DCA Proposes Regulations Under the NJ Data Privacy Act


7/9/2025

Last month, the New Jersey Division of Consumer Affairs (DCA) published proposed regulations to implement the New Jersey Data Privacy Act (NJDPA). The public comment period ends on August 1, 2025.

Healthcare businesses are not necessarily exempt from the NJDPA. The NJDPA explicitly excludes PHI (as defined under HIPAA) processed by HIPAA covered entities and their business associates from the definition of personal data protected under the law. However, if a healthcare business processes personal data that is not deemed to be PHI and it meets the NJDPA’s controller thresholds, it will be required to comply with the Act with respect to that personal data. By way of example, the Act may be triggered for a health care provider that sends promotional emails about health or wellness services to non-patients (e.g., from a purchased contact list), or for a health care provider that launches a consumer-facing service (e.g., tele-nutrition or cosmetic services) where users sign up directly online.

Summary Overview 

The NJDPA was signed into law on January 16, 2024, and became effective on January 15, 2025.[i] The law gives New Jersey consumers certain rights regarding their personal data and imposes certain obligations on “controllers” and “processors” of personal data.

Certain Key Definitions 

Controller – Any individual or entity that decides how and why consumers’ personal data is processed. Controllers subject to the Act are those that:

  • Conduct business in New Jersey or produce products or services targeted to New Jersey residents; and
  • During a calendar year either (i) control or process the personal data of at least 100,000 consumers, or (ii) control or process the personal data of at least 25,000 consumers and make money from the sale of personal data.

Processor – An individual or entity that processes personal data on behalf of the controller, at the request and under the direction of the controller.

Consumer Rights

The NJDPA protects the right of New Jersey consumers to, among other things:

  • Confirm whether a controller processes their personal data;
  • Obtain a copy of their personal data held by the controller;
  • Correct inaccuracies in their personal data;
  • Delete their personal data; and
  • Opt out of a controller selling their personal data or using their personal data for targeted advertising and some types of profiling (e.g., profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy).

Controller Obligations

Controllers must, among other obligations:

  • Provide to consumers a privacy notice that includes, among other information, the categories of personal data the controller processes, the purpose for processing personal data and how consumers may exercise their rights under the NJDPA;
  • Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which it is collected;
  • Maintain administrative, technical and physical security controls;
  • Not process a consumer’s sensitive data without consent or, with respect to children under age 13, compliance with the Children’s Online Privacy Protection Act; and
  • Honor universal opt-out mechanisms.

Processor Obligations

Among other requirements, processors must operate under written contracts with controllers, comply with controller instructions, maintain security measures and delete or return data when required.

Enforcement

The New Jersey Attorney General is charged with enforcement of the Act. The Attorney General may go to court to stop violations of the Act, seek compensation for victims, and impose monetary penalties of up to $10,000 for an initial offense and $20,000 for additional offenses. The Act provides for a grace period until July 1, 2026, during which controllers will be given written notice and a 30-day period to correct potential violations before an enforcement action may proceed.

What Actions Does Your Business Need to Take?

Some actions businesses should take include:

  • Evaluate your business activities to determine if you are a controller or processor;
  • Review the Act’s exemptions;
  • Determine whether you process personal data;
  • Measure the volume of the personal data you handle;
  • Perform a data inventory and mapping; and
  • If the NJDPA is triggered, take actions to implement policies and procedures and other required actions under the law.

How We Can Help

Contact us for assistance in evaluating whether the Act applies to your business, what other data privacy and security laws apply to your business, and what actions you need to take to ensure legal compliance.

Lani M. Dornfeld, Esq., CHPC, Member, Healthcare Law at 973.403.3136 or ldornfeld@bracheichler.com

[i] P.L.2023, c.266; N.J.S.A. 56:8-166.4 et seq.

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.
