The Murphy Administration has introduced proposed regulations to safeguard consumer data privacy in New Jersey. These rules aim to protect individuals from the unauthorized use and sale of their personal information by entities that collect it during business transactions.
Published in the New Jersey Register, these regulations implement the New Jersey Data Privacy Act (NJDPA), which was signed into law by Governor Phil Murphy in January 2024. The NJDPA is considered one of the strongest data privacy laws in the United States.
Governor Phil Murphy stated, “We live in a rapidly changing digital age, and personal data is collected at an alarming rate. Consumers in New Jersey deserve to know exactly when and how their information is used.” He emphasized that these rules will help residents regain control over their personal data.
Attorney General Platkin highlighted the importance of these protections, noting, “As data breaches and cyber threats continue to grow in this age of digital consumerism, protecting the personal data of New Jersey residents from unauthorized access and use is more important than ever.”
Elizabeth M. Harris, Acting Director of the Division of Consumer Affairs, added that there is a growing sense of helplessness among consumers regarding their data collection. She stated that these rules empower consumers to reclaim control over their personal information.
The proposed rules establish a comprehensive framework for implementing the NJDPA. They require businesses, referred to as controllers, to notify consumers about the collection and sharing of personal information with third parties. Consumers have rights under this law to opt-out of such practices and can request corrections or deletions of inaccurate information.
Among other provisions, the rules facilitate consumers' rights to opt out of having their data sold or used for targeted advertising and profiling decisions. They also allow consumers to access copies of their collected data, correct inaccuracies, delete collected data, and obtain portable copies.
Additionally, controllers must document efforts to limit personal data collection to what is necessary for disclosed purposes. Valid consent must be obtained before processing sensitive consumer data or children's data aged 13-17 for certain activities.
Protections are also established for children under 13 against misuse of their personal information.
A public comment period on these proposed rules begins today and will end on August 1, 2025. Stakeholders can submit written comments during this time. Following this period, the Division of Consumer Affairs will review all comments received before publishing a Notice of Adoption expected in 2026 when the rules become final.
