New Jersey NJDPA AI Compliance 2026: The Cure Period Sunsets July 15
New Jersey's Data Privacy Act took effect January 15, 2025 with an 18-month grace period built in — a 30-day right to cure that expires exactly 18 months later. That clock runs out today, July 15, 2026. From here forward, the Attorney General can move straight to enforcement without offering AI companies a chance to fix a violation first.
Does NJDPA Apply to Your AI Product?
NJDPA applies to controllers that conduct business in New Jersey or produce products or services targeted at New Jersey residents and that, during a calendar year, control or process the personal data of at least 100,000 consumers, or control or process the data of at least 25,000 consumers and derive revenue — or even just a discount on goods or services — from the sale of personal data.
That second trigger is unusually permissive. Most peer states set the alternate threshold at 50% of gross revenue from data sales; New Jersey doesn't set a percentage floor at all. An AI SaaS product that monetizes any meaningful data-sharing arrangement, even a small one, can find itself in scope at the 25,000-consumer mark well before it would trip a wire in Indiana, Virginia, or Colorado.
The Global Privacy Control Requirement
NJDPA required controllers to start honoring universal opt-out preference signals — most commonly the Global Privacy Control browser standard — by July 15, 2025, six months ahead of the law's other operational requirements. Any AI product with a consumer-facing website or consent flow should already be treating a detected GPC signal as a valid opt-out request for targeted advertising and the sale of personal data, without requiring a separate manual opt-out click.
Consumer Rights and AI Profiling
Profiling opt-out
Consumers can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.
Targeted advertising opt-out
Consumers can opt out of personal data being used for targeted advertising, enforceable via GPC as well as manual requests.
Sale of data opt-out
Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers.
Data Protection Assessments
Processing that presents a heightened risk of harm — including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment — requires a documented data protection assessment before the processing begins.
Why the Sunset Date Matters Today
Unlike Indiana's cure period, which has no sunset date, or Delaware's, which expired on a fixed calendar date unrelated to its own effective date, NJDPA's 30-day cure right was always designed as a temporary bridge — 18 months from the law taking effect, and no more. That bridge closes today. AI companies that have been relying on the promise of a fix-it window before facing enforcement should treat any known gap in their NJDPA compliance as urgent starting now, not as something to address after a warning letter arrives.
NJDPA Compliance Checklist for AI Companies
- ☐Track New Jersey consumer counts against the 100,000-consumer threshold as your user base grows
- ☐Separately check the 25,000-consumer alternate trigger — remember it has no revenue-percentage floor
- ☐Reassess quarterly rather than assuming a one-time exemption determination holds
- ☐Confirm your site already honors Global Privacy Control signals as a valid opt-out
- ☐Build opt-out flows for profiling, targeted advertising, and data sale
- ☐Document which AI-driven decisions fall into the legal-or-significant-effect category
- ☐Complete a data protection assessment before deploying profiling that carries a foreseeable risk of unfair treatment
- ☐Retain assessments in case the Attorney General requests them during an inquiry
- ☐Update assessments when the AI model or its training data materially changes
- ☐Do not assume a cure notice will be offered after July 15, 2026 — the automatic window is closed
- ☐Retain records supporting your scope and threshold determinations
- ☐Resolve any known gaps in GPC handling or opt-out flows immediately rather than waiting for a warning
See where your AI product is exposed
RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
How does NJDPA's cure sunset compare to Delaware's or Indiana's?
Indiana's cure period has no sunset date at all as of its January 1, 2026 effective date. Delaware's cure period sunset on a fixed calendar date, December 31, 2025, unrelated to the law's own effective date. New Jersey's is tied directly to its own effective date — 18 months after January 15, 2025 — meaning the sunset clock started ticking the moment the law took effect rather than being set by a separate legislative deadline.
What counts as a discount on goods or services under the NJDPA data-sale trigger?
The statute treats receiving a discount or other benefit in exchange for personal data as equivalent to receiving revenue from selling it. For AI products that offer reduced pricing or free tiers in exchange for data-sharing consent, that arrangement can count toward the 25,000-consumer alternate threshold even without a direct cash sale.
Does NJDPA apply retroactively to AI models trained before 2025?
NJDPA regulates ongoing processing and disclosure of personal data, not the historical training event itself. If a covered business continues to process, use, or profile with data collected from New Jersey consumers after the law's January 15, 2025 effective date, that processing is in scope regardless of when the underlying model was originally trained.