New Jersey Releases Proposed Regulations Expanding on Obligations Under Privacy Law
On June 2, 2025, Governor Murphy announced proposed regulations (the "Regulations") implementing and expanding on the requirements of the New Jersey Data Privacy Act (the "Act"). We discussed the Act in detail in this post.
The Regulations impose a number of data privacy obligations described more fully below. While many of the Regulations mirror the obligations contained in the Act and in other state privacy laws, they impose the following new or uncommon requirements:
- Controllers and processors must obtain consent to use personal data for training artificial intelligence.
  The Regulations require controllers and processors to obtain consent before using consumers' personal data to train artificial intelligence systems. Specifically, while the Act provides that it should not be construed to restrict a controller or processor's ability to process data to conduct internal research to develop products, services, or technology, the Regulations state that processing data to train artificial intelligence shall not be considered processing "for the purpose of internal research" unless the consumer has affirmatively consented to such use. The Regulations do not define or create any other obligations specific to artificial intelligence.
- In addition to the typical disclosures that most state privacy laws require, privacy notices must include the purpose(s) of collecting personal data, described in a level of detail that gives consumers a meaningful understanding of how each category of personal data is used. Examples of sufficiently granular purpose descriptions include: "targeted advertising," "credit profiling," or "AI modeling." Controllers must not (i) identify one broad purpose to justify numerous processing activities, (ii) specify one broad purpose to cover potential future processing activities, or (iii) specify so many purposes for which personal data could potentially be processed that the purpose or purposes become unclear or uninformative.
- Controllers must make the following additional disclosures when they process personal data for profiling for decisions that produce legal or similarly significant effects:
  - The decisions to be made using profiling.
  - The consequences of decisions based on profiling.
  - A plain language explanation of how the profiling software works.
  - A plain language explanation of how profiling is used in the decision-making process, including any human involvement.
  - The categories of personal data to be processed as part of profiling in furtherance of decisions that produce legal or similarly significant effects.
  - If the system has been evaluated for accuracy, fairness, bias, or the impact of the use of sensitive data, and the outcome of such evaluation.
  - Information about how a consumer may exercise the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.

  Decisions that produce legal or similarly significant effects will include decisions that result in the provision or denial of any objects, wares, goods, commodities, services, or anything that is consumed or used to preserve, protect, or sustain the life, health, safety, or comfort of persons or their property.
- Controllers must implement certain methods for submitting rights requests and obtaining consent that incorporate the following principles:
  - Use plain, straightforward language and not language, visuals, or interactive elements that are confusing to the consumer, including double negatives or toggles or buttons that do not clearly indicate the consumer's choice.
  - Refrain from using language, visuals, or interactive elements to coerce or steer consumer choice or consent, including by presenting choices in a way that shames or pressures the user into selecting a specific choice.
  - Do not require the consumer to click through disruptive screens before being able to opt out, and do not bundle choices so that the consumer is forced to consent to the use of personal data for any purposes that are incompatible with the context in which the personal data was collected.
  - Ensure opt-out mechanisms are easy to execute without unnecessary burdens or friction for the consumer, such as requiring the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting an opt-out request. A controller that knows or should know of but does not remedy circular or broken links or nonfunctional email addresses, such as inboxes that are not monitored or have aggressive filters that screen emails from the public, may be in violation of this principle.
  - Ensure that exercising any one option is not more time-consuming or difficult than, or presented less prominently than, any other option.
  - Do not interpret a consumer's silence or failure to take an affirmative action as acceptance or consent.
  - Do not present choice options with a preselected or default option.
  - Do not unnecessarily interrupt or intrude upon a consumer's expected interaction with a website, application, device, or product to request consent.
  - Ensure consent choice options do not include misleading statements, omissions, affirmative misstatements, or intentionally confusing language to obtain consent.
  - Consider the vulnerabilities or unique characteristics of the target audience of a product, service, or website when deciding how to present choice options.

  A method that does not comply with these principles will be considered a dark pattern, and any option chosen through the use of dark patterns will not constitute valid consumer consent even if it is a design or practice that is commonly used.

  Moreover, when requesting consent, the controller must provide the following information to consumers:

  - The controller's identity,
  - The reason that consent is required explained in plain language,
  - The processing purpose or purposes for which consent is sought,
  - The categories of personal data that the controller shall process to effectuate the processing purpose or purposes,
  - The names of any third parties receiving sensitive data through sale, and
  - An explanation of the consumer's right to withdraw consent for the processing purpose or purposes at any time without detriment and an explanation of the method or methods through which the consumer may exercise that right. The method for withdrawing consent must be at least as accessible and user-friendly as the mechanism by which a consumer provides consent.

  Where consent is required, controllers must refresh it if the consumer has not interacted with the controller in the prior 24 months.
- Controllers must do the following to comply with data minimization obligations:
  - Consider and document the personal data necessary for each processing purpose disclosed to the consumer.
  - Create, maintain, and update data inventories that specify the types of personal data that the controller possesses, where such data is stored, and who has access to such data.
  - Keep the consumer's personal data in a form which allows for the identification of consumers for no longer than is necessary for the processing purpose or purposes.
  - Delete and instruct any processors with which the controller has shared the personal data to delete any personal data that is no longer necessary for the specific processing purpose or purposes.
  - At least once a year, assess whether biometric identifiers, photographs depicting one or more persons, audio or voice recordings containing the voice of one or more persons, or any personal data generated from a photograph or an audio or video recording held by a controller are still necessary for the specific processing purpose or purposes and document such assessment.
  - After a consumer revokes consent to process the consumer's personal data, immediately delete sensitive data concerning the consumer for which the controller no longer has consent to process, control, possess, sell, or share.
  - If collecting, using, or retaining personal data pursuant to an exception in the Act, assess why the collection, use, or retention of such data is covered under the relevant exception.

  When considering whether a new processing purpose is reasonably necessary to or compatible with the purposes disclosed to a consumer, controllers must consider the following:

  - The expectations of an average consumer concerning how their personal data would be processed once it was collected.
  - The link between the original specified purpose or purposes for which the data was collected and the purpose or purposes of further processing.
  - The relationship between the consumer and the controller and the context in which the personal data was collected.
  - The type, nature, and amount of personal data subject to the new processing purpose.
  - The type and degree of possible consequence or impact to the consumer of the new processing purpose.
  - The identity of the entity conducting the new processing purposes, for example, the same or different controller or a third party.
  - The existence of additional safeguards for the personal data, such as encryption or pseudonymization.
- Universal opt-out mechanisms must adhere to detailed technical specifications. However, the Regulations do not indicate whether any existing mechanisms, such as Global Privacy Control, satisfy these criteria, or whether controllers are expected to assess the mechanisms for compliance prior to recognizing their signals.
- Controllers also must notify consumers of material changes to a privacy notice. The Regulations define material changes broadly to include changes to categories of personal data processed, the purposes for which personal data is processed, the name or ownership of the controller, the act of—or policies concerning—the sharing of personal data with third parties, the categories of third parties with whom personal data is shared, and the methods by which consumers may exercise their rights.
- Controllers must make disclosures when offering loyalty programs to consumers. The disclosures are similar to those that the California Consumer Privacy Act requires for loyalty programs.
- Controllers must comply with additional data security requirements when determining appropriate data security safeguards.
The public comment period is open until August 1, 2025.
DWT's privacy and security team regularly advises clients on compliance with emerging regulatory regimes and will continue to monitor developments regarding the Regulations.