New Jersey Data Privacy Law FAQs Released

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit (the Division) published 24 frequently asked questions (FAQs) on the New Jersey Data Privacy Law (NJDPL). The FAQs provide a general overview of the NJDPL, including its scope, enforcement date and cure period, and potential fines for violations.

The NJDPL applies to entities that (1) do business in New Jersey or produce products or services to New Jersey residents; and (2) during a calendar year either (i) control or process the personal data of at least 100,000 consumers, or (ii) control or process the personal data of at least 25,000 consumers and make money from the sale of personal data. The FAQs clarify that non-profits and small businesses are subject to the NJDPL if they meet the thresholds described above or act as processors of personal data.

The NJDPL goes into effect on January 15, 2025, and the FAQs emphasize that entities and controllers subject to the NJDPL are expected to comply with the law by this date. However, the FAQs further indicate that, until July 1, 2026, if the Division identifies a potential violation of the NJDPL that the entity can remedy, the entity will receive a notice from the Division and a chance to cure the violation. If the violation is not cured within 30 days, the Division may proceed with an enforcement action.

The FAQs provide some practical guidance regarding the primary aspects of the law, which are similar to many of the other comprehensive state privacy laws, such as individual rights, contract requirements for processors, and the like. Violations of the NJDPL may include fines of up to $10,000 for an initial offense and $20,000 for subsequent offenses. And, although consumers cannot file lawsuits on their own behalf, consumers are encouraged to report suspected violations of the NJDPL by filing a complaint with the Division. The FAQs also note that the Division expects to adopt regulations this year.

Please contact the authors of this post or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group if you have questions about the NJDPL or privacy compliance more generally.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.