New Jersey Is Already Enforcing Its Privacy Law — And Data Brokers Are First in the Crosshairs

What 10 Real Cure Letters Tell You About Where the NJDPA Is Being Enforced Right Now

The Quiet Enforcement Story You May Have Missed

Most companies treating New Jersey’s Data Privacy Act (NJDPA) as a “watch and wait” law need to recalibrate — quickly. New Jersey’s Attorney General has been actively issuing cure notices since the law took effect on January 15, 2025, and those notices are now becoming public.

Through an open records request, the law firm Troutman Pepper Locke obtained all 10 resolved cure letters issued by the New Jersey Division of Consumer Affairs under the NJDPA. Those letters, issued between March and November 2025, cite a combined 37 alleged violations across real businesses. Every single recipient was a registered data broker under California’s data broker registration law.

With the NJDPA’s 30-day cure period set to expire on July 1, 2026 — after which the AG can move directly to enforcement without a second chance — this is exactly the kind of intelligence compliance professionals need in their hands right now.

Why New Jersey Deserves Your Attention

The NJDPA is enforced by the New Jersey AG’s Office, which has a long and aggressive track record on privacy. This is not an office standing on the sidelines. The AG has been a leader in multistate data breach settlements, multistate privacy investigations, and consumer protection actions for years. The Division of Consumer Affairs reportedly began actively reviewing privacy notices for compliance issues from the law’s first day in effect.

The kicker: the AG’s position is that resolved cure letters are public records — and that company names should not be withheld. That means receiving a cure letter is not a confidential event. It can and will become public.

The 37 Violations: A Breakdown

Here is what the 10 cure letters actually cited, ranked by frequency:

# | Violation | Times Cited
1 | Privacy notice did not adequately explain how consumers may exercise their rights | 9 of 10
2 | No conspicuous appeal process comparable to the rights-request process | 8 of 10
3 | Privacy notice did not disclose categories of personal data shared with third parties | 7 of 10
4 | Did not clearly and conspicuously disclose how to opt out of sale/processing | 5 of 10
5 | No way to exercise rights without creating a new account | 2 of 10
6 | No process for notifying consumers of material privacy notice changes | 2 of 10
7 | No instructions for appealing a declined privacy request | 1 of 10
8 | Inadequate disclosure of categories of personal data processed | 1 of 10
9 | No opt-out disclosure for profiling with legal/significant effects | 1 of 10
10 | Failure to implement reasonable data security measures | 1 of 10

Three provisions alone — how to exercise rights, the appeals process, and third-party data-sharing disclosures — account for roughly two-thirds of all cited violations. That concentration is important. It tells you exactly where to look first.

6 Compliance Lessons From the Cure Letters (With Actionable Guidance)

1. Your Privacy Notice Is Being Read Like a Regulator’s Checklist

Nearly every violation cited was a public-facing disclosure deficiency — something reviewable by sitting at a desk with a browser. This is precisely how the AG’s office identified targets in the first place: they read your privacy notice.

What to do: Treat your privacy notice as a live compliance document. Read it aloud. Can a consumer understand, without specialized knowledge, what data you collect, what you share with third parties, and how to exercise their rights? If your answer is “mostly,” that is not enough.

Specifically, your notice must clearly describe:

  • The categories of personal data you collect and process

  • The categories of personal data you share with third parties (this is a New Jersey-specific requirement not found in most other state laws)

  • How consumers can submit requests to exercise each right — not just that rights exist

  • How to opt out of the sale or targeted processing of their data, in clear and conspicuous terms

2. Your Appeals Process Is Probably Not Good Enough

This is the finding that should surprise most compliance teams. Eight of the ten cure letters cited failures related to the consumer appeals process — and that almost certainly understates the problem, because many of the “how to exercise rights” violations also involved inadequate disclosures about how to appeal a declined request.

Under the NJDPA, if you deny a consumer’s privacy rights request, you must give them a meaningful way to appeal — and that appeal pathway must be comparable in ease and visibility to the original rights-request mechanism. You cannot bury appeal instructions in fine print while advertising a prominent opt-out portal.

What to do:

  • Audit your appeal process end-to-end. If you have a web form for submitting rights requests, your appeal process should be equally accessible — ideally a similarly formatted form, email address, or online portal, not a buried paragraph of legalese.

  • Clearly state the timeframe in which consumers must submit an appeal (typically within 30 days of receiving your decision).

  • Verify that your appeal pathway is disclosed in your privacy notice and in the response letter or email you send to consumers when you decline a request.

3. Third-Party Data Sharing Is a Uniquely New Jersey Flashpoint

Seven out of ten letters cited a failure to disclose the categories of personal data shared with third parties. This specific requirement — found in N.J.S.A. § 56:8-166.6(a)(4) — is not standard across all state privacy laws. Many companies imported their GDPR or California-style privacy notice and assumed it would cover New Jersey. It often does not.

What to do: Audit your data flows and map every category of personal data that moves to a third party — whether through data sales, advertising technology integrations, analytics partnerships, or service providers acting as independent controllers. Your privacy notice must reflect those categories clearly. Broad language like “we may share data with our partners” almost certainly falls short.

4. Friction Is Enforcement Bait

Two of the 10 letters cited a failure to allow consumers to exercise their privacy rights without first creating a new account. This mirrors a well-established California enforcement priority: regulators are not just asking whether you described the rights correctly — they are asking whether you made it genuinely easy to use them.

What to do: Walk through your rights-request process as if you were a consumer who has never visited your website. Can you submit a data deletion request without signing up for an account? Can you opt out of sale with two clicks or fewer? If your process requires a login, verification hurdles that exceed what is reasonably necessary, or navigation through multiple pages, expect scrutiny.

5. Data Brokers Are the First and Clearest Target — But Not the Last

All 10 cure letter recipients were registered California data brokers. This is not coincidence. California maintains a publicly searchable data broker registry, and regulators in other states — including New Jersey — can use it as a ready-made list of companies processing large volumes of sensitive consumer data. It is low-friction targeting for an AG’s office that wants to demonstrate enforcement is real.

But the implication should not be that “only data brokers need to worry.” The AG chose data brokers first because they were easy to identify and because the nature of their business makes non-compliance likely. Once those cases are resolved, the scope will expand. Any company subject to the NJDPA — broadly, entities that do business in New Jersey, target New Jersey consumers, or process data on 100,000 or more New Jersey residents — should treat this enforcement activity as a signal.

If you are a data broker: Check whether you are registered in California, because if you are, you may already be on a list that New Jersey is reviewing. Your compliance timeline is not theoretical — it is now.

6. “Resolved” Does Not Mean Secret

This is a critically underappreciated point. When New Jersey considers a cure letter “resolved” — meaning the company corrected the cited violations and no further enforcement action was opened — the AG’s position is that the letter becomes a public record, including the company’s name.

This changes the calculus for how companies should think about cure letters. Receiving one is not a quiet administrative event. It can become a press story, a reputational data point for clients and partners, or evidence in private litigation. Companies reviewed by the Troutman team showed tangible post-letter changes to their privacy notices: restructured state-rights disclosures, new appeal channels with dedicated email addresses, and clearer third-party sharing categories. Those changes are visible and traceable.

What to do: If you receive a cure letter, treat remediation as both a legal obligation and a reputational priority. Document your remediation steps thoroughly. Engage counsel. And do not assume the letter stays private.

The July 1, 2026 Deadline: What It Really Means

The NJDPA’s 30-day cure period sunsets on July 1, 2026. After that date, the New Jersey AG can bring an enforcement action without first giving companies a chance to fix violations. The window to correct deficiencies before facing fines has already largely closed.

This is the practical consequence: companies that receive a notice after July 1 will not receive a warning. They will receive an enforcement action. Given that the AG has been issuing cure letters since March 2025, the infrastructure for enforcement is clearly in place. What changes after July 1 is only the outcome.

Your Pre-July Compliance Checklist

Use this as a rapid review framework before the cure period expires.

Privacy Notice

  • Clearly describes how consumers exercise each available right

  • Discloses the categories of personal data you share with third parties (not just service providers)

  • Describes the categories of personal data you collect and process

  • Contains a clear, conspicuous opt-out mechanism for sale and targeted advertising

  • Describes your process for notifying consumers of material changes

Consumer Rights Infrastructure

  • Rights requests can be submitted without creating an account

  • Appeals process is comparable in accessibility to the original request mechanism

  • Appeal instructions are provided to consumers when a request is declined

  • Response letters reference how to appeal and within what timeframe

Data Broker / Third-Party Data Flows

  • Data flows to third parties are mapped and categorized

  • Privacy notice reflects all categories of data shared externally

  • California data broker registration status is confirmed and current

Internal Governance

  • Data security measures are documented and reasonable

  • Opt-out for profiling with significant legal effects is disclosed where applicable

  • Compliance program is reviewed against all 37 violations cited in the NJ cure letters

Bottom Line

New Jersey is not waiting. The AG’s office has been running a quiet but active enforcement program since the NJDPA took effect, and the cure letters obtained through public records show a clear and consistent enforcement focus: public-facing disclosures, appeals processes, third-party data-sharing transparency, and consumer-friendly rights mechanisms.

The cure period ends July 1, 2026. The companies that act now — reviewing their privacy notices, testing their consumer rights processes, and auditing their third-party data flows — are the ones who will not be reading about their own enforcement letter in a future public records release.
