New Jersey has entered the modern era of privacy laws. As of January 15, 2025, the New Jersey Data Privacy Law (“NJDPL” or “NJDPA”) is in effect—and it brings with it new obligations for companies processing New Jersey consumers’ data, and significant opportunities (and challenges) for enforcement. Because NJDPL does not grant a private right of action, the New Jersey Consumer Fraud Act (CFA) is being watched carefully as a possible vehicle for consumer claims.
In this post, we’ll break down key provisions of NJDPL, show how CFA might be used, and sketch possible case theories. If your business deals with consumer data in NJ—or you represent consumers—this is essential reading.
What Rights Do You Have Under the NJDPL?
Under the new law, New Jersey residents can:
- Access the personal data companies hold about them.
- Correct information that’s wrong.
- Delete their information.
- Opt out of having their data sold or used for targeted advertising.
- Know when sensitive information like account numbers or login credentials is collected.
Businesses that collect data from at least 100,000 New Jersey residents (or 25,000 if they sell that data) have to follow these rules.
What If a Company Breaks the Rules?
Here’s the catch: the new privacy law does not allow individual consumers to file lawsuits directly. Instead, it’s enforced by the New Jersey Attorney General.
But that doesn’t mean you’re left without options.
The law says that violations of the NJDPL are also considered violations of the New Jersey Consumer Fraud Act (CFA). That’s important, because the CFA does allow consumers to bring lawsuits—including class actions—if they’ve been misled, deceived, or harmed by a company’s unlawful practices.
How the Consumer Fraud Act Can Help
The Consumer Fraud Act is one of the strongest consumer protection laws in the country. It allows you to:
- Sue for financial losses caused by unlawful or deceptive business practices.
- Recover triple damages (three times your loss).
- Have the company pay your attorneys’ fees if you win.
If a company mishandles your data—by selling it without permission, ignoring your request to delete it, misrepresenting how it uses your information, or failing to secure it properly—you may have a case under the CFA.
Examples of Potential Cases
- A website promises not to sell your data but secretly shares it with advertisers.
- A company suffers a data breach because it didn’t put proper security in place, leading to identity theft.
- You ask a business to delete your data, and they refuse or ignore the request.
- A privacy policy says one thing, but the company’s actual practices are very different.
Each of these situations could be considered an “unlawful practice” under the Consumer Fraud Act, opening the door for consumer lawsuits.
Why This Matters
Data is the new currency. Every time you log in, shop, or sign up, companies are collecting and often profiting from your information. The NJDPL is designed to give you back some control. And with the Consumer Fraud Act, you may have the power to hold businesses accountable when they cross the line.
Our Firm Can Help
If you believe a business has:
- Sold your personal data without consent,
- Failed to protect your information in a breach, or
- Misled you about how your data would be used—
We want to hear from you. These cases are new in New Jersey, and acting early could help set important precedent and protect thousands of consumers.
The New Jersey Data Privacy Law is a big step forward, but enforcement will depend in part on consumers standing up for their rights. If you think your data has been misused, you may have a claim under the Consumer Fraud Act.
Contact us today to discuss your situation. Consultations are confidential and at no cost.
