GDPR Compliance in New Jersey: EU GDPR + New Jersey Data Privacy Act
New Jersey is one of a growing number of US states with a comprehensive consumer privacy law, the New Jersey Data Privacy Act (NJDPA), effective January 15, 2025, which creates a GDPR-parallel compliance framework for NJ resident data. New Jersey businesses with EU customers must comply with both GDPR and NJDPA simultaneously. New Jersey's pharmaceutical sector (home to Johnson & Johnson, Merck, and numerous biotech companies) has particularly significant GDPR exposure from EU clinical trial and pharmaceutical regulatory data.
Enforcement: the NJ AG (through the Division of Consumer Affairs) enforces the NJDPA and can seek civil penalties and injunctive relief; there is no private right of action under the NJDPA. GDPR is enforced by the EU member state supervisory authorities.
State Penalties: NJDPA violations are treated as violations of the NJ Consumer Fraud Act: civil penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent violation, plus injunctive relief sought by the NJ AG. No private right of action. GDPR fines apply in addition for EU personal data.
EU Penalties (GDPR is EU law, not US federal law): up to €20M or 4% of worldwide annual turnover, whichever is higher, for the most serious violations (Art. 83(5)); up to €10M or 2% for the lower tier (Art. 83(4)).
How EU GDPR + New Jersey Law Overlap
GDPR applies to NJ businesses that have an EU establishment or that offer goods or services to, or monitor the behaviour of, individuals in the EU (Art. 3). NJDPA (effective January 15, 2025) applies to controllers that do business in NJ or target NJ residents and that, in a calendar year, control or process personal data of at least 100,000 NJ consumers (excluding data processed solely to complete a payment transaction), or of at least 25,000 NJ consumers while deriving revenue or a price discount from the sale of personal data. The two frameworks share core principles but differ in details; a single privacy program can address both with appropriate customization.
Additional New Jersey and Sector-Specific Requirements Beyond GDPR
- New Jersey Data Privacy Act (NJDPA, effective January 15, 2025): consumer rights to access, correct, delete and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects; universal opt-out signals (such as a browser-level preference signal) must be honored from July 15, 2025
- NJDPA sensitive data categories overlap significantly with GDPR Art. 9 special categories: racial or ethnic origin, religious beliefs, mental or physical health condition, treatment or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic and biometric data; NJDPA additionally covers financial account information, precise geolocation, status as transgender or non-binary, and personal data of a known child, which GDPR handles under other provisions rather than Art. 9
- NJDPA requires documented data protection assessments before processing that presents a heightened risk of harm (targeted advertising, sale of personal data, certain profiling, processing of sensitive data), parallel to GDPR Art. 35 DPIAs; the NJ AG can demand a copy of an assessment
- NJDPA requires consent before processing sensitive personal data; GDPR Art. 9 permits such processing on explicit consent or on one of the other Art. 9(2) conditions, so a GDPR program that relies on a non-consent condition may still need a consent step for NJ residents
- NJ Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.): breach notification to affected NJ residents for any business holding their data, with a report to the Division of State Police in the Department of Law and Public Safety before customer notice; no numeric threshold triggers the report, and a decision not to notify because misuse is not reasonably possible must be documented in writing and retained for five years. GDPR Art. 33 separately requires notification to the supervisory authority within 72 hours, and the NJ statute covers a narrower set of data elements than GDPR "personal data"
- EU Clinical Trials Regulation 536/2014 (EU CTR) governs trials conducted at EU sites, so NJ sponsors running EU arms of a trial must meet its informed-consent, data and CTIS transparency requirements alongside GDPR
Key Compliance Requirements for New Jersey
- Publish a privacy notice satisfying both NJDPA and GDPR Art. 13/14 disclosure requirements (largely overlapping; GDPR additionally requires the legal basis for each purpose, retention periods, international transfer safeguards, and DPO or EU representative contact details where applicable)
- Data subject rights system: GDPR requires a response without undue delay and within one month of the request (extendable by two further months for complex or numerous requests, Art. 12(3)); NJDPA allows 45 days (extendable by a further 45 days). Use the GDPR one-month deadline as the unified standard and track the two extension rules separately
- Consent for sensitive data: NJDPA requires opt-in consent; under GDPR, explicit consent is one of the Art. 9(2) conditions. A single opt-in mechanism built to the GDPR standard (freely given, specific, informed, unambiguous, and as easy to withdraw as to give) satisfies both, provided the GDPR legal basis actually relied on is consent
- Data Protection Assessments required under both NJDPA (for heightened-risk processing) and GDPR Art. 35 (DPIAs)
- EU data transfers: every EU-to-NJ flow needs a GDPR Chapter V transfer mechanism: Standard Contractual Clauses (the 2021 EU Commission set, with a documented transfer impact assessment) or, for organisations certified under it, the EU-US Data Privacy Framework; NJDPA imposes no transfer-mechanism requirement of its own
- NJ pharma companies: clinical trial participant data must satisfy both GDPR and EU CTR
Common Violations in New Jersey
- Missing NJDPA-compliant privacy notice (enforcement priority since January 2025)
- Cookie consent failures for EU visitors to NJ company websites
- Sensitive data processing without opt-in consent under both NJDPA and GDPR
- Missing Data Protection Assessments for high-risk processing activities
- Clinical trial informed consent failures for EU participants at NJ pharmaceutical companies
Recent GDPR Enforcement in New Jersey
Check Your GDPR Readiness in New Jersey
Take our free compliance quiz to see how your organization stacks up against GDPR requirements in New Jersey.
Frequently Asked Questions
Do New Jersey businesses need to comply with both GDPR and NJDPA?
Potentially yes. NJDPA applies to controllers that control or process personal data of at least 100,000 NJ consumers in a year (or at least 25,000 if they derive revenue or a discount from selling personal data). GDPR applies if you have an EU establishment or offer goods or services to, or monitor, people in the EU, regardless of volume. Many NJ businesses, particularly in tech, pharma, and financial services, meet both tests. A unified privacy program can satisfy both frameworks with appropriate customization for EU-specific requirements.
How does NJDPA compare to GDPR?
NJDPA and GDPR share the same core architecture: consumer/data subject rights, consent for sensitive data, data protection assessments, and controller-processor contracts. Key differences: GDPR requires an Art. 6 legal basis for all processing; NJDPA uses an opt-out model for general processing (targeted advertising, sales, profiling) and opt-in consent for sensitive data and for secondary uses that are not reasonably necessary for or compatible with the disclosed purposes. GDPR fines are far higher (up to 4% of worldwide annual turnover vs. $10,000 for a first and $20,000 for each subsequent violation under NJDPA). GDPR has broader territorial reach and obligations NJDPA lacks, such as 72-hour breach notification to the regulator, records of processing, and international transfer mechanisms.
What GDPR requirements apply to New Jersey pharmaceutical companies?
NJ pharma companies (J&J, Merck, Bristol Myers Squibb have NJ operations) must comply with GDPR for EU clinical trial participant data, EU patient data from drug commercialization, and EU employee data. EU CTR (Regulation 536/2014) adds specific clinical trial requirements for trials at EU sites. Explicit consent under Art. 9(2)(a) is one lawful route for health data, but EDPB Opinion 3/2019 on the interplay between the CTR and GDPR warns that consent is often not the appropriate legal basis for trial data because of the imbalance of power between participant and sponsor or investigator; many sponsors instead rely on Art. 6(1)(e) or (f) together with Art. 9(2)(i) or (j), and keep CTR informed consent distinct from GDPR consent. EU-to-NJ transfers require a Chapter V mechanism (Standard Contractual Clauses with a transfer impact assessment, or EU-US Data Privacy Framework certification).
Who enforces NJDPA?
The New Jersey AG enforces the NJDPA through the Division of Consumer Affairs. There is no private right of action; consumers cannot sue directly. The AG can seek civil penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent violation. For the first 18 months after the effective date (until July 15, 2026) the Division must issue a notice of violation and allow a 30-day cure period before bringing an action; after that date the cure right expires. GDPR violations are enforced separately by EU supervisory authorities.
What is the timeline for NJDPA compliance?
The New Jersey Data Privacy Act was signed in January 2024 and took effect January 15, 2025. The NJ AG can bring actions from the effective date, subject to the 30-day cure right that runs until July 15, 2026; the obligation to honor universal opt-out signals applies from July 15, 2025, and the data protection assessment requirement applies to processing activities created or generated after the effective date. NJ businesses that have not yet assessed NJDPA applicability, published compliant privacy notices, or implemented consumer rights systems are at immediate enforcement risk.