Data Privacy Week (January 27-31) is an annual campaign to spread awareness about online privacy and empower users and organizations to respect privacy, safeguard data, and enable trust. A user’s online activity generates a wealth of data that websites, apps, devices, services, and companies can collect. Data privacy is typically exploited without the user’s knowledge that the data is being collected, shared, and sold. While users may not have control over all collected data, they have a right to data privacy.

Governor Phil Murphy previously signed legislation that became effective this month, protecting consumer privacy by requiring consumers to be notified of the collection and disclosure of their data by certain entities and allowing them to opt out. This legislation grants users the right to access, correct, and delete data collected, used, and sold. It also helps safeguard personal data as cyber threats, unauthorized access, data breaches, and identity theft become increasingly prevalent.

New Jersey has taken a significant step towards safeguarding consumer privacy by enacting Senate Bill 332, the New Jersey Data Protection Act (NJDPA). Signed into law by Governor Murphy on January 16, 2024, the law went into effect on January 15, 2025. It aims to establish robust protections for NJ residents and create strict data privacy standards for businesses operating in NJ or targeting its residents, providing clear information on how data is used and requiring permission before handling sensitive information such as health, financial, or biometric data. With the law in place, residents are afforded more control over their personal data, allowing them to access, correct, delete, and transfer their information. It also provides the option to opt out of having their data sold or used for targeted advertising.

The law impacts many organizations, ranging from retail to healthcare, nonprofits to higher education. While increasing its scope, compared to other state privacy regulations in the United States, the law applies only when the personal data of 100,000+ residents are processed or if revenue is derived from selling the data of 25,000+ residents. Companies are required to provide clear privacy notices and implement adequate mechanisms for consumers to exercise their rights. To evaluate high-risk data activities, like targeted advertising or profiling, they must also conduct data protection assessments to evaluate potential harm to consumers. Businesses are urged to review their data practices to ensure compliance with the NJDPA and to prioritize consumer trust.

The New Jersey Attorney General will enforce the NJDPA by overseeing compliance, providing notice of violations, and determining penalties. For the first 18 months of enforcement, businesses will have 30 days to remedy any violations after receiving a notice. Any further noncompliance could result in significant fines and mandatory corrective measures. Individual consumers are not afforded a private right of action or to sue; however, they may contact the State’s Attorney General’s Office with any grievances or known cases of nonadherence to this law.

The NJDPA marks a critical milestone in addressing the growing concerns over how personal data is handled and the digital rights of New Jersey residents in an increasingly digital world.