Key point: In response to an open records request submitted by Troutman Pepper Locke, the New Jersey Attorney General’s office provided copies of all cure letters sent pursuant to New Jersey’s consumer data privacy law and resolved by the recipient.
As shown by recent enforcement actions in California, including its most recent $12.5 million fine, the risk for companies that are out of compliance with state consumer data privacy laws has never been higher. As more state laws go into effect and cure periods sunset, the risk will only grow. One state where the enforcement risk may be higher is New Jersey.
The New Jersey Data Privacy Act went into effect on January 15, 2025, and is enforced by the Office of the Attorney General (AG) through the Division of Consumer Affairs (the Division) and the Data Privacy and Cybersecurity Section of the Division of Law. The AG has a long history of enforcing New Jersey’s privacy laws, including entering into many data breach settlements and playing a leading role in other multistate data privacy investigations and lawsuits. The AG has reportedly been working aggressively to promote compliance with the privacy law since its effective date, including by issuing cure notices. The statute’s 30-day right-to-cure period sunsets on July 1, 2026. Yet, to date, none of the AG’s compliance or enforcement efforts has become public.
Until now. In March 2026, Troutman Pepper Locke submitted an open public records request to the Division requesting copies of all cure notices sent prior to the request. In response, the Division produced 10 cure letters, issued between March 24, 2025, and November 13, 2025. The 10 cure letters, each of which has been resolved without any further enforcement action, contain a total of 37 discrete alleged violations of the statute. Although certainly not exhaustive of the Division’s activities — which likely include ongoing investigations that would not be disclosed in response to a public records request — these cure letters provide a unique window into issues the regulators in New Jersey find relevant. With the cure period sunsetting in just a matter of weeks, the letters also provide helpful guidance for companies to ensure they are compliant with New Jersey’s privacy law.
In the article below, we provide a summary of the alleged violations cited in those cure notices, six takeaways for companies to consider as the cure period comes to a close, and a look at how some companies changed their practices after receiving cure notices.
Summary of Alleged Violations in Cure Notices
The chart below provides an overview of the types of violations alleged in the 10 cure notices obtained by Troutman. In sum, the Division asserted 37 discrete allegations across the 10 letters, referencing specific statutory sections. Three provisions account for roughly two-thirds of the cited deficiencies, as shown below.
| # | Allegation | Letters Citing |
|---|---|---|
| 1 | Did not adequately disclose in privacy notice how consumers may exercise their rights, § 166.6(a)(5) | 9 |
| 2 | Did not provide a conspicuously available appeal process similar to the process for submitting requests to exercise a right, § 166.7(f) | 8 |
| 3 | Did not adequately disclose in privacy notice the categories of personal data shared with third parties, § 166.6(a)(4) | 7 |
| 4 | Did not clearly and conspicuously disclose how to opt out of the sale or processing of personal data, § 166.6(b) | 5 |
| 5 | Did not provide a process for consumers to exercise rights without creating a new account, § 166.6(c) | 2 |
| 6 | Did not provide a process for notifying consumers of material changes to the privacy notice, § 166.6(a)(6) | 2 |
| 7 | Did not provide instructions for how to appeal a controller’s decision to decline action on a verified request, § 166.7(c) | 1 |
| 8 | Did not adequately disclose in privacy notice the categories of personal data processed, § 166.6(a)(1) | 1 |
| 9 | Did not adequately disclose in the privacy notice how to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects, § 166.10(a)(5) | 1 |
| 10 | Did not take reasonable administrative, technical, and physical data security measures, § 166.12(a)(3) | 1 |
| | Total allegations across all letters | 37 |
Six Takeaways for Companies to Consider Before the Cure Period Expires
1. Public disclosures matter
Public disclosures were the dominant source of violations. Almost every single alleged violation deals with companies’ public disclosures, including their privacy notices and website links. This focus is unsurprising given that the AG’s office likely identified its targets for cure letters based on its review of companies’ privacy notices to identify facially deficient disclosures and other readily apparent violations.
2. The appeals process is a surprisingly big focus
Perhaps more surprisingly, the cure notices demonstrate that the Division looked closely at companies’ appeal processes. With eight alleged violations, failure to provide a conspicuously available appeal process that is similar to the process for submitting requests to exercise privacy rights, pursuant to N.J.S.A. § 56:8-166.7(f), was the second most common violation alleged in the cure notices. Even so, this observation likely understates the significance of deficiencies concerning the appeal process, because the most common alleged violation — failure to adequately disclose how consumers may exercise their rights, pursuant to N.J.S.A. § 56:8-166.6(a)(5) — encompasses failures to adequately disclose how consumers may appeal. We believe it is reasonable to assume that appeal-related issues represent a distinct plurality of all violations alleged in the cure notices. The frequency of these alleged violations may reflect that the AG has adopted a strict approach to evaluating whether an appeal process is sufficiently similar to the process for exercising rights in the first instance.
3. Disclosure of categories of data disclosed to third parties is another significant focus
Seven of 10 letters allege violations of the requirement in N.J.S.A. § 56:8-166.6(a)(4) to disclose the categories of personal data shared with third parties. This requirement is only found in a handful of comparable state privacy laws and appears to be a notable area of focus in New Jersey.
4. Regulators remain focused on reducing friction for consumers exercising their rights
New Jersey’s cure letters indicate that the state is taking a cue from California in emphasizing the reduction in friction for consumers who seek to assert their privacy rights. Alleged violations of N.J.S.A. §§ 56:8-166.6(b) (clear and conspicuous opt-out) and 56:8-166.6(c) (ability to exercise rights without creating a new account) reflect that regulators are focused on whether consumers can easily exercise their rights in practice — not merely whether the rights are adequately described in privacy notices.
5. Data brokers in the spotlight
All 10 letters were issued to entities that share a defining commercial characteristic: all are registered as data brokers under California’s data broker law. Recipients included, for example, a marketing data company, an adtech identity provider, and a location/mobility data company. An early focus on data brokers makes sense both because of the nature of those businesses and their processing activities and because California has a publicly available registry that other states may use as a starting point for their own compliance efforts.
6. Cure letters (including names of recipients) are subject to public disclosure
Companies that receive cure letters from a privacy regulator may want to know whether the fact that they received such a letter may become public. Ongoing investigations are frequently treated as confidential and exempt from disclosure under state public records laws. However, the New Jersey AG apparently is of the view that “resolved” cure letters — those that did not result in a still-ongoing nonpublic investigation — are disclosable and that the names of the recipients should not be withheld from the public. Knowing that this information could become public may inform how companies respond.
Post-Letter Privacy Notice Revisions Appear to Track the Cited Deficiencies
As part of our review, we also looked at some of the websites of companies that had received the notices to identify what changes, if any, they initiated after receiving the notices. A high-level comparison of select recipients’ privacy notices before and after the issuance of cure letters indicates that their remediation activity focused on the same statutory provisions the cure letters highlighted: appeals processes, third-party data-sharing disclosures, and reducing friction in the exercise of rights.
One recipient substantially restructured its U.S. state-rights disclosures, added a defined appeal channel including by providing an email address for consumers to send appeals within 30 days, and revised its third-party data-sharing categories. Another recipient made comparatively modest revisions and appears to continue to rely on a single “unsubscribe” portal as the practical entry point for rights. A third recipient most recently replaced its prior privacy notice nearly a year after the cure letter was issued, with changes that may reflect a broader multistate compliance refresh rather than New Jersey-specific remediation.
