New Jersey
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
New Jersey's NJDPL gives you the right to opt out of data brokers.
What the NJDPA does for you
Under the New Jersey Data Privacy Act (NJDPA), you have the right to know what personal data businesses collect about you, correct inaccuracies, request deletion, obtain a portable copy of your data, and opt out of the sale of your data, targeted advertising, and certain automated profiling. These rights apply to covered businesses that process data of New Jersey residents. You also have the right to be free from discrimination for exercising these rights.
Your rights under the NJDPA
Right to Know
You can ask a business to confirm whether it is processing your personal data and get access to that data. The business must tell you what categories of data it processes and for what purposes.
Exceptions: Controller is not required to reveal trade secrets; Does not apply to data collected before the law's effective date unless the controller continues to process it.
Source: S332 [6R], Section 7(a)(1)
Right to Delete
You can request that a business delete personal data it holds about you. The business must honor your request, though it may comply by keeping only a minimal record of the deletion to ensure the data stays deleted.
Exceptions: Does not apply to data collected before the law's effective date unless the controller continues to process it; Controller may retain minimum data necessary to honor deletion and prevent re-collection; Exceptions for legal compliance, fraud prevention, security, research, and other lawful purposes listed in Section 12.
Source: S332 [6R], Section 7(a)(3) and 7(b)
Right to Correct
You can ask a business to correct inaccuracies in your personal data. The business must consider the nature of the data and the purpose for which it is processed when fulfilling your request.
Source: S332 [6R], Section 7(a)(2)
Right to Opt Out of Sales
You can opt out of the sale of your personal data to third parties. 'Sale' means sharing your data for monetary or other valuable consideration — it does not include sharing with processors, affiliates, or in connection with a product or service you requested.
Exceptions: Disclosure to a processor acting on behalf of the controller is not a sale; Disclosure to a third party for a product or service you requested is not a sale; Transfer to an affiliate is not a sale; Transfer as part of a merger or acquisition is not a sale.
Source: S332 [6R], Section 7(a)(5)(b)
Right to Opt Out of Processing
You can opt out of having your personal data processed for targeted advertising or for profiling that produces legal or similarly significant effects on you (such as decisions about loans, housing, employment, or health care).
Exceptions: Opt-out does not prevent the controller from offering discounts or loyalty programs that require data processing, as long as this is clearly disclosed.
Source: S332 [6R], Section 7(a)(5)(a) and (c)
Right to Opt Out of Automated Decisions
You can opt out of profiling — automated processing of your data — when that profiling is used to make decisions that have legal or similarly significant effects on you, such as affecting your access to financial services, housing, insurance, education, employment, health care, or essential goods.
Exceptions: Does not apply to profiling that does not produce legal or similarly significant effects.
Source: S332 [6R], Section 7(a)(5)(c)
Right to Data Portability
You can request a copy of your personal data in a portable, readily usable format that lets you transfer it to another company without hindrance.
Exceptions: Controller is not required to provide data in a format that would reveal trade secrets.
Source: S332 [6R], Section 7(a)(4)
Right to Non-Discrimination
A business cannot discriminate against you — for example by denying services, charging higher prices, or providing lower quality — simply because you exercised your privacy rights under this law.
Exceptions: Controllers may offer discounts, loyalty programs, or different services that are reasonably related to the value of your data, as long as they clearly disclose this to you.
Source: S332 [6R], Section 5
Right to Limit Sensitive Data
Businesses must get your consent before processing your sensitive personal data. Sensitive data includes racial or ethnic origin, religious beliefs, health information, financial account details, sexual orientation, citizenship or immigration status, gender identity (transgender/non-binary status), genetic or biometric data, precise geolocation, and data about children.
Exceptions: Processing of children's data must comply with COPPA rather than requiring separate consent under this law.
Source: S332 [6R], Section 9(a)(4)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a NJDPA deletion or opt-out request. Covered businesses have 45 days to respond (S332 [6R], Section 4), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The NJDPA mentions authorized agents only in the context of opt-out requests (N.J. Stat. Ann. § 56:11-1 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.
Enforcement and penalties
The NJDPA is enforced by Office of the Attorney General of New Jersey and Division of Consumer Affairs in the Department of Law and Public Safety. Violating the NJDPA is an unlawful practice under New Jersey's Consumer Fraud Act (P.L.1960, c.39). Before bringing an enforcement action, the Division of Consumer Affairs must give businesses a 30-day notice and opportunity to cure during the first 18 months after the law takes effect. After that cure period expires, enforcement actions can proceed without a cure opportunity. There is no private right of action — only the Attorney General can sue.
Who does the NJDPA apply to?
This law applies to businesses (controllers) that conduct business in New Jersey or target products or services to New Jersey residents, and that either: (1) process personal data of at least 100,000 consumers per year (not counting data processed solely to complete a payment transaction), or (2) process personal data of at least 25,000 consumers and derive revenue or receive a discount on goods or services from the sale of personal data. Nonprofits, government agencies, HIPAA-covered entities, financial institutions subject to Gramm-Leach-Bliley, insurance institutions, consumer reporting agencies, and research data under federal human-subjects rules are generally exempt.
Frequently asked questions
Which companies does New Jersey's privacy law apply to?
The law applies to businesses that operate in New Jersey or target New Jersey residents and either process personal data of at least 100,000 consumers per year, or process data of at least 25,000 consumers and make money from selling personal data (S332 [6R], Section 2). Nonprofits, government agencies, HIPAA-covered health entities, Gramm-Leach-Bliley financial institutions, insurance companies, and consumer reporting agencies are generally exempt (S332 [6R], Section 10).
How do I submit a privacy request, and how long does the company have to respond?
You submit a verified request through the contact method the business provides — such as an email address, website, or toll-free phone number. The business must respond within 45 days of receiving your request (S332 [6R], Section 4(a)). If your request is complex, the company can take an additional 45 days but must notify you of the extension within the first 45-day period. Responses are free of charge once per 12-month period.
Can I use an authorized agent to opt out of data sales on my behalf?
Yes, you can designate an authorized agent to opt out of the sale of your personal data and targeted advertising on your behalf (S332 [6R], Section 8(a)). The business must honor the request if it can verify, using commercially reasonable effort, your identity and the agent's authority to act for you. You can also set a universal opt-out through browser settings or other device-level tools, which businesses that sell data or conduct targeted advertising must honor starting six months after the law takes effect.
What is 'sensitive data' and do I have extra protections for it?
Sensitive data includes things like your race or ethnicity, religion, health conditions, financial account numbers and passwords, sexual orientation, immigration status, transgender or non-binary status, biometric data, precise GPS location, and data collected from children (S332 [6R], Section 1, definition of 'Sensitive data'). A business must get your explicit consent before processing this type of data — they cannot use it without asking you first (S332 [6R], Section 9(a)(4)).
Can I sue a company directly if it violates my privacy rights?
No. The New Jersey Data Privacy Act does not give individuals a private right of action to sue. Only the New Jersey Attorney General has authority to enforce the law (S332 [6R], Section 16). If you believe a company has violated your rights, you can contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.