ARTICLE
18 June 2025

New Jersey Proposes New Privacy Rules That Would Impact Compliance

WR
Wiley Rein

Contributor

Wiley Rein logo
Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.
Explore Firm Details
On June 2, the New Jersey Division of Consumer Affairs (Division) published proposed regulations to implement the New Jersey Data Privacy Act (NJDPA).
United States New Jersey Privacy
Duane C. Pozza,Kathleen E. Scott,Tawanna Lee
+1 Authors

On June 2, the New Jersey Division of Consumer Affairs (Division) published proposed regulations to implement the New Jersey Data Privacy Act (NJDPA). Of note, these rules were proposed months after the NJDPA went into effect on January 1, 2025. Comments are due August 1, 2025.

The proposal, if adopted, would address definitions and exemptions under the NJDPA, as well as consumer rights and obligations of controllers and processors under the law. The stated purpose of the proposed rules is "to implement the provisions [of the NJDPA]," see Proposed N.J.A.C. 1345L-1.1(a), but the proposed rules feature several notable distinctions from the statute itself that, if adopted, could affect business compliance strategies.

For example:

  • Key Definitions. The proposal would establish new definitions and limitations to terms used or defined in the NJDPA. Of particular note, the proposal would define "reasonably linkable," a key element of the threshold term "personal data," and establish new limitations on the statutory exceptions to the definition of "sale." These changes could have important impacts on the scope of the NJDPA.
  • Key Exemptions. The proposal contemplates limitations on key exemptions as well, including limiting the common exemption for internal research so that it would not apply if "the data or resulting research is used to train artificial intelligence, unless the consumer has affirmatively consented to such use." See Proposed N.J.A.C. 1345L-1.3(d)(1).
  • Consumer Rights. The proposal would establish novel flow-down requirements for controllers to instruct processors to fulfill consumer rights requests.
  • Affirmative Controller Obligations. The proposed rules would establish specific guidance regarding controller obligations, including guidance around purpose specification and data minimization, that sets out relatively prescriptive standards. The proposal also includes recordkeeping requirements that are not listed in the statute.
  • Privacy Notice Requirements. The proposal would establish additional rules for privacy notices, including requirements to describe categories and purposes of use of personal data with sufficient detail and granularity; requirements to include "the length of time the controller intends to retain each category of personal data"; and specific requirements when controllers process personal data for profiling for a decision that produces legal or similarly significant effects concerning the consumer. See Proposed N.J.A.C. 13:45L-2.2(a)-(b). Additionally, the proposal includes new notice and consent rules in cases of material changes to a privacy notice, and details guidance on what constitutes a material change.
  • Rules Regarding User Interface Design, Choice Architecture, and Dark Patterns. The proposal includes provisions setting out principles for designing and implementing methods for submitting data right requests and obtaining consent, including highly specific guidance related to toggles, banner notices, bundling choices, links, scrolling, and processing time, among other operational issues.
  • Additional Consent Rules. The proposed rules set out lengthy and prescriptive provisions governing consent, including provisions that would require consent (where required under the law) to be refreshed if the controller and the consumer have not interacted with each other for 24 months, as well as guidance to "immediately delete sensitive data concerning the consumer for which the controller no longer has consent to process, control, possess, sell, or share," once a consumer revokes consent. See Proposed N.J.A.C. 13:45L-6.3(b)(6), 13:45L-7.1-7.7.
  • Data Protection Assessments (DPAs). The draft regulations contemplate specific rules for DPA content and timing, including a proposal to require annual DPA updates for profiling activities.

As illustrated in the examples above, the proposal is highly detailed and introduces requirements that – if adopted – will significantly impact operational aspects of covered entities' compliance strategies. Companies that are subject to the New Jersey privacy law should review the proposal carefully, and consider weighing in with the Division by August 1.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Duane C. Pozza
Duane C. Pozza
Photo of Kathleen E. Scott
Kathleen E. Scott
Photo of Joan Stewart
Joan Stewart
Photo of Tawanna Lee
Tawanna Lee
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More