Skip to Content
Close
Kaufman Dolowich, LLP Kaufman Dolowich, LLP

Mansfield Rule Certified 2025

Kaufman Dolowich, LLP

|
(844) 860-1010 |

New Jersey Publishes Proposed Regulations to Implement Data Protection Act, by Christopher Nucifora, Esq., 9-19-2025

News & Resources

New Jersey Publishes Proposed Regulations to Implement Data Protection Act, by Christopher Nucifora, Esq., 9-19-2025

Posted Sep 19, 2025

The New Jersey Division of Consumer Affairs has published proposed regulations to implement the New Jersey Data Protection Act (NJDPA).

These draft rules, which are expected to be finalized in the coming year, offer further guidance to businesses on complying with the NJDPA’s robust privacy, security, and data governance mandates.

Among other elements, the NJDPA, which went into effect earlier this year, grants consumers certain rights regarding their personal data, defined as “any information that is linked or reasonably linkable to an identified or identifiable person” with certain exceptions.

Key Highlights of the Draft Regulations:

  • New Definitions: The proposed regulations include new definitions for certain terms such as “access request,” “correction request,” “data portability request,” and “deletion request.”
  • Disclosures/Notices: The proposed rules set forth the following requirements for disclosures, notification and other communications to consumers.

Among provisions this type of correspondence must be:

  1. Understandable and accessible to a controller’s target audience
  2. Accessible to consumers with disabilities
  3. Available in the languages in which the controller in the ordinary course provides web pages, interfaces, contracts, disclaimers, sale announcements, and other information to consumers; and,
  4. Provided in a readable format on all devices through which the consumers regularly interact with the controller.
  • Consumer Rights: The draft rules expand on the NJDPA’s provisions for consumer rights, including access, correction, deletion, and data portability, and set out procedures businesses must follow to respond to such requests. For example, no later than ten business days after receiving a request to exercise a data right, a covered entity must confirm receipt of the request and provide the consumers with information about how the controller will effectuate the request.
  • Duty of Care Obligations: Covered parties must establish, implement, update, maintain and document data security practices to protect “the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition,” according to the proposed rules. When determining appropriate data security safeguards, controllers should consider such factors as applicable industry standards and frameworks, the sensitivity and amount of personal data and the risk of harm to consumers resulting from unauthorized or unlawful access, use, or degradation of the personal data.
  • Recordkeeping: The draft regulations clarify recordkeeping requirements including mandating the covered entity maintain records of data rights requests for at least 24 months. These records include the date of the request, the data rights requests type and the existence and resolution of any consumer appeal to a denied request.

Timeline and Next Steps

The public comment period for the proposed rules closed on August 1, 2025. The Division is now in the process of reviewing stakeholder feedback and is expected to issue a final notice of adoption sometime in 2026, according to the agency. In the meantime, businesses should begin reviewing their data practices to ensure they align with both the statute and the proposed regulatory framework.

What Businesses Should Consider

  • Assess Applicability: Determine whether your organization falls within the scope of the NJDPA based on thresholds for data processing and consumer interaction in New Jersey.
  • Conduct a Gap Analysis: Review current data governance and privacy practices against the draft regulations to identify areas of non-compliance.
  • Prepare for Implementation: Begin building internal processes and documentation, including data protection assessments and consumer rights request mechanisms.
  • Monitor for Final Rules: Stay engaged with the rulemaking process and be prepared to adjust compliance efforts once final regulations are issued.

Kaufman Dolowich will continue to monitor developments and provide updates once the final regulations are adopted.

Author:  Christopher Nucifora, Co-Managing Partner of Kaufman Dolowich’s New Jersey Office and Chair of the firm’s Commercial Litigation Practice Group.


White Paper - Impact of COVID-19
Search
News & Resources
Follow Us on Linkedin
Subscribe
Archives

Our Firm's Awards & Honors

No aspect of the advertisement has been approved by the Supreme Court. Learn more about the selection methodology of awards and honors.

Mansfield Rule Certified 2023 Super Lawyers Best Law Firms 2025 Best Law Firms 2025 Martindale Hubbel AV Preeminent Law 360