DSAR Requirements in New Jersey (NJDPA)
New Jersey DSAR requirements: consumer rights, response deadlines, identity verification, and penalties under the NJDPA.
Last updated: 2026-02-08
Consumer Rights That Trigger DSARs
New Jersey consumers can submit requests to:
- Access all personal data you hold about them
- Correct inaccurate personal data
- Delete personal data you collected
- Port their data in a portable, machine-readable format
- Opt out of the sale of personal data
- Opt out of targeted advertising
- Opt out of profiling that produces legal or similarly significant effects
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
45 days from receipt. You can extend by an additional 45 days if reasonably necessary — but you must notify the consumer of the extension and the reason.
New Jersey requires businesses to honor universal opt-out mechanisms (like Global Privacy Control).
Identity Verification
Required before fulfilling any request. The NJDPA does not prescribe a specific verification method.
Appeal Process
If you deny a request, the consumer can appeal. You must respond to appeals within 45 days. You must provide notice of their right to contact the New Jersey Attorney General if the appeal is denied.
Penalties
- $10,000 per first violation
- $20,000 per subsequent violation (highest escalating penalties among states)
- 30-day cure period available until July 15, 2026
- No private right of action — only the Attorney General can enforce
Enforced by the New Jersey Attorney General (Division of Consumer Affairs).
DSAR-Specific Exemptions
You may decline or limit a request when the data is needed to:
- Comply with a legal obligation
- Detect security incidents or protect against fraud
- Complete a transaction the consumer requested
Sensitive data requires opt-in consent before processing. New Jersey uniquely includes financial information as sensitive data (in addition to racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric data, geolocation, children's data).
Who This Applies To
Businesses that process personal data of 100K+ New Jersey consumers or 25K+ consumers with any revenue from data sales.
For the full New Jersey privacy law guide, see boringgovernance.com.
Related Guides
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — all deadlines
- DSAR Identity Verification — verification methods
- DSAR Exemptions — when you can refuse