Support Centre

New Jersey


Law: An Act concerning commercial Internet websites, online services, consumers, and personally identifiable information (the Act)

Regulator: New Jersey Office of the Attorney General (AG)

Summary: On January 16, 2024, the Act was signed by the Governor of New Jersey. The Act marks the States first comprehensive privacy legislation, and includes rights for data subjects, obligations of data controllers and data processors, and the exclusive enforcement of its provisions by the New Jersey AG.

Beyond the Act, New Jersey courts have interpreted Article 1(1) of the New Jersey Constitution to guarantee an individual's right to privacy. In addition, there are various privacy-related provisions in the New Jersey Revised Statutes and the New Jersey Administrative Code which create obligations for data collected by companies in different sectors, including the health, financial, employment, and education sectors.

In addition, under the New Jersey breach notification requirements, businesses need to disclose, without unreasonable delay, breaches of computerised records to affected customers, as well as to the Division of State Police in the New Jersey Department of Law and Public Safety.


Kentucky's Governor Andy Beshear signed the Act Relating to Consumer Data Privacy as an addition to Kentucky's Consumer Protection Act (under Chapter 367 of the Kentucky Revised Statutes) on April 4, 2024. Kentucky's new privacy law is the 16th state consumer privacy law enacted in the US and the third in 2024. It shares many of the same features as the other comprehensive US state privacy laws. Julia Jacobson and Alexandra Kiosse, from Squire Patton Boggs, compare 2024's first three new consumer privacy laws.

New Jersey became the 13th state to enact comprehensive privacy legislation when Governor Murphy signed S332 into law on January 16, 2024. The New Jersey Data Protection Act (NJDPA) is designed to protect the personal data of New Jersey residents and imposes various obligations and requirements on persons and entities that are deemed to be 'controllers' (i.e., who alone or jointly determine the purpose and means of processing a consumer's personal data) or 'processors' (i.e., who process personal data on behalf of the controller). The NJDPA will become effective and enforceable on January 15, 2025. Although the NJDPA shares many similarities with other comprehensive state privacy laws - like the Colorado Privacy Act and the Virginia Consumer Data Protection Act - there are significant differences that businesses must consider to ensure they comply with the unique requirements of the laws of each state that may apply to business operations. John T. Wolak, Partner at Gibbons P.C., covers the main provisions that businesses should consider to ensure compliance with the NJPDA. 

New Jersey has joined other US states in adopting a comprehensive state privacy law. The Act concerning online services, consumers, and personal data (the Act), was originally introduced to the New Jersey State Senate in January 2022. Since then, the bill has passed the General Assembly and the State Senate, and was signed by the Governor of New Jersey, Philip D. Murphy, on January 16, 2024. The Act will enter into effect 365 days following its enactment on January 15, 2025. 

The Act protects consumer privacy by requiring data controllers, such as websites and online service providers, to notify consumers of the collection, disclosure, and sale of their personal data. Controllers must allow consumers to opt out of such collection, disclosure, or sale in certain circumstances. OneTrust DataGuidance Research provides an overview of the Act.