New Jersey Consumer Data Privacy Act (NJCDPA)
The NJPA applies to “personal data,” which it defines as “information that is linked or reasonably linkable to an identified or identifiable person.” The definition explicitly excludes information that is de-identified or publicly available.
Is Complying with NJCDPA Mandatory?
The NJPA applies to controllers conducting business in New Jersey or producing products or services targeted to New Jersey residents (consumers) and that during a calendar year either:
Control or process personal data of at least 100,000 consumers (except personal data processed solely for completing transactions)
Control or process the personal data of at least 25,000 consumers while deriving revenue, or receiving a discount on the price of any goods or services, from selling personal data.1
The NJCDPA does not contain a minimum annual revenue threshold, meaning that relatively small businesses might find themselves subject to its provisions.
What are the penalties for not complying with NJCDPA?
A violation of NJ CDPA is considered a violation of New Jersey’s Unfair Deceptive Acts and Practices (UDAP), and the Attorney General could seek penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations.