Press "Enter" to skip to content

New Jersey Enacts Comprehensive Consumer Data Privacy Law

NJ LegislatureNew Jersey Gov. Phil Murphy on Jan. 16 signed into law Senate Bill 332, making New Jersey the 13th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon and Delaware.  The law will go into effect Jan. 16, 2025.


The Act applies to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year either:

  1. control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  2. control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.

Exemptions include, but are not limited to:

  1. A financial institution, data, or affiliate of a financial institution that is subject to Gramm-Leach-Bliley Act and implementing rules;
  2. Protected health information collected under the Health Insurance Portability and Accountability Act of 1996;
  3. Personal data collected, processed, sold, or disclosed by a consumer reporting agency as authorized by the Fair Credit Reporting Act.

Consumers have the right to:

  1. Confirm a controller’s processing of their personal data;
  2. Correct inaccuracies in their personal data;
  3. Delete their personal data;
  4. Obtain a copy of their personal data held by the controller;
  5. Opt out of the processing of their personal data if the processing is for the purpose of targeted advertising, sale of their personal data, or certain profiling.

A controller may not process sensitive data concerning a consumer without first obtaining the consumer’s consent, or, in the case of the processing of personal data concerning a known child, without processing such data in accordance with the Children’s Online Privacy and Protection Act.

“Sensitive data” means personal data revealing:

  1. Racial or ethnic origin;
  2. Religious beliefs;
  3. Mental or physical health condition, treatment, or diagnosis;
  4. Financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account;
  5. Sex life or sexual orientation;
  6. Citizenship or immigration status;
  7. Status as transgender or non-binary;
  8. Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
  9. Personal data collected from a known child; or
  10. Precise geolocation data.

A contract between a controller and processor must clearly set forth:

  1. The processing instructions to which the processor is bound, including the nature and purpose of the processing;
  2. The type of personal data subject to the processing, and the duration of the processing;
  3. That the processor ensures each person processing the personal data is subject to a duty of confidentiality;
  4. That any subcontractor engaged by the processor is subject to the same contractual obligations as between the controller and the processor;
  5. That the controller and processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  6. That the processor deletes or returns all personal data to the controller as requested at the end of the provision of services;
  7. That the processor makes available to the controller all information necessary to demonstrate compliance; and
  8. That the processor allows for, and contributes to, reasonable assessments and inspections by the controller.

A controller must conduct a data protection assessment for processing that presents a heightened risk of harm to a consumer, including:

  1. Processing personal data for the purposes of targeted advertising or certain profiling;
  2. Selling personal data;
  3. Processing sensitive data.

The Act does not create a private right of action. A violation that is not cured within 30 days of notice is an unlawful practice under N.J. Stat. § 56:8-1, et seq., and the Attorney General may seek injunctive relief, costs, and penalties of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense.


The Attorney General, through the Division of Consumer Affairs, is charged with promulgating rules and regulations.


This legislation, which was introduced in 2022, is a good example of legislators listening to stakeholders and making appropriate changes in response. The bill was amended six times, with the next to the last gutting the bill and replacing it with provisions akin to those in laws adopted by most other states, which will be a relief to those incorporating the requirements into a compliance program. For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: mandritoiu/

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.