New Jersey Data Privacy Act (NJDPA)

NJDPA defines personal data as any information linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

Controllers must limit the processing of consumers' personal data to only ‘what is relevant, adequate, and reasonably necessary’ and for purposes that are communicated to the consumer at the time of collection.

Controllers must obtain the consumer’s freely given, specific, informed, and unambiguous consent before using their personal data for any purposes that are either not reasonably necessary or compatible with the purposes initially communicated to the consumer.

Controllers must not process sensitive data without express consent, or for children, without complying with COPPA.

Controllers must not process personal data for targeted advertising, sale, or profiling without express consent for consumers aged 13-17, if the controller knows or disregards their age.

Controllers must provide the consumers with a ‘reasonably accessible, clear, and meaningful’ privacy notice.¨

Controllers must establish and implement adequate technical, physical, and administrative data security measures to ensure the data’s confidentiality, accessibility, and integrity against unauthorized access while it is stored or used.

Controllers must conduct and document a data protection assessment (DPA) before initiating any processing activity that may contain a ‘heightened risk of harm to a consumer.’

NJDPA provides consumers with the right to confirm and access their personal information, the right to correct, the right to delete, the right to data portability and the right to opt-out.

The Office of the Attorney General of the state of New Jersey has the exclusive authority to enforce the law.