From Hunton Andrews Kurth:
On June 2, 2025, proposed rules (“Proposed Rules”) were published under New Jersey’s Data Privacy Act (“NJDPA”). The Proposed Rules elaborate on what constitutes “personal data” and detail a number of compliance obligations, some of which parallel existing requirements under data privacy laws in California and Colorado.
Like many other state data privacy laws, the NJDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable person.” The Proposed Rules, further specify that data “is “reasonably linkable” if it can identify a person or a device linked to a person when aggregated with other data, including, but not limited to, a person’s: (1) full name; (2) mother’s maiden name; (3) telephone number; (4) IP address or other unique device identifiers; (5) place of birth; (6) date of birth; (7) geographical details (for example, zip code, city, state or country); (8) employment information; (9) username, email address, or any other account holder identifying information (including, but not limited to, identifying information related to social media accounts); (10) mailing address; and (11) race, ethnicity, sex, sexual orientation, or gender identity or expression.
The Proposed Rules also further detail a number of compliance obligations, including requirements relating to maintaining a data inventory, processing sensitive data, maintaining records of privacy rights requests, conducting data privacy impact assessments, providing privacy disclosures including in relation to loyalty programs, practices for receiving and responding to privacy rights requests, and practices for obtaining consent including requirements for avoiding dark patterns.
Read more at The National Law Review.