On June 2, 2025, the New Jersey Office of Consumer Protection announced proposed rules for New Jersey’s comprehensive consumer privacy law, the New Jersey Data Privacy Act (NJDPA), which went into effect on January 16, 2025.
While the proposed rules draw from the California and Colorado privacy regulations, they also would introduce a number of significant definitions and compliance mandates not found in the NJDPA or most other states.
Below are several key provisions in the proposed rules.
Definition of “Personal Data”
The NJDPA defines “personal data” as any information “linked or reasonably linkable to an identified or identifiable person,” excluding de-identified data or publicly available information. The proposed rules incorporate that common standard but potentially expand it by listing the following data elements, which, when combined with other data, may render information “reasonably linkable”:
- Full name;
- Mother’s maiden name;
- Telephone number;
- IP address or other unique device identifiers;
- Place of birth;
- Date of birth;
- Geographical details (for example, zip code, city, state, or country);
- Employment information;
- Username, email address, or any other account holder-identifying information (including, but not limited to, identifying information related to social media accounts);
- Mailing address; and
- Race, ethnicity, sex, sexual orientation, or gender identity or expression.
A number of these data elements are not typically included in traditional definitions of “personal data” across state privacy laws. The proposed definition introduces new ambiguity into a generally well-established consensus of what constitutes personal data across U.S. states. The proposed rules imply that these elements may not constitute personal data by themselves, but could constitute personal data “when aggregated” with other data (including the above elements) such that the elements are “reasonably linkable” to a person or device linked to a person.
Novel Obligations
The proposed rules contain a number of novel obligations not contained in the NJDPA or most other state privacy regimes, such as the following:
- Refresh consent. Controllers would have to refresh consent when a consumer has not interacted with a controller in the prior 24 months in order to continue processing sensitive data, data of a known child, or processing personal data for the purposes of targeted advertising, data sales, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer when the controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age, but younger than 17 years of age.
- Data minimization. There are a number of proposed obligations in the name of data minimization, including that controllers would have to create and maintain an inventory of the types of data processed, where data is stored, and who can access the data. Further, the controller would have to “immediately” delete sensitive data concerning a consumer following the consumer’s revocation of consent to process the data—which may pose operational challenges to a number of businesses.
- Risk assessments. The NJDPA prohibits controllers from processing personal data that presents a heightened risk of harm without conducting and documenting a data protection impact assessment (DPIA). The proposed rules would require companies to add significant detail, beyond that required by the NJDPA, to their DPIAs by evaluating reputational, psychological, or discriminatory risks, and by including technical descriptions of the processing operations that trigger the assessment.
- Privacy notice. The proposed rules flesh out the privacy notice requirements imposed by the NJDPA and would impose additional requirements for controllers to disclose more detailed information about the data they collect and process, how long such data is retained, treatment of minors' data, and the mechanics of the controller’s data subject request process. The proposed privacy notice requirements also would impose new transparency requirements for companies that use profiling to make decisions that produce legal or similarly significant effects concerning the consumer.
- Loyalty program notice. The proposed rules would impose a requirement to provide a "Loyalty Program Notice" to consumers at or before enrollment in companies’ loyalty or rewards programs, though such requirement is not contained in the NJDPA. Similar to California’s requirement of a “Notice of Financial Incentive,” this notice would have to include specific information about the program, such as the types of personal data collected through the loyalty program, the purposes for which the data is used, and any third parties that will receive the consumer’s personal data, including whether personal data will be provided to data brokers. Additionally, the notice would have to explain the value of the consumer's data in relation to the offered benefits and provide clear information on how consumers can opt out of the program.
Dark Patterns
The proposed rules would impose detailed obligations regarding consent and rights requests, and would provide that any method for obtaining consent or submitting data rights requests that does not adhere to the proposed rule’s laundry list of provisions would be deemed a “dark pattern.” These proposed requirements and prohibitions include the following:
- Requiring consumers to click through “disruptive screens” before being able to opt out;
- Prohibiting controllers from requiring consumers, when accessing a service, to consent to unrelated uses of their personal data (such as selling geolocation data to brokers), and prohibiting consent for necessary service functions from being bundled with consent for incompatible data uses;
- Requiring opt-out methods to be easy to use, free of unnecessary obstacles, and tested to ensure they work and respect consumer choices;
- Prohibiting circular or broken links that the controller knows or should know about but does not remedy, nonfunctional email addresses, and unmonitored inboxes; and
- Prohibiting choice options from being presented with a preselected or default option.
* * * * *
Comments on the proposed rules must be filed no later than August 1, 2025 and may be submitted electronically here.