
New Jersey Finalizes Public Comment Period on Proposed Data Privacy Rules

29 Aug

As a reminder for businesses operating in New Jersey, the Division of Consumer Affairs has proposed detailed regulations to implement the New Jersey Data Privacy Act (NJDPA), which became effective on January 15, 2025. Public comments were finalized on August 1, 2025.


Who’s Affected?

The NJDPA applies to businesses that:

  • Manage the personal data of 100,000+ New Jersey residents (excluding payment-only or employment data), or
  • Manage the data of 25,000+ residents and earn revenue from selling that data.


Summary of Proposed Changes

1. Expanded Definitions

  • “Personal data” includes information linkable to a person or device, even if the business cannot directly identify them.
  • “Sensitive data” now includes financial details like account numbers and security codes.

2. Consent & Dark Patterns

  • Silence or inaction is not consent.
  • Coercive language, hidden opt-outs, and pre-selected choices are banned.
  • Consent must be clear, specific, and easy to manage.

3. Consumer Rights

  • Businesses must ensure vendors can fulfill consumer data requests.
  • New rules apply to profiling and automated decisions that affect consumers.

4. Data Minimization & Security

  • Businesses must justify and document why each type of data is collected.
  • Data must be deleted when no longer needed or if consent is withdrawn.
  • A new “duty of care” requires strong security practices based on risk and industry standards.

5. Privacy Notices

  • Must clearly list what data is collected, why, how long it has been kept, and if it is shared or sold, especially for minors.
  • Notices must be accessible, easy to understand, and available in all languages used by consumers.

6. Data Protection Assessments

  • Required before any high-risk data use (e.g., profiling, targeted ads).
  • Must be reviewed regularly and kept for at least 3 years.

7. AI & Internal Research

  • Using personal data to train AI requires explicit consent.
  • Sharing research data must follow strict rules or be de-identified.

8. Loyalty Programs

  • Must provide clear notices before enrollment.
  • Benefits must match the value of the data collected.
  • Consumers must be able to withdraw at any time without penalty.

9. Universal Opt-Out

  • Businesses must honor browser-based opt-out signals within 15 days.
  • They must notify third parties and keep records of these requests.

10. Special Protections for Children

  • Parental consent is required for data collected from children under 13.
  • Parents must be informed of their opt-out rights.




This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
