count toward the threshold.
What is the difference between NJDPA and HIPAA compliance?
They operate on different scope and subject matter. HIPAA covers protected health information for covered entities and business associates in the healthcare sector. The NJDPA is a general consumer privacy law covering any business that meets the data volume threshold, regardless of industry. They can apply simultaneously. A healthcare billing company subject to HIPAA still needs NJDPA compliance for any non-PHI personal data it processes.
What happens if my business gets a complaint after July 15?
Before July 15, the AG is required to give you a 30-day window to correct the violation. After July 15, that mandatory notice goes away. The AG can pursue fines directly, at its discretion, without advance notice. Penalties start at $10,000 per violation.
Where should a covered business start if it is not yet compliant?
Start with a data inventory. Identify every system that collects, stores, or processes NJ consumer data. Map what categories of data each system holds and who has access. From there, you can build the privacy notice, assess which processing activities require a Data Protection Assessment, identify sensitive data that requires opt-in consent, and build the consumer rights response workflow. If your IT systems are not documented and governed, the legal compliance work cannot happen effectively.
If you are not sure whether your business is covered by the NJDPA, or if your data governance infrastructure needs work before July 15, reach out here. Getting compliant requires knowing what data you have and who controls it. That work starts with IT.