NEW JERSEY DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Prepared Pursuant to the New Jersey Data Privacy Act (NJDPA), N.J. Stat. § 56:8-166 et seq.

COVER PAGE

Document Classification

☐ Confidential — Attorney-Client Privileged
☐ Confidential — Internal Use Only
☐ Restricted Distribution
☐ Other: [________________________________]

NJDPA Privilege Note: Data protection assessments disclosed to the New Jersey Division of Consumer Affairs or the Attorney General's office are confidential and exempt from public inspection, copying, or disclosure. Disclosure does not constitute a waiver of attorney-client privilege or work-product protection that might otherwise apply.

EXECUTIVE SUMMARY

Overview of Processing Activity

[________________________________]

Provide a concise description of the data processing activity under assessment, including its business purpose, the categories of consumers affected, and the nature of personal data involved.

Overall Risk Level

☐ Low Risk — Processing activity presents minimal risk to consumer rights
☐ Moderate Risk — Processing activity presents some risk requiring standard mitigation
☐ High Risk — Processing activity presents heightened risk requiring enhanced safeguards
☐ Critical Risk — Processing activity presents severe risk; recommend cessation or fundamental redesign

Summary of Key Findings

[________________________________]

Recommendation

☐ Approve processing activity as described with current safeguards
☐ Approve processing activity subject to implementation of recommended mitigation measures
☐ Defer approval pending further analysis or consultation
☐ Do not approve — risks outweigh benefits

NJDPA DPIA Trigger Assessment

This DPIA is required because the processing activity involves one or more of the following heightened-risk activities under the NJDPA:

☐ Processing of personal data for purposes of targeted advertising
☐ Sale of personal data
☐ Processing of personal data for purposes of profiling, where profiling presents a reasonably foreseeable risk of:
☐ Unfair or deceptive treatment of, or unlawful disparate impact on, consumers
☐ Financial, physical, or reputational injury to consumers
☐ An intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers where such intrusion would be offensive to a reasonable person
☐ Processing of sensitive data
☐ Any other processing activity presenting a heightened risk of harm to consumers

SECTION 1: PROCESSING ACTIVITY DESCRIPTION

1.1 Nature of Processing

What personal data is being processed?

1.2 Whose Data Is Processed?

☐ New Jersey consumers (residents)
☐ Employees / job applicants
☐ Customers / clients
☐ Website visitors / app users
☐ Vendors / contractors
☐ Minors (under 13)
☐ Minors (13-17)
☐ Other: [________________________________]

Estimated number of NJ data subjects affected: [________________________________]

1.3 Purpose of Processing

1.4 How Is Data Processed?

☐ Collection (direct from consumer)
☐ Collection (from third-party sources)
☐ Storage (electronic)
☐ Storage (physical records)
☐ Organization / structuring
☐ Analysis / profiling
☐ Automated decision-making
☐ Targeted advertising
☐ Sale to third parties
☐ Sharing with service providers / processors
☐ Cross-border or interstate transfer
☐ Deletion / destruction
☐ Other: [________________________________]

1.5 Retention Period

1.6 Data Storage Locations

SECTION 2: LEGAL BASIS AND NECESSITY

2.1 Lawful Basis for Processing Under NJDPA

The NJDPA requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed. The controller must provide a reasonably accessible, clear, and meaningful privacy notice.

Primary legal justification for this processing activity:

☐ Consumer consent (opt-in) — required for sensitive data
☐ Performance of a contract or provision of a requested product/service
☐ Compliance with federal or state legal obligation
☐ Legitimate business purpose within the reasonable expectations of the consumer
☐ Protection of vital interests
☐ Internal operations reasonably aligned with the consumer's expectations based on the consumer's existing relationship with the controller
☐ Other: [________________________________]

2.2 Purpose Limitation Assessment

• Is processing limited to purposes disclosed in the privacy notice? ☐ Yes ☐ No
• Are there secondary uses of the data not disclosed to consumers? ☐ Yes ☐ No
• If secondary uses exist, have consumers been notified and/or consent obtained? ☐ Yes ☐ No ☐ N/A
• Is processing compatible with the context in which data was originally collected? ☐ Yes ☐ No

2.3 Data Minimization Assessment

• Is only the minimum necessary personal data collected? ☐ Yes ☐ No
• Could the processing purpose be achieved with less data? ☐ Yes ☐ No
• Could the processing purpose be achieved with de-identified data? ☐ Yes ☐ No
• Could the processing purpose be achieved with aggregated data? ☐ Yes ☐ No
• Has a formal data minimization review been conducted? ☐ Yes ☐ No

2.4 NJ-Specific Legal Requirements

NJDPA Applicability Thresholds:
- Does the organization control or process personal data of 100,000 or more NJ consumers (excluding data processed solely for completing payment transactions)? ☐ Yes ☐ No
- Does the organization control or process personal data of 25,000 or more NJ consumers AND derive revenue or receive a discount on the price of goods or services from the sale of personal data? ☐ Yes ☐ No
- Note: There is no revenue minimum. The NJDPA applies to nonprofit organizations (unlike most other state privacy laws).

NJDPA Exemptions:
☐ Organization is exempt as a financial institution subject to GLBA (Title V) — exemption applies to activities, not the entity
☐ Organization is exempt as a covered entity or business associate under HIPAA — exemption applies to PHI only
☐ Organization is exempt as a government entity
☐ Data is exempt: data processed under FCRA, DPPA, FERPA, or Farm Credit Act
☐ Data is exempt: employment data processed in the employment context
☐ None — NJDPA applies in full

Important: The NJDPA does NOT exempt higher education institutions or nonprofits.

SECTION 3: DATA INVENTORY

3.1 Categories of Personal Data

3.2 Sensitive Data Under NJDPA

The NJDPA defines the following categories of sensitive data requiring opt-in consent before processing:

3.3 Data Sources

3.4 Data Recipients and Sharing

3.5 Cross-Border and Interstate Transfers

SECTION 4: STAKEHOLDER CONSULTATION

4.1 Data Subject Consultation

• Were consumers or their representatives consulted? ☐ Yes ☐ No
• If no, explain why consultation was not feasible: [________________________________]

4.2 Data Protection Officer (DPO) Input

4.3 Business Stakeholder Input

4.4 Legal Counsel Review

SECTION 5: NECESSITY AND PROPORTIONALITY

5.1 Necessity Assessment

The NJDPA requires that data protection assessments identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards the controller can employ.

Is the processing necessary for the stated purpose?
☐ Yes — processing is essential and cannot reasonably be achieved otherwise
☐ Partially — some aspects of processing could be reduced or eliminated
☐ No — less intrusive alternatives exist that would achieve the stated purpose

Explanation: [________________________________]

5.2 Less Intrusive Alternatives

5.3 Benefits vs. Risks Weighing

Benefits to Controller:
[________________________________]

Benefits to Consumer:
[________________________________]

Benefits to Other Stakeholders / Public:
[________________________________]

Risks to Consumer Rights:
[________________________________]

Safeguards Employed to Reduce Risks:
[________________________________]

5.4 Proportionality Factors

• Use of de-identified data: ☐ Evaluated ☐ Not Evaluated
• Reasonable expectations of consumers given context: ☐ Evaluated ☐ Not Evaluated
• Relationship between controller and consumer: ☐ Evaluated ☐ Not Evaluated
• Whether processing involves minors: ☐ Evaluated ☐ Not Evaluated
• Whether processing involves sensitive data: ☐ Evaluated ☐ Not Evaluated

SECTION 6: RISK ASSESSMENT

6.1 Risk Likelihood and Severity Matrix

6.2 Identified Risks to Data Subjects

6.3 Overall Risk Rating

☐ Low ☐ Moderate ☐ High ☐ Critical

Justification: [________________________________]

SECTION 7: RISK MITIGATION MEASURES

7.1 Technical Measures

7.2 Organizational Measures

7.3 Contractual Measures

7.4 Residual Risk After Mitigation

SECTION 8: NEW JERSEY-SPECIFIC COMPLIANCE CHECKLIST

8.1 NJDPA Consumer Rights Compliance

8.2 Universal Opt-Out Mechanism (Effective July 15, 2025)

CRITICAL: The NJDPA requires recognition of universal opt-out mechanisms (such as Global Privacy Control) as of July 15, 2025.

☐ Universal opt-out mechanism recognized and honored (GPC, etc.)
☐ Technical implementation verified
☐ No requirement for consumer to submit separate request when universal signal detected
☐ Documentation of opt-out signal processing

8.3 Cure Period Status

NJDPA Cure Period Timeline:
- January 15, 2025 — July 15, 2026: 18-month cure period available
- After July 16, 2026: Cure period expires; AG has discretion to offer cure

☐ Organization is aware of cure period sunset date (July 16, 2026)
☐ Compliance remediation processes are in place to address violations within cure period
☐ Organization is prepared for post-cure enforcement environment

8.4 Privacy Notice Requirements

8.5 Breach Notification Requirements (N.J. Stat. § 56:8-163)

8.6 Penalties Under NJDPA

• $10,000 per first violation
• $20,000 per subsequent violation
• AG/Division of Consumer Affairs has exclusive enforcement authority
• No private right of action under the NJDPA
• Violations may also constitute unfair practices under the Consumer Fraud Act (N.J. Stat. § 56:8-1 et seq.)

SECTION 9: THIRD-PARTY AND VENDOR ASSESSMENT

9.1 Sub-Processors

9.2 Processor Contract Requirements Under NJDPA

For each processor, verify the following contractual provisions:

☐ Clear instructions for processing personal data
☐ Nature and purpose of processing
☐ Type of data subject to processing
☐ Duration of processing
☐ Rights and obligations of both parties
☐ Confidentiality obligations
☐ Requirement to delete or return personal data at end of service
☐ Obligation to make available all information to demonstrate compliance
☐ Subprocessor engagement restrictions and notification obligations
☐ Assistance with consumer rights requests

9.3 Vendor Security Assessment

For each vendor processing NJ consumer personal data:

☐ SOC 2 Type II report reviewed (or equivalent certification)
☐ Encryption standards meet or exceed requirements
☐ Access controls verified
☐ Incident response capabilities confirmed
☐ Data deletion / return procedures documented
☐ Subprocessor restrictions documented
☐ Insurance coverage verified
☐ NJ-specific breach notification cooperation clause included

SECTION 10: AUTOMATED DECISION-MAKING AND PROFILING

10.1 Profiling Activities

• Does this processing involve profiling? ☐ Yes ☐ No

NJDPA Profiling Definition: Any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

10.2 Heightened Risk Profiling Assessment

Under the NJDPA, profiling presents heightened risk when it creates a reasonably foreseeable risk of:

☐ Unfair or deceptive treatment of consumers
☐ Unlawful disparate impact on consumers
☐ Financial, physical, or reputational injury to consumers
☐ Physical or other intrusion upon the solitude or seclusion of consumers

Assessment of whether this profiling activity meets heightened-risk threshold:
[________________________________]

10.3 Automated Decision-Making

• Are decisions made solely through automated means with legal or similarly significant effects? ☐ Yes ☐ No
• If yes, describe the decision-making logic: [________________________________]
• Human review / override mechanism: [________________________________]
• Has the algorithm been tested for bias? ☐ Yes ☐ No
• Has the algorithm been tested for accuracy? ☐ Yes ☐ No

SECTION 11: CHILDREN'S DATA

11.1 COPPA and NJDPA Children's Data Requirements

Under the NJDPA, personal data of a known child under the age of 13 is classified as sensitive data requiring opt-in consent.

• Does this processing involve data of individuals known to be under 13? ☐ Yes ☐ No
• If yes, is verifiable parental consent obtained per COPPA (15 U.S.C. § 6501 et seq.)? ☐ Yes ☐ No ☐ N/A
• Does the organization have a COPPA-compliant privacy policy? ☐ Yes ☐ No
• Are age-gating mechanisms in place? ☐ Yes ☐ No
• Is data of minors aged 13-17 processed? ☐ Yes ☐ No
• If yes, describe additional protections: [________________________________]

11.2 Children's Data Safeguards

SECTION 12: MONITORING AND REVIEW

12.1 Review Schedule

12.2 Trigger Events for Reassessment

☐ Material change in the processing activity
☐ New categories of personal data collected
☐ New categories of data subjects
☐ Change in purpose of processing
☐ New sub-processor or third-party data recipient
☐ Geographic expansion (new jurisdictions)
☐ Security incident or data breach
☐ Regulatory inquiry from NJ AG or Division of Consumer Affairs
☐ Legislative amendment to the NJDPA
☐ Final regulations published by the Division of Consumer Affairs
☐ Consumer complaints related to this processing activity
☐ Organizational changes (M&A, restructuring)
☐ Significant change in data volume (increase > 25%)
☐ Cure period expiration (July 16, 2026)

12.3 Version Control

SECTION 13: APPROVAL AND SIGN-OFF

Data Protection Officer / Privacy Lead

Chief Information Security Officer (CISO)

Legal Counsel

Business Owner / Executive Approver

APPENDIX A: DATA FLOW DIAGRAM

[Data Subject] ---> [Collection Point] ---> [Primary Storage]
|
[Processing System]
|
+---------------+---------------+
| | |
[Analytics] [Third Party] [Backup/DR]
| | |
[Reporting] [Sub-Processor] [Archive]
Instructions: Replace the above placeholder with an actual data flow diagram specific to the processing activity. The diagram must show all collection points, storage systems, processors, sub-processors, third-party recipients, and data lifecycle endpoints.

APPENDIX B: RISK MATRIX TEMPLATE

Scoring Guide:
- Critical (16-25): Immediate escalation; processing must not proceed without executive approval
- High (10-15): Senior management review required; implement additional mitigations
- Moderate (5-9): Standard mitigation measures; document and monitor
- Low (1-4): Acceptable risk; routine monitoring

APPENDIX C: GLOSSARY OF TERMS

NEW JERSEY-SPECIFIC COMPLIANCE NOTES

Unique NJDPA Features

1. Nonprofit Applicability: Unlike most state privacy laws, the NJDPA applies to nonprofit organizations, making it one of the broadest in scope among US state privacy laws.

2. Universal Opt-Out Requirement (July 15, 2025): Controllers must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC). This requirement took effect six months after the law's effective date.

3. 18-Month Cure Period: The NJDPA provides an 18-month cure period from its effective date (January 15, 2025 through July 15, 2026). After July 16, 2026, cure is at the discretion of the Division of Consumer Affairs.

4. Draft Regulations Expected: The Division of Consumer Affairs was authorized to issue draft regulations beginning June 2, 2025, with final regulations expected in 2026. These regulations will provide detailed guidance on DPIA requirements, consumer rights request processes, and opt-out mechanisms.

5. NJ State Police Notification First: Under the breach notification statute (N.J. Stat. § 56:8-163), entities must report breaches to the NJ State Police before notifying affected consumers, a unique requirement among US states.

6. Broad Definition of Personal Information for Breach: New Jersey's breach notification law covers a broad range of data elements including medical information and health insurance information in addition to traditional categories.

7. DPIA Confidentiality: Data protection assessments are confidential and exempt from public inspection, and disclosure to the AG does not waive privilege protections.

8. Heightened Penalty Structure: The NJDPA imposes $10,000 for first violations and $20,000 for subsequent violations, with no cap on total penalties, creating significant financial exposure for organizations with widespread non-compliance.

SOURCES AND REFERENCES

1. New Jersey Data Privacy Act (NJDPA), S332, codified at N.J. Stat. § 56:8-166 et seq. — https://www.njleg.state.nj.us/bill-search/2022/S332/bill-text?f=S0500&n=332_R6
2. N.J. Stat. § 56:8-163, Security Breach Notification — https://www.njleg.state.nj.us
3. NJ Cyber.gov, "New Jersey Enacts Comprehensive Data Privacy Law" — https://www.cyber.nj.gov/guidance-and-best-practices/identity-theft-privacy/data-privacy/nj-data-privacy-prevention-act
4. White & Case, "New Jersey Enacts Comprehensive Data Privacy Law" — https://www.whitecase.com/insight-alert/new-jersey-enacts-comprehensive-data-privacy-law
5. SecurePrivacy, "New Jersey Data Privacy Act (S332) Complete Guide for 2025" — https://secureprivacy.ai/blog/new-jersey-s332-privacy-bill-guide
6. BigID, "NJ Data Privacy Legislation SB 332" — https://bigid.com/blog/nj-sb-332-data-privacy-legislation/
7. Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.
8. IAPP, US State Privacy Legislation Tracker — https://iapp.org/resources/article/us-state-privacy-legislation-tracker
9. Centraleyes, "New Jersey Privacy Act 2025: What to Expect" — https://www.centraleyes.com/new-jersey-privacy-act/