Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Vendors must notify NJ data owners immediately, if breached
  • Violations can result in heavy penalties and civil suits with triple damages
  • Data protection laws extend out-of-state 
  • Laws also cover data protection and data disposal to prevent breaches

Who Me?


New Jersey breach and notification laws may apply if you are a business or public entity that:

  • Compiles or maintains computerized records that include PII;
  • Compiles or maintains computerized PII records on behalf of a NJ data owner.

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?


PII relevant to a breach in New Jersey includes a person's name plus one or more of the following:

  • Social Security Number;
  • Driver license or state identification number;
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's account;
  • Dissociated data that, if linked, would become PII or the means allowing access to said PII.



A few applicable laws include, but are not limited to:

Title 56 Trade Names, Trade-Marks and Unfair Trade Practices

  • 56:8-161 to 56:8-166;
  • 56:11-44 to 56:11-50.


New Jersey has laws related to the protection and disposal of personal information to prevent breaches.  A few of these laws include:

Title 56 Trade Names, Trade-Marks and Unfair Trade Practices

  • 56:8-162, 56:8-164, 56:8-196,197,198, 56:11-17,18,20-27, 56:11-42



It is an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) to willfully, knowingly or recklessly violate the laws. Violators are subject to penalties, in addition to any other penalties authorized by law, as well as civil suits, entitling the plaintiff to treble damages and costs.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was encrypted or secured;
  • If the data included any kind of key or cipher;
  • If it was acquired by an unauthorized person;
  • If misuse of the information is reasonably possible.

A determination of non-notification must be documented in writing and retained for five years.


It is mandatory for the business or public entity to report the breach to the Division of State Police prior to any disclosure to customers. Notification may be delayed if law enforcement determines it will interfere with an investigation; otherwise, the notification must be made in the most expedient time possible and without unreasonable delay.


Requires detailed information and potential provision of services

If notification is required to more than 1000 residents, they must also report it, without unreasonable delay, to all consumer reporting agencies with specific information.

The notification may be delivered by mail or email, with stipulations.

A substitute notice, with specific requirements, may be sent if the business demonstrates that the cost will exceed $250,000, or the number of persons to be notified exceeds 500,000, or they do not have sufficient contact information.
