New Jersey’s Privacy Cure Period Sunsets July 15, 2026

May 12, 2026
by Cherry Rose

This article is operational guidance on data plumbing changes, not legal advice. The New Jersey Data Privacy Act’s 18-month cure period sunsets on July 15, 2026, which is 64 days from publication. After that date, the New Jersey Attorney General can pursue enforcement under the New Jersey Consumer Fraud Act without offering a 30-day cure window, with penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent violation (Day Pitney, 2026). Most WooCommerce stores selling to New Jersey residents don’t realise they’re in scope.

The threshold isn’t geography. It’s volume: 100,000 New Jersey consumers per year, or 25,000 if any of your revenue derives from selling personal data (Bass, Berry & Sims, 2025). A store in California, Texas, or outside the U.S. entirely can be in scope if New Jersey buyers cross either threshold.

What WooCommerce Stores Selling to NJ Customers Must Change Before Then

Three things make the NJDPA operationally harder than CCPA or Virginia’s CDPA, even before the cure window closes:

  • GPC has been mandatory since July 15, 2025 (Bass, Berry & Sims, 2025). Six months after the law’s effective date, the obligation to recognise universal opt-out signals — the Global Privacy Control browser flag chief among them — became active. Most WooCommerce stores still pass GPC-signalled traffic to ad pixels as if no signal was sent.
  • Opt-out processing must complete within 15 days — the fastest in U.S. state privacy law (Ketch, 2026). CCPA gives you 45 days. Virginia gives you 45. New Jersey gives you 15, and the clock runs the moment the request is received, not when you get around to processing it.
  • Financial information is classified as sensitive data, unique among U.S. state privacy laws (UniConsent, 2025). Account numbers, login credentials, payment card numbers with access codes — all sensitive. Sensitive data requires opt-in consent under NJDPA, not the default opt-out regime. Every pixel that touches order data hits that bar.

The cure-period sunset doesn’t change what the law requires. It changes whether you get a 30-day window to fix the violation before penalties land.

Who’s Actually In Scope (and Why Most Stores Don’t Realise It)

The NJDPA’s applicability threshold is calendar-year volume. Two ways to trip it:

  • Path one: 100,000 New Jersey consumers in a calendar year, excluding data processed solely to complete a payment transaction. A direct-to-consumer brand shipping nationwide hits this faster than its founders typically expect — New Jersey is one of the most densely populated states in the country and disproportionately represented in mid-Atlantic ecommerce traffic.
  • Path two: 25,000 New Jersey consumers if any portion of your revenue comes from selling personal data, including affiliate arrangements that share customer email lists with partners in exchange for placement fees.

The threshold counts processing, not just paying customers. Browsing visitors who never purchase still count toward the 100,000 if you’re tracking them with any persistent identifier — which a default WooCommerce + GA4 + Meta pixel setup does the moment they land.

Maryland’s MODPA follows the same pattern: out-of-state stores routinely in scope, default WooCommerce pixel stacks routinely non-compliant. Multi-state operators end up needing to satisfy the strictest of the three or four state laws that apply — usually New Jersey for opt-out speed and Maryland for sensitive-data scope.

What Changes on July 15

Before July 15: the New Jersey AG must offer a 30-day cure opportunity for most violations before pursuing enforcement. A store that gets a notice can fix the issue, document the fix, and avoid penalties.

After July 15: cure is no longer mandatory. The AG can move directly to enforcement under the New Jersey Consumer Fraud Act. Penalties run up to $10,000 for an initial violation and up to $20,000 for each subsequent one (Day Pitney, 2026). What counts as a “subsequent violation” is a matter of AG discretion, but the worst case is per-consumer, per-violation, which compounds quickly.

The cure window doesn’t return. There is no second 18-month grace.

The Three Plumbing Changes a WooCommerce Store Has to Make

Operationally, three changes need to happen at the data layer before the sunset:

1. GPC recognition at ingress

The browser sends a Sec-GPC: 1 header on every request when a user has GPC enabled. A compliant store inspects that header on the first request — at the server, before any client-side script loads — and writes the opt-out state to a session record. Every downstream destination (Meta pixel, GA4, Google Ads conversion, Klaviyo) is then told the user is opted out by reference to that single state.

This was technically required as of July 15, 2025. Most WooCommerce stores either don’t read the GPC header or read it client-side, where ad blockers and ITP can interfere with applying the signal.

2. Consent-aware routing for every destination

Per-tag GTM consent settings cannot operationally pass an NJDPA audit at scale. GTM has 40 per-tag consent settings; the audit wants one. A WooCommerce store running 8-12 tags has dozens of consent toggles to keep synchronised, each one a single misclick away from leaking data on an opted-out user.

Server-side ingress collapses that to a single gate. The consent state is evaluated once, at the request layer, and applied to every destination by routing the event only when consent allows. The audit surface is one decision point, not forty.

3. 15-day opt-out propagation plumbing

When a New Jersey consumer submits an opt-out, the clock starts. Within 15 days, the opt-out must propagate to every system that holds the consumer’s data — your CDP, your Meta CAPI destination, your Klaviyo list, your Google Ads customer match audience, your email marketing platform. Doing this manually for each system is how missed-deadline violations happen.

The architectural fix is treating opt-out as a single API call to your ingress layer that fans out to every connected destination’s deletion or suppression endpoint. The same architecture that handles GPC at ingress handles explicit opt-outs through the same gate.
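
The three changes above as one gate, sketched in Node.js. This is an added example, not Seresa's code or anything from the original article. The session shape, the destination objects and every function name are hypothetical, and each destination is assumed to be a marketing destination subject to the opt-out.

```javascript
const OPT_OUT_WINDOW_DAYS = 15; // opt-out deadline cited in the article

// Step 1: read Sec-GPC at ingress. Node lowercases incoming header names.
function applyGpc(headers, session) {
  const gpc = String(headers['sec-gpc'] ?? '').trim();
  // Only the exact value "1" is a signal; a recorded opt-out is never cleared here.
  if (gpc === '1' && !session.optedOut) {
    session.optedOut = true;
    session.optOutSource = 'gpc';
  }
  return session;
}

// Step 2: one decision point. An opted-out session reaches no destination.
function routeEvent(event, session, destinations) {
  if (session.optedOut) return [];
  return destinations.map((d) => { d.send(event); return d.name; });
}

// Step 3: an explicit opt-out passes through the same gate and fans out.
// Synchronous here for clarity; real suppression endpoints would be async calls.
function propagateOptOut(session, receivedAt, destinations) {
  session.optedOut = true;
  session.optOutSource = 'request';
  // The clock starts when the request is received.
  const deadline = new Date(receivedAt.getTime() + OPT_OUT_WINDOW_DAYS * 86400000);
  const results = destinations.map((d) => {
    try { d.suppress(session.consumerId); return { name: d.name, status: 'suppressed' }; }
    catch (err) { return { name: d.name, status: 'pending', error: err.message }; }
  });
  // Anything still pending has to be retried before the deadline.
  const pending = results.filter((r) => r.status === 'pending').map((r) => r.name);
  return { deadline, results, pending };
}

// Constructed sample destination that only records what it was asked to do.
function makeDestination(name, failSuppress = false) {
  const dest = { name, sent: [], suppressed: [] };
  dest.send = (e) => dest.sent.push(e);
  dest.suppress = (id) => {
    if (failSuppress) throw new Error('endpoint unavailable');
    dest.suppressed.push(id);
  };
  return dest;
}
```

The `pending` list is the part that protects the deadline: a destination whose suppression call failed stays visible until a retry succeeds.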

How Seresa Handles the Single-Gate Architecture

Here’s how you actually do this on a WooCommerce store. Transmute Engine™ — Seresa’s first-party Node.js tracking server — sits as the single ingress point where consent state (GPC, banner choice, explicit opt-out) is evaluated once and applied to every downstream destination. The same gate that enforces NJDPA for New Jersey consumers enforces MODPA for Maryland consumers and GDPR for EU consumers without requiring separate per-tag configuration for each jurisdiction.

Transmute Engine is a dedicated server, not a plugin. The inPIPE plugin in WordPress is the courier; the engine on your subdomain handles capture, consent evaluation, and routing. First-party server-side architecture is the privacy-compliant default — the same reasoning that applied to GDPR now applies to NJDPA’s 15-day opt-out window.

Key Takeaways

  • The NJDPA cure period sunsets July 15, 2026 — 64 days from publication. After that date, the AG can pursue penalties of up to $10,000 (first violation) and $20,000 (subsequent) without offering a 30-day fix window.
  • WooCommerce stores selling to New Jersey customers are routinely in scope without realising it — the threshold is 100,000 NJ consumers per year (or 25,000 with any data-sale revenue), and the threshold counts processing, not purchases.
  • Three plumbing changes are non-negotiable: GPC recognition at the server-side ingress layer, consent-aware routing for every destination, and 15-day opt-out propagation across every connected system.
  • New Jersey has the fastest opt-out window in U.S. state privacy law: 15 days versus 30-45 elsewhere. Per-tag GTM consent settings struggle to enforce that timeline at scale.
  • Financial information is uniquely classified as sensitive data in New Jersey — triggering opt-in consent requirements on any pixel that touches order data containing account numbers, login credentials, or payment card details.

Frequently Asked Questions

Does the New Jersey Data Privacy Act apply to my WooCommerce store if I’m not based in New Jersey?

Yes, if you process the personal data of at least 100,000 New Jersey consumers in a calendar year (excluding data processed solely for completing a payment transaction), or at least 25,000 New Jersey consumers if any of your revenue comes from selling personal data. Geography of the business doesn’t matter — the consumer’s residency does. A WooCommerce store based outside New Jersey that meets the threshold is in scope.

What changes on July 15, 2026?

The 18-month cure period sunsets. Until that date, the New Jersey Attorney General must offer a 30-day cure opportunity before pursuing enforcement for most violations. After July 15, the AG can move directly to enforcement under the New Jersey Consumer Fraud Act, with penalties of up to $10,000 for a first violation and up to $20,000 for each subsequent one. The cure window doesn’t return.

What is the Global Privacy Control (GPC) and does my WooCommerce store have to honour it?

GPC is a browser-level signal that tells websites the user is opting out of the sale or sharing of personal data. New Jersey has required businesses subject to the NJDPA to recognise universal opt-out mechanisms including GPC since July 15, 2025 — six months after the effective date. If a New Jersey resident visits your store with a GPC-enabled browser, you are obligated to treat that as an opt-out signal regardless of whether they ever click a ‘do not sell’ link.

How does the NJDPA’s 15-day opt-out window work?

When a New Jersey consumer submits an opt-out request, you have 15 days to process it across every downstream system — your CDP, your ad pixels, your email marketing, your CAPI destinations. This is the fastest opt-out window in U.S. state privacy law; CCPA and Virginia’s CDPA allow 30-45 days. The 15-day window is what makes per-tag GTM consent toggles operationally hard to enforce — every destination has to receive the opt-out signal within the window.

Why is the classification of financial information as sensitive data significant?

Sensitive data under the NJDPA requires opt-in consent for processing — a higher standard than the default opt-out regime that covers most personal data. New Jersey is unique in folding account numbers, login credentials, and credit/debit card numbers with access codes into the sensitive data definition. For a WooCommerce store, this means any pixel or destination that touches order data containing those fields requires opt-in consent, not just an opt-out option.

Audit your store’s GPC handling, consent routing, and opt-out propagation this week. 64 days is enough time to fix the plumbing if you start now. Start at seresa.io.
