New Jersey has proposed new regulations to clarify and implement its Data Privacy Act, setting the stage for broad protections around personal data and digital consumer rights.
The rules, published June 2, expand on what counts as personal data and lay out specific compliance requirements for businesses operating in the state. Information that can reasonably be linked to a person—including names, IP addresses, locations, and social media account identifiers—is considered protected under the law.
The proposed rules mirror provisions in other state laws, such as those in California and Colorado, and introduce obligations for data processors. Among the requirements are maintaining a detailed data inventory, documenting privacy rights requests, conducting impact assessments, and ensuring proper consent practices. Businesses would also be required to disclose their data handling practices, especially when involving loyalty programs.
One notable element is the introduction of a “duty of care” standard for safeguarding personal data. Though the law does not permit private lawsuits, this language could create future legal grounds for action.
The proposed rules are open to public comment until August 1. A final version is expected to be adopted in 2026 following regulatory review.
The New Jersey Digest is a new jersey magazine that has chronicled daily life in the Garden State for over 10 years.