Murphy Administration Announces Proposed Rules Establishing Comprehensive Consumer Data Privacy Protections

TRENTON – The Murphy Administration today announced proposed rules aimed at protecting consumers from the unauthorized use and sale of their personal data by the operators – or “controllers” – that collect it during certain business transactions.

The proposed rules, published in the New Jersey Register today, implement P.L. 2023, c.266 – also known as the New Jersey Data Privacy Act (“NJDPA”), which Governor Phil Murphy signed into law in January 2024, providing New Jerseyans with some of the strongest data privacy protections in the country.

“We live in a rapidly changing digital age, and personal data is collected at an alarming rate. Consumers in New Jersey deserve to know exactly when and how their information is used,” said Governor Phil Murphy. “Our residents rely on the internet for everything from shopping and working to deeply personal tasks such as managing finances or medical care. This highly sensitive information should never be exploited. These proposed rules will help ensure consumers in New Jersey can reclaim control over their personal data.”

“As data breaches and cyber threats continue to grow in this age of digital consumerism, protecting the personal data of New Jersey residents from unauthorized access and use is more important than ever,” said Attorney General Platkin. “The proposed rules advance consumer privacy protections by requiring internet websites, online providers, and other entities to fully disclose to consumers how their private data will be used, notify consumers of their data privacy rights, and provide them with information on how to exercise those rights.”

“There is a growing sense of helplessness among consumers who do not want their data collected but feel powerless to stop it,” said Elizabeth M. Harris, Acting Director of the Division of Consumer Affairs. “The rules we are proposing today empower consumers to reclaim control over their personal data, including how and when it is collected, shared, or sold.”

The proposed rules establish a comprehensive regulatory framework for the implementation of the NJDPA, a law that grants consumers certain rights regarding their personal data, defined as “any information that is linked or reasonably linkable to an identified or identifiable person” (with exceptions for “de-identified data or publicly available information”).

Among other things, the NJDPA requires controllers to notify consumers of the collection and disclosure of personal information to other third parties, and to provide consumers with an ability to opt-out of that collection or disclosure. The law also entitles consumers to know which data is held by the controller, so they have the ability to correct or delete incorrect information. Controllers also must limit the collection of personal data to what is adequate, relevant, and reasonably necessary to their business and must specify the express purposes for which personal data are processed.

Among other things, the proposed rules:

• Facilitate New Jersey consumers’ rights to:
• say “no” to (or opt out of) a controller selling or using their personal data for targeted advertising and some types of profiling (for example, profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy). (N.J.A.C. 13:45L-3.4);
• know if a controller processes their personal data, and obtain a copy of the personal data that the controller has collected (N.J.A.C. 13:45L-3.5);
• correct inaccuracies in their personal data that are maintained by a controller (N.J.A.C. 13:45L-3.6);
• delete the personal data that a controller collects from them (N.J.A.C. 13:45L-3.7); and
• obtain a portable copy of their personal data (N.J.A.C. 13:45L-3.8).

• Provide the framework for universal opt-out mechanisms, which allow consumers to communicate their opt-out choice with multiple controllers using a single, simple technological mechanism. (N.J.A.C. 13:45L-5.1, 5.2)

• Require controllers to document their efforts to limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose for which the data is processed. (N.J.A.C. 13:45L-6.3)

• Obtain valid consent prior to processing:
• a consumer’s sensitive data; or
• the personal data of kids aged 13-17 for targeted advertising, profiting, or sale, or processing a consumer’s sensitive data. (N.J.A.C. 13:45L-7.1)

• Establish additional protections for children under 13 to protect them from harm arising from the misuse of their personal data. (N.J.A.C. 13:45L-7.4)

The 60-day public comment period, during which stakeholders have an opportunity to submit written comments on the proposed rules, begins today. The public comment period ends August 1, 2025.

After the close of the public comment period, the Division of Consumer Affairs will review the comments that were submitted. A summary of the public comments and the Division’s responses to them will be published in a Notice of Adoption expected sometime in 2026. Upon publication of the Notice of Adoption, the rules become final.

To view the proposed rules and obtain information on how to submit a comment go to: NEW JERSEY REGISTER | PAW Document Page

More News from Raritan

• Commissioner Singleterry Appointed to Judge of Superior Court Commissioner Singleterry is required to resign from office, effectively immediately.
• Reciprocal Borrowing Expanded to Raritan Public Library, Enhancing County-Wide Access to Library Resources All SCLSNJ cardholders can now borrow materials directly from the Raritan Public Library.