Privacy & Information Security Law Blog

On June 2, 2025, proposed rules (“Proposed Rules”) were published under New Jersey’s Data Privacy Act (“NJDPA”). The Proposed Rules elaborate on what constitutes “personal data” and detail a number of compliance obligations, some of which parallel existing requirements under data privacy laws in California and Colorado. 

Like many other state data privacy laws, the NJDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable person.” The Proposed Rules, further specify that data “is “reasonably linkable” if it can identify a person or a device linked to a person when aggregated with other data, including, but not limited to, a person’s: (1) full name; (2) mother’s maiden name; (3) telephone number; (4) IP address or other unique device identifiers; (5) place of birth; (6) date of birth; (7) geographical details (for example, zip code, city, state or country); (8) employment information; (9) username, email address, or any other account holder identifying information (including, but not limited to, identifying information related to social media accounts); (10) mailing address; and (11) race, ethnicity, sex, sexual orientation, or gender identity or expression.

The Proposed Rules also further detail a number of compliance obligations, including requirements relating to maintaining a data inventory, processing sensitive data, maintaining records of privacy rights requests, conducting data privacy impact assessments, providing privacy disclosures including in relation to loyalty programs, practices for receiving and responding to privacy rights requests, and practices for obtaining consent including requirements for avoiding dark patterns. In addition, the Proposed Rules refer to the obligation to safeguard personal data as a “duty of care,” which may create a basis for litigation in that regard despite the prohibition on private rights of action under the NJDPA.

“We live in a rapidly changing digital age, and personal data is collected at an alarming rate. Consumers in New Jersey deserve to know exactly when and how their information is used,” said Phil Murphy, New Jersey’s Governor. New Jersey’s Attorney General added, “the proposed rules advance consumer privacy protections by requiring internet websites, online providers, and other entities to fully disclose to consumers how their private data will be used, notify consumers of their data privacy rights, and provide them with information on how to exercise those rights,” and New Jersey’s Acting Director of the Division of Consumer Affairs further added, “there is a growing sense of helplessness among consumers who do not want their data collected but feel powerless to stop it. The rules we are proposing . . . empower consumers to reclaim control over their personal data, including how and when it is collected, shared, or sold.”

There is a 60-day public comment period to submit written comments on the proposed rules that ends on August 1, 2025. After the public comment period, the New Jersey Division of Consumer Affairs will review the comments that were submitted. The rules will become final when a Notice of Adoption is published, which is expected sometime in 2026.