New Jersey Assembly Bill A6309: The Privacy Protection Act

This month, the New Jersey Legislature rapidly advanced and enacted Assembly Bill A6309, officially titled the Privacy Protection Act. Introduced at the start of the new legislative session, the bill establishes strict limits on the collection, retention, and disclosure of sensitive personal information by state and local government entities and health care facilities. The legislation primarily targets data related to immigration status, citizenship, place of birth, Social Security numbers, Individual Taxpayer Identification Numbers (ITINs), and automated license plate recognition (ALPR) information.

The act reflects Democratic priorities to strengthen privacy protections amid concerns over potential federal immigration enforcement changes following the 2025 presidential transition. It forms part of a broader immigrant protection package, including the Safe Communities Act (A6308/S5036) and related measures limiting local cooperation with federal authorities. As of January 16, 2026, A6309 has been enacted following legislative concurrence with Governor Phil Murphy’s conditional veto recommendations released last week.

New Jersey Privacy Protection Act

The Privacy Protection Act prohibits unnecessary collection of sensitive personal information and makes such data exempt from the Open Public Records Act (OPRA). Disclosure is permitted only in narrowly defined circumstances, such as legal requirements for benefits administration, judicial processes, election verification, or with explicit informed consent. The bill also amends Motor Vehicle Commission privacy rules to explicitly restrict use of records for federal immigration purposes absent strict legal process or consent.

Advocates describe the law as creating a “privacy firewall” that encourages residents—particularly in immigrant communities—to access essential services without fear of data being shared with federal agencies. The legislation emphasizes that unrestricted data sharing can deter individuals from seeking health care, reporting crimes, or engaging in civic activities, ultimately harming public safety and trust in government institutions.

Sponsors and Co-Sponsors

The bill was primarily sponsored by Assemblywoman Annette Quijano (D-Union) and Assemblywoman Ellen J. Park (D-Bergen). Additional co-sponsors included Assembly members Raj Mukherji, Britnee N. Timberlake, and others, as well as Senate counterparts such as Patrick J. Diegnan Jr., Gordon M. Johnson, Angela V. McKnight, and Linda R. Greenstein. The Democratic sponsorship reflects the party’s focus on immigrant and privacy rights in the state.

Legislative Journey: A 10-Day Sprint

The bill’s progress was unusually swift, completing the entire legislative process in just ten days:

• January 2, 2026: Introduced in the Assembly and referred to the Assembly Judiciary Committee.
• January 5, 2026: Reported favorably out of the Assembly Judiciary Committee (4-2 vote) and referred to the Assembly Appropriations Committee.
• January 8, 2026: Reported out of the Assembly Appropriations Committee with amendments (denoted as 1R) and placed on second reading.
• January 12, 2026: Passed the Assembly (47-26). Substituted for identical Senate bill S5037 (1R) and passed the Senate (23-14).
• January 12, 2026 (later that day): Governor Phil Murphy issued a conditional veto with recommended changes, primarily removing a private right of action for violations involving health care facilities.
• January 12, 2026: Legislature concurred with the Governor’s recommendations. Assembly approved the revised version (45-22); Senate concurred (23-14). The final version is denoted as 2R.

With concurrence complete, the bill is enacted in its revised form and takes effect immediately for core provisions, pending final administrative processing.

Committee Actions in Detail

In the Assembly Judiciary Committee (January 5, 2026), the bill received favorable reporting with a 4-2 partisan vote. Supporting members included Chair Ellen J. Park, Vice Chair Carol A. Murphy, Joe Danielsen, and Gabriel Rodriguez. Opposing votes came from Robert Auth and Victoria A. Flynn.

The Assembly Appropriations Committee (January 8, 2026) advanced the bill with amendments on a 6-4 vote (one not voting). Supporting members included Chair Lisa Swain, Vice Chair Verlina Reynolds-Jackson, Shama A. Haider, Melinda Kane, Tennille R. McCoy, and Eliana Pintor Marin. Opposition came from Robert Auth, Antwan L. McClellan, Gregory E. Myhre, and Jay Webber; Gary S. Schaer did not vote.

“Government Entities”

The act defines “government entity” broadly to include all state departments, agencies, authorities, public higher education institutions, local governments, and their subdivisions.

• Collection Limits: Entities may request sensitive information (immigration/citizenship status, place of birth, SSN/ITIN, ALPR data) only when strictly necessary for eligibility or administration of a specific service, benefit, or program. Retention is limited to the duration needed or legally required.
• Confidentiality: Collected records are exempt from OPRA and cannot be disclosed except for benefits administration required by law, judicial warrant/subpoena/court order, election candidate verification, or with informed written consent.
• Consent Requirements: Consent must be written, in the individual’s preferred language, voluntary (with explicit statements against retaliation), revocable, and detail exactly what data is shared, why, and with whom.
• Compelled Disclosure Notice: If disclosure is required by legal process, the entity must notify the affected individual, specifying the data, recipient, and basis.
• ALPR Restrictions: Government entities cannot sell, share, or transfer ALPR data except to other agencies (when permitted), under judicial process, or with consent. Data hosting services are exempted.
• Policy Updates: Entities must review and revise confidentiality policies within one year, posting changes online.
• Enforcement: Knowing violations remain subject to injunctive relief and civil damages in Superior Court.

Health Care Facilities

Parallel restrictions apply to health care facilities (as defined under N.J.S.A. 26:2H-2). Collection and retention follow the same necessity rules. Disclosure exceptions are identical, but the final enacted version removes private civil enforcement for facility violations per the Governor’s recommendations. Oversight shifts to the Commissioner of Health, who must update applicable policies within one year.

Amendments to Motor Vehicle Commission Laws

The bill amends N.J.S.A. 39:2-3.4 to explicitly prohibit the MVC or any government entity from using or disclosing motor vehicle records for federal immigration enforcement purposes (Title 8 U.S.C.) without consent, judicial warrant, court order, or subpoena—unless federal law mandates it. Responses to legal process are limited to only the specifically requested information.

Governor’s Conditional Veto and Final Adjustments

Governor Murphy’s conditional veto focused on balancing protections with practical concerns from health care stakeholders. The primary change removed the private right of action for health care facility violations, eliminating potential litigation burdens while preserving substantive confidentiality mandates and shifting enforcement to departmental oversight. The Legislature’s rapid concurrence ensured the bill’s enactment in revised form without delay.

Legislative Findings and Declarations

The act’s preamble affirms New Jersey’s commitment to protecting safety, constitutional rights, and state resources. It recognizes individuals’ privacy interests and notes that unauthorized data sharing can deter access to essential services, ultimately undermining public health, safety, and community trust.

Stakeholder Reactions

Supporters, including the ACLU of New Jersey, New Jersey Alliance for Immigrant Justice, and various advocacy groups, celebrated the enactment as a major victory. They argue the law prevents state entities from inadvertently aiding federal immigration actions and encourages broader service utilization. Committee testimony highlighted risks from data brokers and surveillance tools aggregating information from routine interactions.

Republican lawmakers and critics expressed concerns that the restrictions could complicate legitimate federal cooperation or compliance with overriding laws. The partisan vote pattern underscores these divides.

Broader Context and Comparisons to Other States

New Jersey builds on its 2018 Immigrant Trust Directive (partially codified) with this data-focused approach. Similar “privacy firewall” laws exist in California (SB 54 extensions), Illinois, and Oregon, which limit state agency disclosure absent judicial process. New Jersey’s inclusion of health care facilities and explicit ALPR protections makes it distinctive, addressing modern surveillance concerns.

Implementation and Future Outlook

Covered entities have one year to update policies, providing time for training and system adjustments. Advocacy groups plan monitoring to ensure effective execution. Potential federal challenges may test the law under supremacy clause arguments, but exceptions for federal mandates and prior court precedents upholding similar measures (e.g., anti-commandeering doctrine) offer strong defenses.

For New Jersey’s over two million immigrants and diverse population, the Privacy Protection Act affirms equitable access to services. It draws clear boundaries in an era of extensive data collection, ensuring personal information shared for state purposes remains protected unless strictly justified. The law’s swift passage highlights the Murphy administration’s and Democratic leadership’s priorities in the closing days of the session.