Key point: Regulations proposed in June 2025 to implement the New Jersey Data Privacy Law expired on June 2, 2026, when the regulations were not adopted within a year of the proposal. The path forward for future rulemaking to implement the law is uncertain.

In January 2024, the New Jersey legislature enacted the New Jersey Data Privacy Law, N.J. Stat. §§ 56:8-166.4 et seq., which established, among other things, a framework to protect the personal data of New Jersey residents and regulate how businesses handle that data, and provided the New Jersey Division of Consumer Affairs (DCA) with authority to promulgate rules and enforce the law. The law went into effect in January 2025.

On June 2, 2025, the DCA issued proposed regulations, which sought to implement the protections afforded under the law. Under the New Jersey Administrative Procedure Act, proposed regulations expire within one year of the proposal, unless the agency takes action to adopt the regulations or proposes substantial changes. The deadline for the DCA to act on its proposed data privacy regulations was June 2, 2026. That deadline has now passed without any action.

The path forward for the rulemaking is unclear, but regulations cannot be adopted without at least another publication and the opportunity for public comment. Among other possibilities, the DCA may issue a new proposal that includes changes based on comments received in response to the initial proposal. In this regard, the now-expired proposed regulations generated approximately 50 comments from industry stakeholders, privacy advocates, and other interested parties, demonstrating stakeholders’ significant interest in the rules.

The comments from industry stakeholders raised concerns with many aspects of the proposed regulations. Among the provisions giving rise to industry criticisms were the definitions of “personal data,” “de-identified data,” “data broker,” and other terms; the restriction on a company’s ability to use personal data to train artificial intelligence; and disclosure and notice requirements that commenters described as vague and overly burdensome.

Troutman Pepper Locke will continue to monitor developments in New Jersey and provide updates on future rulemaking with regard to the New Jersey Data Privacy Law.

Photo of Matthew Berns Matthew Berns

Drawing on his experience in senior leadership roles in the New Jersey Attorney General’s and Governor’s Offices and as a trial attorney for the U.S. Department of Justice, Matt provides an insider’s perspective when guiding clients through complex government investigations, litigation, and other…

Drawing on his experience in senior leadership roles in the New Jersey Attorney General’s and Governor’s Offices and as a trial attorney for the U.S. Department of Justice, Matt provides an insider’s perspective when guiding clients through complex government investigations, litigation, and other actions.

Read more about Matthew BernsEmail
Show more Show less
Photo of Kim Phan Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Read more about Kim PhanEmailKim's Linkedin Profile
Show more Show less
Photo of Angelo A. Stio III Angelo A. Stio III

Angelo is an experienced trial attorney who has handled matters in courts and before arbitration tribunals throughout the U.S. He focuses his practice on data privacy and security, consumer financial services, and higher education.

Read more about Angelo A. Stio IIIEmailAngelo's Linkedin Profile