On June 2, 2025, the New Jersey Division of Consumer Affairs (the “Division”), alongside the Office of the Attorney General, announced proposed rules (the “Proposed Rules”) to implement the New Jersey Data Privacy Act (“NJDPA”). The 60-day comment period, which closes on Friday, August 1, 2025, provides the public with an opportunity to weigh in on how the NJDPA is enforced. After the Division reviews and considers the submitted comments, it is expected to publish a Notice of Adoption in 2026.
The New Jersey General Assembly and Senate passed the NJDPA on January 8, 2024, and Governor Phil Murphy signed the bill into law on January 16, 2024. Although the law took effect on January 15, 2025, the NJDPA also directs the Division to adopt rules and regulations governing compliance with the state’s comprehensive privacy law.
This framework is similar to the California Consumer Privacy Act and the Colorado Privacy Act, both of which have parallel regulations that govern compliance with those states’ comprehensive privacy laws. While the Proposed Rules share many similarities with the California and Colorado regulations, they also introduce a few key requirements that appear neither in the text of the NJDPA itself nor in most other comprehensive privacy laws.
Below, we have provided our key takeaways from the Proposed Rules. We will continue tracking these and other state privacy law developments in the WilmerHale Privacy and Cybersecurity Law Blog.
Key Takeaways from the Proposed Rules
The Proposed Rules expand and clarify the requirements in the NJDPA in the following ways:
— Elaborate on the NJDPA’s Definition of Personal Data: While the NJDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable person,” the Proposed Rules further elaborate on what constitutes “reasonably linkable” personal data. Under the Proposed Rules, personal data is “reasonably linkable” if the data can “identify a person or a device linked to a person when aggregated with other data, including, but not limited to, a person’s (1) full name; (2) mother’s maiden name; (3) telephone number; (4) IP address or other unique device identifiers; (5) place of birth; (6) date of birth; (7) geographical details (for example, zip code, city, state, or country); (8) employment information; (9) username, email address, or any other account holder identifying information (including, but not limited to, identifying information related to social media accounts); (10) mailing address; and (11) race, ethnicity, sex, sexual orientation, or gender identity or expression.”
— Clarify the NJDPA’s “Internal Research” Exemption: Under the NJDPA, the statute’s obligations for controllers and processors “shall not restrict a controller’s or processor’s ability to collect, use or retain data for internal use to…conduct internal research to develop, improve, or repair products, services, or technology.” However, the Proposed Rules make it clear that the collection, use, or retention of data is not considered internal research if (1) “[t]he data or resulting research is shared with a third party, unless it is de-identified or shared pursuant [to the Proposed Rules]” or (2) “[t]he data or resulting research is used to train artificial intelligence, unless the consumer has affirmatively consented to such use.”
— Require Privacy Notices and Disclosures to Be Understandable and Accessible: The Proposed Rules require controllers’ disclosures, notifications, and other communications to be understandable and accessible to the controller’s target audience, using “plain, straightforward language and avoid[ing] technical or legal jargon.” Among other requirements, these communications must also be accessible to consumers with disabilities, be available in the same languages the controller uses when interacting with consumers, and not be written in a way that is “unfair, deceptive, or misleading.” This is similar to the requirements under California’s and Colorado’s regulations.
— Elaborate on the NJDPA’s Content Requirements for Privacy Notices: The NJDPA requires controllers to provide consumers with a privacy notice that shall include, but is not limited to, “(1) the categories of the personal data that the controller processes; (2) the purpose for processing personal data; (3) the categories of all third parties to which the controller may disclose a consumer’s personal data; (4) the categories of personal data that the controller shares with third parties, if any; (5) how consumers may exercise their consumer rights, including the controller’s contact information and how a consumer may appeal a controller’s decision with regard to the consumer’s request; (6) the process by which the controller notifies consumers of material changes to the notification required to be made available pursuant to this subsection, along with the effective date of the notice; and (7) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.”
The Proposed Rules elaborate on the NJDPA’s content requirements and provide examples of sufficient descriptions for some of the categories outlined above. For example, the Proposed Rules note that categories of personal data must be “sufficiently granular to enable consumers to understand the type of personal data processed” and state that sufficient descriptions include “telephone number,” “email address,” and “government issued identification numbers.”
While these requirements are materially similar to those under other state comprehensive privacy laws, they add further details to the information that entities must provide in their privacy policies.
— Create Specific Content Requirements for Processing for Profiling and Loyalty Programs: In addition to the privacy notice content requirements outlined in the NJDPA, the Proposed Rules require that further information be provided by controllers that process personal data for profiling with regard to decisions that produce legal or similarly significant effects concerning the consumer, including “the decisions to be made using profiling,” “a plain language explanation of how the profiling software works,” and “if the system has been evaluated for accuracy, fairness, or bias.”
Furthermore, controllers that offer loyalty programs or other incentives for the processing or sale of a consumer’s personal data must provide a notice “at or before the point of program enrollment.” Similar to California’s “Notice of Financial Incentive,” loyalty program notices must contain (1) a statement that the loyalty program includes the sale or processing of the consumer’s data and that the consumer can opt out of the program; (2) an explanation of how the price or service difference associated with the loyalty program is reasonably related to the value of the consumer’s personal data; (3) a detailed description of the categories of the personal data collected through the loyalty program; (4) a detailed description of the third parties that will receive the consumer’s personal data, including whether the personal data will be shared with data brokers; (5) a statement acknowledging that the consumer has the right to withdraw from the loyalty program at any time and an explanation of how the consumer can exercise that right; (6) a list of loyalty program partners and the benefits provided by each partner; (7) a link to the controller’s privacy notice; (8) an explanation, if any is needed, regarding why the deletion of personal data makes it impossible to provide the consumer with a loyalty program benefit; and (9) an explanation, if any is needed, regarding why sensitive data is required for a loyalty program benefit.
— Require Refresh of Consent upon a Two-Year Lapse in Engagement or a Material Change in Processing Purpose: If a consumer has not interacted with the controller in two years or the purpose behind processing a consumer’s data has materially evolved, the controller must refresh consent before further processing sensitive data concerning a consumer or personal data concerning a consumer between the ages of 13 and 17. Children’s privacy has been an area of focus for other state comprehensive privacy laws, and New Jersey is no different in this regard.
— Require Controllers to Provide at Least Two Methods for Data Subject Requests: The Proposed Rules require that a controller’s privacy notice specify two or more methods through which consumers can submit data rights requests, one of which must be a toll-free telephone number. These methods do not have to be specific to New Jersey as long as they meet New Jersey’s requirements. If a consumer attempts to exercise their data rights using a method that is not one of the controller’s designated methods, or the request is deficient in some manner, the controller must either treat the attempt as if it had been made through a designated method or respond to the consumer with information on how to exercise the data rights or remedy the deficiencies.
— Create Requirements for User Interface Design and Prohibit Dark Patterns: The Proposed Rules include requirements for controllers’ user interface designs and choice architectures. Controllers must design and implement methods for submitting data rights requests and obtaining consent that incorporate several principles, including the use of “plain, straightforward language” and elements that are not confusing to consumers. The methods must also be easy for consumers to execute and must not interfere with their ability to exercise their choice or give consent. For example, if a controller seeks consent through an “accept all” website banner, it must also offer consumers a “decline all” choice. These dark pattern restrictions are similar to those in other state comprehensive privacy laws, including the California and Colorado regulations.
— Create Affirmative Obligations for Controllers for the Purpose of Data Minimization: The Proposed Rules require controllers to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” In a section titled “Data Minimization,” the Proposed Rules require controllers to determine the minimum personal data necessary for the specific purposes communicated to the consumer, maintain a data inventory, immediately delete sensitive data once a consumer revokes consent, and assess on a yearly basis whether biometric identifiers, photographs, and audio and video recordings remain necessary for the specific processing purposes. This last requirement in particular is notably different from the retention requirements in other state comprehensive privacy laws.
— Require Data Protection Assessments for Processing Activities that Create a Heightened Risk of Harm: The NJDPA requires controllers to conduct a data protection assessment before conducting processing activities that present a heightened risk of harm to a consumer. The Proposed Rules set out certain requirements for these data protection assessments, including minimum content and timing requirements. Specifically, the Proposed Rules require a data protection assessment to include (1) a summary of the processing activity; (2) the categories of personal data being processed and whether that data includes sensitive data; (3) the relationship between the controller and the consumers whose data is being processed; (4) the elements of the processing activity; (5) the purposes of processing the personal data and any benefits that may result; (6) the risks presented to consumers’ rights, including harms, injuries, negative decision outcomes, and other detrimental consequences; (7) the measures and safeguards the controller will employ to reduce those risks; (8) a risk-benefit analysis of processing the personal data; (9) the relevant internal and external parties contributing to the data protection assessment; (10) any internal or external audit conducted in relation to the assessment; and (11) when the assessment was reviewed and approved, and by whom.
Titus Cornell, a pre-law fellow, also contributed to this article.