/>iThe New Jersey Data Protection Act (NJDPA), N.J. Stat. § 56:8-166.4 et seq., will go into effect on January 15, 2025, as New Jersey joins eighteen other states with comprehensive data privacy laws.
The Garden State’s Division of Consumer Affairs Cyber Fraud Unit recently posted answers to twenty-four frequently asked questions (FAQs) that offer a comprehensive summary of the law, outline definitions, and explain consumer rights and business responsibilities.
Quick Hits
- The New Jersey Data Protection Act (NJDPA) takes effect on January 15, 2025, as New Jersey joins eighteen other states with comprehensive data privacy laws.
- The NJDPA defines a “consumer” as a New Jersey resident acting in an individual or household context, excluding those acting in commercial or employment contexts.
- The New Jersey Division of Consumer Affairs will provide a grace period for enforcement of the NJDPA until July 1, 2026.
Our prior article laid out the obligations the statute entails and the relatively small universe of companies that are covered under the NJDPA. (The statute does not have a specific title, and as a result, it has been referred to in different publications by various names, such as the “New Jersey Data Protection Act,” the “New Jersey Data Privacy Act,” or the “New Jersey Data Privacy Law.”) The FAQs offer some insight and further clarification as to the scope and application of the law.
Who Is a ‘Consumer’ Under the NJDPA?
The FAQs state an important distinction regarding the scope of the NJDPL, namely, that the NJDPL does not cover employment records. In the statute, “consumer” is defined as a person who is a New Jersey resident acting only in an individual or household context. In contrast, the definition of consumer does not include a person acting in a commercial or employment context. For example, a New Jersey resident who has his or her personal data collected by a retailer while making a purchase for the consumer’s household is protected under the NJDPL. However, a New Jersey resident who has his or her personal data collected by a potential employer while applying for a job is not protected under the NJDPL. (See FAQ #5.)
Are There Special Protections for Children and Minors?
The FAQs indicate that in New Jersey, controllers must obtain consent before processing personal data of consumers aged thirteen to sixteen. This requirement is broader than the statute, which only mandates consent for targeted advertising, selling personal data, or profiling with significant effects, and applies when the controller knows or willfully disregards that a consumer is thirteen to seventeen years old. Although nonbinding, the FAQs suggest the Division of Consumer Affairs may adopt a stricter approach to children’s privacy, using a “should know” standard rather than the statute’s “actual knowledge or willful disregard” standard. (See FAQ #18.)
Will Enforcement Begin Immediately When the NJDPA Becomes Effective?
The FAQs clarify that even though businesses and other entities that are controllers of personal data are expected to comply with the NJDPL when the law becomes effective, there will be a grace period for bringing enforcement actions. Specifically, until July 1, 2026, if the Division of Consumer Affairs identifies a potential violation that the controller can remedy, the division will send a notice to the controller to give them the chance to fix the problem. If the controller does not fix the problem within thirty days, the division can proceed with an enforcement action. (See FAQ #23.)
Does the New Jersey Division of Consumer Affairs Intend to Adopt Regulations?
The division stated in its answer to FAQ #24 that regulations would be issued in 2025. “In the meantime,” the division noted, “controllers and processors are required to comply with the [NJDPA] starting on January 15, 2025.”
