On June 2, 2025, the New Jersey Attorney General’s Division of Consumer Affairs released proposed rules (57 N.J.R. 1101(a)) pursuant to the New Jersey Data Privacy Act (N.J.S.A. 56:8-166.4 et seq.). Although the proposed rules have many similarities to California’s current privacy regulations, there are some surprises. Among other things, New Jersey has proposed a limited definition of the “internal research” exception to the rules that excludes using personal data to train AI:
conduct is not “internal research” if: (1) the data or resulting research is shared with a third party, unless it is de-identified or shared pursuant to N.J.A.C. 13:45L-1.3(c); or (2) the data or resulting research is used to train artificial intelligence, unless the consumer has affirmatively consented to such use.
(emphasis supplied) The proposed rules may also have been influenced by a recent California Privacy Protection Agency settlement (see our blog post here), because the proposed rules would also require that controllers “test their methods for submitting data right requests and obtaining consumer consent to ensure they are functional and do not undermine their consumers’ choices.” In other words, the regulation would mandate that the controller have technology for consumers to submit data rights requests and that the controller test that technology to make sure it works.
In addition, similar to other states (such as Texas), the proposed rules require certain disclosures if the consumer’s personal data will be used for “profiling” and the profiles result in “decisions that produce legal or similarly significant effects concerning the consumer.” The rule would define “profiling” as “any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” New Jersey would mandate the following disclosures:
(1) the categories of personal data that will be processed as part of the profiling; (2) the decisions that are made by using profiling; (3) whether the system has been evaluated for accuracy, fairness, or bias; and (4) information about how a consumer may exercise the right to opt out of the processing of personal data for profiling in furtherance of decisions that produce legal or other similarly significant effects.
(emphasis supplied).
New Jersey would also place an affirmative obligation on controllers “to notify consumers of material changes to their privacy notice in a manner by which the controllers regularly interact with consumers.” The controller would be required to obtain the consumer’s affirmative consent prior to processing any personal information under the new revised privacy notice.
The proposed rules would also require controllers to “ensure” that processors make corrections in response to a consumer’s request to correct the personal information. It is unclear whether this obligates controllers to do anything beyond including necessary requirements in processing contracts.
Unlike California’s requirements, if a consumer makes a request to delete personal information, the controller would be required to delete information about that consumer it obtained from a source other than the consumer.
The controller’s privacy policy must specify the purpose for each processing activity. The proposed rule would prohibit controllers “from identifying one broad purpose to justify numerous processing activities, specifying one broad purpose to cover potential future processing activities, or identifying so many purposes for which personal data could be processed, that the purpose or purposes become unclear or uninformative.” The proposed regulation includes some examples of descriptions: “targeted advertising,” “credit profiling,” or “AI modeling.”
New Jersey would also require controllers to take certain steps with respect to data:
- Create, establish, update, and maintain a data inventory documenting the types of data that the controller possesses, where the data is stored, and who has access to the data;
- At least once a year, assess whether biometric identifiers, photographs depicting one or more persons, audio or voice recordings containing the voice of one or more persons, or any personal data generated from a photograph or an audio or video recording held by a controller is still necessary for the specific processing purpose or purposes, and document such assessment . . .
- To ensure that the personal data is not kept longer than necessary, a controller shall set reasonable, specific time limits for erasure or for conducting a periodic review.
On a related retention point, the rules would also place a time limit on consent for some types of consumers: “When a consumer has not interacted with a controller in the prior 24 months, the controller shall refresh consent.”
New Jersey also proposes this transition requirement:
If a controller has collected personal data prior to (the effective date of this rulemaking), and the processing purpose changes after (the effective date of this rulemaking), such that the new purpose is neither reasonably necessary to, nor compatible with, the purposes for which such personal data was processed, as disclosed to the consumer, the controller must obtain valid consent before the time the processing purpose changes to continue to process the previously collected personal data.
Similar to other states, New Jersey would require an annual data protection assessment for any use of personal data that presents a “heightened risk or harm to a consumer.” If the data is used for profiling, the controller would be required to update the assessment annually, or more frequently if “existing processing activities are modified in a way that materially changes the level of risk presented” or if there is a new data processing activity. Modifications that “may materially change the level of risk of a processing activity may include changes to . . . the algorithm applied.” Given the frequency with which artificial intelligence algorithms may change, this proposal could place a significant burden on controllers.
Our Take
Although not revolutionary, the proposed rules would create obligations around the management and processing of consumer personal data that will require careful planning before they can be successfully implemented. For example, the requirement that consent be refreshed if the controller has not been in touch with the consumer for 24 months requires either refreshing consent every 24 months or keeping track of consumer interactions. Likewise, given the prevalence of audio recordings for helplines and the use of video recordings for security purposes, many companies that operate in New Jersey will need to develop yearly plans to evaluate their use and retention. In addition, data controllers will need to evaluate (and document) any profiling of consumers for “accuracy, fairness, or bias.”
Perhaps most problematic is the requirement that controllers “create, establish, update, and maintain a data inventory documenting the types of data that the controller possesses, where the data is stored, and who has access to the data,” as such inventories are notoriously difficult to create and maintain as organizations evolve and their IT systems grow. Depending on how the Division of Consumer Affairs interprets how granular the requirement is, this section could be a significant compliance burden.
It should also be noted that several of the proposed New Jersey privacy rule provisions would affect uses of consumer personal data in artificial intelligence that could have impacts well beyond New Jersey.
For people or entities who want to comment on the Proposed Rules, comments are due by August 2, 2025.